I’d be really keen to host a lemmy instance but just wondering with GDPR and everything, if there is anything else to consider outside of the technical setup and provisioning of hardware?
Lemmy is storing users data so is there any requirement to do anything GDPR wise?
Hope this is the right place for this - But seen a lot of posts interested in hosting their own lemmy instance, and this is an extension of that
Actually I wonder if the end result would end up essentially being, you can only federate with other GDPR compliant instances that you trust will respect the GDPR and honor federated data delete requests.
The core of the issue is that just by the virtue of running, an instance collects a stupid amount of data. I was baffled at how many user accounts my instance had discovered mere hours after starting it up.
Edit: row counts after just a week of running my private instance with only 3 users:
The profiling potential is scary, so users should be really careful with basically every interaction on the Fediverse, including votes. I bet the feds are having a field day monitoring what’s going on on exploding-heads and lemmygrad.
However, this duplication mechanism renders content deletion or rectification more difficult. In case of deletion by the user, the platforms with duplicates receive usually an automated deletion request and must be trusted to comply and delete their duplicate.
Seems like sending the delete notice is all that’s required?
Seems like sending the delete notice is all that’s required?
Yes, but
and must be trusted to comply and delete their duplicate.
So because of that trust factor, if you really want to protect yourself and be 100% GDPR compliant, you’d probably want a legal contract with every instance to federate with ascertaining that they are GDPR compliant too to legally deflect blame if you’re unable to comply with a data delete request.
Under GDPR, any piece of potentially identifying information is considered personal data. I had GDPR training at work. Under the GDPR it’s not even possible to count unique visitors to your website because you’d have to keep track of some identifier even if just IP address and User-Agent, even if it’s entirely client side. You still have to get consent for this.
Even just community subscriptions is plenty of data to make a rather comprehensive profile of the user’s interests, and if you throw in votes it quickly becomes scary.
I believe this is probably what will happen if this ever becomes a big issue. GDPR was never intended to be navigable for anything except giant proprietary blob tech companies.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: [email protected]
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
Actually I wonder if the end result would end up essentially being, you can only federate with other GDPR compliant instances that you trust will respect the GDPR and honor federated data delete requests.
The core of the issue is that just by the virtue of running, an instance collects a stupid amount of data. I was baffled at how many user accounts my instance had discovered mere hours after starting it up.
Edit: row counts after just a week of running my private instance with only 3 users:
The profiling potential is scary, so users should be really careful with basically every interaction on the Fediverse, including votes. I bet the feds are having a field day monitoring what’s going on on exploding-heads and lemmygrad.
IANAL but no, as instances do not share “personal data”. There is a misconception that GDPR deletion requests apply to all data created by a user, but to my understanding it only applies to “personal data” as defined here: https://commission.europa.eu/law/law-topic/data-protection/reform/what-personal-data_en
Interestingly, they’re clearly aware of the existence of the Fediverse: https://edps.europa.eu/data-protection/our-work/publications/techdispatch/2022-07-26-techdispatch-12022-federated-social-media-platforms_en
Seems like sending the delete notice is all that’s required?
Yes, but
So because of that trust factor, if you really want to protect yourself and be 100% GDPR compliant, you’d probably want a legal contract with every instance to federate with ascertaining that they are GDPR compliant too to legally deflect blame if you’re unable to comply with a data delete request.
Under GDPR, any piece of potentially identifying information is considered personal data. I had GDPR training at work. Under the GDPR it’s not even possible to count unique visitors to your website because you’d have to keep track of some identifier even if just IP address and User-Agent, even if it’s entirely client side. You still have to get consent for this.
Even just community subscriptions is plenty of data to make a rather comprehensive profile of the user’s interests, and if you throw in votes it quickly becomes scary.
This is everything you upvoted:
I believe this is probably what will happen if this ever becomes a big issue. GDPR was never intended to be navigable for anything except giant proprietary blob tech companies.