Bitcoin.

It may be illegal to operate a bitcoin miner in Europe. That’s entirely possible. I don’t think the courts would go so far as to outlaw crypto in Europe via that route. But who knows.

the technology is similar in the relevant aspects

No. You can just turn off federation. You can make contracts with the instances you federate with. With crypto, you have to send the whole blockchain around, or else you don’t have crypto.

As for Meta, the problem is that the data they’re sharing is not public.

No. Look up what companies and people are fined for.

Any information that a user willingly makes public can be processed in any way

No! NO!!!

You may not process any personal data without a legal basis. It does not matter if public or not.

Certain sensitive personal data may not be processed at all, even with a legal basis. Except in certain circumstances listed in Article 9.

Still, the archival nature of decentralized communities is one of the primary objectives of the technology. It’s arguably the defining feature of any decentralized thing that no one controls everything so things are meant to stay “forever”. Otherwise Bitcoin would be completely ilegal since there’s no way to delete information there.

Any number of people here will happily tell you where to shove your illegal technology. In truth, the GDPR is explicitly meant to limit what may be done with existing technology.

With crypto, one can make use of some existing exceptions and perhaps create compliant apps. I’m not familiar with those. Much that stuff is not compliant. There isn’t a lot of enforcement.

So that’s my bad. I pointed out the issue with the right to erasure to highlight the problem, In truth, the probable violation happens when the data is shared. With e-mail, the user sends their own data, just like while clicking links. The transfer of data for lemmy federation is under the control of the instances involved. It might still be okay, like serving the data over the web. But that requires the user to know what’s going on.

If you could hand-wave these problems away so easily, Meta would not be paying those huge fines. What do you actually think that’s about?

I was going to reply with point by point why it either doesn’t apply to Lemmy or it follows GDPR

It does apply to lemmy and lemmy is not compliant. That is simply a fact as far as the courts have ruled so far.

Which one could argue is public forum primary use

One can argue a lot. But if such hand-wavy arguments work, then why do you think anyone ever has to pay fines or damages?

For this argument to work, you have to argue that erasing the precise personal data in question would infringe on someone else’s right to freedom of expression and information.

The original “right to be forgotten” was about links to media reports. The media reports themselves did not have to be deleted because of freedom of information, but google had to delete the links to them to make them harder to find. This is a narrow exception. Under EU law, data protection and these freedoms are both fundamental rights. They must be balanced. The GDPR dictates how. These exceptions will only apply where these freedoms are infringed in a big way.

At least, you have to do like reddit and anonymize the comments and posts. It could be argued that you actually may not even do more. Removing comments that someone else has replied to arguably makes their personal data incomplete. Reddit’s approach meets a lot of outspoken criticism on lemmy.

The problem is that the data is duplicated all over the federated instances. So, someone on your instance deletes their data, Other instances also delete their copies. What do you do if someone in the US refuses to delete and maybe gives you that argument about freedom of expression? That’s right. You pay damages to your user because you screwed it up.

Deny a person that right, and you take a bit of their power away. By running my own single user instance, I make sure that I always own my own content, no one can take it away from me by suddenly shutting down their website (as has happened to e.g. elle.co for example).

Hold on. You can’t keep personal data longer than needed. Making data disappear from the web is one important demand by the GDPR.

Comments are problematic because they inherently relate to other persons beside yourself. It could be argued that you have to delete your own writings as well when you shut down your instance. Or it could be argued that other people’s post may be kept (possibly anonymized) because otherwise your personal data would be incomplete. The 2nd is obviously what reddit is doing. That seems to draw more criticism than praise from the lemmy community, to put it mildly.

The GDPR gives you rights over data, like copyright does. It inherently gives you a right to control what other people do on their own with their own physical property.

Of course, the same can be said of surgery but it’s still not allowed. Obviously the harm from letting anyone try it is much worse than strictly regulating it, but is running a social media site on the fediverse likewise so harmful? Is there no way at all to strike the balance?

You don’t need to ask me. The GDPR is a terrible mistake, but that’s not what people want to hear. People don’t know the law and just chose to believe a happy fantasy. I believe, there is no way - at present - that an ordinary person can maintain an internet presence while being compliant with GDPR and other regulations. Mind, you also need to comply with the Digital Services Act and other stuff. With some skill, you can probably do a webpage, even with ads, but nothing where you interact with visitors and must collect data.

Basically we need to get some organization like the EU branch of the Electronic Frontier Foundation (EFF) to research this and come up with a HOWTO guide that covers most of the average cases - along with pointers on when something is not covered by the guide (so at least you know going in that you’d need to pay for that extra legal firepower).

Yes. The DPOs issue guidances and send out newsletters. That would be a place to start. Unfortunately, the different DPOs don’t agree on everything. Maybe in a few years, this will all be at a point where ordinary people can be on the safe side by simply following a manual. The problem is that this will still require extra time and effort. Well, content moderation also requires a lot of time and effort. Maybe it won’t be so much extra effort that it becomes impossible for hobbyists, but - on the whole - the future of the European internet belongs to big players.

We could still have traditional federation - but just as you describe, the allow list for that is only for those instances where you know the folks (have contracts you said) and thus are assured that the transfer of content complies with the GDPR. For unknown instances, just do the link sharing. It could be implemented in a way that instances running older software would still see a post by the bot account with just the link inside. (Perhaps as an enhancement, folks could designate a trusted instance as the primary - e.g. my instance trusts lemmy.world as primary, so when it sends the links out, it sends out a lemmy.world link, to take the load off of my own instance from users clicking on links.)

