I’d be really keen to host a Lemmy instance but just wondering, with GDPR and everything, if there is anything else to consider outside of the technical setup and provisioning of hardware?
Lemmy is storing users’ data, so is there any requirement to do anything GDPR-wise?
Hope this is the right place for this, but I’ve seen a lot of posts interested in hosting their own Lemmy instance, and this is an extension of that.
If you’re self-hosting (i.e. running it for yourself, your family members and maybe some friends), your use would fall under GDPR’s household exemption:
does not apply to … the processing of personal data by an individual in the course of a purely personal or household activity
That’s Article (2)(2)a.
Of course, if you’re taking money or making it available to the general public it’s a different matter.
First of all, I’m not a lawyer or a legal consultant, just an instance admin that wants to make sure that his instance complies.
Lemmy does not store any PII (birthdates, legal names, addresses, security numbers). But users are able to share whatever they want. And that can be a problem.
Check out my instance’s legal page: https://Laguna.chat/legal
In the future I want to make sure that my instance’s content can only be shared by GDPR-respecting instances.
Lemmy is storing users data
The only “personal data” that you are storing would be their email, perhaps IP addresses. As long as you are not altering your instance, placing third-party analytics or ads, you are good.
The main issue would be that users can post personally identifiable information themselves.
For example, I can say that my social security number is 1234 and that would be personal data if it was true.
I’m not a lawyer, but I think I remember something that the GDPR rights cannot be just waived.
Since the user can just delete their own posts, it shouldn’t be a problem, but what do I know.
I am assuming this would be non-commercial. I think in that case you probably would be exempted from GDPR: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Exemptions
Yes I think you’re right, but also IANAL. From what I learned in a mandatory class at work, I think the GDPR only covers commercial activity. GDPR is supposed to protect citizens when engaging in commerce:
an entity or more precisely an “enterprise” has to be engaged in “economic activity” to be covered by the GDPR.
Lemmy doesn’t charge a subscription fee or sell ads (yet), so it’s acting as a kind of personal messaging system for communicating between people. The GDPR explicitly says it doesn’t regulate personal messaging systems like email. I think Lemmy would fall under that exemption clause.
Everybody is talking about the GDPR, but the GDPR, when hosting in the EU, should be the least of your concerns. As I said elsewhere:
- Lemmy is not doing tracking/personalized-ads.
- Lemmy is only collecting IPs and email addresses as personally identifiable information. It’s not sharing them. So it makes GDPR compliance easy.
The real issue is the Directive on Copyright in the Digital Single Market, which is a nightmare if you want to host Lemmy legally. Realistically, the government doesn’t care about a few copyright infringements by some guy/gal hosting a Lemmy instance in their garage.
But, if you want to follow the law to the letter, the EU doesn’t have any fair use. So theoretically, you need to allow users to only post Creative Commons images, with attribution. Or do some copyright checks on the content posted on your instance. Here is an EU video on how to comply with the directive, it’s a nightmare.
Interesting you bring up copyright. I was looking at Peertube just earlier today and I was wondering how on earth some of the larger instances are dealing with copyright. There is no way they can watch every second of content that gets uploaded.
I think you’re right though. Unless you get lucky/unlucky, it’s highly unlikely your instance is ever going to be used by many people, and therefore for most it’ll probably be a grey area.
If it did however, you need to not only “administer” that instance, both from a front and backend point of view, but there are also things like copyright to deal with.