For the purposes of this Regulation:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Anything connected to your username is personal data. Your votes, posts, comments, settings, subscriptions, and so on, but only as long as they are or can be actually connected to that username. Arguably, the posts and comments that you reply to also become part of your personal data in that they are necessary context. Any data that can be connected to an email address, or an IP address, is also personal data. When you log IPs for spam protection, you’re collecting personal data.
It helps to understand the GDPR if you think about data protection rights as a kind of intellectual property. In EU law, the right to data protection is regarded as a fundamental right of its own, separate from the right to privacy. The US doesn’t have anything like it.
9bananas@feddit.org 14 hours ago
no, that’s wrong.
hi, i work in the EU, and the GDPR and related legislation is a big thing we regularly have to consider in our work.
“personal data” is NOT anything connected to your username.
“personal data” (more correctly, and usually, called PID; Personally Identifiable Data) is data that can be used to identify you, the natural person, not your online persona.
that means: your Social Security Number, your Passport Info, your Driver’s License, your Date of Birth in combination with your Birth-Name/Real Name, your Home Address, your religious affiliation, your gender, your sex, your fingerprints, your DNA, etc.
anything that can be used to clearly identify you in real life.
so, for example, if a company requires your phone number and passport to register, they are not allowed to give that to any third party, without the user’s explicit consent. “Mr. Karl Marx, born 05. May, 1818 in Trier is our customer and here is his passport, phone number, home address, and all the associated data we have on him” <-- this is NOT ok under the GDPR.
on the other hand “OGcommunist1818 posted {seize the means of production today, comrades!}, at 10:30 am, CET, on server 127.0.0.1, which was sent to 10.0.0.1, 10.0.0.2, and 10.0.0.3, into their respective local storage” <-- this is perfectly fine under the GDPR, because none of that is clearly tied to the natural person: “Karl Marx, born 05. May in Trier”, even if it really was Karl that posted that, and even if we can guess from the username that it was probably Karl that posted that comment.
sending comments you make, your votes, your posts, etc., to another server is completely fine by the EU’s data protection laws for 2 reasons:
Our data protection/privacy laws are mostly concerned with data being sent WITHOUT user consent (through sale to third parties, data dumps, data leaks, hacks, etc.), they do not protect you from sharing your personal info with strangers of your own volition.
so, no, the EU does not forbid the fediverse and there certainly are no laws to support that notion.
rmuk@feddit.uk 13 hours ago
All this, plus the well-established legal notion of “informed consent”. If I rent a megaphone from a shop it would be utterly unreasonable for that shop to tell everyone I’d bought a megaphone - I wasn’t informed and wouldn’t reasonably assume that’s what they would do, so I couldn’t consent - but if I walk around using that megaphone to shout at people it would similarly be utterly unreasonable to argue that the shop is responsible for keeping my bellowings private.
General_Effort@lemmy.world 7 hours ago
PSA: Everything in the above post is wrong.
I copied from and linked to the GDPR on the official database of EU law. There is nothing I could possibly say to someone who claims that that is wrong.
That the facts are downvoted and the “alternative” upvoted is either the result of manipulation or says something very horrible about this community.
9bananas@feddit.org 6 hours ago
alright, so, you DID copy the relevant legalese, yes, but you quite obviously didn’t read it carefully enough.
everything in your quote says what i said, and disproves what you said.
that’s just a fact and is why you are being downvoted: you said something nonsensical.
here’s how:
self explanatory; no issues here.
here’s our first issue: “natural person” is a legal term and means an actual, real life person.
a username (and therefore a user in general) is NOT a “natural person” in the eyes of the law.
your user account has no rights in the eyes of the law. you, the person reading, do. but those are two different things in law terms.
also “relating to an identified or identifiable natural person” does NOT mean “any data related to your user account”. it ONLY refers to data that can be used to identify you, the natural person.
i think this is where most of your confusion comes from:
if the data cannot be used to identify you, then it is not protected by the GDPR.
it’s that simple, really.
also important: this is about data, specifically.
