I’m not joking. It’s legally very questionable. It matters little if all the data is public.
Have you heard about that $1.3 billion fine that Meta got under the GDPR? That was for sending data to US servers where the US government can get to it. It was the highest fine ever under the GDPR and it happened because Meta complies with US law. For that matter, the option to embed images into posts is a violation, as well.
Unless you dox yourself what kind of personal information are instances sharing? On top of that stuff that isn’t due to the normal functioning of the site as a public message board?
What’s questionable is embedding images, lemm.ee mitigates that with proxying, but ultimately the web is the web and you can’t proxy the whole web. Clicking a link will still lead you somewhere else and if your browser pre-loads links then that’s up to you.
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Little of the information that instances share is not personal. Identifiable is also very broad. It’s enough that it would be possible for someone with the right tools and access to other information to identify you. E.g., your ISP could be subpoenaed to reveal the customer behind a dynamic IP address, making it a personal datum.
It’s an extremely broad definition. If it wasn’t, tracking cookies would not be a big deal unless you had the real name of someone connected to the cookie ID.
ultimately the web is the web and you can’t proxy the whole web. Clicking a link will still lead you somewhere else and if your browser pre-loads links then that’s up to you.
That’s exactly what my first reaction was. But the law sees it differently. No one is required to use an ad-blocker, VPN, or know anything about the internet. When you make a website or something, it is up to you to make sure that no one’s rights are violated. In fairness, if it was otherwise, tracking pixels would be fine.
We’re not at a point yet, where outgoing links must come with a warning, but it would be safer. Someone is always the first to lose a court over something. I noticed news media use rel=noreferrer. I think that’s the least one needs to do (“data minimization”).
Don’t expect me to defend the GDPR. It’s neoliberal/conservative bullshit; even an abandonment of enlightenment values. But it’s the law nevertheless and a lot of people on Lemmy positively love it.
Little of the information that instances share is not personal.
The only PII contained in that post you wrote is your user name. My instance has no idea what IP address or whatnot you used, it gets sent “user posted message”, “user voted”, etc. messages by lemmy.world. It does not interact with you.
The information that your instance shares with the rest of the world is a) pseudonymous, unless you dox yourself no connection can be made between your handle and your actual person and b) said information transfer is part of the primary service of the platform. You wouldn’t be here if things wouldn’t get shared that way, hence, you consented.
If it wasn’t, tracking cookies would not be a big deal unless you had the real name of someone connected to the cookie ID.
Cookies are no issue. Tracking without consent is. Lemmy isn’t tracking you. You have an account with lemmy.world. You presumably have taken notice of its privacy policy. lemmy.world is run by a Dutch foundation, and yes they have a legal department… or at least lawyers. If you’re an EU citizen the GDPR applies, otherwise other stuff might apply, they’re spelling it all out.
E.g., your ISP could be subpoenaed to reveal the customer behind a dynamic IP address, making it a personal datum.
…yes? You gave lemmy.world the right to log your IP when you signed up. They’re not retaining it longer than necessary because of the general GDPR provision of data frugality, but if a court order knocks on their door saying that they need your IP they can also be required to wait until you log in and then send that fresh IP directly to the authorities. Newsflash: The GDPR does not provide opsec against EU state actors. Off to the darknet with you if you care about that. It does provide opsec against ad networks, data brokers, etc… well at least in so far as it’s actually enforced.
Don’t expect me to defend the GDPR. It’s neoliberal/conservative bullshit; even an abandonment of enlightenment values.
The only PII contained in that post you wrote is your user name.
I think you have California law in mind here? I’ll boil down the GDPR’s definition of personal data for this particular case.
‘[P]ersonal data’ means any information relating to an identifiable natural person.
All the data that is associated with a user account relates to that user. All of it is personal data.
[A]n identifiable natural person is one who can be identified by reference to an identifier such as an online identifier
Now that I come to mention it, I think a static IP is a sufficient identifier in itself, without further recourse to ISP data.
lemmy.world is run by a Dutch foundation, and yes they have a legal department… or at least lawyers.
