So if I understand GDPR correctly: If I want a service/business to remove all my personal data, they have to comply with it in a certain timespan or get in trouble with the law.
If I understand federation correctly: All posts get replicated on federated instances all over the fediverse.
My question: If I e.g. want lemmy.world to remove my data, all my posts etc are still up on lemmy.ml right? As they just have a copy of these posts?
Would I as a customer have to contact every single instance to get my data removed? Or how does GDPR compliance work with lemmy?
Or am I completely misunderstanding how GDPR works?
Think of it this way. The way I see it federation is similar to an archival service storing a copy of the data. If reddit deletes all info when requested, but archive.org doesn’t delete it. Well it ain’t reddit’s problem anymore.
Similarly, if a user request data deletion of data in their home instance located in the EU, and as long as the instance honors the request and delete their copy, that instance is not liable for other instances not honoring the deletion request. You might have to request data deletion with each individual instance that has a copy of your data, and it’s only enforceable if the instance is in the EU where GDPR applies.
That’s my interpretation, correct me if I’m wrong.
That sounds like a good take. I have no idea if it’s correct, but it sounds reasonable.
So I’d have to contact every single instance to get rid of my data, which sounds reasonable, but is practically speaking absolutely impossible.
Lemmy just sounds like a GDPR nightmare for the EU tbh.