GDPR

Drive we are so privacy focused here. What is to prevent myself or anybody out there from starting to report individual instances of GDPR and CCPA?

No Lemmy instances are complying with national privacy laws and nobody is talking about it at all.

animist

Can you provide specific and detailed examples

trouser_mouse

This is just at a really high level. Take for example https://lemdro.id. I am in the UK.

  • I do not get cookie information / consent
  • How do I make a SAR request, it isn’t stated
  • What is their data retention and privacy policy, it isn’t stated
  • How do I make a data sharing request as a member of law enforcement or government
  • How is data processed if I am under 16/13
  • Is data transferred from an EU to non-EU server if I search their content from another instance? Are the correct controls and risk assessments in place
  • If I delete my .id account under right to be forgotten, how is my request propagated between other instances to ensure my data isn’t retained somewhere on another instance which has pulled the data
  • If I use an account from another instance and post an image on .id, and then delete my account, is the image I posted deleted from their server and backups etc

GDPR is very serious and an absolute minefield. I am pretty sure Lemmy and individual instances are not compliant, and I am not sure they can be fully - it may have to be on a best-endeavours basis. Be interesting to see how that holds up under a challenge.

animist

Holy shit that is quite a lot

@[email protected]

Why would there be a need for a cookie consent?

trouser_mouse

It’s law to comply with GDPR and the ePrivacy Directive.

  • Receive users’ consent before you use any cookies except strictly necessary cookies.
  • Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
  • Document and store consent received from users.
  • Allow users to access your service even if they refuse to allow the use of certain cookies
  • Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.
@[email protected]

There is only one cookie present when I inspect the cookies with my browser's dev tools. Which seems to be the auth token for my account.

trouser_mouse

As far as I am aware, a user authentication cookie is classed as personal data and therefore subject to GDPR!

@[email protected]

Receive users’ consent before you use any cookies except strictly necessary cookies.

Wouldn’t the auth cookie fall into the strictly necessary category?

trouser_mouse

I’m no expert so hopefully someone will be able to chip in. I know when I have dealt with GDPR stuff, there have been quite a lot of conflicting opinions!

Even if it is not required to get consent for that, I think there is also a requirement around explaining to the user what they do and why they are necessary.

@[email protected]

I’m also no expert, just trying to learn more about the topic as it’s kind of interesting to see how other people are interpreting it.

If I delete my .id account under right to be forgotten, how is my request propagated between other instances to ensure my data isn’t retained somewhere on another instance which has pulled the data

There’s no way GDPR can tell we hosts they are responsible for other platform’s copy of data, right? Wouldn’t that mean Twitter has to remove tweets from every news article that makes copies, for example, if someone deleted their account under that right?

It will be interesting to find out!

I mean… It’s pretty explicit in gdpr that the “transfer to non-eu servers” part means you can’t send it via federation in the first place to non-eu servers unless those servers also adhere to gdpr: https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-rules-apply-if-my-organisation-transfers-data-outside-eu_en

The answer is that currently federation and Lemmys use of it are not gdpr compliant and the first gdpr case against any Lemmy instance in the eu will force that instance to defederate from all non-eu servers.

Kichae

I actually question whether GDPR is up for the task of distributed systems like this.

Like, if you put in a right to be forgotten request to your host server, it’s not at all clear that they’re responsible for the copies of your content that are being hosted elsewhere, any more than asking a news website to remove your personal information from an article requires them to also hunt down anyone else who has copied and spread the story to remove it, too.

Different Lemmy websites are independently owned and operated, and your local admin holds no authority over other admins. They can request deletion on your behalf, if that’s a legal requirement, but they cannot compel action. I’m not even sure they can act as your proxy, given that there’s no formal relationship between admins.

Totally, I do wonder how compliant these systems can be!

@[email protected]
creator

Can you point me to where the GDPR policy for lemmy.world is?

@[email protected]
creator

That is a ToS, not GDPR.

@[email protected]

Then message the server admins or create a PR on the Lemmy GitHub page with the missing information. The missing legal footnotes are an issue you have to take up with them or the upstream Lemmy repo on GitHub.

animist

maybe