Or am I missing anything here?

I was thinking the same. Ironically, that is a problem because if there is such an alternative, then it must be used. If you can reach your goal by processing less personal data, then you must do so.

You’d only be hosting the communities created on your own instance. Apart from that, you’d simply authenticate the identities of users. One question is what that would do to server load. I don’t know.

Unfortunately, confirming the identities also means transferring personal data. It would also mean that the remote instance is able to connect an IP-address to a username; potentially allowing the real life identity to be uncovered. Proxying the posts/comments may be the better solution, but when and how that should be done has no clear answer.

Clearly they had technically knowledgable advisors at the very least.

Yes. Those are commonly referred to as industry lobbyists.

“Involuntary data transfer”

I don’t know what exception that is. There are rules for data breaches. I’m not at all sure how much you have to do to block crawlers.

What’s not enough? lemmy.world’s privacy policy?

There’s way more to do than writing a privacy policy. And I don’t think the policy meets the requirements but getting that right certainly needs a specialist.

Hmm… what’s the difference?

On mastodon, you follow a person, which they can refuse. Only then the data is automatically sent to your instance. On lemmy, you subscribe to a community and everyone’s posts and comments are sent to yours. At least, that’s how I understand it.

seems to suggest a fundamental incompatibility between federation and the GDPR overall.

You could say that there is a fundamental incompatibility between the internet and the GDPR, but that’s by design. The internet is about sharing (ie processing) data. The GDPR says, you mustn’t (unless).

Take the “right to be forgotten”. Before the internet, people read their newspapers, threw them away, and forgot about it. The articles were still available in some dusty archive, but you finding them was laborious. With search engines, you could easily find any unflattering press coverage. So you get the right to make search engines remove these links and it’s like back in the good old days. The fact that the GDPR is incompatible with existing technology is a feature, not a bug.

Bear in mind, that few of the people who passed the GDPR have any technical background. Of the people who interpret it - judges and lawyers - fewer still have one. They are not aware of how challenging any of these requirements are.

The main problem for the fediverse is that compliance requires a lot of expert legal knowledge. There’s not just the GDPR but also the DSA and other regulations to follow.

Federation itself may also be problematic, since many more people get to be in control of the data than strictly necessary. The flow of data must be controlled and should be limited as much as possible. That would be much easier with a central authority in charge. But that’s not a deal-breaker.

That’s not true. Out of curiosity, where did you learn that?

(and keeping in mind the nature of federation meaning the only stuff my instance sends out is the stuff that I write)

The stuff you write is personal data as long as it can be connected to your identity and so protected under the GDPR. But that’s a problem for other people.

Your problem is the personal data of other people that come under your control. For starters, you need to answer this question: What legal basis do you have for processing that data?

For those of us who love federation and privacy and want to federate while complying with the GDPR - what must be done?

They need legal experts on the team. As GDPR-fans will tell you, data protection is a fundamental human right. We don’t let just anyone perform surgery, so don’t expect that just anyone should be able to run a social media site.

Complying with the GDPR is challenging at the best of times. When you handle personal data, some of it sensitive, at the scale of a fediverse instance, it becomes extremely hard.

Strictly speaking, it’s impossible. EG you need to provide information about what you do with the data in simple language. The information also needs to be complete. If the explanation is too long and people just click accept without reading, that’s not proper consent. You need to square that circle in a way that any judge will accept. That’s impossible for now. Maybe in a few years, when there’s more case law, there’ll be a solid consensus.

Complying as well as possible will require the input of legal experts, specialized in the law of social media sites. The GDPR is not the only relevant law. There’s also the DSA, quite possibly other stuff I am not aware of, and local laws.

Definite problems, I can see:

1. Under german law, an instance owner has to provide an address, that may be served legal papers.
2. It’s possible to embed images, but under the GDPR, there must not be connections to 3rd party servers without consent. In fact, all out-going links are a problem.
3. Federation itself. You can’t federate with instance, if you haven’t made sure that they comply with GDPR.

So it’s possible for fediverse instances to comply with the GDPR. What makes one think it wouldn’t be doable?

That’s not even remotely enough, even assuming that the information is sufficient.

Mastodon is in a much better place, on account of how federation works there. It might still not be enough. Lemmy instances would have to stop all federation with instances beyond the territorial reach of the GDPR or equivalent. Federation within that territory should only happen based on a contractual agreement between the owners, probably with every user given an explicit choice to opt out.

a purely personal or household activity

No chance. This is what makes it legal to share data within a family and, to a degree, among friends. Running an open social media platform is neither a personal nor a household activity.

The UK is not part of the EU. They kept the GDPR when they left, but it should not be assumed that the UK interpretation is always the same.

The GDPR is not very thoroughly enforced; much to the chagrin of some people. This may or may not change in the future. It would be politically quite unpopular, a bit like thoroughly enforcing no-parking zones.

It is a problem. If anyone complains or sues about GDPR compliance, they will get fined and/or have to pay damages.

There’s also other regulations, like the DSA. I’m fairly sure the GDPR isn’t the only legal problem.

That is entirely incorrect. It is general data protection regulation, not privacy regulation.

You are given certain rights over data relating to you. For example: you may have it deleted. Have you googled the name of a person? At the bottom, you will find a notice that “some results may have been removed”. Under the GDPR, you can make search engines delete links relating to you; for example, links to unflattering news stories (once you are out of the public eye).