Mentioning GDPR in any context is an excellent way to get different people equally confidently telling you that GDPR requires totally opposite things.
You can always make an argument that GDPR requires something because nobody really knows what the fuck GDPR requires, including the lawyers whose job it is to know, and they'll be the first to tell you so.
@seldo i imagine even the policy-makers themselves have not a clue

@seldo IANAL, but my understanding is the best way to think about GDPR is not in terms of "compliance" and what "GDPR required", but rather in terms of risk calculation

There are various things you can do that increase risk of regulatory scrutiny, and various things that reduce the risk

There are no guarantees, and it's an evolving landscape, but one would hope that if you are genuinely trying to follow the principles of GDPR you would naturally be reducing your risk exposure

@eob Okay so is providing a way to search posts risky or not, in your opinion?
@seldo @eob it’s a fun situation; GDPR was designed for centralised companies who own or at least choose all of the infra on which their services run. there’s literally no way for your mastodon server of choice to be compliant unless they simply choose not to federate, since they can’t share or vet all of the sub processors across the network.

@repeattofade @seldo IANAL, but in GDPR terminology an ActivityPub instance is probably a "data controller" for the data of its registered users and a "data processor" for data of users registered on other instances

So, in theory under GDPR, each instance should have a "data processing agreement" (DPA) in place with all instances with which it federates

It might be possible for, say, Mastodon gGmbH to draft a standard DPA suitable for a Mastodon instance with default settings

@repeattofade @seldo I'm guessing this uncertainty about the GDPR status of the Fediverse might be one of the things holding Meta back from providing Threads in the EU

@eob @seldo I appreciate you answering! I am keen to know this area better.

I agree that an ActivityPub server is the data controller for the users of their server. the hosting provider, if they run it outside of their home, would be the data processors.

based on yesterday’s blog post from Mastodon re Threads, servers do not broadcast PII (not even IP addresses) of users even to federate, so I think that means they can sidestep the need for any DPAs.

@seldo the GDPR requires that a pilot willing to fly in the war is crazy, but that an application to being grounded on the basis of insanity shows the sanity of the applicant.

Little known fact.

@seldo it's the modern equivalent of "for security reasons"

@seldo actually i know about GDPR.

GDPR does not just relate to PII. Articles 17 and 19 of the GDPR enshrine in law the "right to be forgotten." To quote: "You have the right to have your data erased, without undue delay, by the data controller (...)"

There are of course conditions. The applicable clause here is point 2: "Where you withdraw your consent to the processing and there is no other lawful basis for processing the data." i.e. "if I say delete it."

Source: https://www.dataprotection.ie/en/individuals/know-your-rights/right-erasure-articles-17-19-gdpr

The right to erasure (Articles 17 & 19 of the GDPR) | Data Protection Commission

This is also known as the ‘right to be forgotten’.