• tal@lemmy.today
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    2
    ·
    edit-2
    4 months ago

    It certainly is against the GDPR to federate with US instances.

    considers

    I don’t think that it is, even for EU instances, in that the GDPR regulates businesses, so it’s out-of-scope for the GDPR.

    In theory, I suppose that GDPR implications might come up if someone starts selling commercial Threadiverse access at some point, though.

    There might be some interesting questions providing Usenet or maybe XMPP, though, as there are commercial providers of those services, and they are federated and transfer data all over the world.

    kagis

    Hmm. This has some people talking about it for XMPP. At least this guy’s first pass is that it might apply:

    https://mail.jabber.org/hyperkitty/list/operators@xmpp.org/thread/F5EGKYVPD42PPHOW72VBOS5E6OZTA22M/

    Under UK GDPR (not sure about the EU one) the only grounds for exemption is “Residential use” (other than police and national security, which are also exempt), quoting from the ICO:

    “Domestic purposes – personal data processed in the course of a purely personal or household activity, with no connection to a professional or commercial activity, is outside the UK GDPR’s scope. This means that if you only use personal data for such things as writing to friends and family or taking pictures for your own enjoyment, you are not subject to the UK GDPR.” [1]

    (For those who don’t know who the ICO is, they are the British data protection authority, see [2])

    At first, at least in my case, this seems pretty easy. The data is stored domestically, it is used with me and my friends for communication, there shouldn’t be any more to it… right?

    But there is. I regularly connect and talk in many MUCs for open source projects, such as Ignite Realtime (which this was initially discussed until Guus suggested moving it to operators, thanks Guus :) ).

    IP addresses, are considered identifiable information, logs will store said information, this therefore means my server is storing identifiable information on other servers, in this case, servers which could be considered for commercial purposes.

    It needs to be noticed commercial purposes doesn’t necessarily mean paid services, charities and non-profits are included within the definition. Open source projects COULD be considered commercial purposes because, although contributions are provided free of charge, it is still a “donation” of sorts in the way of code.

    The definition of “professional” does not seem to be clarified anywhere on the ICO page, nor in their legal definitions [3]. It doesn’t seem to be within the UK GDPR legislation [4] (I will admit I did not read all of this, I tried searching for keywords and found nothing, if someone read it all and knows where this exception is clarified, please let me know). Professional could mean a lot, but I will assume it is to do with some sort of “work”, which therefore would include open source contributions.

    This therefore could break the “no connection to professional or commercial activity”, to be honest the easiest thing to draw from this is if it involves someone who is not family or friend (or yourself), you are very likely to not be exempt.

    For those who will suggest a zero storage solution, where the XMPP server doesn’t store any data, it still comes under GDPR due to PROCESSING of data, simply processing it, even if you don’t store it, will have GDPR requirements.

    Failure to pay when you are required to results in fines.

    This is really cracking open a huge can of worms, it isn’t so much of “ah £45/yr is no big deal”, once you are exempt you must follow all the legal requirements of GDPR, and for a hobby? Is it worth it?

    I am 100% sure, an XMPP server which does not federate, which is used to communicate with friends would be exempt. But I have my doubts whether a federated server can still use the same exemption clause.

    • General_Effort@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      4 months ago

      the GDPR regulates businesses,

      The GDPR regulates everything and everyone, including individuals and non-profits. See Article 2. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679

      For example: If you keep a personal journal and write about your friends and acquaintances, that’s out of scope. [ETA: As long as the journal is private. When it’s shared outside the household, it is in scope and probably a violation.] But when the Jehovah’s Witnesses go door to door and make notes who opens etc, that’s in scope. [ETA: And has been ruled a violation by the ECJ.]