this post was submitted on 06 Mar 2024
307 points (89.1% liked)
Fediverse
28499 readers
481 users here now
A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).
If you wanted to get help with moderating your own community then head over to !moderators@lemmy.world!
Rules
- Posts must be on topic.
- Be respectful of others.
- Cite the sources used for graphs and other statistics.
- Follow the general Lemmy.world rules.
Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration), Search Lemmy
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
You can't and this is a shit article...the GDPR doesn't apply to instance outside of the EU....
https://www.dickinson-wright.com/news-alerts/what-usbased-companies-need-to-know#:~:text=The%20GDPR%20even%20applies%20if,language%20of%20an%20EU%20country%2C
Literally people using the GDPR like it's some gotcha thing for admins. If nothing is sold or offered to be sold and their is no financial gain it's not going to apply. On top of that good luck suing a FOSS dev.
Edit: that downvote button does jack shit on Lemmy people. If you think I'm wrong why not prove that I'm wrong...and why a bunch of law firms are wrong as well.
It absolutely does, if the company processes data of EU residents. The US enforces GDPR themselves, as they have signed an agreement to do so. To be clear, this means that according to US law, if you are a US web host, you can abuse US customer data and the FBI will not come after you, but if you do so with EU customer data, US authorities will come after you on behalf of the EU.
Yeah it does, as soon as you are providing a service, if you have a user from the EU that's not you, it applies. And while GDPR fines are defined in a revenue percentage, there is a minimum of "up to 10 million EUR" for a violation.
Nobody is getting sued. EU data protection agencies don't "sue" people and companies. They fine them. The difference is that a lawsuit is a process where at the end you might need to pay money, but you mostly settle. A GDPR fine looks like you get a letter saying you need to pay an amount, if you want to appeal, you can do so after paying.
And it's not the devs that will be getting these fines, it's instance admins.
No it does not, the instances are free, no one is making money off user data or selling anything to the user. It does not apply period.
No it does not, if you do not sell anything to anyone or offer any services or make any money it doesn't apply. Stop repeating bullshit.
Good luck fining a host admin, of a foss instance. I don't know why you think that any admins of instances will be getting fined if they're not selling anything. You need to read up on the GDPR.
Again, no they will not.
As per official EU communication:
Lemmy instances are entities that offer free services and are arguably monitoring the behaviour of individuals in the EU through federation. From the perspective of the GDPR, there is no difference between Facebook and a Lemmy instance regarding what they can or cannot do, or whether they get fined for something.
You need to read up on the GDPR yourself.
What personal data is being processed by a Lemmy instance, what are they processing that's being sold in the EU? The GDPR does not apply here, stop trying to wiggle it into something it's not.
Usernames at the very least, as online identifiers.
And they don't need to be sold, just retained. GDPR applies even if there is no payment anywhere, even to non-commercial entities.
Usernames are not PII...the GDPR only applies if someone is making money from the service. It does not mean just because your site is free but hosts ads or sells user data it's exempt. Lemmy instances do none of this.
What do you think an online identifier is then? And why would the GDPR only apply if there is money made? It specifically says in multiple places free services also count.
https://www.ibm.com/topics/pii#:~:text=Personally%20identifiable%20information%20(PII)%20is,email%20address%20or%20phone%20number.
Usernames are not and never have been considered pii
The GDPR states it clearly that the company/entity has to be collecting pii or selling something to the person. Lemmy does neither of these.
How is IBM authoritative on this subject? And even so, this article doesn't say that usernames are not PII, it even indirectly says it is indirect PII.
Here's another random company's page saying usernames are PII: https://www.keepersecurity.com/blog/2023/06/14/what-is-personally-identifiable-information-pii/
The GDPR says it clearly and explicitly that:
Usernames that are used in an internal network are, because they're linked to pii, a public username is not pii.
And where did you read that? If anything, public usernames are easier to correlate to form identities.