But of a red herring to put GDPR in the title when the article is about Lemmy missing key admin functions, and only tangentially how this runs afoul of GDPR.
TL;DR Lemmy hasn’t implemented image deletion for users or admins, so don’t upload your government ID.
Bit of a red herring to put GDPR in the title when the article is about Lemmy missing key admin functions, and only tangentially how this runs afoul of GDPR.
I haven’t read the GDPR, yet, but it’s still a serious issue – GDPR or not. Imagine if Instagram did that. Everybody would seriously go bonkers and rightfully so.
System administrators often aren’t software developers. Lemmy users need to trust Lemmy admins and Lemmy admins need to trust Lemmy developers. Maybe not letting users delete any uploaded media isn’t outright illegal, maybe it is. I’m in the camp of it being definitively not cool.
If I hear Lemmy has bugs in basic CRUD functionality, that’s a real issue.
Coincidentally I saw bug reports by that person and another person earlier that day (before the blog post was published), including one opened months ago with absolutely no reaction at all of even acknowledging that this is even an issue: https://github.com/LemmyNet/lemmy/issues/3973
I’ve heard from time to time that Lemmy developers can be difficult to work with (I never worked with them, so I make it clear that this is hearsay) but I have the suspicion that there is some merit to that.
You’re on Sopuli, which is hosted in Europe, so it’s an issue for your server. Same with Lemmy.world and Lemmy.ml, actually.
Over half of the Fediverse is hosted in companies that require GDPR compliance. Maybe your private server isn’t, but that doesn’t mean this stuff isn’t relevant for the rest of the network.
As for the CRUD problem: the issue is actually the API design, once you leave a page where you uploaded the image, your browser throws out the delete token and you no longer have control over the image. This could be easily solved by adding a list of attachments and delete tokens to the database so each user can delete their files, but there is currently no frontend or backend API to accomplish that.
Yet GDPR requires if you operate anywhere but allow European citizens to register, you have to be GDPR compliant as well, or risk being blocked by an entire continent.
You can get fined by the entire continent. And you would need to pay up in that case, if living in the US for instance. The laws aren’t toothless, otherwise everyone would be abusing them, instead go to any US news site in Europe, and they’ll tell you they can’t serve content to you for legal reasons.
For these companies, paying such a mundane fine is just the business cost of being able to do whatever they want. The execs figuratively (and perhaps literally too) piss out a fine payment every morning before reading the newspaper company whatsapp account.
Yeaaaah no. Look it up, you still have to pay up. It’s insanely good for EU citizens. Look at the top fines - Meta, Google, Amazon, Instagram, Facebook, with fines being tens of milions of dollars. The US works with the EU and you still get fined.
Ofcourse they do, because they want to keep their business working in Europe. Which doesn’t apply to a decentralized system like the fediverse. But they do not have to pay the fine if they shut down all operations within Europe, which no company wants to do.
Actually, it has implemented deletion for server admins, though the delete needs to be executed through the command line.
As for the GDPR, there are no tools for GDPR compliance. Most Lemmy servers will be practically exempt (as they are personal projects, not businesses) but if you’re stupid enough to set up an organisation or a non-profit for people to donate to, you’re pretty screwed if you run Lemmy. GDPR compliance will require tons of manual database work. Most Lemmy servers seem to be hosted in Europe, so the majority of servers may run into an issue here.
No, Lemmy servers are not exempt from GDPR compliance.
The household exemption (you are not subject to gdpr for private activities) only applies for purely personnal activities. As soon as a service is offered to someone else, the exemption is no more applicable.
That’s one of the drawback about open-source projects, they are designed to fulfill a need (persistent storage & decentralised communication for Lemmy), and no one give a f*ck about legalities.
My server is closed for registration for a reason :) I think most servers are single-user instances actually.
I’m not so sure about the GDPR status for the Fediverse, I don’t think there’s the law is prepared for “Jerry runs this for people, just for fun”. It’s very much “official organisation” or “money grabbing business” oriented. Someone should fund an actual lawyer to look into this and lay down the real requirements.
You’re right that nobody cares about the law on the Fediverse. There’s a lot of shouting about consent when someone bridges your posts, but when legal compliance comes up, everybody just sticks their fingers in their ears and pretends not to hear you.
I’m not so sure about the GDPR status for the Fediverse, I don’t think there’s the law is prepared for “Jerry runs this for people, just for fun”. It’s very much “official organisation” or “money grabbing business” oriented. Someone should fund an actual lawyer to look into this and lay down the real requirements.
The question is, though: what if you’re delivering services to other users? A one-person server on the Fediverse can be GDPR free, but surely lemmy.world can ignore privacy laws like that.
Article 3 GDPR is straightforward, gdpr will apply.
The real question is how any kind of authority could enforce it ?
Almost no chance that any law enforcement/regulator will bother a single-user instance purely on the ground of gdpr…
But of a red herring to put GDPR in the title when the article is about Lemmy missing key admin functions, and only tangentially how this runs afoul of GDPR.
TL;DR Lemmy hasn’t implemented image deletion for users or admins, so don’t upload your government ID.
