9point6@lemmy.world 3 weeks ago
Not an admin, but from a legal perspective, users in the EU have the right to request deletion of their data under the GDPR, which the consequences of violation are up to €10m or 2% of annual turnover (not profit), whichever is higher
Frankly, if a user asks a service owner to delete their personal data, the service owner should do it as promptly as possible.
Except that only applies to federated servers that exist in the EU. If your data gets federated out to a country outside of the EU, they don’t have to listen to your whines of GDPR as it’s not enforceable. And given that you could be federated with hundreds of instances across the world, good luck.
I said the same thing with AI scraping. All someone needs is to add their own instance that federates with everyone else and they can scrape data for AI training till their heart’s content.
First, if you process the personal data of EU citizens or residents, or you offer goods or services to such people, then the GDPR applies to you even if you’re not in the EU. We talk more about this in another article.
Cool cool, now realistically, do you have the time, resources and know how to find and contact every owner of every federated instance these comments have made to? Would you be able to deal with the legal resources of any number of jurisdictions to truly test whether that is actually enforceable?
My point basically is that it’s functionally impossible regardless of what the law says, and you should treat your comments and personal information as such that they won’t ever be able to be deleted or scrubbed.
poVoq@slrpnk.net 3 weeks ago
Lemmy doesn’t federate “personal data” to other servers.
Requesting the deletion of posts that they agreed to be federated when signing up is purely voluntarily but usually done as it is fairly easy to ban a user and delete their contributions.
9point6@lemmy.world 3 weeks ago
From your link
The “directly or indirectly” part is important here, a username is a constant identifier between a user’s posts and comments
Given comments and posts are free text input, there’s no way of knowing the entire set of a user’s content doesn’t contain PII, unless an admin wants to spend the time combing through and determining which posts definitely contain PII and which definitely don’t, they should delete it all. The data subject does not need to make specific listings of what they want deleted, the onus is on the service owner to be able to process the deletion request completely and within a timely manner.
poVoq@slrpnk.net 3 weeks ago
No, as only the instance admin that hosts the original account can indirectly associate a user handle with actual “personal data”. An admin of a federated instance can not, as they do not have any “personal data” to correlate it with.
If a user themselves posts “personal data” publicly it is not covered by the GDPR IANAL and thus not subject to mandatory deletion requests. Of course deleting everything is often the easiest course of action, but this is not legally required.
9point6@lemmy.world 3 weeks ago
Also not a lawyer but I’ve done a lot of GDPR training since it was introduced and I believe you’re incorrect—the data subject posting it publicly or not doesn’t factor into the validity of a deletion request under the GDPR. There are a limited set of specific reasons a service owner can refuse a deletion request and they’re pretty much down to preventing abuse and facilitating compliance with other laws.