this post was submitted on 06 Jul 2023
38 points (100.0% liked)

Asklemmy

43783 readers
849 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy ๐Ÿ”

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago
MODERATORS
Cloak@lemmy.ml
mekhos@lemmy.ml
tmpod@lemmy.pt
14specks@lemmy.ml
38
How can an instance comply with GDPR if they're federated? (lemmy.world)
submitted 1 year ago by firipu@lemmy.world to c/asklemmy@lemmy.ml
36 comments fedilink hide all child comments
 

So if I understand GDPR correctly: If I want a service/business to remove all my personal data, they have to comply with it in a certain timespan or get in trouble with the law.

If I understand federation correctly: All posts get replicated on federated instances all over the fediverse.

My question: If I e.g. want lemmy.world to remove my data, all my posts etc are still up on lemmy.ml right? As they just have a copy of these posts?

Would I as a customer have to contact every single instance to get my data removed? Or how does GDPR compliance work with lemmy?

Or am I completely misunderstanding how GDPR works?

you are viewing a single comment's thread
view the rest of the comments
[โ€“] CarbonIceDragon@pawb.social 1 points 1 year ago (1 children)

That feels potentially incomplete, because there's still the question of how to deal with an instance that refuses to honor federated removal requests, or which claims to but lies and secretly keeps a backup. If for example the legal/regulatory system was to decide that the original instance was responsible for ensuring user data is deleted even from federated servers, then the potential existence of such non-deleting servers would be a huge problem for the network as a whole.

[โ€“] kromem@lemmy.world 3 points 1 year ago

As soon as the content moves to another server, it's their liability to comply.

If you scrape a website, them removing a user's PII in response to a GDPR request is not contingent on you also deleting what you scraped.

Federation of removal requests would simply ease the flow of compliance for both hosts and users.

If certain hosts decide to ignore the requests and the GDPR, that's up to them.