I haven’t read the GDPR, yet, but it’s still a serious issue – GDPR or not. Imagine if Instagram did that. Everybody would seriously go bonkers and rightfully so.
System administrators often aren’t software developers. Lemmy users need to trust Lemmy admins and Lemmy admins need to trust Lemmy developers. Maybe not letting users delete any uploaded media isn’t outright illegal, maybe it is. I’m in the camp of it being definitively not cool.
Inflicting lawyers on an open source project is a great way to drive off the developers.
If I hear Lemmy has a GDPR problem I assume it’s lawyer BS only European instance admins have to worry about.
If I hear Lemmy has bugs in basic CRUD functionality, that’s a real issue.
Coincidentally I saw bug reports by that person and another person earlier that day (before the blog post was published), including one opened months ago with absolutely no reaction at all of even acknowledging that this is even an issue: https://github.com/LemmyNet/lemmy/issues/3973
I’ve heard from time to time that Lemmy developers can be difficult to work with (I never worked with them, so I make it clear that this is hearsay) but I have the suspicion that there is some merit to that.
You’re on Sopuli, which is hosted in Europe, so it’s an issue for your server. Same with Lemmy.world and Lemmy.ml, actually.
Over half of the Fediverse is hosted in companies that require GDPR compliance. Maybe your private server isn’t, but that doesn’t mean this stuff isn’t relevant for the rest of the network.
As for the CRUD problem: the issue is actually the API design, once you leave a page where you uploaded the image, your browser throws out the delete token and you no longer have control over the image. This could be easily solved by adding a list of attachments and delete tokens to the database so each user can delete their files, but there is currently no frontend or backend API to accomplish that.
Yet GDPR requires if you operate anywhere but allow European citizens to register, you have to be GDPR compliant as well, or risk being blocked by an entire continent.
You can get fined by the entire continent. And you would need to pay up in that case, if living in the US for instance. The laws aren’t toothless, otherwise everyone would be abusing them, instead go to any US news site in Europe, and they’ll tell you they can’t serve content to you for legal reasons.
Have you heard of such small indie developers such as Google, Amazon or Facebook?
The exact same ones who have millions in fines racked up and are paying them? Yes, I have heard of those.
You said it yourself: Millions. Not Billions.
For these companies, paying such a mundane fine is just the business cost of being able to do whatever they want. The execs figuratively (and perhaps literally too) piss out a fine payment every morning before reading the
newspapercompany whatsapp account.Oh for sure they will try to fine, but being another sovereignty they have no authority to force a payment.
Yeaaaah no. Look it up, you still have to pay up. It’s insanely good for EU citizens. Look at the top fines - Meta, Google, Amazon, Instagram, Facebook, with fines being tens of milions of dollars. The US works with the EU and you still get fined.
Ofcourse they do, because they want to keep their business working in Europe. Which doesn’t apply to a decentralized system like the fediverse. But they do not have to pay the fine if they shut down all operations within Europe, which no company wants to do.
Aren’t the key admin functions missing leading to GDPR non compliance?
Yeah, but talking about GDPR is burying the lede.
Actually, it has implemented deletion for server admins, though the delete needs to be executed through the command line.
As for the GDPR, there are no tools for GDPR compliance. Most Lemmy servers will be practically exempt (as they are personal projects, not businesses) but if you’re stupid enough to set up an organisation or a non-profit for people to donate to, you’re pretty screwed if you run Lemmy. GDPR compliance will require tons of manual database work. Most Lemmy servers seem to be hosted in Europe, so the majority of servers may run into an issue here.
No, Lemmy servers are not exempt from GDPR compliance. The household exemption (you are not subject to gdpr for private activities) only applies for purely personnal activities. As soon as a service is offered to someone else, the exemption is no more applicable.
That’s one of the drawback about open-source projects, they are designed to fulfill a need (persistent storage & decentralised communication for Lemmy), and no one give a f*ck about legalities.
My server is closed for registration for a reason :) I think most servers are single-user instances actually.
I’m not so sure about the GDPR status for the Fediverse, I don’t think there’s the law is prepared for “Jerry runs this for people, just for fun”. It’s very much “official organisation” or “money grabbing business” oriented. Someone should fund an actual lawyer to look into this and lay down the real requirements.
You’re right that nobody cares about the law on the Fediverse. There’s a lot of shouting about consent when someone bridges your posts, but when legal compliance comes up, everybody just sticks their fingers in their ears and pretends not to hear you.
I’m working in the gdpr compiance field ;) Using a personnal device to monitor public space doesn’t fall under the household exception, this solution even pre-dates the GDPR (https://curia.europa.eu/jcms/upload/docs/application/pdf/2014-12/cp140175en.pdf).
(the case-law is about camera fixed on a private house, but the logic easily translates in a private server grabbing public data).
Just as you did ^^
The question is, though: what if you’re delivering services to other users? A one-person server on the Fediverse can be GDPR free, but surely lemmy.world can ignore privacy laws like that.
Article 3 GDPR is straightforward, gdpr will apply.
The real question is how any kind of authority could enforce it ? Almost no chance that any law enforcement/regulator will bother a single-user instance purely on the ground of gdpr…