Technically yes, practically no.
maynarkh
joined 1 year ago
Usernames at the very least, as online identifiers.
Art. 4 GDPR Definitions
For the purposes of this Regulation:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
And they don't need to be sold, just retained. GDPR applies even if there is no payment anywhere, even to non-commercial entities.
Lemmy instances offer services to me as an in-EU data subject, and that makes it subject under the very Article 3/2 (a) you linked.
the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union
Since there is federation, a US-based instance would still be a data processor if it IP blocked be as coming from the EU.
I did in fact read it.
Article 22 GDPR:
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. [...]
There is a carve-out if it "is necessary for entering into, or performance of, a contract between the data subject and a data controller", which nobody seems sure what it means, and it has not been tested in court.
Since the GDPR, companies are required to give you a detailed breakdown on why an AI would reject you, if the final decision is on the AI. I'm not sure how many companies are complying though, it's hard to enforce.
The issue I see is that if my instance is on the hook for the fediverse at large, and I operate on an allowlist basis, malicious actors can scrape PII and ignore the GDPR, and that would make me the one on the hook for that, isn't that right?
Oh, that's actually neat. But at the same time, that means every instance owner is responsible for the whole of the Fediverse.
I can imagine that would mean non-compliant instances will get defederated at some point? Or ActivityPub will get some compliance features? It's not like the EU is unaware of the Fediverse, they are the main monetary supporters behind Lemmy.
What I mean by informing others is that you have to explicitly forward the deletion request. Not much else you can do I think.
GDPR article 3, and the EU-US Data Protection Umbrella Agreement concluded in the US in December 2016 which makes it US law disagree.
No it does not, the instances are free, no one is making money off user data or selling anything to the user. It does not apply period.
As per official EU communication:
The GDPR applies to:
- a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
- a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.
Lemmy instances are entities that offer free services and are arguably monitoring the behaviour of individuals in the EU through federation. From the perspective of the GDPR, there is no difference between Facebook and a Lemmy instance regarding what they can or cannot do, or whether they get fined for something.
You need to read up on the GDPR yourself.
Did they defederate from all instances allowing access to EU citizens? If not, they are still liable, as they are scraping EU citizen's data for federation. Even usernames are personal data according to the GDPR.
The big platform has to develop an open API to implement standard message, image and video traffic. No need for a common standard, as long as everyone can implement the eg. open Whatsapp API.