I’d be really keen to host a lemmy instance but just wondering with GDPR and everything, if there is anything else to consider outside of the technical setup and provisioning of hardware?
Lemmy is storing users' data, so is there any requirement to do anything GDPR-wise?
Hope this is the right place for this - but I've seen a lot of posts interested in hosting their own lemmy instance, and this is an extension of that.
Everybody is talking about the GDPR, but the GDPR, when hosting in the EU, should be the least of your concerns. As I said elsewhere:
- Lemmy is not doing tracking/personalized-ads.
- Lemmy is only collecting IPs and email addresses as personally identifiable information. It’s not sharing them. So it makes GDPR compliance easy.
The real issue is the Directive on Copyright in the Digital Single Market, which is a nightmare if you want to host lemmy legally. Realistically, the government doesn’t care about a few copyright infringements by some guy/gal hosting a lemmy instance in their garage.
But, if you want to follow the law to the letter, the EU doesn’t have any fair use. So theoretically, you need to allow users to only post creative commons images, with attribution. Or do some copyright checks on the content posted on your instance. Here is an EU video on how to comply with the directive, it’s a nightmare.
Interesting that you bring up copyright. I was looking at Peertube just earlier today and I was wondering how on earth some of the larger instances are dealing with copyright. There is no way they can watch every second of content that gets uploaded.
I think you’re right though. Unless you get lucky/unlucky, it’s highly unlikely your instance is ever going to be used by many people, and therefore for most it’ll probably be a grey area.
If it did however, you need to not only “administer” that instance, both from a front and backend point of view, but there are also things like copyright to deal with.
Perhaps look at the privacy policy of the EU Voice Mastodon: here. As lemmy, kbin and mastodon are using ActivityPub, it is relevant.
Very interesting, they actually seem to have thought this aspect through. Fully supportive of the fediverse and wouldn’t ever want to scaremonger or push people to not want to host their own instance, but with the explosion of Lemmy instances - at a certain point I am guessing someone will want to look into this in more detail.
Whether it’s a change in regulation or helping people be responsible with data - holding PID of some kind (in this case emails) does need to be done responsibly.
I am assuming this would be non commercial. I think in that case you probably would be exempted from GDPR: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Exemptions
Interesting - the Wiki article seems to make it out to be less about commercial than the actual links to the articles provided. I’ll keep reading, thank you.
Yes I think you’re right, but also IANAL. From what I learned in a mandatory class at work, I think the GDPR only covers commercial activity. GDPR is supposed to protect citizens when engaging in commerce:
an entity or more precisely an “enterprise” has to be engaged in “economic activity” to be covered by the GDPR.
Lemmy doesn’t charge a subscription fee or sell ads (yet), so it’s acting as a kind of personal messaging system for communicating between people. The GDPR explicitly says it doesn’t regulate personal messaging systems like email. I think Lemmy would fall under that exemption clause.
First of all, I’m not a lawyer or a legal consultant, just an instance admin that wants to make sure that his instance complies.
Lemmy does not store any PII (birthdates, legal names, addresses, security numbers). But users are able to share whatever they want. And that can be a problem.
Check out my instance’s legal page: https://Laguna.chat/legal
In the future I want to make sure that my instance’s content can only be shared by GDPR-respecting instances.
For legal issues that are not EU-specific you may also want to take inspiration from this instance.
I think if you just let people delete their data whenever and clearly state how that data is used/stored, everything will be fine.