• jmcs@discuss.tchncs.de
    link
    fedilink
    arrow-up
    18
    ·
    14 hours ago

    Mastodon and Lemmy don’t actually share any data actually protected by GDPR, unless the users actively make it public (like using their real name).

    • Tuukka R@sopuli.xyz
      link
      fedilink
      arrow-up
      1
      ·
      4 minutes ago

      Am I right in my understanding that if you run a federated Lemmy instance, you can see who has upvoted what, even on other instances?

      Is that not something protected by GDPR?

    • Skull giver@popplesburger.hilciferous.nl
      link
      fedilink
      arrow-up
      2
      arrow-down
      2
      ·
      4 hours ago

      PII includes any information that can be used to link or correlate personal information. That includes usernames and account IDs. Every like/upvote contains that information, as well as a timestamp, indicating a unique account but also behaviour. The system doesn’t just share a list of names, it shares a list of names with a lot of context. Stuff like this is also why pseudonymisation isn’t sufficient to avoid GDPR obligations.

      Usernames aren’t sensitive information, so you can handle it without too much special care (although you do need to ensure basic protection of login credentials against data leaks, for instance by encrypting databases as a minimum requirement). They are PII, though, which means you’re obligated to take some level of care and ensure that the information can be corrected or redacted everywhere.

      The GDPR simply wasn’t written with something like the Fediverse in mind. My server knowing when your account upvoted what posts on a third server would be ridiculous if we’re talking about Twitter and Facebook, but it’s the core of vote counting on Lemmy.

      • jmcs@discuss.tchncs.de
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        38 minutes ago

        GDPR doesn’t include things you choose to make public, otherwise no social media could show your posts or username to anyone. My only doubt about Lemmy and Mastodon is about DMs where people have a reasonable expectation that they are private but they are not.

        Edit: and thinking about it, even DMs probably fall into the same exception as email.