Indeed, it’s heart-warming to see how the legal section grows every time I check. Which is a problem, because I’m pretty sure they need to give everyone the option to decline or accept every time they change it. Well, maybe in another couple months or years, it will be somewhat in compliance with EU regulations.
You gave lemmy.world the right to log your IP when you signed up
All the data that is associated with a user account relates to that user. All of it is personal data.
Yes and it’s identifiable. That’s why I mentioned your online handle. You also not just consented, you tasked lemmy.world with broadcasting it all over the place. Complaining about that is like complaining about an email provider sending an email to a recipient.
That has nothing to do with the data transfer lemmy instances are doing among each other. Which was what you complained about. Yes, it’s personal data, yes, you consented. No, the GDPR has no issues with that. I could’ve been more clear in the beginning, let me ask again:
Which personal data do lemmy instances exchange that you did not consent them to share. That is not necessary for them to share to function as federated social network. That, in fact, isn’t available via the web interface. Exactly one thing comes to mind: Votes are identifiable and not everyone knows about that but there’s also a discussion going on.
You know what? Why am I even talking to you. If you have something to complain about, contact your data protection officer.
The enlightenment bit was too much?
Nope it already started at the neoliberal/conservative bits. Neoliberals would like to own all your data freely, privately, while conservatives would like the police to own all your data. Things like Chat Control come out of the neolib/conservative corner of the EU while data protection is a Pirate/Greens/EFA thing, with Socdems and Demsocs not minding it but not taking the initiative, either. Oh and there’s also some conservatives who are in favour because digital sovereignty and such.
You also not just consented, you tasked lemmy.world with broadcasting it all over the place.
Didn’t Meta try the same argument? I very much doubt this will work in court.
Under the GDPR, you need informed consent. That consent may only be for specific, limited purposes. A blanket permission for any broad purpose is not going to work. People know that their comments and posts will be read, so that’s fine. One should probably tell people that their posts will also be crawled and stored in various databases. That federation means that their personal data is actively sent to other instances and processed there, is not something your average person knows. To be legally above board, this should happen only under contract, with instances under the GDPR or equivalent, and only by informed consent.
Every once in a while, there are debates around federating with or blocking certain instances. In particular, federating with Meta’s Threads is a hot button issue. Clearly, a number of people explicitly do not consent to having their data sent to just anyone. I think they have the law on their side.
Complaining
I’m not complaining. I’m explaining the law. You asked, remember?
That has nothing to do with the data transfer lemmy instances are doing among each other.
I originally posted this with regard to embedding images. But it also shows you something else: Saying that something is simply the way the internet works just doesn’t hold up in court. In that case, the plaintiff could have configured their browser to not connect to google. But they explicitly don’t have to.
That, in fact, isn’t available via the web interface.
Good question. Why should it matter if the data is sent to other people, if those people could scrape the data just as easily. Common sense may be that it doesn’t matter. But you could equally well say: Why does it matter if I share copyrighted media, if people can already get pirated copies with ease?
Under what conditions scraping is legal is mostly unanswered right now. But the legality of scraping does not directly affect the legality of data sharing for federation.
Neoliberals
Oh, I see. These terms are always a bit fuzzy.
Suppose we regulated food on the same principles. Manufacturers would have to print exactly what ingredients went into the food and what was done with them. Maybe they are also required to assess the impact of some ingredients or steps in the recipe. Then people can form their opinions on whether that is healthy or not; causes cancer or whatever. Nothing is banned outright, it’s just a matter of informed consent whether you eat something or not. To me, this is a neoliberal or libertarian approach.
The GDPR goes a step further by giving you rights over certain data, turning it into something similar to intellectual property. The dogma that we should turn everything into private property and leave it to the individual, and then a miracle happens, is to me libertarian or neoliberal. Suggest a better word if you have one.
Didn’t Meta try the same argument? I very much doubt this will work in court.
