I don’t really see how this ruling is helpful. The reasoning seems to confirm the view that the Fediverse is legally very problematic.
How? I just read the full text of that website, and I couldn’t find any language in there that would harm the fediverse.
Federation means that personal data is sent to anyone who spins up an instance. What legal basis is there for that? These guys and their lawyers weren’t able to figure one out.
What is legally defined as personal data in this case? Public usernames, public posts, or private messages to another instance, which states clearly that messages aren’t private and to use Matrix instead? Or is there something else?
For the purposes of this Regulation:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
GDPR
Anything connected to your username is personal data. Your votes, posts, comments, settings, subscriptions, and so on, but only as long as they are or can be actually connected to that username. Arguably, the posts and comments that you reply to also become part of your personal data in that they are necessary context. Any data that can be connected to an email address, or an IP address, is also personal data. When you log IPs for spam protection, you’re collecting personal data.
It helps to understand the GDPR if you think about data protection rights as a kind of intellectual property. In EU law, the right to data protection is regarded as a fundamental right of its own, separate from the right to privacy. The US doesn’t have anything like it.