96
Nightmare on Lemmy Street (A Fediverse GDPR Horror Story) - Michael Altfield's Tech Blog
(tech.michaelaltfield.net)
A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).
If you wanted to get help with moderating your own community then head over to !moderators@lemmy.world!
Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration), Search Lemmy
Bit of a red herring to put GDPR in the title when the article is about Lemmy missing key admin functions, and only tangentially how this runs afoul of GDPR.
TL;DR Lemmy hasn’t implemented image deletion for users or admins, so don’t upload your government ID.
I haven't read the GDPR, yet, but it's still a serious issue – GDPR or not. Imagine if Instagram did that. Everybody would seriously go bonkers and rightfully so.
System administrators often aren't software developers. Lemmy users need to trust Lemmy admins and Lemmy admins need to trust Lemmy developers. Maybe not letting users delete any uploaded media isn't outright illegal, maybe it is. I'm in the camp of it being definitively not cool.
Inflicting lawyers on an open source project is a great way to drive off the developers.
If I hear Lemmy has a GDPR problem I assume it’s lawyer BS only European instance admins have to worry about.
If I hear Lemmy has bugs in basic CRUD functionality, that’s a real issue.
Yet GDPR requires if you operate anywhere but allow European citizens to register, you have to be GDPR compliant as well, or risk being blocked by an entire continent.
You can get fined by the entire continent. And you would need to pay up in that case, if living in the US for instance. The laws aren't toothless, otherwise everyone would be abusing them, instead go to any US news site in Europe, and they'll tell you they can't serve content to you for legal reasons.
Oh for sure they will try to fine, but being another sovereignty they have no authority to force a payment.
Yeaaaah no. Look it up, you still have to pay up. It's insanely good for EU citizens. Look at the top fines - Meta, Google, Amazon, Instagram, Facebook, with fines being tens of milions of dollars. The US works with the EU and you still get fined.
Ofcourse they do, because they want to keep their business working in Europe. Which doesn't apply to a decentralized system like the fediverse. But they do not have to pay the fine if they shut down all operations within Europe, which no company wants to do.
Most servers are in Europe. Also, yeah, that's my point - if you shut down access for Europeans, your worries fade away. The thing is - people want to have the cake and eat it too - not comply with GDPR and still allow people in Europe to be able to reach all instances.
Right now, Lemmy is too small to be noticed by anyone. But all it takes is some a-hole reporting GDPR noncompliance, and the entire project will get hit, and it will get hit hard.
"your point" was that the EU can force a fine on any foreign company operating outside the EU for not following local laws, which is ridiculous. But I agree with the rest.
It's not ridiculous if you actually read up what GDPR is. They can place a fine on any foreign company. It probably won't be enforced in China, Russia, Iran, etc. But GDPR isn't a "local law". Most countries comply with it, hence cookie notices and all that jazz
You might be missing the point. Again, the EU will send them a bill and a firm letter, but they don't have any authority to actually demand payment. That fact has nothing to do with GDPR but with the fact that it's an entirely different sovereignty.
The EU could sue them, they could impose sanctions on other companies for dealing with said company. They have an enormous amount of power to make sure said company can never deal with anything EU related. They have tried to sue companies in the US for not complying but no outcome for that is known.
That is why you see the cookie notices and general compliance, but also if you're a relatively small company it's actually not that hard to comply. It gets exponentially more difficult the larger you get but if you're that large than you'll definitely be dealing with world economics, including the EU which gives a lot of incentive to comply.
I have and was a part of my curriculum. Bit arrogant innit
Have you heard of such small indie developers such as Google, Amazon or Facebook?
The exact same ones who have millions in fines racked up and are paying them? Yes, I have heard of those.
You said it yourself: Millions. Not Billions.
For these companies, paying such a mundane fine is just the business cost of being able to do whatever they want. The execs figuratively (and perhaps literally too) piss out a fine payment every morning before reading the ~~newspaper~~ company whatsapp account.
And you think that lemmy devs / admins being hit by thousands of dollars of a fine is going to go the same way facebook goes? That they'll be able to ignore it and say it's a cost of business? The giant corps get fined too. The US companies get fined too (for all the people saying "this EU law, me no care".
Coincidentally I saw bug reports by that person and another person earlier that day (before the blog post was published), including one opened months ago with absolutely no reaction at all of even acknowledging that this is even an issue: https://github.com/LemmyNet/lemmy/issues/3973
I've heard from time to time that Lemmy developers can be difficult to work with (I never worked with them, so I make it clear that this is hearsay) but I have the suspicion that there is some merit to that.
Aren't the key admin functions missing leading to GDPR non compliance?
Yeah, but talking about GDPR is burying the lede.
No, Lemmy servers are not exempt from GDPR compliance. The household exemption (you are not subject to gdpr for private activities) only applies for purely personnal activities. As soon as a service is offered to someone else, the exemption is no more applicable.
That's one of the drawback about open-source projects, they are designed to fulfill a need (persistent storage & decentralised communication for Lemmy), and no one give a f*ck about legalities.
I'm working in the gdpr compiance field ;) Using a personnal device to monitor public space doesn't fall under the household exception, this solution even pre-dates the GDPR (https://curia.europa.eu/jcms/upload/docs/application/pdf/2014-12/cp140175en.pdf).
(the case-law is about camera fixed on a private house, but the logic easily translates in a private server grabbing public data).
Just as you did ^^
Article 3 GDPR is straightforward, gdpr will apply.
The real question is how any kind of authority could enforce it ? Almost no chance that any law enforcement/regulator will bother a single-user instance purely on the ground of gdpr...