They shared, and processed, much more than post data. When you click on “reply” on your next post you’re consenting to publishing what you wrote, you’re not consenting to lemmy.world sending metrics about how long you seem to have looked at an ad to the yanks. You’re not consenting to having your typing patterns analysed to build a psychological profile. All that is data that your instance’s web UI could collect, but doesn’t, and also doesn’t share with anyone. Meta does.
Clearly, a number of people explicitly do not consent to having their data sent to just anyone. I think they have the law on their side.
They are free to use platforms which share information less freely. But that’s kinda pointless: As long as the information is publicly accessible, and you very much agree to the information being publicly accessible when posting it in a public forum and pretending you don’t understand that won’t fly in court, it is necessarily available world-wide in one way or another.
There’s some wibbles about details here, e.g. votes are aggregate in the public-facing view, while on the instance level you can see who voted how. That’s, in my understanding, why the devs proposed making them public also on the web interface: So that it’s clear that it’s public information.
Under what conditions scraping is legal is mostly unanswered right now.
Scraping is perfectly legal in the EU. It’s like making a copy of a newspaper: You can get in trouble for distributing that copy, but not for making it for your own archival or whatever purposes.
I originally posted this with regard to embedding images.
lemm.ee actually proxies images. I’d say that it’d be good practice to proxy anything that needs to get loaded by browsers to display the page.
The GDPR goes a step further by giving you rights over certain data, turning it into something similar to intellectual property. The dogma that we should turn everything into private property and leave it to the individual, and then a miracle happens, is to me libertarian or neoliberal. Suggest a better word if you have one.
It’s you who introduces the term “property”, there. The European legal tradition considers the whole topic as part of the right to informational self-determination, if you want to call that a “property” then only in so far as honour or glory or bodily integrity are also property.
The neolib position, I think, could be better described as private data being a) a commodity and b) the identified person does not actually have any inherent rights to it. They don’t want to pay you, lowly peasant, for collecting data about you, they are always and everywhere in favour of their own privilege of owning all the things without equitable exchange. Less insane liberals may still formulate things in terms of property, but then have the basic common fucking decency to assign property of your own data to you. They may even limit some of the commodity aspects.
They shared, and processed, much more than post data.
That does make a difference, but probably not enough of one. The GDPR defines sensitive data: Religious beliefs, trade union membership, sexual orientation, and more. The sensitive data is in the posts. That other data was probably not a big deal.
The counterargument was that the processing wasn’t strictly necessary for the contract. It is not strictly necessary either to store lemmy posts on other servers outside the reach of the GDPR.
Scraping is perfectly legal in the EU. It’s like making a copy of a newspaper: You can get in trouble for distributing that copy, but not for making it for your own archival or whatever purposes.
No. You misunderstand. Scraping, as such, is legal in the abstract. But where personal data is concerned, the GDPR applies. How and for what purposes the GDPR allows scraping is contested, to put it mildly.
You’re probably allowed to make copies of a newspaper for your private, non-professional, non-business purposes throughout Europe, but the states have somewhat different laws for that sort of thing. It’s not necessarily legal under all circumstances in all member states.
It’s you who introduces the term “property”, there.
I said similar to intellectual property. Property is something that may not be used or taken without consent. When someone else has it, the owner can demand to know about its whereabouts or condition, or take it back. That seems quite similar to the requirements of the GDPR. Neither honor nor bodily integrity are like that. The main difference to property is that you cannot irrevocably transfer it to someone else.
Continental European copyright is also like that. Maybe the PR work of the copyright industry laid the groundwork for the GDPR. Note how people talk: Tracking cookies are “stealing your data”. It’s not spying on you - not invading your privacy - it’s an act of theft; a property crime.
Maybe you think the dissimilarities weigh more heavily. Even so, it is still neolib or libertarian to me. That’s the point of the food analogy.
You’re right that they want it to be even more property like. I expect eventually we’ll get some data trustee or PIMS scheme or something along those lines. Some brain-dead ordoliberal fever dream born out of dogma rather than reason. That seems to be the track we’re on. The left is dead.
