I’d be really keen to host a Lemmy instance but just wondering, with GDPR and everything, if there is anything else to consider outside of the technical setup and provisioning of hardware?
Lemmy is storing users’ data, so is there any requirement to do anything GDPR-wise?
Hope this is the right place for this, but I’ve seen a lot of posts interested in hosting their own Lemmy instance, and this is an extension of that.
My understanding is that the onus to have the data removed is on the originating instance owner, so they’re required to ensure their data processors (i.e., destination federation servers) comply. As such, while Lemmy could make it such that it itself attempts to be GDPR compliant (and to some extent, the ability to request to purge makes it relatively close), the problem is that the recipients don’t have to adhere to it – they could run a third-party Lemmy server that ignores it. This is why you’d end up with a cluster/bubble – in order for each instance to join, they also must adhere to the standard proposed by GDPR (ensuring every single instance they federate to adheres to it, etc. etc. etc.). This becomes increasingly complicated because as more servers get added, everyone must verify each other and comply, stunting the growth significantly… I don’t think there’s a good way around it, and thus the closing remark… complex matters are, surprisingly, complex :(
Yes, I agree. This use case likely wasn’t considered when the law was written. We’ll see how things turn out in the future because at some point we will have enough very knowledgeable people regarding GDPR in the community who are willing and even keen on steering the project in the right direction towards compliance.