• 0 Posts
  • 91 Comments
Joined 1 year ago
cake
Cake day: June 13th, 2023

help-circle
  • I browse Reddit only for one sub, a country-specific one that is reasonably niche. Right when the API migration happened, there seemed to be a very visible migration of Facebook/Instagram people migrating over to Reddit. Posts asking where to find Instagram/Facebook functionality came in daily, and the overall quality of both comments and posts degraded a lot, suddenly posts had a ton of comments with one word and a ton of emojis.


  • I was going to write a long ass answer to this, but tbh I’m tired of you asking and me answering the same question over and over again while not providing any source for your claims.

    • Lemmy holds PII. Usernames and other online identifiers are PII according to GDPR Art 4/1 and legal practice as well. Photos people upload of themselves, people claiming to be Jews or from some country in comments are all PII. You have just said “oh but they are not” without backing up your claims. If nothing else, the fact that Reddit, the site which this is a clone of, holds PII should convince you if the relatively plain words of the law don’t.

    • Lemmy processes data. According to GDPR Art 4/1 data processing does not involve sales of data, just “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. Again, you have not found anything to back up your claim that “it actually doesn’t and selling and processing is the same”.

    • GDPR applies to nonprofits, even non-commercial entities, private individuals, government institutions as evidenced by fines. You claim an exception for “forum owners for free instances” without even trying to back it up, and are asking me to prove a negative, again without providing any evidence of your own.

    So the real question is, let’s say you’re an admin of some instance that grows to some noticeable size. Would you trust your gut feeling of “I hate EU regulations, and they shouldn’t apply to me either” before some random country you probably never heard of sends you a letter that you pay them some large amount of money? Or would you implement basic delete functionalities on your website and sleep easy?


  • Nice moving the goalposts there. You said “not selling anything”. I think police officers or the “Association for the prevention and study of crimes, abuses and negligence in information technology and advanced communications” don’t sell stuff, they were fined nevertheless.

    If I put a link to for example this case where a small social media provider got fined for nothing more than not handling data well, you could move the goalposts even further.

    Or you could look at the countless cases brought against private individuals where they of course are not selling things. Austria fined a guy under GDPR for having a dashcam!

    So again, you made a claim that there is an exception under GDPR for “forum owners of foss”. Let’s see evidence for that claim.



  • There are dozens of cases of fines issued to municipalities, and government offices that don’t do business. France fined a parliamentary candidate. Italy has fined the Italian Archery Federation, an NGO. Germany fined a bunch of individual police officers and an employee of a Covid testing centre.

    Please either start backing up your claim of some supposed nonprofit exception, or go sealioning somewhere else.



  • Anything that someone’s identity can be even indirectly inferred is PII. The GDPR explicitly defines usernames as online identifiers as PII.

    The whole “irrespective of whether a payment of the data subject is required” bit is so that it applies to free services like Lemmy as well. Lemmy provides me with a free service. It even monitors me through federation, since it scrapes my username and comments from other instances without my affirmative and explicit consent. Using a service, no matter its nature, is not consent as required by the GDPR.

    There is an explicit cutout for services you offer yourself or your household members. The reason it is there is that free services like Lemmy absolutely do qualify.




  • Usernames at the very least, as online identifiers.

    Art. 4 GDPR Definitions

    For the purposes of this Regulation:

    ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

    And they don’t need to be sold, just retained. GDPR applies even if there is no payment anywhere, even to non-commercial entities.


  • Lemmy instances offer services to me as an in-EU data subject, and that makes it subject under the very Article 3/2 (a) you linked.

    the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union

    Since there is federation, a US-based instance would still be a data processor if it IP blocked be as coming from the EU.

    I did in fact read it.



  • Oh, that’s actually neat. But at the same time, that means every instance owner is responsible for the whole of the Fediverse.

    I can imagine that would mean non-compliant instances will get defederated at some point? Or ActivityPub will get some compliance features? It’s not like the EU is unaware of the Fediverse, they are the main monetary supporters behind Lemmy.




  • No it does not, the instances are free, no one is making money off user data or selling anything to the user. It does not apply period.

    As per official EU communication:

    The GDPR applies to:

    • a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
    • a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.

    Lemmy instances are entities that offer free services and are arguably monitoring the behaviour of individuals in the EU through federation. From the perspective of the GDPR, there is no difference between Facebook and a Lemmy instance regarding what they can or cannot do, or whether they get fined for something.

    You need to read up on the GDPR yourself.





  • You are responsible for data collected by your own instance. If a deletion request comes through, you are responsible for deleting it from your account, and forwarding the deletion request and responses to other instance you federate with. You are in the clear as long as you don’t keep data you legally can’t, and have sufficiently informed other instances of your obligations.