It certainly is against the GDPR to federate with US instances.
considers
I don’t think that it is, even for EU instances, in that the GDPR regulates businesses, so it’s out-of-scope for the GDPR.
In theory, I suppose that GDPR implications might come up if someone starts selling commercial Threadiverse access at some point, though.
There might be some interesting questions providing Usenet or maybe XMPP, though, as there are commercial providers of those services, and they are federated and transfer data all over the world.
kagis
Hmm. This has some people talking about it for XMPP. At least this guy’s first pass is that it might apply:
Under UK GDPR (not sure about the EU one) the only grounds for exemption is “Residential use” (other than police and national security, which are also exempt), quoting from the ICO: “Domestic purposes – personal data processed in the course of a purely personal or household activity, with no connection to a professional or commercial activity, is outside the UK GDPR’s scope. This means that if you only use personal data for such things as writing to friends and family or taking pictures for your own enjoyment, you are not subject to the UK GDPR.” [1]
(For those who don’t know who the ICO is, they are the British data protection authority, see [2])
At first, at least in my case, this seems pretty easy. The data is stored domestically, it is used with me and my friends for communication, there shouldn’t be any more to it… right?
But there is. I regularly connect and talk in many MUCs for open source projects, such as Ignite Realtime (which this was initially discussed until Guus suggested moving it to operators, thanks Guus :) ).
IP addresses, are considered identifiable information, logs will store said information, this therefore means my server is storing identifiable information on other servers, in this case, servers which could be considered for commercial purposes.
It needs to be noticed commercial purposes doesn’t necessarily mean paid services, charities and non-profits are included within the definition. Open source projects COULD be considered commercial purposes because, although contributions are provided free of charge, it is still a “donation” of sorts in the way of code.
The definition of “professional” does not seem to be clarified anywhere on the ICO page, nor in their legal definitions [3]. It doesn’t seem to be within the UK GDPR legislation [4] (I will admit I did not read all of this, I tried searching for keywords and found nothing, if someone read it all and knows where this exception is clarified, please let me know). Professional could mean a lot, but I will assume it is to do with some sort of “work”, which therefore would include open source contributions.
This therefore could break the “no connection to professional or commercial activity”, to be honest the easiest thing to draw from this is if it involves someone who is not family or friend (or yourself), you are very likely to not be exempt.
For those who will suggest a zero storage solution, where the XMPP server doesn’t store any data, it still comes under GDPR due to PROCESSING of data, simply processing it, even if you don’t store it, will have GDPR requirements.
Failure to pay when you are required to results in fines.
This is really cracking open a huge can of worms, it isn’t so much of “ah £45/yr is no big deal”, once you are exempt you must follow all the legal requirements of GDPR, and for a hobby? Is it worth it?
I am 100% sure, an XMPP server which does not federate, which is used to communicate with friends would be exempt. But I have my doubts whether a federated server can still use the same exemption clause.
For example: If you keep a personal journal and write about your friends and acquaintances, that’s out of scope. [ETA: As long as the journal is private. When it’s shared outside the household, it is in scope and probably a violation.] But when the Jehovah’s Witnesses go door to door and make notes who opens etc, that’s in scope. [ETA: And has been ruled a violation by the ECJ.]
It certainly is against the GDPR to federate with US instances. US law enforcement could get their hands on our data!
It’s OK though because EU police can get their hands on it too. Phew!
I’ll quote the definition from the GDPR:
The fuck are you on about.
The IP was simply an example that came from the court case I linked earlier. Oh, but not in this particular fork. https://www.techdirt.com/2022/02/07/german-court-fines-site-owner-sharing-user-data-with-google-to-access-web-fonts/
The enlightenment bit was too much? I see where you’re coming from. Well, you probably don’t want to read my rant.
https://mail.jabber.org/hyperkitty/list/operators@xmpp.org/thread/F5EGKYVPD42PPHOW72VBOS5E6OZTA22M/
The GDPR regulates everything and everyone, including individuals and non-profits. See Article 2. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679