I’d be really keen to host a Lemmy instance but just wondering with GDPR and everything, if there is anything else to consider outside of the technical setup and provisioning of hardware?
Lemmy is storing users’ data so is there any requirement to do anything GDPR wise?
Hope this is the right place for this - but I’ve seen a lot of posts interested in hosting their own Lemmy instance, and this is an extension of that
I plan to implement a systemd timer that truly drops data from the database that was marked as “deleted” after around 30 days. I also have a note up that says to contact me if a copy of stored data has to be requested, etc.
This is already implemented in Lemmy 0.18.1 for comments and posts!
I’d put a legal blob in the Legal section clearly outlining the nature of the fediverse and making it clear to the user that really deleting stuff from Lemmy is near impossible because every instance has a copy of it. That you’ll happily comply and purge the user’s data upon request but that it will still be cached on every other server.
I’d be interested to see what lawyers have to say about it. Technically the data sharing is absolutely required by the protocol so it might be okay with the GDPR, but it’s also possible that as worded it can’t possibly be GDPR compliant. It was designed with big companies like Google, Meta and big advertisers in mind, and didn’t really account for decentralized services like the fediverse…
The GDPR doesn’t apply only to services hosted in the EU, but any services handling the data of an EU citizen.
This is why some news outlets in the US just decided to block EU users altogether, out of laziness.
IANAL, but the GDPR doesn’t cover pseudonymous data. Actually the GDPR encourages data processors (= services) to use pseudonymization.
Personally identifiable information is IPs, email addresses, street address, name, date of birth, … Lemmy only collects IPs and email addresses. And these are not shared between instances.
Whether the service is hosted in the EU or not, as long as it serves EU users, Lemmy should provide a way to delete emails and IP information in a self-service way (maybe by deleting the account). In the meantime, instance admins have to fulfil requests to delete emails/IPs of EU citizens from the database.
Actually I wonder if the end result would end up essentially being, you can only federate with other GDPR compliant instances that you trust will respect the GDPR and honor federated data delete requests.
The core of the issue is that just by the virtue of running, an instance collects a stupid amount of data. I was baffled at how many user accounts my instance had discovered mere hours after starting it up.
Edit: row counts after just a week of running my private instance with only 3 users:
The profiling potential is scary, so users should be really careful with basically every interaction on the Fediverse, including votes. I bet the feds are having a field day monitoring what’s going on on exploding-heads and lemmygrad.
I believe this is probably what will happen if this ever becomes a big issue. GDPR was never intended to be navigable for anything except giant proprietary blob tech companies.
IANAL but no, as instances do not share “personal data”. There is a misconception that GDPR deletion requests apply to all data created by a user, but to my understanding it only applies to “personal data” as defined here: https://commission.europa.eu/law/law-topic/data-protection/reform/what-personal-data_en
If you’re self-hosting (i.e. running it for yourself, your family members and maybe some friends), your use would fall under GDPR’s household exemption:
does not apply to … the processing of personal data by an individual in the course of a purely personal or household activity
That’s Article (2)(2)a.
Of course, if you’re taking money or making it available to the general public it’s a different matter.
Lemmy is storing users’ data
The only “personal data” that you are storing would be their email, perhaps IP addresses. As long as you are not altering your instance, placing third-party analytics or ads, you are good.