this post was submitted on 15 May 2025
636 points (99.7% liked)
Technology
70266 readers
3589 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
How? I just read the full text of that website, and I couldn't find any language in there that would harm the fediverse.
Federation means that personal data is sent to anyone who spins up an instance. What legal basis is there for that? These guys and their lawyers weren't able to figure one out.
What is legally defined as personal data in this case? Public usernames, public posts, or private messages to another instance, which states clearly that messages aren't private and to use Matrix instead? Or is there something else?
For the purposes of this Regulation:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
GDPR
Anything connected to your username is personal data. Your votes, posts, comments, settings subscriptions, and so on, but only as long as they are or can be actually connected to that username. Arguably, the posts and comments that you reply to also become part of your personal data in that they are necessary context. Any data that can be connected to an email address, or an IP address, is also personal data. When you log IPs for spam protection, you're collecting personal data.
It helps to understand the GDPR if you think about data protection rights as a kind of intellectual property. In EU law, the right to data protection is regarded as a fundamental right of its own, separate from the right to privacy. The US doesn't have anything like it.
no, that's wrong.
hi, i work in the EU, and the GDPR and related legislation is a big thing we regularly have to consider in our work.
"personal data" is NOT "anything connected to your username".
"personal data" (more correctly, and usually, called PID; Personally Identifiable Data) is data that can be used to identify you, the natural person, not your online persona.
that means: your Social Security Number, your Passport Info, your Drivers License, your Date of Birth in combination with your Birth-Name/Real Name, your Home Address, your religious affiliation, your gender, your sex, your fingerprints, your DNA, etc.
anything that can be used to clearly identify you in real life.
so, for example, if a company requires your phone number and passport to register, they are not allowed to give that to any third party, without the users explicit consent. "Mr. Karl Marx, born 05. May, 1818 in Trier is our customer and here is his passport, phone number, home address, and all the associated data we have on him" <-- this is NOT ok under the GDPR.
on the other hand "OGcommunist1818 posted {seize the means of production today, comrades!}, at 10:30 am, CET, on server 127.0.0.1, which was sent to 10.0.0.1, 10.0.0.2, and 10.0.0.3, into their respective local storage" <-- this is perfectly fine under the GDPR, because none of that is clearly tied to the natural person: "Karl Marx, born 05. May in Trier", even if it really was Karl that posted that, and even if we can guess from the username that it was probably Karl that posted that comment.
sending comments you make, your votes, your posts, etc., to another server is completely fine by the EUs data protection laws for 2 reasons:
Our data protection/privacy laws are mostly concerned with data being sent WITHOUT user consent (through sale to third parties, data dumps, data leaks, hacks, etc.), they do not protect you from sharing your personal info with strangers of your own volition.
so, no, the EU does not forbid the fediverse and there certainly are no laws to support that notion.
edit: clarification of something in list point (1). largely irrelevant to the overall discussion, because users always agree to the privacy statement of the instance that hosts their account, but still, technically needed clarification.
PSA: Everything in the above post is wrong.
I copied from and linked to the GDPR on the official database of EU law. There is nothing I could possibly say to someone who claims that that is wrong.
That the facts are downvoted and the "alternative" upvoted is either the result of manipulation or says something very horrible about this community.
alright, so, you DID copy the relevant legalise, yes, but you quite obviously didn't read it carefully enough.
everything in your quote says what i said, and disproves what you said.
that's just a fact and is why you are being downvoted: you said something nonsensical.
here's how:
self explanatory; no issues here.
here's our first issue: "natural person" is a legal term and means an actual, real life person.
a username (and therefore a user in general) is NOT a "natural person" in the eyes of the law.
your user account has no rights in the eyes of the law. you, the person reading, does. but those are two different things in law terms.
also "relating to an identified or identifiable natural person" does NOT mean "any data related to your user account". it ONLY refers to data that can be used to identify you, the natural person.
i think this is where most of your confusion comes from:
if the data cannot be used to identify you, then it is not protected by the GDPR.
it's that simple, really.
also important: this is about data, specifically.
so comments you make also are not covered by GDPR, because the GDPR only deals with systems data and personally identifiable information.
so your votes, for example, are NOT covered, because they can't be used to identify a natural person.
in fact, nothing that the Fediverse platform sends anywhere falls under GDPR (afaik).
anything identifiable you put on the platform, you've put their yourself, and the GDPR doesn't protect you from posting a picture of your own SSN. it doesn't protect from doing dumb things, it only protects information you didn't provide voluntarily.
