- cross-posted to:
- privacy@lemmy.ml
- cross-posted to:
- privacy@lemmy.ml
You must log in or register to comment.
2025 is a banger year for open source and internet freedom.
I don’t really see how this ruling is helpful. The reasoning seems to confirm the view that the Fediverse is legally very problematic.
How? I just read the full text of that website, and I couldn’t find any language in there that would harm the fediverse.
Federation means that personal data is sent to anyone who spins up an instance. What legal basis is there for that? These guys and their lawyers weren’t able to figure one out.
What is legally defined as personal data in this case? Public usernames, public posts, or private messages to another instance, which states clearly that messages aren’t private and to use Matrix instead? Or is there something else?
For the purposes of this Regulation:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Anything connected to your username is personal data. Your votes, posts, comments, settings subscriptions, and so on, but only as long as they are or can be actually connected to that username. Arguably, the posts and comments that you reply to also become part of your personal data in that they are necessary context. Any data that can be connected to an email address, or an IP address, is also personal data. When you log IPs for spam protection, you’re collecting personal data.
It helps to understand the GDPR if you think about data protection rights as a kind of intellectual property. In EU law, the right to data protection is regarded as a fundamental right of its own, separate from the right to privacy. The US doesn’t have anything like it.
no, that’s wrong.
hi, i work in the EU, and the GDPR and related legislation is a big thing we regularly have to consider in our work.
“personal data” is NOT “anything connected to your username”.
“personal data” (more correctly, and usually, called PID; Personally Identifiable Data) is data that can be used to identify you, the natural person, not your online persona.
that means: your Social Security Number, your Passport Info, your Drivers License, your Date of Birth in combination with your Birth-Name/Real Name, your Home Address, your religious affiliation, your gender, your sex, your fingerprints, your DNA, etc.
anything that can be used to clearly identify you in real life.
so, for example, if a company requires your phone number and passport to register, they are not allowed to give that to any third party, without the users explicit consent. “Mr. Karl Marx, born 05. May, 1818 in Trier is our customer and here is his passport, phone number, home address, and all the associated data we have on him” <-- this is NOT ok under the GDPR.
on the other hand “OGcommunist1818 posted {seize the means of production today, comrades!}, at 10:30 am, CET, on server 127.0.0.1, which was sent to 10.0.0.1, 10.0.0.2, and 10.0.0.3, into their respective local storage” <-- this is perfectly fine under the GDPR, because none of that is clearly tied to the natural person: “Karl Marx, born 05. May in Trier”, even if it really was Karl that posted that, and even if we can guess from the username that it was probably Karl that posted that comment.
sending comments you make, your votes, your posts, etc., to another server is completely fine by the EUs data protection laws for 2 reasons:
- 1:
it’s not personally identifying data in the first placewhoops, that needs more clarification: IP addresses can be considered personal data, usernames too. but that’s about it. everything else lemmy (or Fediverse in general) related in the upstream comment is not considered personal data (upvotes, comments, etc.) - 2: you agreed to this information being sent {wherever} when you made your account, so you gave your consent to your data being used in this way.
Our data protection/privacy laws are mostly concerned with data being sent WITHOUT user consent (through sale to third parties, data dumps, data leaks, hacks, etc.), they do not protect you from sharing your personal info with strangers of your own volition.
so, no, the EU does not forbid the fediverse and there certainly are no laws to support that notion.
edit: clarification of something in list point (1). largely irrelevant to the overall discussion, because users always agree to the privacy statement of the instance that hosts their account, but still, technically needed clarification.
PSA: Everything in the above post is wrong.
I copied from and linked to the GDPR on the official database of EU law. There is nothing I could possibly say to someone who claims that that is wrong.
That the facts are downvoted and the “alternative” upvoted is either the result of manipulation or says something very horrible about this community.
- 1: