Anything else to consider when hosting a Lemmy instance in the EU?

I'd put a legal blob in the Legal section clearly outlining the nature of the fediverse and making it clear to the user that really deleting stuff from Lemmy is near impossible because every instance has a copy of it. That you'll happily comply and purge the user's data upon request but that it will still be cached on every other server.
I'd be interested to see what lawyers have to say about it. Technically the data sharing is absolutely required by the protocol so it might be okay with the GDPR, but it's also possible that as worded it can't possibly be GDPR compliant. It was designed with big companies like Google, Meta and big advertisers in mind, and didn't really account for decentralized services like the fediverse...
- The GDPR doesn't apply only to services hosted in the EU, but any services handling the data of an EU citizen.
  This is why some news outlets in the US just decided to block EU users all together, out of laziness.
  IANAL, but the GDPR doesn't cover pseudonymous data. Actually the GDPR encourages data processors (= services) to use pseudomization.
  Personally identifiable information are IPs, email addresses, street address, name, date of birth, ... Lemmy only collect IPs and email addresses. And these are not shared between instances.
  Whether the service is hosted in the EU or not, as long as it serves EU users, lemmy should provide a way to delete emails and ip information in a self serving way. (maybe by deleting the account) In the mean time, instances admins have to fulfil requests to delete emails/ips of EU citizens from the database.
  
  I'm gonna preface this: IANAL either.
  There are also different legal bases for different kinds of data processing. For example, I'm pretty sure ensuring your site's security counts as legitimate interest, and it's pretty common that IP addresses are stored and processed as such. You don't need to remove someone's IP from your access logs just because they asked for it, because your interest in keeping your site secure for both yourself and everyone else outweighs their interest in the privacy of their data. Legitimate interest is the fuzziest of the six legal bases and it doesn't help that advertisers have started attempting to qualify their BS as "legitimate interest" especially in consent forms (if they need your consent it's not legitimate interest, it's user consent, and they really should stop lying) but it still exists to keep things viable.
  As a rule of thumb, if you're storing data to provide a service you need to export or delete that data upon request, and if you're doing anything over what's strictly necessary for providing your service you need to ask the user about it. And you're right, this applies to anyone whose instance is used by EU citizens.
  Also, pseudonymous data still counts as personal data as long as the pseudonym can be linked back to personally identifiable information. You need to sever this link to comply with a deletion request.
  
  It's not only IPs and emails though. Since users can put whatever they want in comments and posts, all of those must be treated as potential PII, and have to be included in subject access requests and deletion requests.
- I am not a lawyer and definitely not anyone’s lawyer providing legal advices, but I’ve done a little bit of work around implementing GDPR compliance at my jobby job. My understanding is that you must inform users when you’re sending their data out to third party processors, and they, too, must be GDPR complaint.
  So if your instance is sending information that is covered under GDPR out to other instances, you much call out those instances as data processors, and ensure they’re complaint before you add them. When you add one, I think you’re also supposed to inform users that you’re adding a new data processor via some form of notice addressed to them. Furthermore, at time of deletion, you’d also need to inform your data processors of the request, such that their compliance workflow can be followed.
  In my mind, strictly speaking, what Lemmy is doing could work if the “cluster” of GDPR compliant instances doesn’t federate out to the broader non-GDPR compliant instances. So, lots of manual maintaining the allowed federation instances, each time you add a new instance, you’d then need to inform your users… once you receive a deletion request, you’d need to use the ban with purge option to purge everything on your instance, and pass that on to all federated instances. The key distinction here is ensuring your federated instances honours your purge request, which is hard to verify.
  The end result is that you’d essentially be creating your own bubble of the fediverse isolated from the rest of the fediverse… which is not an ideal outcome but that’s what happens when you let regulators decide what to do on things they don’t understand…
  
  Most of your points seem to be spot on from what I understand as well. However, I believe that the GDPR requirements can and should be baked into Lemmy itself. This would prevent the fragmentation you mentioned. A guarantee of removing user data as requested while federated plus a guarantee to remove stale user data while defederated since requests won't get through in that case. That would "just" leave the list of processors. This one can be very tricky because you are not just sharing data with your home instance and their federated instances but also with the federated instances of those federated instances. The home instance has no way of learning about the 2nd degree federation. I have no idea how to get the network of data sharing GDPR compliant and I think this is the mich more complicated part that your proposal also suffers from.
- Actually I wonder if the end result would end up essentially being, you can only federate with other GDPR compliant instances that you trust will respect the GDPR and honor federated data delete requests.
  The core of the issue is that just by the virtue of running, an instance collects a stupid amount of data. I was baffled at how many user accounts my instance had discovered mere hours after starting it up.
  Edit: row counts after just a week of running my private instance with only 3 users:
  The profiling potential is scary, so users should be really careful with basically every interaction on the Fediverse, including votes. I bet the feds are having a field day monitoring what's going on on exploding-heads and lemmygrad.
  
  IANAL but no, as instances do not share "personal data". There is a misconception that GDPR deletion requests apply to all data created by a user, but to my understanding it only applies to "personal data" as defined here: https://commission.europa.eu/law/law-topic/data-protection/reform/what-personal-data_en
  
  I believe this is probably what will happen if this ever becomes a big issue. GDPR was never intended to be navigable for anything except giant proprietary blob tech companies.
  