here is where i think the rest of your confusion lies:
it's ONLY personally identifiable data, if, you know, it can identify you (the natural person)!
in layman's terms that means this law ONLY applies, if your username can be used to easily acquire your real name. and ONLY then.
your IP address is not enough to identify a natural person precisely.
if you haven't put your real name in your account description (which this law also doesn't protect against, since that is voluntary on the users part), there is no way to correlate your username with your real name.
therefore the law doesn't apply here.
this part pretty much just says that healthcare data, religion related data, club memberships, etc., are also personally identifiable information and therefore sensitive data.
mostly this means that using aggregate data to uniquely identify an individual is illegal.
so, for example, if some company has your age, general area, your gender, and your address, then it would be trivial to uniquely identify you, therefore that combination of data is also protected and classified as "sensitive information" which has to be handled in specific ways by law. (the details here aren't important for the discussion, but it's things like only store it encrypted, only locally/with certified providers, etc.; just a bunch technical details)
it's also important to note that there are TONS of exceptions to the GDPR (which has made lots of privacy advocates very grumpy), so even IF data is personally identifiable, it may still be legal to process that data, of it falls under one of those exceptions and is clearly laid out in the privacy statement on the website.
now, if you can explain exactly where I'm wrong I'll gladly admit to my shortcomings, but just going "nuh-uh! you're wrong!" without any explanation is just plain rude.
read the text you copied carefully.
look up the parts you aren't sure about.
understand what it is you are copy/pasting.
and then make a judgement on what i said.
here's a handy summary of the GDPR in easy to understand language for you.
please read that carefully before posting more comments about the GDPR...
cheers,
a tired IT drone.
I have trouble believing that you have been taught this nonsense. As far as I can tell, the term "PID" is not in use anywhere. That commercial site that you are so kindly helping sell its services doesn't seem to use it. So who taught you that?
slight mistranslation: apparently, the proper english term is "personally identifiable information" or "PII".
my work environment is german speaking. didn't bother looking up the translation, since it's perfectly understandable and clearly communicates the right idea either way.
anyone that in any capacity handles data - like, say, sys admins (hint, hint) - knows this term.
it's not a surprise that it doesn't show up in an article called "GDPR for dummies", since the people familiar with the term won't get much use out of that site.
it's also an IT-term, not afaik a legal term, used as a kind of short hand for (extra) sensitive data.
(the site being "commercial" is also irrelevant. the information content is important. since you haven't been able to decipher the legal text, i figured linking a more easily digestible site would be more convenient.)
as to "who taught me that"...i couldn't say. it's part of my job to stay up to date on legislation related to my job, same as for anyone else. we've had countless meetings about how to handle this sort of data internally, with consultants, and with other departments. we have, as we are required to by law, a data security officer (i think that's the translation) that regularly sends updates, information, and requests/demands as to how to handle PII. like i said: it's a big thing^tm in IT in general. it's a topic that can easily fill a university lecture and then some. and it was a significant part of my certification process.
also, fun fact! if you type "personally identifiable data" into a search engine, the literally first result explains all of this and more!
isn't that fantastic?? :D
P.S.: i specifically told you:
soooo...you're not very good at finding information that isn't presented to you, evidently. maybe work on that a bit? just a suggestion...
PII is a concept from US law. It is not a thing in the EU.
I'm in the EU and PII definitely IS "a thing" here, because most IT professionals need to communicate in english at least some of the time and the US is the biggest market for software in the western hemisphere.
because of that most software companies from the US (like, say, Microsoft, Apple, and Google) use the term, which is why it is widespread over here as well.
and since translation errors are suuuper common in technical documentation from said companies, or there straight up isn't any in non-english, most professionals read a lot of US-english documentation. which obviously uses PII instead of PD.
the specifics differ, yes, and the areas use slightly different terms (PII vs personal data), and yet those terms are, in fact, synonymous.
(and also: it is common courtesy on the internet to use the terms more people are familiar with if the terms are, for all practical purposes, interchangeable.)
do you need an explanation for what a synonym is too?
jfc, i don't mean to be rude here, but how is it possible that this needs explaining??
just about ALL of this is common freaking sense???
Then let me be more clear: It is not a thing in EU law.
With due respect, the level of intellectual functioning, in this case reading comprehension, you display is incompatible with being an IT professional in any country. If you are not trolling, then you should consult a physician.
