I’d be really keen to host a lemmy instance but just wondering with GDPR and everything, if there is anything else to consider outside of the technical setup and provisioning of hardware?

Lemmy is storing users data so is there any requirement to do anything GDPR wise?

Hope this is the right place for this - But seen a lot of posts interested in hosting their own lemmy instance, and this is an extension of that

  • Max-P@lemmy.max-p.me
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    I’d put a legal blob in the Legal section clearly outlining the nature of the fediverse and making it clear to the user that really deleting stuff from Lemmy is near impossible because every instance has a copy of it. That you’ll happily comply and purge the user’s data upon request but that it will still be cached on every other server.

    I’d be interested to see what lawyers have to say about it. Technically the data sharing is absolutely required by the protocol so it might be okay with the GDPR, but it’s also possible that as worded it can’t possibly be GDPR compliant. It was designed with big companies like Google, Meta and big advertisers in mind, and didn’t really account for decentralized services like the fediverse…

    • Max-P@lemmy.max-p.me
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      1 year ago

      Actually I wonder if the end result would end up essentially being, you can only federate with other GDPR compliant instances that you trust will respect the GDPR and honor federated data delete requests.

      The core of the issue is that just by the virtue of running, an instance collects a stupid amount of data. I was baffled at how many user accounts my instance had discovered mere hours after starting it up.

      Edit: row counts after just a week of running my private instance with only 3 users:

      The profiling potential is scary, so users should be really careful with basically every interaction on the Fediverse, including votes. I bet the feds are having a field day monitoring what’s going on on exploding-heads and lemmygrad.

          • TheButtonJustSpins@infosec.pub
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            1 year ago

            However, this duplication mechanism renders content deletion or rectification more difficult. In case of deletion by the user, the platforms with duplicates receive usually an automated deletion request and must be trusted to comply and delete their duplicate.

            Seems like sending the delete notice is all that’s required?

            • Max-P@lemmy.max-p.me
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              Seems like sending the delete notice is all that’s required?

              Yes, but

              and must be trusted to comply and delete their duplicate.

              So because of that trust factor, if you really want to protect yourself and be 100% GDPR compliant, you’d probably want a legal contract with every instance to federate with ascertaining that they are GDPR compliant too to legally deflect blame if you’re unable to comply with a data delete request.

        • Max-P@lemmy.max-p.me
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Under GDPR, any piece of potentially identifying information is considered personal data. I had GDPR training at work. Under the GDPR it’s not even possible to count unique visitors to your website because you’d have to keep track of some identifier even if just IP address and User-Agent, even if it’s entirely client side. You still have to get consent for this.

          Even just community subscriptions is plenty of data to make a rather comprehensive profile of the user’s interests, and if you throw in votes it quickly becomes scary.

          This is everything you upvoted:

      • Thorosofbeer@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I believe this is probably what will happen if this ever becomes a big issue. GDPR was never intended to be navigable for anything except giant proprietary blob tech companies.

    • Thorosofbeer@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      I believe this is probably what will happen if this ever becomes a big issue. GDPR was never intended to be navigable for anything except giant proprietary blob tech companies.

      • Daniel Jackson@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        As I said in another comment, the GDPR protects people. And the GDPR only applies to personnaly identifiable data (IPs, email addresses, street address, legal name, date of birh…) Lemmy only collect emails and IPs, and do not share them between instances. So it’s very easy to comply to the GDPR as long as you don’t do anything shady.

        The EU has a marketing issue. They tried to pass legislation to prevent companies to collect data. But instead, company displayed a popup, kept collecting data, and blamed it on the EU. Everytime I see a popup, I blame ruthless data collection.

        Actually, Lemmy is most likely violatiing the California Consumer Privacy Act, which, as opposed to the GPDR, gives the right to update/delete any data generated by the user, not only personally identifiable information.

    • Daniel Jackson@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      The GDPR doesn’t apply only to services hosted in the EU, but any services handling the data of an EU citizen.

      This is why some news outlets in the US just decided to block EU users all together, out of laziness.

      IANAL, but the GDPR doesn’t cover pseudonymous data. Actually the GDPR encourages data processors (= services) to use pseudomization.

      Personally identifiable information are IPs, email addresses, street address, name, date of birth, … Lemmy only collect IPs and email addresses. And these are not shared between instances.

      Whether the service is hosted in the EU or not, as long as it serves EU users, lemmy should provide a way to delete emails and ip information in a self serving way. (maybe by deleting the account) In the mean time, instances admins have to fulfil requests to delete emails/ips of EU citizens from the database.

      • hikaru755@feddit.de
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        It’s not only IPs and emails though. Since users can put whatever they want in comments and posts, all of those must be treated as potential PII, and have to be included in subject access requests and deletion requests.

      • b3nsn0w@pricefield.org
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I’m gonna preface this: IANAL either.

        There are also different legal bases for different kinds of data processing. For example, I’m pretty sure ensuring your site’s security counts as legitimate interest, and it’s pretty common that IP addresses are stored and processed as such. You don’t need to remove someone’s IP from your access logs just because they asked for it, because your interest in keeping your site secure for both yourself and everyone else outweighs their interest in the privacy of their data. Legitimate interest is the fuzziest of the six legal bases and it doesn’t help that advertisers have started attempting to qualify their BS as “legitimate interest” especially in consent forms (if they need your consent it’s not legitimate interest, it’s user consent, and they really should stop lying) but it still exists to keep things viable.

        As a rule of thumb, if you’re storing data to provide a service you need to export or delete that data upon request, and if you’re doing anything over what’s strictly necessary for providing your service you need to ask the user about it. And you’re right, this applies to anyone whose instance is used by EU citizens.

        Also, pseudonymous data still counts as personal data as long as the pseudonym can be linked back to personally identifiable information. You need to sever this link to comply with a deletion request.