this post was submitted on 21 Oct 2024
41 points (93.6% liked)
Fediverse
28371 readers
992 users here now
A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).
If you wanted to get help with moderating your own community then head over to [email protected]!
Rules
- Posts must be on topic.
- Be respectful of others.
- Cite the sources used for graphs and other statistics.
- Follow the general Lemmy.world rules.
Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration), Search Lemmy
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Also not a lawyer but I've done a lot of GDPR training since it was introduced and I believe you're incorrect—the data subject posting it publicly or not doesn't factor into the validity of a deletion request under the GDPR. There are a limited set of specific reasons a service owner can refuse a deletion request and they're pretty much down to preventing abuse and facilitating compliance with other laws.
Not a lawyer, but honestly, both of these takes are probably not correct.
I'd say that most fedi-services fall more into the 'can I make someone delete an email' GDPR category (tldr: probably not, but maybe) with a dose of the 'this service is for personal/non-commercial use and includes messaging and social media' exemption.
This of course won't work if you're taking money or doing commercial activity but at that point you're a business and should consult your lawyers to ensure your compliance. (And if you can't, then maybe don't be in that business.)
I wouldn't want to be the one to spend the billion dollars to litigate that, but frankly if you're not in the EU, and not a business, then the person demanding removal would have to take you to court to force compliance (assuming you didn't just do it so you don't have to deal with a grumpy person) which is... unlikely.
The much more horrifying interpretation is that the data controller, processor, and sub-processor language comes into effect and everyone needs to sign written agreements with every other fediserver to be even remotely in compliance.