Lemmy (and the fediverse) and GDPR: a clusterfuck waiting to happen?

So, I’m kinda new to this Lemmy thingy and the fediverse. I like the fediverse from a technological standpoint. However, I think that, if we gain more and more traction, Lemmy (and by extend the entire fediverse) is a GDPR clusterfuck waiting to happen. With big and expensive repercussions…

Why? Well, according to GDPR, all personal data from EU users must remain in the EU. And personal data goes really far. Even an IP-address is personal data. An e-mail address is personal data. I don’t think there is jurisprudence regarding usernames, so that might be up for discussion.

Since the entire goal of the fediverse is “transporting” all data to all servers inside the ActivityPub/fediverse world, the data of a EU member will be transported all over the place. Resulting in a giant GDPR breach. And I have no idea who will be held responsible… The people hosting an instance? The developers of Lemmy? The developers of ActivityPub?

Large corporations are getting hefty fines for GDPR breaches. And since Lemmy is growing, Lemmy might be “in the spotlights” in the upcoming years.

I don’t like GDPR, and I’m all for the technological setup of the fediverse. However, I definitely can see a “competitor” (that is currently very large but loosing ground quickly) having a clear eye out to eliminate the competition…

What do y’all thing about this?

126 comments

"don't like GDPR"? What's not to like? Best thing that came out of EU regulation in a long time. And as others have noted you seem to be misinformed about what it actually says...
- I also can't wrap my head around “not liking” GDPR
  As a relevant example, seems like only citizens covered by GDPR will be able to request Reddit to remove all of their data from Reddit's servers since comment deleting tools and scripts are being bypassed, with loads of comments and even entire profiles getting restored by Reddit admins
- Can you explain where I'm misinformed? I can surely be misinformed about the workings of Lemmy. However, for GDPR you will not "win" it with a simple TOS or something like that.
  If even Google can't make their Workplace to follow rules in such a way that Workplace can be used according to the AVG rules in the Belgian (well, Flemish) schools, I'm pretty sure that just saying "it's in the TOS" is not enough...
  But again, no expert so I hope that I am wrong.

And personal data goes really far. Even an IP-address is personal data. An e-mail address is personal data.
Thankfully, Lemmy instances do not transport this kind of information about their users to other instances!
- Maybe not IP addresses, but every post and comment you make is your personal data.
  
  Public posts and comments are, well, public (and there's no expectation from users that their posts and comments would be private, considering the nature of what Lemmy is).
  The only way to not transport public posts and comments to the rest of the internet (including but not limited to other Lemmy instances) would be to completely disconnect an instance from the internet 😅

I'm not an expert in GDPR and will leave the technical side to those who are, but the fact that the EU actively present at the Fediverse with among others the @EUCommission represented at their official Mastodon instance, I would be surprised if the GDPR was suddenly weaponised against it.
GDPR was written with the intention of empowering users over corporations. The Fediverse has the same goal.
- IANAL, but he GDPR is quite reasonable and if Lemmy did the right thing (c) it would not be a problem I think. Transferring data to a jurisdiction, like for example the US, where people do not enjoy the same level of data protection comes with risks for any eu citizen. Therefore, it is important that any new user of Lemmy/ActivityPub is educated on what's actually going on here and the consequences of posting on Lemmy for their personal data. Article 49, 1a) of the GDPR provides an exemption for the rule this posting is about if
  the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards
  Why can't we have that? Add a step to the signup process that explains the basics of how a decentralised community works: even if you sign up to a German Lemmy instance, Lemmy is a global community, your data may be transferred to any place in the world and that means that you won't be able to enjoy the rights and protection you may expect on a German server. Click the "accept the risks" button to continue. Go to this link if you ever change your mind to stop federation of your content and attempt to remove it from any place it has already been federated to.
  Even cooler if we can somehow record the jurisdiction of instances and build mechanics that act on that information, e.g. during federation.
- Wholesomely and fully agree... Just hope that Lemmy doesn't get sued over it...
- Although I would be curious about how GDPR deletion would work. Do all instances have to delete it, or is it just the hosting instance?
  
  It's only the instance on which you create your account that has your personal data, that data is not sent around.
  Your comments are not included, it's you willingly writing them, not some corporation spreading around your data without your knowledge nor consent, this is what the GDPR is about, data held by corporations that users cannot control in any way, or even have no knowledge about.

