Federated services have always had privacy issues but I expected Lemmy would have the fewest, but it’s visibly worse for privacy than even Reddit.

  • Deleted comments remain on the server but hidden to non-admins, the username remains visible
  • Deleted account usernames remain visible too
  • Anything remains visible on federated servers!
  • When you delete your account, media does not get deleted on any server
  • philpo@feddit.de
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    The first point is indeed the only one I see atm that might be working. If one can reasonably argue that the node/instance is not voluntarily giving away the data and has no way to prevent that without massively hampering operation of the plattform it might be acceptable in front of a court.

    Again: With a lots of might/could/ifs.

    Because simply the fact that the nodes themselves are build for connecting to each other and very much do so (and you can effectively block other nodes from federating your content to a extent) speaks against that reasoning. But it worked for e.g. data scrubbers,etc.

    However, you could circumvent that issue by making the case that each instance actually acts as an independent Controller. By participating on a federated service, you are explicitly agreeing to the data you provide (your profile, posts, comments, etc.) being made public and shared with other compatible services. That should be enough as the basis for other instances to reasonably assume you want your data to be processed by them, which (I think, not a lawyer) is sufficient justification for processing the data independently, as long as it’s in line with how you generally expect the fediverse to work.

    That sadly explicitly does not work. Any consent given must be under definitive circumstances - a ‘card blanc’ consent is not possible under the GDPR. You must absolutely know where, by whom and what for your data is processed or transfered. And the initial data processor still has the obligation for a data processing agreement.