Drive we are so privacy focused here. What is to prevent myself or anybody out there, from starting to report individual instances of GDPR and CCPA.

No lemmy insurances are complying with national privacy laws and nobody is talking about it at all.

  • trouser_mouse@lemmy.world
    link
    fedilink
    English
    arrow-up
    11
    ·
    edit-2
    1 year ago

    This is just at a really high level. Take for example https://lemdro.id. I am in the UK.

    • I do not get cookie information / consent
    • How do I make a SAR request, it isn’t stated
    • What is their data retention and privacy policy, it isn’t stated
    • How do I make a data sharing request as a member of law enforcement or government
    • How is data processed if I am under 16/13
    • Is data transferred from an EU to non-EU server if I search their content from another instance? Are the correct controls and risk assessments in place
    • If I delete my .id account under right to be forgotten, how is my request propagated between other instances to ensure my data isn’t retained somewhere on another instance which has pulled the data
    • If I use an account from another instance and post an image on .id, and then delete my account, is the image I posted deleted from their server and backups etc

    GDPR is very serious and an absolute minefield. I am pretty sure Lemmy and individual instances are not compliant, and I am not sure they can be fully - it may have to be on a best-endeavours basis. Be interesting to see how that holds up under a challenge.

    • Kichae@kbin.social
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      I actually question whether GDPR is up for the task of distributed systems like this.

      Like, if you put in a right to be forgotten request to your host server, it’s not at all clear that they’re responsible for the copies of your content that are being hosted elsewhere, any more than asking a news website to remove your personal information from an article requires them to also hunt down anyone else who has copied and spread the story to remove it, too.

      Different Lemmy websites are independently owned and operated, and your local admin holds no authority over other admins. They can request deletion on your behalf, if that’s a legal requirement, but they cannot compel action. I’m not even sure they can act as your proxy, given that there’s no formal relationship between admins.

    • WalrusDragonOnABike@kbin.social
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      If I delete my .id account under right to be forgotten, how is my request propagated between other instances to ensure my data isn’t retained somewhere on another instance which has pulled the data

      There’s no way GDPR can tell we hosts they are responsible for other platform’s copy of data, right? Wouldn’t that mean Twitter has to remove tweets from every news article that makes copies, for example, if someone deleted their account under that right?

      • trouser_mouse@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        It’s law to comply with GDPR and the ePrivacy Directive.

        • Receive users’ consent before you use any cookies except strictly necessary cookies.
        • Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
        • Document and store consent received from users.
        • Allow users to access your service even if they refuse to allow the use of certain cookies
        • Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.
        • awderon@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          There is only one cookie present when I inspect the Cookies with my browsers dev tools. Which seems to be the auth token for my account.

          • trouser_mouse@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            As far as I am aware, a user authentication cookie is classed as personal data and therefore subject to GDPR!

            • awderon@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              Receive users’ consent before you use any cookies except strictly necessary cookies.

              Wouldn’t the auth cookie fall into the strictly necessary category?

              • trouser_mouse@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                I’m no expert so hopefully someone will be able to chip in. I know when I have dealt with GDPR stuff, there has been quite a lot of conflicting opinions!

                Even if it is not required to get consent for that, I think there is also a requirement around explaining to the user what they do and why they are necessary.

                • awderon@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  1 year ago

                  I’m also no expert, just trying to learn more about the topic as it’s kind of interesting to see how other people are interpreting it.

                  • trouser_mouse@lemmy.world
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    ·
                    1 year ago

                    Just as an example, this is Reddit’s cookie notification compliance - so something similar to this should be presented so that I know what the cookies are used for in plain language and can accept or reject any non-essential cookies. I should also be able to give or withdraw my consent at a later time.