So, I’m kinda new to this Lemmy thingy and the fediverse. I like the fediverse from a technological standpoint. However, I think that, if we gain more and more traction, Lemmy (and by extend the entire fediverse) is a GDPR clusterfuck waiting to happen. With big and expensive repercussions…
Why? Well, according to GDPR, all personal data from EU users must remain in the EU. And personal data goes really far. Even an IP-address is personal data. An e-mail address is personal data. I don’t think there is jurisprudence regarding usernames, so that might be up for discussion.
Since the entire goal of the fediverse is “transporting” all data to all servers inside the ActivityPub/fediverse world, the data of a EU member will be transported all over the place. Resulting in a giant GDPR breach. And I have no idea who will be held responsible… The people hosting an instance? The developers of Lemmy? The developers of ActivityPub?
Large corporations are getting hefty fines for GDPR breaches. And since Lemmy is growing, Lemmy might be “in the spotlights” in the upcoming years.
I don’t like GDPR, and I’m all for the technological setup of the fediverse. However, I definitely can see a “competitor” (that is currently very large but loosing ground quickly) having a clear eye out to eliminate the competition…
What do y’all thing about this?
Ok, so I did some checking regarding the location and stuff, since I’m clearly not informed enough about this. However, my point still stands (I think).
Copy pasted from Twilio. I guess they are better aware than I am about the rules…
The general principle for transfers is outlined in Article 44, which can be summed up as saying, if you transfer EU personal data out of the EU, make sure that this data still enjoys the same level of protection it gets under GDPR. In other words, the entity or company that you pass the data to outside the EU must be under a legally binding obligation to follow GDPR data protection principles or the equivalent. (Unlike an outright prohibition on extraterritorial data transfers, this actually makes sense. No point if having rules if those rules get tossed out the window just by moving the data out of the EU.)
and also:
This legally binding obligation can be achieved in multiple ways. Here is a sampling: 1. The entity to whom you pass the data to happens to be in a country that has data protection laws that are just as strong as GDPR (as determined by the EU Commission). 2. The entity to whom you pass the data to agrees by legally binding contract to follow GDPR principles of data protection. 3. The company has enacted Binding Corporate Rules. 4. There is some regulatory-approved code of conduct to which the entity subscribes.
So, if someone opens up an instance in, let’s say, Ethiopia or the US, it is not compliant, afaik.
However, question remains about the proxy thingy of the fediverse. Is data copied/stored on other instances OR does it remain on the instance that I subscribed to. And what if that instance is located in a “non-GDPR-compliant-environment”?