I checked Mastodon briefly. It appears they are currently not in compliance. There are open issues on GitHub, but nothing looks close.
I checked Mastodon briefly. It appears they are currently not in compliance. There are open issues on GitHub, but nothing looks close.
Wouldn’t it be easier to fix the delete federation bug so Lemmy could comply with GDPR ?
The law specifically names “online identifier”.
The data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons. In practice, these also include all data which are or can be assigned to a person in any kind of way. For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data.
Just say, we don’t provide or target EU individuals and you’re free.
Don’t allow users from the EU to sign up? Is that your plan?
See https://gdpr-info.eu/issues/right-to-be-forgotten/
Once the “controller has made the personal data public”, they have legal obligations. Gmail doesn’t make my data public, generally.
See https://gdpr-info.eu/issues/right-to-be-forgotten/
Once the “controller has made the personal data public”, they have legal obligations. When you send an email, you are not making it public.
See https://gdpr-info.eu/issues/right-to-be-forgotten/
Once the “controller has made the personal data public”, they have legal obligations.
Unfortunately, as one of those 3.8k daily users, I’m still using Reddit mostly. Lemmy has a long way to go before I drop Reddit all the way.
The GPDR doesn’t require Lemmy to remove personal data from the entire internet. But when a Lemmy instance gives data to other Lemmy instance, there are legal responsibilities.
https://gdpr-info.eu/art-17-gdpr/ Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
==========
Maybe this is open to interpretation, but I feel that the same Federation protocol that federates out my personal data (my posts and comments), should also federate out my delete requests. I’m unsure why this would be controversial.