LMAO
Ok. So you are trolling. Haha. The vote manipulation isn't cool, though.
what manipulation?
junge, du:
....und dann hast du noch die Dreistigkeit zu behaupten hier wird irgendetwas manipuliert???
nein junge!
die leute durchschauen einfach nur, dass du offensichtlich keine Ahnung hast!
deswegen kommen downvotes: du erzählst blödsinn!
Da ist nichts, was man einem Erwachsenen, der einen IT-Job hat, erklären müsste. Die Behauptung, dass personenbezogene Daten nach DSGVO und PII im US-Recht dasselbe sein, ist so fundamental unsinnig, dass ich sie nur als Witz verstehen kann. Klar, normalerweise würde ich das erklären, aber wenn einer so rumtextet von wegen Profi, dann muss das ein Witz sein.
In case there's really anyone lurking here. Maybe you could explain to them what you think happens when one agrees to be tracked for ads. That ought to be funny. Do they send a drone swarm with 4K-cameras to your location? What's a TC-string? Something that goes up your butt?
alles vollkommen irrelevant im sinne der ursprünglichen aussage:
dass das Fediverse iwie gegen die dsgvo verstößt.
kein einziges argument deinerseits wie genau hier ein Verstoß vorliergen soll.
immer noch nichts an greifbarer kritik.
nur vollkommen wertlose behauptungen über die richtigkeit, aber absolut keine konkrete aussage.
woe GENAU verletzt dad Fediverse in irgendeiner weise die dsgvo?
welche daten sind konkret problematisch?
die ursprünglich genannten Beispiele sind laut deinem eigenen Zitat vom Gesetzestext Blödsinn.
also was sonst soll hier problematisch sein?
ad tracking is COMPLETELY irrelevant to the original argument of the Fediverse being in violation of EU regulations.
it's just another deflection to distract from the complete and utter lack of concrete evidence of any foul play on the Fediverse protocols' side.
Changing the subject. I take that as a sign that you understand how absurd your pontifications about the GDPR were. That's great. I was able to help you. You're welcome. However, it's problematic that you chose to leave up incorrect info.
Now, you are not being truthful about what I wrote, so I do not think that it's a good use of my time to lay out the issues here. If, at some point in the future, you are genuinely interested and able to behave like a responsible adult, we can talk about this.
this is from a comment you made in this very comment chain:
this is so incomplete it can be regarded as false.
"anything connected to you username is personal data" is a false statement.
it's only personal data in combination with a whole lot of other data. then it can potentially be considered personal data, if it can be reasonably used to identify someone. reasonably.
your votes cannot reasonably be used to identify you, even in combination with other data. they are irrelevant. same goes for all other data, except user names, in that quote.
here is a further clarification from the GDPR website:
so, for now, your votes, comments, etc., are not covered. maybe they will be in the future, but probably not.
because the GDPR provides a "right to deletion" this would mean that someone else could have data you own deleted against your will.
which means if a politician posts something on bluesky, and some random asshole replies to that post, that asshole could then have the politicians post deleted.
that's obviously insanity.
while it is true that IP addresses can potentially be considered personal data, none of the listed data types by themselves are necessarily personal data.
your statement makes it sound as if they always are, which is wrong.
it is not reasonably possible to conclude who exactly posted something just from an IP or email address, for example. not without a whole lot more data. (since anyone can easily spoof an address, it's not difficult)
which is why it is potentially personal data, but not definitely. that's an important difference.
this discussion is entirely pointless anyway, since you already agreed to the terms outlined in your home instance as to how your data is processed.
for reference, here is the site for the feddit.org instances' privacy declaration.
it outlines exactly how data is processed, in accordance with the GDPR.
and yeah, the instance has to consider the GDPRs processing guidelines, because they posses aggregate data.
but that's also where you were wrong when you said that processing this data is in any way illegal.
doing so without informing the user, that is illegal.
processing it in ways other than the one's outlined in the privacy statement , that is illegal.
but it's not inherently illegal, as you said it is.
and before you (again) refuse to acknowledge that you DID say it's illegal, here's you saying exactly that:
the Fediverse is in no way "legally problematic", because everything the protocol does is something you agreed to, when you signed up.
there is no violation of your rights, because the GDPR cannot protect you from not reading what you are agreeing to.
i do concede that one point i did get wrong was this:
i have posted a clarification that IPs and usernames specifically can be considered personal data, when combined with other personal data.
