As the Fediverse grows more and more, rules and regulations become more important. For example, is Lemmy GDPR compliant? If not, are admins aware of the possible consequence? What does this mean for the growth of Lemmy?

Edit: The question “is Lemmy GDPR compliant” should mean, does the software stack provide admins with means to be GDPR compliant.

Edit2: Similar discussion with many interesting opinions on lemmy.ml by /u/infamousbelgian@waste-of.space–> https://lemmy.ml/post/1409164

  • FiveMacs@lemmy.ca
    link
    fedilink
    arrow-up
    7
    ·
    1 year ago

    Does Lemmy even need to be gdpr compliment? It’s not a company, it’s private individuals.

      • heartlessevil@lemmy.one
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        1 year ago

        This isn’t true since your single user instance is federated. For example, this comment is going to end up on your instance, and it could have my personal data.

        edit: here’s a meta-link to this comment on your instance: https://lemmy.cwagner.me/comment/2786 – despite it originating from lemmy.one and the post being lemmy.ml from a user on lemmy.world (interestingly every person involved in this interaction is on a different instance)

          • You can disable most endpoints in your application firewall, or put them behind a whitelist. For federation to succeed you don’t need all that many publicly reachable endpoints (mostly a bunch of inboxes and the data for your own user account).

            I don’t think the privacy policy is sufficient. My post will end up on your server but also on the server this community is hosted on, from which it’ll end up on hundreds or thousands of other servers. I’ve never agreed to any of their privacy policies and terms of service and neither has anyone else here.

            The concept of the Fediverse doesn’t work well with traditional corporate interpretations of privacy law. Going strictly by the way it’s interpreted for traditional social media, you’re on the hook for any personal data your private instance stores and makes available. This approach effectively kills the concept of the Fediverse, so I sort of fear the inevitable DPA investigation and/or lawsuits.

              • Skull giver@popplesburger.hilciferous.nl
                link
                fedilink
                arrow-up
                3
                ·
                edit-2
                1 year ago

                I don’t have a guide for you, sorry. I’ve looked into it briefly but I can’t say I care enough to fix it.

                I’m pretty sure you’ll be able to go federation only by blocking everything that’s not an application/ld+jsoncontent type (technically application/ld+json; profile="https://www.w3.org/ns/activitystreams" but some servers don’t send the correct Accept headers). The Lemmy frontend submits plain JSON and POST requests and it doesn’t implement the client-server ActivityPub API, so that should be the easiest way to keep federation working while whitelisting your personal IP addresses.

    • Poseidon@lemmy.world
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      For now anyways, I can see that changing in the future. Company centric instances with communities for each of their product lines.

    • The GDPR also applies to invidivuals. It’s not very common, but if you start your own private data collection for shit and giggles you’ll have to take the necessary steps to comply with the GDPR. Of course you won’t need a data privacy officer or anything like that as an individual, but you do need to take certain precautions.

      Now, with the way social media works, I’m pretty sure you can get away with claiming all data collected is necessary to make the system work in the first place, and Lemmy doesn’t even collect all that much data.

      Most instances also accept donations and other financial incentives as well. That makes the entire system more complicated. With lemmy.world and other servers being run by Europeans, I’d say a significant part of Lemmy definitely does need to comply with the GDPR.

      • Dislodge3233@feddit.de
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        It doesn’t apply to purely personal use. See Article 2 section 2 ©. For shits and giggles would fall under that.

        • I don’t think a networked service repeating collected data to the internet would fall under “purely personal or household activity”.

          The exception would make perfect sense for a personal address book or something like that, but if you manage to collect enough data to make leaks a problem for other people I don’t think you’ll get away with “just a personal project”.

          • Dislodge3233@feddit.de
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            I agree. I was replying to your comment that GDPR applies to private data collection for shits and giggles, which isn’t correct. For Lemmy, I’m certain it applies. GDPR applies to small churches even