I dont really use it much tbf just thought it was a cool project but I’ve just read about how lemmy instances can be fined for not complying with GDPR Read more
Nobody has actually fined any instance yet, and they are not going after your little instance if they start doing it.
It would be Lemmy.world first as a target because of their size and the entire lemmy network would not stop talking about it for weeks.
Sometimes establishing a precedent with a weaker party is a good strategy though. It even went as far as litigating known parties for piracy issues. Anything is fair game to some actors.
Thought for GDPR most actors are legit and the actions have merits. Shoutout to Mr Schrems for example.
AFAIK European law isn’t often based on common law, but Napoleonic Code / civil law. Ie. precedent is less relevant.
Also, given Meta’s been fined 2.5 billion euros in the past few years, it sounds like they’re going after the big guys first.
It’s absolutely not based on common law indeed but you can be sure that precedents are still a big thing especially for such regulations… we are watching like awks what’s happening everywhere because we know there will be a lot of consistency both on decisions but also on the topics being pursued.
I mean, if nobody uses the instance, you absolutely can delete it. Oh and the Lemmy devs should fix the deletion issues asap. It’s really not ok for quite a big social media to have them
Is this a private instance with no other user accounts? If so I would not worry.
Technically he must still comply especially with data subject rights / request for deletion.
Now I wonder how that would work in practice, considering the underlying technology which is akin to what I manage (telco / isp) and where a lot of principles are still vague to implement.
Like when we get request to delete personal data sometimes some has been transmitted by nature of the service and a lot of actors have legitimate interest in processing / keeping the data for a while.
But generally it’s not about the content of a transmission but more the attached metadata used for billing and such.
Anyway it’s very interesting to watch, preferably from a distance.
Unless he gets a direct request he’s not bound by the requests other instances get. Which actually brings up something interesting. Because of the way the data is shared, someone wanting to delete data would have to contact all instances one by one which is function impossible.
Yeaahhhh I don’t know about that… likely all instances are processors. And the on he subscribe to would be controller. Somewhat because to my knowledge no one really decides of particular treatment of the user data (it’s all rather communist architecturally). So maybe every instance would be join controller…
And in the end up to the (join) controller to cascade the request. That’s part of why it’s a thing of beauty to watch it happen on the feddiverse 😅
It’s definitely not impossible to contact all instances; it’s a finite list. But we should have a tool to make this easier. Something that can take a given username or post, do a search, find out all the instances that it federated-to, get the contact for all of those instances, and then send-out a formal “GDPR Erasure Request” to all of the relevant admins.
And for any of those “processors” outside of the EU? Good luck. I could stand up a processor anywhere outside the EU, get all of the feed data and 1) good luck finding it, me, or where it’s at. And 2) removing it. There’s no centralized authority to fine.
As long as they process data of European citizens it’s applicable. See all gdpr fines imposed…. Now the execution / collection would be a bitch but I could imagine à order to stop processing the data imposed to European instances…
I mean pretty crazy things can happen. See the various adequacy decisions / appeals by Mr Schrems; I cannot give guidance with a life expectancy of more than 1 year given the instability of the application of the regulation.
Not that I’m complaining ; it feeds me :)
“Now the execution / collection would be a bitch”. That’s my point. It’s basically unenforceable as they would have to go after every federated instance on the internet, including knowing every single person that spun up their own instance, so basically this law would be pointless. It’s better leveraged against companies, not small individual entities, so good luck utilizing it.
Im the only one that uses this instance but its federated
While the post you link to is new to me, thank you for sharing, the underlying issues associated with running your own instance are what has stopped me from running my own at this stage.
If the only person on your own instance is you, then none of this really matters, since you are the master of your own destiny. As I understand it, the GDPR doesn’t apply.
The moment you let anyone else create an account however, there’s a liability. You become exposed to whatever they say in their account on your instance and other laws start applying.
What I mean by that is as I understand it, any illegal or undesirable activity conducted by an account holder on something you control becomes a legal minefield for you. And you’ll be stuck in the middle between the account holder and the world. Things like the GDPR may apply, but that likely depends on their location.
So, if your instance is just you, no need to delete it. If it’s more, then I’d be thinking long and hard about who else is there with you.
Finally, consider the implications of taking money from account holders to finance your instance, now there’s a financial contract between you and them.
That would be true if their instance wasn’t federating. If the instance is federating, then it’s downloading content from other users, even if the user isn’t registered on the instance. And that content is publicly available.
So if someone discovers their content on their instance and sends them a GDPR request (eg Erasure), then they are legally required to process it.
I do not believe that is true, but I’m happy to be wrong.
I’d say, if you’re concerned, better safe than sorry. Nobody can take the legal responsibility here.
IMO the fines are made to sound scary, and are relevant for large corpos, but the ICO or whatever body for your country, has no interest in prosecuting an individual. What is a ‘percentage of revenue’ on something that makes no revenue anyway.
Even if they did take interest it would start with an opportunity to correct things before prosecution.
The fines usually are a percent of revenue or millions of Euros, whichever is higher.
So if your revenue is 0 EUR then they can fine you the millions of Euros instead. The point of the “percent of revenue” alternative was for larger corporations that can get fined tens or hundreds of millions of Euros (or, as it happened to Meta, in some cases – billions of Euros for a single GDPR violation).
Personally I wouldn’t run a lemmy instance because of this (and also many other concerns)
I recommend [a] letting the lemmy devs know (eg on GitHub) that this issue is preventing you from running a lemmy instance and [b] donating to alternative projects that actually care about data privacy rights.
Can’t you simply wait for a complaint to actually make that call?
From a privacy perspective, owning a federated server doesn’t really do much for your data except for providing a “home base” that’s a little more under your control.
A little.
AFAIK if you get banned from a community, you lose the ability to delete your content on it. If your post on a community gets removed, it also seems to vanish (so I’m not sure how deleting it works)…
Edit: apparently this answer is wrong, now if people could reply with reasons, that would be more helpful.
if you get a letter because you violate the gdpr thing you have to pay. there is no ‘it looks like you do something wrong. stop it or you will be fined’
then again the fine is based on yearly profit, if op is not a company the gdpr should not be a big problem. (but still could be)
The fines usually are a percent of revenue or millions of Euros, whichever is higher.
So if your revenue is 0 EUR then they can fine you the millions of Euros instead. The point of the “percent of revenue” alternative was for larger corporations that can get fined tens or hundreds of millions of Euros (or, as it happened to Meta, in some cases – billions of Euros for a single GDPR violation).
Why are people below not prefacing their comments with IANAL (I am not a lawyer). This should be a bare minimum for all legal advice.
Nah, any advice you ever get on the internet should never be construed as legal (or medical, or <insert profession here>) advice. The whole “IANAL” and “IANYL” shit is stupid. You hired a lawyer and enter into contract with them to get proper advice. They don’t have to disclose their job/position to talk on the internet. Nor do I or any other person just to have a discussion.
I can only imagine the argument in court “He gave me advice on the internet and didn’t disclose if they were or weren’t a lawyer!”. I’m pretty sure every judge on the planet would just look at them the same way they look at Sovereign Citizens.
Because you don’t seek for a legal advice on Lemmy in the first place.
You should probably just always assume that unless you are literally paying a lawyer you’ve contacted. Tbh, it’d be better for a lawyer to delineate that they are one specifically in their comment due to the fact that statistically most people are in fact not lawyers.
I assume you are a lawyer and this is legal advice?
