Drive we are so privacy focused here. What is to prevent myself or anybody out there, from starting to report individual instances of GDPR and CCPA.
No lemmy insurances are complying with national privacy laws and nobody is talking about it at all.
Yep, nobody is talking about it at all…
🤷♂️ seems pretty buried with the current UI. In general most users seem to think this place is actually more private than a reddit or Facebook.
That’s the worst strawman I’ve read in quite a while. This is literally a public forum, no one thinks it’s private in any way.
👌
Geez, check out OP’s comment history…
Definitely dealing with a lot of copium around the reality of running web services.
Disclaimer: I have no law degree and everything in this post is speculative.
After reading up on GDPR (https://en.wikipedia.org/wiki/General_Data_Protection_Regulation) it deals with the transfer of personal data to entities outside the EU or EEA for processing. The definition of personal data would be the main point to see if/how GDPR is applicable to lemmy instances. (https://en.wikipedia.org/wiki/Personal_data)
Your IP address and EMail address could be classified as personal data from my point of view. But this won’t be shared or processed outside of the instance as far as I can tell. If your username and associated posts are classified as personal data I can’t say, but there seems no connection of these to your IP or Mail outside the instance. According to this TechDispatch (https://edps.europa.eu/data-protection/our-work/publications/techdispatch/2022-07-26-techdispatch-12022-federated-social-media-platforms_en) the instances still must adhere to GPDR, but as there is not much or no processing of personal data taking place this should pose no issue.
All of this is based on a bit of research, so please enlighten me if I made any mistakes.
In the UK a screen name is an identifier. See ICO here. I am in the UK. Therefore combined with other data being collected, e.g. IP. Lemmy and instances I interact with are handling personal data. If it is transferred between instances when I search or view content from one instance to another, there are GDPR implications.
Here is the information I have on your user ID as an operator of a remote instance.
1: Your username and home instance (and a separate link to your profile page on your home instance)
2: Your avatar
3: Your about info
4: Date/time of your last activity (but that I think will be the last time you were seen by my instance, interacting in a community I also have here), so not shared really.I took a look at the json returned from your home instance, and again the info is profile page, username, information required for communication between instances with the only PII present being the username, the about and an icon and image.
Here’s why I’m going to say this isn’t likely to be a problem as such. This is the same as on reddit, if I look at a post a user makes I can click on the user and get access to this level of public information. Also under GDPR and DPA based on advice from the ICO data sharing isn’t forbidden, but the minimum required to fulfil the function of that sharing should be sent. I think the above data meets that. There isn’t information we don’t need to work a distributed network like this.
I think the point about making a privacy policy visible is a good one. It should make it clear how the network works, and what kind of information is shared with federated instances (and also available to the public, the user query is publicly available). But the data that is federated is the same as is publicly available.
Now I do feel like there’s the scope for a lot of manual work. For example, federation sometimes means that edits/deletes don’t make it. It can be caused by problems on both sides of the connection. So if you want all your data deleted. Sure I could delete all posts and your user info here. And even make requests to the home instances that they delete them too. But, some might remain on remote instances, and I don’t know who would be responsible for that. Some grey areas remain.
but this won’t be shared
How do you know that? No registered entities, no policies, no assurance what so ever.
The issue for lemmy is the same as mastodon
The Mastodon.social privacy policy covers a lot of this, https://mastodon.social/privacy-policy
This is the least every lemmy site should have
That makes no mention of GDPR or the ability to have data deleted.
You don’t need to mention the law in order to be beholden to the law.
GDPR states you must have a specific GDPR policy. It’s absurd all theses comments from uneducated users. Like 1 in 10 have brought in useful pertinent information. This is stuff a privacy office would know on day one fresh out of school.
How are instances not complying?
Where are the compliance pages? That’s literally step 1.
Can you provide specific and detailed examples
This is just at a really high level. Take for example https://lemdro.id. I am in the UK.
- I do not get cookie information / consent
- How do I make a SAR request, it isn’t stated
- What is their data retention and privacy policy, it isn’t stated
- How do I make a data sharing request as a member of law enforcement or government
- How is data processed if I am under 16/13
- Is data transferred from an EU to non-EU server if I search their content from another instance? Are the correct controls and risk assessments in place
- If I delete my .id account under right to be forgotten, how is my request propagated between other instances to ensure my data isn’t retained somewhere on another instance which has pulled the data
- If I use an account from another instance and post an image on .id, and then delete my account, is the image I posted deleted from their server and backups etc
GDPR is very serious and an absolute minefield. I am pretty sure Lemmy and individual instances are not compliant, and I am not sure they can be fully - it may have to be on a best-endeavours basis. Be interesting to see how that holds up under a challenge.
Holy shit that is quite a lot
Can you point my to where the GDPR policy for lemmy.world is?
That is a tos not GDPR.
maybe