so comments you make also are not covered by GDPR, because the GDPR only deals with systems data and personally identifiable information.
so your votes, for example, are NOT covered, because they can’t be used to identify a natural person.
in fact, nothing that the Fediverse platform sends anywhere falls under GDPR (afaik).
anything identifiable you put on the platform, you’ve put there yourself, and the GDPR doesn’t protect you from posting a picture of your own SSN. it doesn’t protect from doing dumb things, it only protects information you didn’t provide voluntarily.
here is where i think the rest of your confusion lies:
it’s ONLY personally identifiable data, if, you know, it can identify you (the natural person)!
in layman’s terms that means this law ONLY applies, if your username can be used to easily acquire your real name. and ONLY then.
your IP address is not enough to identify a natural person precisely.
if you haven’t put your real name in your account description (which this law also doesn’t protect against, since that is voluntary on the user’s part), there is no way to correlate your username with your real name.
therefore the law doesn’t apply here.
this part pretty much just says that healthcare data, religion related data, club memberships, etc., are also personally identifiable information and therefore sensitive data.
mostly this means that using aggregate data to uniquely identify an individual is illegal.
so, for example, if some company has your age, general area, your gender, and your address, then it would be trivial to uniquely identify you, therefore that combination of data is also protected and classified as “sensitive information” which has to be handled in specific ways by law. (the details here aren’t important for the discussion, but it’s things like only store it encrypted, only locally/with certified providers, etc.; just a bunch of technical details)
it’s also important to note that there are TONS of exceptions to the GDPR (which has made lots of privacy advocates very grumpy), so even IF data is personally identifiable, it may still be legal to process that data, if it falls under one of those exceptions and is clearly laid out in the privacy statement on the website.
now, if you can explain exactly where I’m wrong I’ll gladly admit to my shortcomings, but just going “nuh-uh! you’re wrong!” without any explanation is just plain rude.
read the text you copied carefully.
look up the parts you aren’t sure about.
understand what it is you are copy/pasting.
and then make a judgement on what i said.
here’s a handy summary of the GDPR in easy to understand language for you.
please read that carefully before posting more comments about the GDPR…
cheers,
a tired IT drone.
General_Effort@lemmy.world 4 hours ago
I have trouble believing that you have been taught this nonsense. As far as I can tell, the term “PID” is not in use anywhere. That commercial site that you are so kindly helping sell its services doesn’t seem to use it. So who taught you that?
deaddigger@lemm.ee 12 hours ago
Well kind of. If it is possible to connect something easily to your person, then that is private information too. For example your license plate or VIN would be personal info too. Your advertiser id is seen as private info too.
Some information that is not directly linked to you is also private information. This includes stuff like healthcare or banking information
9bananas@feddit.org 7 hours ago
yes, that is also true!
i didn’t want to make the topic more confusing by including that kind of information as well…
for the average user it’s probably enough to know roughly what is covered.
technically, if you have a database with a direct connection between username and real name, then that would also be covered and would fall under “sensitive data”.
ANYTHING that directly correlates your real identity to any data is personal data.
(the rest I’m guessing you’ll already know, but for everyone else:)
for example: a UUID correlated with your fingerprint in a database would also fall under it.
even though it’s not your name (and kinda difficult to make an identification just by fingerprint if your prints aren’t otherwise in a system). just because it CAN be used to directly identify a natural person.
the primary intent of the GDPR is not really to protect people online (although it does that too, that’s secondary), but rather to protect sensitive information about people, especially in a state administration context. so: healthcare, employment, religion, and so on…
it also happens to protect those things online!
but mostly it’s about preventing institutional abuse, state violence, unnecessary surveillance, discrimination, harassment, etc.
there’s reeeeally good reasons for the term “sensitive data”! ;)
WolfLink@sh.itjust.works 13 hours ago
IP addresses could be used to identify someone
General_Effort@lemmy.world 13 hours ago
9bananas@feddit.org 13 hours ago
dafuq?
you are the one bullshitting, why do YOU lie??