Mentioning GDPR in any context is an excellent way to get different people equally confidently telling you that GDPR requires totally opposite things.
You can always make an argument that GDPR requires something because nobody really knows what the fuck GDPR requires, including the lawyers whose job it is to know, and they'll be the first to tell you so.

@seldo IANAL, but my understanding is the best way to think about GDPR is not in terms of "compliance" and what "GDPR required", but rather in terms of risk calculation

There are various things you can do that increase risk of regulatory scrutiny, and various things that reduce the risk

There are no guarantees, and it's an evolving landscape, but one would hope that if you are genuinely trying to follow the principles of GDPR you would naturally be reducing your risk exposure

@eob Okay so is providing a way to search posts risky or not, in your opinion?
@seldo @eob it’s a fun situation; GDPR was designed for centralised companies who own or at least choose all of the infra on which their services run. there’s literally no way for your mastodon server of choice to be compliant unless they simply choose not to federate, since they can’t share or vet all of the sub processors across the network.

@repeattofade @seldo IANAL, but in the GDPR terminology an ActivityPub instance is probably a "data controller" for the data of its registered users and a "data processor" for data of users registered on other instances

So, in theory under GDPR, each instance should have a "data processing agreement" (DPA) in place with all instances with which it federates

It might be possible for, say, Mastodon gGmbH to draft a standard DPA suitable for a Mastodon instance with default settings

@repeattofade @seldo I'm guessing this uncertainty about the GDPR status of the Fediverse might be one of the things holding Meta back from providing Threads in the EU

@eob @seldo I appreciate you answering! I am keen to know this area better.

I agree that an ActivityPub server is the data controller for the users of their server. the hosting provider, if they run it outside of their home, would be the data processors.

based on yesterday’s blog post from Mastodon re Threads, servers do not broadcast PII (not even IP addresses) of users even to federate, so I think that means they can sidestep the need for any DPAs.