So, I’m kinda new to this Lemmy thingy and the fediverse. I like the fediverse from a technological standpoint. However, I think that, if we gain more and more traction, Lemmy (and by extend the entire fediverse) is a GDPR clusterfuck waiting to happen. With big and expensive repercussions…

Why? Well, according to GDPR, all personal data from EU users must remain in the EU. And personal data goes really far. Even an IP-address is personal data. An e-mail address is personal data. I don’t think there is jurisprudence regarding usernames, so that might be up for discussion.

Since the entire goal of the fediverse is “transporting” all data to all servers inside the ActivityPub/fediverse world, the data of a EU member will be transported all over the place. Resulting in a giant GDPR breach. And I have no idea who will be held responsible… The people hosting an instance? The developers of Lemmy? The developers of ActivityPub?

Large corporations are getting hefty fines for GDPR breaches. And since Lemmy is growing, Lemmy might be “in the spotlights” in the upcoming years.

I don’t like GDPR, and I’m all for the technological setup of the fediverse. However, I definitely can see a “competitor” (that is currently very large but loosing ground quickly) having a clear eye out to eliminate the competition…

What do y’all thing about this?

  • cwagner@discuss.tchncs.deEnglish
    4·
    1 year ago

    E-mail and IP can be personal data.

    Responsible: instance owners.

    all personal data from EU users must remain in the EU

    Not correct, any location just needs to fulfil some basic privacy requirements, so Spy Nation USA is out. Technically. Realistically, that’s still kinda open

    Solution: on signups having to agree to a TOS privacy policy explaining that the data you submit (not quite sure what gets transferred, just username and posts content?) can be submitted to servers in other jurisdictions.

    edit: I originally wrote TOS, but what I mean is a privacy policy.

    • infamousbelgian@lemmy.mlOPEnglish
      61·
      1 year ago

      I don’t think a TOS will hold up. GDPR (and the implementation per country) is a law. You can’t bypass a law with a TOS, I think.

      However, I’m definitely not a GDPR expert…

      • cwagner@discuss.tchncs.deEnglish
        11·
        1 year ago

        No circumventing the law, simply informing users what software they are using and what that means for their data (e.g. using the Lemmy software to post stuff to the US)

    • infamousbelgian@lemmy.mlOPEnglish
      3·
      1 year ago

      Ok, so I did some checking regarding the location and stuff, since I’m clearly not informed enough about this. However, my point still stands (I think).

      Copy pasted from Twilio. I guess they are better aware than I am about the rules…

      The general principle for transfers is outlined in Article 44, which can be summed up as saying, if you transfer EU personal data out of the EU, make sure that this data still enjoys the same level of protection it gets under GDPR. In other words, the entity or company that you pass the data to outside the EU must be under a legally binding obligation to follow GDPR data protection principles or the equivalent. (Unlike an outright prohibition on extraterritorial data transfers, this actually makes sense. No point if having rules if those rules get tossed out the window just by moving the data out of the EU.)

      and also:

      This legally binding obligation can be achieved in multiple ways. Here is a sampling:

1. The entity to whom you pass the data to happens to be in a country that has data protection laws that are just as strong as GDPR (as determined by the EU Commission).
2. The entity to whom you pass the data to agrees by legally binding contract to follow GDPR principles of data protection.
3. The company has enacted Binding Corporate Rules.
4. There is some regulatory-approved code of conduct to which the entity subscribes.

      So, if someone opens up an instance in, let’s say, Ethiopia or the US, it is not compliant, afaik.

      However, question remains about the proxy thingy of the fediverse. Is data copied/stored on other instances OR does it remain on the instance that I subscribed to. And what if that instance is located in a “non-GDPR-compliant-environment”?

    • Pfpirlet@kbin.social
      3·
      1 year ago

      I second this. Personal data doesn’t have to be kept within the boundaries of the EU, but cross-borders transfers has to comply with art. 45, art. 49 (art. 49-1,a. might be useful to back the TOS) and the Schrems ruling of the CJUE.

      I don’t see much troubles for the fediverse, here.

      Edit. Missing word.