important to note is, that the other Fediverse related features like up/dpwnvotes, comments, etc. are still not personal data.
i wasn't clear enough on that point, and that's a fair criticism.
i would have noticed that ages ago, if you could be bothered to actually back anything you say up with a quote or any kind of specific pointer instead of vague and nonsensical accusations how "everything is wrong".
it was a single, small detail in the original reply i wrote.
everything else, as far as i can tell, is accurate.
unless you can, specifically and with a quote point out any other issues.
i will simply ignore any further accusations without a corresponding quote of both the offending comment and a citation of the corresponding law (article and paragraph is fine, doesn't need to be a direct quote, it just needs to be clear what exactly the issue(s) is (are)).
and please, for the love of god, stop spreading the misinformation that the Fediverse is somehow illegal, just because you didn't read the privacy statement.
that privacy statement is all that a digital service provide is required to present to the user, if they don't use your data in any other way than "legitimate interest". which is specifically excluded from GDPR protections. and this exception is also mentioned in the privacy statement you did not read.
it. is. not. illegal. to. processes. your. Fediverse. data.
and it's also not illegal to send that data to other instances, because you agreed to that being a possibility when you made your account.
not knowing about that, because you didn't read how your data will be processed, doesn't make it illegal.
you were informed about the ways your data will be processed, which satisfies the GDPR just fine.
A user is typically a natural person. A username identifies that person. Any information that is directly or indirectly linked to that username is thus personal data of that person. The GDPR explicitly gives "online identifier" as an example of an identifier. I did link to the official repository, which hosts translation in all European languages. Each translation can be reached with 1 click. It cannot be a language issue. I do not understand what the problem could be.
The personal data in the OP (consent options) are linked to a person via a cookie stored in their browser. I do not understand how one could make sense of the case without understanding what personal data is.
There also appears to be some confusion between GDPR and copyright. I do not know where these strange ideas come from.
it does give online identifier as an example, that is true.
but it does not say that this alone qualifies as personal data.
it says that in combination with other data it can potentially be considered personal data.
this is the part you refuse to accept: an example that is given under the qualifier "potentially" and with the condition "in combination with other data" means that a username alone does not necessarily qualify as personal data.
a username linked to a phone number, for example, does qualify as personal data.
did you give your phone number to lemmy.world when you registered? because i didn't.
and an email address is not necessarily personal data either.
burner emails for example are specifically designed to not be identifying of a natural person. which means that on its own does not qualify as personal data.
same goes for cookies: the Fediverse stack cookies for example store things like your settings, locally. that's not personal data. it's only personal data when it's used for tracking and contains identifying information. which these do not.
you need a reasonable way to identify a natural person, and none of the examples you gave qualify for that.
anything connected to your user account only qualifies as personal data, if your username can identify you in the first place.
how us your username linked to your real name? because mine isn't.
or does it say "General_Effort" on your driver's license?
if you don't use an email service that requires personal data to register, then your username is not personal data. (which Fediverse services can't know for certain, so they have to assume that email addresses are personal data, even when they're not)
so it can be true that YOUR username is personal data, but that is not automatically true for every user. which is irrelevant for a data processor, but very relevant for the law.
here is another explanation from the GDPR website that clarifies this important distinction:
pseudonyms, like a username (which is a pseudonym by definition), ONLY qualifies, if it's relatively easy to ID someone.
which means it is explicitly NOT automatically personal data.
the law text you like to quote so much says EXACTLY that!
but just because "online identifier" is listed as an example for something that can potentially be considered personal data, you made the wrong conclusion that it is always personal data.
it is not always personal data. it depends on what other data is linked to a username. and how exactly the user is stored and processed in the first place.
i think where you make a massive mistake is this part here:
"typically" means "not always".
and you are confused about the difference between a user being associated with a username from their own perspective and that user being identifiable by a third party by their username.
those are two different things.
you overgeneralize all of the GDPR, when the law really has to be considered on a case-by-case basis (meaning platform by platform, in the context of the article), which is the intended way the law works.
for an example of a username that is definitely NOT personal data, we can look at signal accounts:
signal requires a username to register for the service...and that's all.
since there is no other information that can be used to identify a natural person, and the username can be anything, that username is not considered personal data.
only if a user ALSO registers their phone number, only then, does it become personal data under the GDPR.
on top of that anonymization can turn personal data into non-personal data.
an example of this is fingerprint data used to unlock phones: those are commonly stored as hash values using one-way algorithms that cannot be used to reconstruct the original fingerprint. this process turns personal data into non-personal data.
there is no confusion of copyright and GDPR on my part. that was you, when you brought up comments as an example of personal data, which is of course nonsense.
on top of everything you still haven't provided an expansion of how exactly the ruling in the article relates to the Fediverse at all.
the ruling is about ad-tracking, which the Fediverse doesn't use in the first place.