  I believe this is probably what will happen if this ever becomes a big issue. GDPR was never intended to be navigable for anything except giant proprietary blob tech companies.
- The protocol would seem unlikely to satisfy the concept of "necessary". It's entirely possible for the protocol to be impossible to implement whilst not complying with GDPR. Might require the development of something more sharded - data pulling in real time, etc.
- That definitely seems like it might be along the right lines - Though GDPR (rightly so) was designed to leave the power in the hands of the user/customer, you're right, it doesn't account for things like the fediverse. I wonder if something else put in the legal section would actually cover it
- I believe this is probably what will happen if this ever becomes a big issue. GDPR was never intended to be navigable for anything except giant proprietary blob tech companies.
  
  As I said in another comment, the GDPR protects people. And the GDPR only applies to personnaly identifiable data (IPs, email addresses, street address, legal name, date of birh...) Lemmy only collect emails and IPs, and do not share them between instances. So it's very easy to comply to the GDPR as long as you don't do anything shady.
  The EU has a marketing issue. They tried to pass legislation to prevent companies to collect data. But instead, company displayed a popup, kept collecting data, and blamed it on the EU. Everytime I see a popup, I blame ruthless data collection.
  Actually, Lemmy is most likely violatiing the California Consumer Privacy Act, which, as opposed to the GPDR, gives the right to update/delete any data generated by the user, not only personally identifiable information.

I plan to implement a systemd timer that truly drops data from the database that was marked as "deleted" after around 30 days. I also have a note up that says to contact me if a copy of stored data has to be requested, etc.
- This is already implemented in lemmy 0.18.1 for comments and posts!
  
  Ah, great. Thanks for the info.
- Good idea!

First of all, I'm not a lawyer or a legal consultant, just a instance admin that wants to make sure that his instance complies.
Lemmy does not store any PII (birthdates, legal names, addresses,securitynumbers). But users are able to share whatever they want. And that can be a problem.
Check out my instances legal page: https://Laguna.chat/legal
In the future I want to make sure that my instances content can only be shared by GDPR respecting instances.

Everybody is talking about the GPDR, but the GPDR when hosting in the EU, should be the least if your concerns. As I said elsewhere:
Lemmy is not doing tracking/personalized-ads.
Lemmy is only collecting IPs and email addresses as personally identifiable information. It's not sharing them. So it makes GDPR compliance easy.
The real issue is Directive on Copyright in the Digital Single Market which is a nightmare if you want to host lemmy legally. Realistically, the government don't care about a few copyright infrigement by some guy/gal hosting a lemmy instance in their garage.
But, if you want to follow the law to the letter, the EU doesn't have any fair use. So theorically, you need to allow users to only post creative commons images, with attribution. Or do some copyright checks on the content posted on your instance. Here is an EU video on how to comply with the directive, it's a nightmare.
- Intersting you bring that up copyright. I was looking at Peertube just earlier today and I was wondering how on earth some of the larger instances are dealing with copyright. There is no way they can watch every second of content that gets uploaded
  I think you're right though. Unless you get lucky/unlucky, its highly unlikely your instance is ever going to be used by many people, and therefore for most it'll probably be a grey area.
  If it did however, you need to not only "administer" that instance, both from a front and backend point of view, but there are also things like copyright to deal with.

IANAL, but if you use an external service to process personal data such as sending registration emails, this needs to be clearly mentioned on the legal page.

Perhaps look at the privacy policy of the EU Voice Mastodon: here As lemmy, kbin and mastodon are using ActivityPub it is relevant.
- Very interesting, they actually seem to have thought this aspect through. Fully supportive of the fediverse and wouldn't ever want to ever scaremonger or push people to not want to hosting their own instance, but with the explosion of Lemmy instances - At a certain point I am guessing someone will want to look into this in more detail.
  Whether its a change in regulation or helping people be responsible with data - Holding PID of some kind (in this case emails) does need to be done responsibly

Lemmy is storing users data
The only "personal data" that you are storing would be their email, perhaps IP addresses. As long as you are not altering your instance, placing third-party analytics or ads, you are good.
- The main issue would be thay users can post personally identifiable information themselves.
  For example, I can say that my social security number is 1234 and that would be personal data if it was true.
  I'm not a lawyer, but i think i remember something that the gpdr rights cannot be just waived.
  Since the user can just delete their own posts, it shouldn't be a problem, but what do I know.

For legal issues that are not EU-specific you may also want to take inspiration from this instance.

I am assuming this would be non commercial. I think in that case you probably would be exempted from GDPR: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Exemptions
- No, public websites are explicitly not covered by this exemption even if no profit motive is involved.
- Yes I think you’re right, but also IANAL. From what I learned in a mandatory class at work, I think the GDPR only covers commercial activity. GDPR is supposed to protect citizens when engaging in commerce:
  an entity or more precisely an "enterprise" has to be engaged in "economic activity" to be covered by the GDPR.
  Lemmy doesn’t charge a subscription fee or sell ads (yet), so it’s acting as a kind of personal messaging system for communicating between people. The GDPR explicitly says it doesn’t regulate personal messaging systems like email. I think Lemmy would fall under that exemption clause.
- Interesting - The Wiki article seems to make it out to be less about commercial that the actual links to the articles provided. I'll keep reading, thank you

If you're self hosting (i.e. running it for yourself, your family members and maybe some friends), your use would fall under GDPR's household exemption
does not apply to ... the processing of personal data by an individual in the course of a purely personal or household activity
Thats Article (2)(2)a.
Of course, if you're taking money or making it available to the general public it's a different matter.

I think if you just let people delete their data whenever and clearly state how that data is used/ stored everything will be fine.