I stumbled upon this article from the excellent noyb organization - the one with Max Schrems - and they mention that a federated social network may be a possible way to avoid the current GDPR problem of transferring EU citizens' data to the US.
Read the whole thing, but the relevant quote from the article:
Previously, Facebook / Meta spread the rumor that it would stop providing services in Europe. Given that Europe is by far the biggest source of income outside of the US and Meta has already built local data centers in the EU, these announcements are hardly credible. The long term solution seems to be some form of ‘federated social network’ where most personal data would stay in the EU, while only ‘necessary’ transfers would continue - for example when a European sends a direct message to a US friend. While Meta only got a short implementation period to come up with a solution, it knew about the legal situation for ten years and was already served with a draft decision in 2022.
That is not something I have seen discussed here before, so I thought it might be interesting as an additional reason for “Project 92”.
Transferring data from the EU to the US is a major GDPR issue, which has been ongoing since 2013. There is a brief overview here: https://noyb.eu/en/eu-us-data-transfers-0
Also consider supporting noyb, they have done so much work to protect our privacy and get GDPR enforcement done!
Doubt it’s for the GDPR. The EU has been passing some other nice regulations on big tech lately, including the Digital Markets Act. Some things it does:
- It may prevent practices known as self-preferencing, applied by companies like Google for better displaying their products among the results of Google search.
- Gatekeeper companies could also be prohibited from reusing people’s personal data. For example, Facebook could be forbidden from using the data obtained from its subsidiary WhatsApp.
- The proposal ensures rights to the platform’s business users. For example, it could prohibit Apple from imposing a 30% commission on all the transactions concluded via App store.
- Gatekeeper platforms may also be prohibited from requiring business users to offer their best deals on the platform (for example, Amazon required e-book publishers to apply their best conditions on the Amazon e-book marketplace).
- There are also device neutrality rules regarding the rights to delete pre-installed applications (as in the case of Apple iOS or Google Android for example) and to install apps from other sources.
- Protection rights for business users of platforms (including advertisers and publishers).
- Prohibition of some bundling practices.
- Provisions for ensuring a higher degree of data portability, interoperability, and access to data for the platform’s business and end-users.
- Companies that do not comply with the new obligations may risk fines of up to 10% of their worldwide turnover.
Each provider still needs to respect the GDPR. Since the account originates from the home instance and all content comes with the home instance, you only need to execute a GDPR request against the home instance. Once executed, within a week or so all copies should be gone from the network, though there will still be some floating around on backups not controlled by the home instance. Cleaning those would require a request to every instance in the federation.
Question: how would an owner of an instance comply with a GDPR request? Try and find that specific user and delete all their posts? What happens if an American, on an American instance, subbed to an EU community? My understanding is that would pull all the posts to the American instance going forward. Would the owner of the American instance be required to comply?
If data moves away from an instance with whom an EU user has an agreement, those third party instances have to be bound by the home instance through agreements/contracts to follow the rules of the GDPR before giving away the data. Also the home instance would have to list all instances that have received data or that could likely receive data through such an agreement. Federation is not a solution to GDPR but it rather makes things incredibly complicated for the instance owners if they tried to comply fully. And from what I’ve read, Lemmy doesn’t even have the technical capabilities to make it possible, yet. Maybe that’s what compels Meta. They can just offload responsibility to the instance owners.
This is going to be more of an issue for big instances, I honestly suspect. However, I also hope to see some tools to make compliance easier for people. Deletion would just be a purge of the data; you can already do this for a number of sets, including a specific user. It's mostly for federated data; not sure how it works with home users. You can always manually edit the DB. The tools will need to get better fast.
As for US instances, they would be more likely to just block the EU unless compliance is super easy. It's a federation, so there is little reason for you to be on an instance so far away; I'm a big fan of many smaller instances.
IMO the big takeaway I'd like those in the EU to know is: if you want good GDPR compliance, someone needs to go over the software and make compliance the easy default. For the most part, compliance can be automated.
There is software that can do this. It isn't cheap, nor is it easy to configure.
However, for platforms like Lemmy, the developers should design their system to allow for automated deletes that do not burden the individual platform admins.
The long term solution seems to be some form of ‘federated social network’ where most personal data would stay in the EU, while only ‘necessary’ transfers would continue - for example when a European sends a direct message to a US friend.
A social network could do this without federation, though. MySpace did it for their Chinese site 15 years ago: data was only transferred between China and "the rest of the world" when needed.
Is there any legal analysis of the Fediverse with regards to GDPR? A blog post or something? There is something for copyright and DMCA takedowns in the US by the EFF: https://www.eff.org/de/deeplinks/2022/12/user-generated-content-and-fediverse-legal-primer
In theory no, every single entity serving EU citizens must abide by the GDPR. In practice that breaks it up from a single target into thousands, therefore being harder to enforce. Feels like a potential thing for them to exploit.