I still don't get where all this disinformation comes from. What do you mean by "the GDPR website"? Are you under the impression that the linked website is somehow official? Even so, the information seems solid and shouldn't give you these ideas.
no, the gdpr.eu website is not the official website of the EDPB, that's this one here.
the gdpr.eu website is maintained by the proton foundation, which is why it is, as you correctly recognized, a good resource for practical information about the GDPR.
"these ideas" boil down to "it always depends on the context".
that's exactly the point you keep missing: the GDPR cannot be generalized to make blanket statements like "usernames are always personal data" <--- this is a false statement.
and this is by design!
it's supposed to be contextual!
usernames are potentially, sometimes, even often personal data, but the law very specifically says that this is NOT always the case.
that's what the excerpt you quoted says: that these sorts of data are commonly considered personal data. whether or not something is personal data depends on the connected data.
with some, very limited, exceptions. for example: full names and addresses. those are actually always personal data.
the strange idea here is assuming that the GDPR allows anyone to make blanket statements without context.
also: STILL no explanation how anything in the article in any way relates to Fediverse services being somehow "illegal"?
how did you go from an article about "ad-tracking is illegal" to "the Fediverse is illegal"??
that's an Olympic level leap in mental gymnastics!
So, what you are telling me, is that you are an IT professional working in Europe, and in your considered opinion, emails don't fall under GDPR if you don't provide your phone number or something. And that totally doesn't sound like a joke. Is that about right?
so you think that an automated account like, say "[email protected]", is somehow personal data?
you forget that emails are constantly used by automated systems. those are, obviously, not personal data, because they can't identify a person.
and that's just the first example that comes to mind.
this is exactly why the answer to the question "do emails fall under the GDPR?" is "it depends."
"[email protected]" <-- most likely IS personal data.
"[email protected]" <-- almost certainly NOT personal data.
"email" as a concept does not automatically make it personal data.
it is only personal data, if it is connected to data that can reasonably be used to identify a natural person.
is the entire concept of nuance just lost on you??
some email addresses are personal data, other are not.
IT DEPENDS ON THE CONTEXT!!
this is the difference between a professional and a layman: a layman doesn't even know, how much they don't know.
No. I don't know why you would believe that.
why WOULD you believe that??
what natural person is identifiable by an automated message?
explain that.
Instead of being silly, why don't you just correct your disinformation and be done with it? Why these games?
At least they choose the utmost ironic username for it.
that they certainly did! lol
Well kind of. If it is possible to connect something easily to your person, than that is private information too. For example your license plate or vin would be personal info too. Your advertiser id is seen as private info too.
Some information that is not directly linked to you is also private information. This includes stuff like healthcare or banking information
yes, that is also true!
i didn't want to make the topic more confusing by including that kind of information as well...
for the average user it's probably enough to know roughly what is covered.
technically, if you have a database with a direct connection between username and real name, then that would also be covered and would fall under "sensitive data".
ANYTHING that directly correlates your real identity to any data is personal data.
(the rest I'm guessing you'll already know, but for everyone else:)
for example: a UUID correlated with your fingerprint in a database would also fall under it.
even though it's not your name (and kinda difficult to make an identification just by fingerprint if your prints aren't otherwise in a system). just because it CAN be used to directly identify a natural person.
the primary intent of the GDPR is not really to protect people online (although it does that too, that's secondary), but rather to protect sensitive information about people, especially in a state administration context. so: healthcare, employment, religion, and so on...
it also happens protects those things online!
but mostly it's about preventing institutional abuse, state violence, unnecessary surveillance, discrimination, harassment, etc.
there's reeeeally good reasons for the term "sensitive data"! ;)
IP addresses could be used to identify someone
All this, plus the well-established legal notion of "informed consent". If I rent a megaphone from a shop it would be utterly unreasonable for that shop to tell everyone I'd bought a megaphone - I wasn't informed and wouldn't reasonably assume that's what they would do, so I couldn't consent - but if I walk around using that megaphone to shout at people it would similarly be utterly unreasonable to argue that the shop is responsible for keeping my bellowings private.