So, I’m kinda new to this Lemmy thingy and the fediverse. I like the fediverse from a technological standpoint. However, I think that, if we gain more and more traction, Lemmy (and by extend the entire fediverse) is a GDPR clusterfuck waiting to happen. With big and expensive repercussions…

Why? Well, according to GDPR, all personal data from EU users must remain in the EU. And personal data goes really far. Even an IP-address is personal data. An e-mail address is personal data. I don’t think there is jurisprudence regarding usernames, so that might be up for discussion.

Since the entire goal of the fediverse is “transporting” all data to all servers inside the ActivityPub/fediverse world, the data of a EU member will be transported all over the place. Resulting in a giant GDPR breach. And I have no idea who will be held responsible… The people hosting an instance? The developers of Lemmy? The developers of ActivityPub?

Large corporations are getting hefty fines for GDPR breaches. And since Lemmy is growing, Lemmy might be “in the spotlights” in the upcoming years.

I don’t like GDPR, and I’m all for the technological setup of the fediverse. However, I definitely can see a “competitor” (that is currently very large but loosing ground quickly) having a clear eye out to eliminate the competition…

What do y’all thing about this?

  • Ulu-Mulu-no-die
    link
    fedilink
    English
    02 years ago

    all personal data from EU users must remain in the EU

    Create your account on a EU server, problem solved.

    Lemmy (fediverse in general) doesn’t send account data away, and posts don’t qualify as personal data, when you publish something to the internet, it’s public by definition.

  • @wintermute@feddit.de
    link
    fedilink
    English
    02 years ago

    Since the entire goal of the fediverse is “transporting” all data to all servers inside the ActivityPub/fediverse world, the data of a EU member will be transported all over the place.

    It doesn’t work like that, think of your instance being a proxy to the fediverse

    • infamousbelgianOP
      link
      fedilink
      English
      02 years ago

      Is it? I read somewhere that data effectively gets “copied” to the different instances? But that might be wrong info :p

      • @hardypart@feddit.de
        link
        fedilink
        English
        22 years ago

        You’re right. If someone from feddit.de subscribes to a lemmy.world community, the entire content of that community is going to be copied to the feddit.de server and that’s the exact issue OP is referring to.

        • @mkulimaA
          link
          English
          12 years ago

          Then it should be the responsibility of the EU people to avoid joining the fediverse. I do not see a practical way to align with GDPR. The effort is non-trivial and the rewards are extremely minimal.

          From your perspective, what should be the way out?

          • @hardypart@feddit.de
            link
            fedilink
            English
            22 years ago

            Then it should be the responsibility of the EU people to avoid joining the fediverse.

            The instances are providing their services in the EU, so it’s legally up to them to comply with the GDPR.

            From your perspective, what should be the way out?

            Honestly, no idea. I’m not even sure if Lemmy in its current shape violates the GDPR in the first place, but if I were the admin of a large feddit instance in the EU I would make sure to get advise from a GDPR consultant.

    • @hardypart@feddit.de
      link
      fedilink
      English
      02 years ago

      But when a lemmy.world user subscribes to a feddit.de community, the entire community will be copied to the lemmy.world server, or am I wrong?

        • @hardypart@feddit.de
          link
          fedilink
          English
          0
          edit-2
          2 years ago

          I think you, being an admin of a huge Lemmy instance, would be well advised to educate yourself on the difference between “public” and “personal” when it comes to GDPR compliance. All the data I create here is my personal data, no matter if it’s my IP, my mail address, posts, comments or votes and the GDPR says that it’s my right to decide what happens with my data and if it should stay public. The fact that I post something publicly doesn’t make my data non-personal.

          • @wintermute@feddit.de
            link
            fedilink
            English
            12 years ago

            I think you, being an admin of a huge Lemmy instance, would be well advised to educate yourself on the difference between “public” and “personal” when it comes to GDPR compliance.

            I’m quite well advised, maybe I`m using wrong terms as EN is not my native language.