Edit: obligatory explanation (thanks mods for squaring me away)…
What you see via the UI isn’t “all that exists”. Unlike Reddit, where everything is a black box, there are a lot more eyeballs who can see “under the hood”. Any instance admin, proper or rogue, gets a ton of information that users won’t normally see. The attached example demonstrates that while users will only see upvote/downvote tallies, admins can see who actually performed those actions.
Edit: To clarify, not just YOUR instance admin gets this info. This is ANY instance admin across the Fediverse.
I don’t think email is a good example because you’re in complete control of who you send an email to. However, I’m not in control of who Lemmy sends my voting data to (because I don’t control who a given instance is federated with), but GDPR grants me the right to know that.
deleted by creator
Still not a good example because I’m still in control of what I choose to send and whether or not I choose to send it at all. I can’t choose whether or not Lemmy broadcasts my username in conjunction with my votes to whoever may be listening, but I can choose not to send an email to a mailing list stating who I am and how I vote on Lemmy posts.
Organizations handling EU citizens’ data are required to abide by the GDPR and I can assure you that Gmail and others do that, they were among the first scrutinized when the GDPR went into effect. Just because I can send any data via email, doesn’t mean that email providers can do whatever they want with the data. If an email provider processes the contents of your email in order to do targeted advertising, then they have to very clearly state that in their privacy policy.
This isn’t specifically aimed at you, @cwagner@lemmy.cwagner.me, but more of a general observation. Lots of people in this thread appear to be unfamiliar with the GDPR and how it works, and that’s completely fair — especially if you’re not from Europa and/or haven’t worked with it. I just wish they would actually check how it works instead of making assumptions. This is a good start: https://gdpr.eu/data-privacy/
That makes no sense whatsoever. It doesn’t matter if you post your +1 via lemmy or via email. Unless someone is standing behind you with a gun forcing you to broadcast that upvote? I think you are completely misunderstanding what I’m saying.
I’ll try to tear it apart:
In both cases you tell the server to do this. It’s not something that just happens, you actively use the server to distribute that information to other servers.
Not only have I heard of the GDPR, I was in contact with our local DPA regarding a compliance issue at work, where I both implemented the original and their changes.
It absolutely does. When sending an email, you fill in the recipient and decide where your data goes, but when you press ‘upvote’ on Lemmy, you don’t have a say in who that information is broadcast to — especially not in its current form. And it’s on whoever runs the Lemmy server to comply with the GDPR and make data processors known. It really doesn’t matter how similar you think it is to email, the GDPR treats it differently and that’s the reality you have to accept.
Your argument could easily be extended to every piece of information floating across the internet. No one is forcing anyone to upload an image to Facebook, but Meta is still responsible for documenting who handles the image and for what purposes, they can’t just say, “you uploaded it, we let 3rd parties have their way with it”.
And I’ve also worked with the GDPR, both as a developer implementing systems to accommodate requests for data insight and erasure, and implementing controls to make sure data was being handled correctly and e.g. not stored for longer than allowed, and I’ve worked with it from a security perspective in order to protect the personal data of about a couple of million people, and finally I’ve worked with it in management to implement safe and GDPR compliant data handling strategies in a couple of companies.
deleted by creator
I am interested in discussion but I prefer to discuss things based on facts rather than feelings.
Email isn’t exempt from the GDPR. If an email provider is doing anything with your email except for delivering it to the intended recipient, then you have a right to know under the GDPR. Plenty of hefty fines have been handed out over failing to sufficiently inform about such things: https://www.enforcementtracker.com/ (look for e.g. art. 12 violations). Even something as simple as SMTP logs contain PII according to the GDPR and should be handled as such.
You voluntarily sending an email, with whatever content you decide to put there, to a recipient of your choosing, is in absolutely no way the same as clicking a vote button and involuntarily having your vote and username broadcast to whoever cares to listen without your prior knowledge and consent. Yes, emails travel through a bunch of MTAs underway — that’s a prerequisite for email to work. And no, broadcasting Lemmy votes along with usernames is in no way a prerequisite for voting to work.
No, you are not, you are insulting, condescending, and misunderstanding what I’m saying while making no effort to try and understand.
I’ll try one final time, if you still don’t understand t what I’m saying, please, just leave me alone.
It’s not involuntary. This is the purpose of Lemmy. It acts as a sender of information. It’s voluntarily broadcasting it, because YOU told it to broadcast it. The privacy policy explains this to you in my example. Just because you have a wrong image of Lemmy in your head, doesn’t turn it into a different application.
You can disagree with that, that’s fine with me, but at least try to understand what I’m saying at all.
Yes, and that’s not the issue as I’ve been saying the entire time. The issue is that you have a right to know where it’s broadcast — both in the past and in the present. That’s what I’ve been saying the entire time. And the privacy policy needs to specify exactly what data is sent and where to. The privacy policy you cited did neither, it just stated that it was sent out.
You can easily check which instances your server is federated with in the footer of your server. If any of those external servers have subscriptions to the community you’re posting in, they will receive an update, so it’s safe to assume it’s being sent to all of them.
Problem is that it’s not historical. If a server was defederated yesterday, it doesn’t appear in that list. And again, GDPR takes this stuff seriously, and “look at the bottom” is not sufficient. It needs to specify what data goes where.