- cross-posted to:
- technology@beehaw.org
- fediverse@kbin.social
- fediverse@lemmy.ml
Highlighting the recent report of users and admins being unable to delete images, and how Trust & Safety tooling is currently lacking.
As per official EU communication:
Lemmy instances are entities that offer free services and are arguably monitoring the behaviour of individuals in the EU through federation. From the perspective of the GDPR, there is no difference between Facebook and a Lemmy instance regarding what they can or cannot do, or whether they get fined for something.
You need to read up on the GDPR yourself.
What personal data is being processed by a Lemmy instance, what are they processing that’s being sold in the EU? The GDPR does not apply here, stop trying to wiggle it into something it’s not.
Usernames at the very least, as online identifiers.
And they don’t need to be sold, just retained. GDPR applies even if there is no payment anywhere, even to non-commercial entities.
Usernames are not PII…the GDPR only applies if someone is making money from the service. It does not mean just because your site is free but hosts ads or sells user data it’s exempt. Lemmy instances do none of this.
What do you think an online identifier is then? And why would the GDPR only apply if there is money made? It specifically says in multiple places free services also count.
https://www.ibm.com/topics/pii#:~:text=Personally identifiable information (PII) is,email address or phone number.
Usernames are not and never have been considered PII.
The GDPR states it clearly that the company/entity has to be collecting PII or selling something to the person. Lemmy does neither of these.
How is IBM authoritative on this subject? And even so, this article doesn’t say that usernames are not PII, it even indirectly says it is indirect PII.
Here’s another random company’s page saying usernames are PII: https://www.keepersecurity.com/blog/2023/06/14/what-is-personally-identifiable-information-pii/
The GDPR says it clearly and explicitly that:
Usernames that are used in an internal network are, because they’re linked to PII; a public username is not PII.
And where did you read that? If anything, public usernames are easier to correlate to form identities.