IMO it's pretty much the same case as email. With email you send data to some remote server which may or may not reside in the EU.
I'm not really sure what argument you can make that fediverse apps but not email break gdpr.
Or even something as simple as putting your email on a public website that may be visited by someone in the US.
- You are correct. That's why email is a big topic in GDPR: https://gdpr.eu/email-encryption/

Neil Brown did quite a good write-up on the legal standing of the Fediverse late last year: https://decoded.legal/blog/2022/11/notes-on-operating-fediverse-services-mastodon-pleroma-etc-from-an-english-law-point-of-view
There's a section part way down about GDPR, but the answer is "it depends"
- Thanks! The info actually makes sense. Also, do note that every EU country has their own specific implementation of the GDPR law with very small differences. So this is written according to the UK implementation, but the BE implementation might be just a bit different.
  All complicated stuff...

all personal data from EU users must remain in the EU
Create your account on a EU server, problem solved.
Lemmy (fediverse in general) doesn't send account data away, and posts don't qualify as personal data, when you publish something to the internet, it's public by definition.
- I'm not sure this is true. Like imagine someone posts their address in a Lemmy post - I'm pretty sure that counts as PII and they have the right to request its deletion.
  
  Like imagine someone posts their address in a Lemmy post
  As you write it you can also delete it.
  It's still you willingly doing it, not the server spreading your data without your consent, this last case is where GDPR applies.
  But it's a very stupid thing to do, never post your personal data in comments.
  
  HackerNews doesn't do this though.
- GDPR Art 4.(1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  Posts in Lemmy do qualify as personal data because posts contain the ideas and opinions of an identifiable natural person (by their user handle). Therefore the Lemmy instances are handling personal data and must comply with the GDPR.
  
  Ideas and opinions are NOT identifiable information, unless you're so smart to as openly writing your personal data on a public forum (something noone should ever do, it's even bannable on reddit), your comments and posts do NOT contain and personally identifiable info, only your account does.

Since the entire goal of the fediverse is “transporting” all data to all servers inside the ActivityPub/fediverse world, the data of a EU member will be transported all over the place.
It doesn't work like that, think of your instance being a proxy to the fediverse
- Is it? I read somewhere that data effectively gets "copied" to the different instances? But that might be wrong info :p
  
  You're right. If someone from feddit.de subscribes to a lemmy.world community, the entire content of that community is going to be copied to the feddit.de server and that's the exact issue OP is referring to.
- But when a lemmy.world user subscribes to a feddit.de community, the entire community will be copied to the lemmy.world server, or am I wrong?
  
  You are indeed wrong. The email and IP addresses and passwords for example don't get copied. I'm not well versed enough about how it works to go into more detail.
  
  sure, but no personal data like email/ IP

What do y’all thing about this?
This is why I won't ever run any web service with public registration.
The people hosting an instance are responsible for the informed consent. So if you federate with anyone you need to make sure to inform your individual users about all of your peers, what data they process, and who's the contact for that peer.
This is of course impossible.
If anyone ever sues you, they probably effortlessly win the lawsuit.

Kbin.social and feddit.de are hosted in Germany. That's why I signed up there.

Since the entire goal of the fediverse is “transporting” all data to all servers inside the ActivityPub/fediverse world, the data of a EU member will be transported all over the place.
Not all data is transferred to other servers. That's the point where I think you are wrong.
You mention email and IP addresses as examples of personal data covered by GDPR, but that data is not transferred to other instances, only the instance where you registered holds that data. So you would only need to care about the instance where you registered to be GDPR-compliant.
- Ok, agree. There seems to be a bit of a discussion on if my posts are personal data, but if we say that those are public, then that is covered. Now there is just a simple question I have... What if I, as a EU citizen, knowingly subscribe to a non-EU, non-GDPR friendly instance and/or service. Is that ok? Should that instance then suddenly become GDPR friendly?
  
  I don't think I can answer that :-)
  I think the GDPR applies to any company providing services to an EU citizen, regardless of where it is. So I guess that means yes to your question? Does it mean you can force foreign companies into becoming compliant by using their services unless the actively block EU citizens from using their services?
  I guess that if you started using that service knowing that it was non-compliant, we could say you were implicitly giving up that right, but I don't think that is something you can do individually given that it's a right affecting all EU citizens.
  But, honestly, now I am talking about things very out of my area of expertise :-)

"Exchange with non-compliant platforms can be restricted based on a case-by-case analysis. ": I quote this from an article from European data protection supervisor website https://edps.europa.eu/data-protection/our-work/publications/techdispatch/2022-07-26-techdispatch-12022-federated-social-media-platforms_en. I think the platform will evolve to solve the existing issues such as The right to be forgotten.

FWIW Hacker News just says it doesn't apply to them as it doesn't count as a service for just a discussion board.
But I think the right of deletion is a bigger issue than where email addresses are stored.

126 comments