gdpr and the indie web
Just as a disclaimer, this is personal opinion, informed by my still-ongoing law degree, which I have not finished yet, and I am not a lawyer; plus, most of my degree is Germany-centric and the rest of it is EU-centric, so this influences what I say.
During my studies to get a general law degree with a focus on data protection law, I sometimes think about the legal implications of offering Small Web or IndieWeb services inside the EU. I think there is hesitance to really tackle this in the community, and awareness of it and compliance with the legal obligations seem... patchy. There seems to be insecurity about who is even affected, who needs to do what, and what the implications or consequences are. And I get that; legalese sucks to read, and it's a nerve-wracking topic.
However, I really encourage everyone who's thinking of opening up online spaces that are also accessible to EU users to at least consider it and be aware - knowing when it is you who is responsible (for example, hosting something yourself on your own server and not relying on a third-party service), or when you're simply using a service that does it for you and you collect nothing (think: opening a Discord server).
You cannot just bank on security by obscurity, hoping you're too small, or pointing to the fact that you're not a company, or being sure that no one will report you, or no entity will seek you out about it. I would also not bank on statements such as "I only collect xyz (usually IP addresses), this doesn't fall under personal data! This other webmaster told me!" or similar things. Not knowing or having misunderstood doesn't protect you. Throughout my degree so far, I learned that lots of things I thought I knew about law were wrong, and especially so around data protection or GDPR. The law is relatively open, wide spanning and tech-agnostic on purpose.
It seems like lots of webmasters are relying on word of mouth, or blindly copying what someone else is doing, or thinking it's done by googling and reading popsci-level legal analysis, like some tech blog summary articles. I feel like many of these are outdated and partially wrong; law evolves, and there was a big need in 2018 to push out articles about what it all means, and it seems like everyone wanted to be the first to get it out there, farm all the clicks and be cited in stuff. But it's been a few years, and there is far, far more literature about it all now, legal precedent in the form of cases truly defining what specific Articles or words mean, and it's good to stay on top of that. You don't want to rely on an outdated definition or understanding. Lots of summaries and word of mouth leave no space for nuance, but law is full of "It depends".
I sometimes also read justifications that are kinda like "Why, isn't this just for Big Tech like Facebook? Why am I, as a small fish in the pond, affected? I cannot even do anything harmful!" and personally, I think we cannot both point to Big Tech, asking for them to be held more accountable for data harvesting, and then absolve ourselves of the responsibility for sensitive, identifiable data at the same time. This is more about the rights of ourselves and our fellow people and less about punishment. I don't want you to be punished, but I want the same right to know what is done with my data and what you collect, and to consent to that, that I have elsewhere, ideally, or at least on paper. I don't care about who is doing worse things with my data or the scale of misuse, or if it's a paid or free service, whether you're a big company or a "smol bean". I think it is wrong to assume that one single person in the role of Benevolent Dictator for Life of a small online service is automatically doing no harm with collected data because they are not a for-profit company.
Something I definitely want to look into in the near future is how GDPR meshes with federation and decentralization. This is one other reason why I am not signed up on any of these services; so far I think it's difficult for this to comply fully, and I don't know how some random instance operator letting me sign up from the EU is aware of it all and not doing weird stuff with my data (and you have to consider that this doesn't just involve usernames and public statuses, but also DMs). I wonder how federation handles the right to be forgotten, for example, and if it's enough to just prove it is not on your instance anymore, and how it is when you, as an EU instance operator, federate EU user content outside of the EU. I'll have to read up on it.
I don't know the specifics in this regard, but I've seen California kind of trying to replicate some of the protections in the EU, even around digital data, so I guess this is also worth considering and looking up even if you don't care to cater to EU users.
Published 07 Oct, 2024, edited 7 months, 2 weeks ago