Federation means that personal data is sent to anyone who spins up an instance. What legal basis is there for that? These guys and their lawyers weren’t able to figure one out.
What is legally defined as personal data in this case? Public usernames, public posts, or private messages to another instance, which states clearly that messages aren’t private and to use Matrix instead? Or is there something else.
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Anything connected to your username is personal data. Your votes, posts, comments, settings subscriptions, and so on, but only as long as they are or can be actually connected to that username. Arguably, the posts and comments that you reply to also become part of your personal data in that they are necessary context. Any data that can be connected to an email address, or an IP address, is also personal data. When you log IPs for spam protection, you’re collecting personal data.
It helps to understand the GDPR if you think about data protection rights as a kind of intellectual property. In EU law, the right to data protection is regarded as a fundamental right of its own, separate from the right to privacy. The US doesn’t have anything like it.
hi, i work in the EU, and the GDPR and related legislation is a big thing we regularly have to consider in our work.
“personal data” is NOT anything connected to your username.
“personal data” (more correctly, and usually, called PID; Personally Identifiable Data) is data that can be used to identify you, the natural person, not your online persona.
that means: your Social Security Number, your Passport Info, your Drivers License, your Date of Birth in combination with your Birth-Name/Real Name, your Home Address, your religious affiliation, your gender, your sex, your fingerprints, your DNA, etc.
anything that can be used to clearly identify you in real life.
so, for example, if a company requires your phone number and passport to register, they are not allowed to give that to any third party, without the users explicit consent. “Mr. Karl Marx, born 05. May, 1818 in Trier is our customer and here is his passport, phone number, home address, and all the associated data we have on him” <-- this is NOT ok under the GDPR.
on the other hand “OGcommunist1818 posted {seize the means of production today, comrades!}, at 10:30 am, CET, on server 127.0.0.1, which was sent to 10.0.0.1, 10.0.0.2, and 10.0.0.3, into their respective local storage” <-- this is perfectly fine under the GDPR, because none of that is clearly tied to the natural person: “Karl Marx, born 05. May in Trier”, even if it really was Karl that posted that, and even if we can guess from the username that it was probably Karl that posted that comment.
sending comments you make, your votes, your posts, etc., to another server is completely fine by the EUs data protection laws for 2 reasons:
1: it’s not personally identifying data in the first place
2: you agreed to this information being sent {wherever} when you made your account, so you gave your consent to your data being used in this way.
Our data protection/privacy laws are mostly concerned with data being sent WITHOUT user consent (through sale to third parties, data dumps, data leaks, hacks, etc.), they do not protect you from sharing your personal info with strangers of your own volition.
so, no, the EU does not forbid the fediverse and there certainly are no laws to support that notion.
General_Effort@lemmy.world 1 day ago
Federation means that personal data is sent to anyone who spins up an instance. What legal basis is there for that? These guys and their lawyers weren’t able to figure one out.
refurbishedrefurbisher@lemmy.sdf.org 1 day ago
What is legally defined as personal data in this case? Public usernames, public posts, or private messages to another instance, which states clearly that messages aren’t private and to use Matrix instead? Or is there something else.
General_Effort@lemmy.world 1 day ago
For the purposes of this Regulation:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
GDPR
Anything connected to your username is personal data. Your votes, posts, comments, settings subscriptions, and so on, but only as long as they are or can be actually connected to that username. Arguably, the posts and comments that you reply to also become part of your personal data in that they are necessary context. Any data that can be connected to an email address, or an IP address, is also personal data. When you log IPs for spam protection, you’re collecting personal data.
It helps to understand the GDPR if you think about data protection rights as a kind of intellectual property. In EU law, the right to data protection is regarded as a fundamental right of its own, separate from the right to privacy. The US doesn’t have anything like it.
9bananas@feddit.org 1 day ago
no, that’s wrong.
hi, i work in the EU, and the GDPR and related legislation is a big thing we regularly have to consider in our work.
“personal data” is NOT anything connected to your username.
“personal data” (more correctly, and usually, called PID; Personally Identifiable Data) is data that can be used to identify you, the natural person, not your online persona.
that means: your Social Security Number, your Passport Info, your Drivers License, your Date of Birth in combination with your Birth-Name/Real Name, your Home Address, your religious affiliation, your gender, your sex, your fingerprints, your DNA, etc.
anything that can be used to clearly identify you in real life.
so, for example, if a company requires your phone number and passport to register, they are not allowed to give that to any third party, without the users explicit consent. “Mr. Karl Marx, born 05. May, 1818 in Trier is our customer and here is his passport, phone number, home address, and all the associated data we have on him” <-- this is NOT ok under the GDPR.
on the other hand “OGcommunist1818 posted {seize the means of production today, comrades!}, at 10:30 am, CET, on server 127.0.0.1, which was sent to 10.0.0.1, 10.0.0.2, and 10.0.0.3, into their respective local storage” <-- this is perfectly fine under the GDPR, because none of that is clearly tied to the natural person: “Karl Marx, born 05. May in Trier”, even if it really was Karl that posted that, and even if we can guess from the username that it was probably Karl that posted that comment.
sending comments you make, your votes, your posts, etc., to another server is completely fine by the EUs data protection laws for 2 reasons:
Our data protection/privacy laws are mostly concerned with data being sent WITHOUT user consent (through sale to third parties, data dumps, data leaks, hacks, etc.), they do not protect you from sharing your personal info with strangers of your own volition.
so, no, the EU does not forbid the fediverse and there certainly are no laws to support that notion.