Asklemmy

43380 readers

1866 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

Open-ended question
Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
Not ad nauseam inducing: please make sure it is a question that would be new to most members
An actual topic of discussion

Looking for support?

Looking for a community?

Lemmyverse: community search
sub.rehab: maps old subreddits to fediverse options, marks official as such
!lemmy411@lemmy.ca: a community for finding communities

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago

MODERATORS

How can an instance comply with GDPR if they're federated? (lemmy.world)

submitted 1 year ago by firipu@lemmy.world to c/asklemmy@lemmy.ml

35 comments fedilink hide all child comments

So if I understand GDPR correctly: If I want a service/business to remove all my personal data, they have to comply with it in a certain timespan or get in trouble with the law.

If I understand federation correctly: All posts get replicated on federated instances all over the fediverse.

My question: If I e.g. want lemmy.world to remove my data, all my posts etc are still up on lemmy.ml right? As they just have a copy of these posts?

Would I as a customer have to contact every single instance to get my data removed? Or how does GDPR compliance work with lemmy?

Or am I completely misunderstanding how GDPR works?

you are viewing a single comment's thread
view the rest of the comments

[–] dan@lemm.ee 22 points 1 year ago (2 children)

It sorta depends on the relationship between federated servers. If your server acts as a data controller and the servers it federated with act as a data processor, then yes indeed your admin would have to contact all those servers to get that data removed.

But I don’t think that’s what the relationship really is. I think your server publishes that data effectively publicly. At that point other servers can take a copy if they want (ie each would be a controller). So you’d have to make a request to each server to get the data removed.

Think about it like this, if you allow some print publication to print your name for some reason, some other companies might keep a copy of that data. Eg an archival company, or perhaps something less nice like a sales company. The publication doesn’t have a responsibility to contact them all. Even if, say, they have some relationship, like federation, or for example archival company has a subscription to the newspaper.

So if you want that data deleting you’re going to have to contact every sever that has it.

[–] firipu@lemmy.world 8 points 1 year ago (1 children)

Yeah, that sounds like the most correct take. I don't think the EU will be happy with that if ActivityPub really blows up. e.g. if Threads joins the federation (and we don't defederate from their data leeching service), that would become really really complex :)

[–] dan@lemm.ee 6 points 1 year ago

Yeah that really could end up being problematic!

Actually not sure how that’s going to go.. presumably it’ll work the same way search engines do cos it’s kinda like holding a copy of public data like they do…