Image Credit: Emerging Europe.
After chatting with various individuals on the Fediverse, I began wondering whether or not hosting my Mastodon, Pixelfed & Misskey instances within the European Union 🇪🇺 was going to bite me in the wazoo due to the General Data Protection Regulation (also known as GDPR).
Searching for answers, I encountered a post by @RobertJBateman, which equally enlightened my American mind—as well as partially terrified it.
Unlike many data protection laws, the GDPR isn’t aimed at any particular sector or type of company. It’s not restricted to commercial or public administration contexts. The GDPR can apply in virtually any context, except one. […]
The legal case of Rynes v Office for Personal Data Protection can help us understand how strict the GDPR can be about this. The case involved Mr. Rynes, who had set up security cameras in his garden. The cameras were designed to monitor his property but also filmed part of a public area.
The Czech Data Protection Authority fined Mr. Rynes for filming members of the public without their consent. Mr. Rynes appealed, arguing that he was covered by the personal and household activities exemption.
The court decided that although the filming was for private purposes, it involved people that were not part of Mr. Rynes’ private life. Therefore, Mr. Rynes was not covered by the exemption and had to comply with the GDPR.
Via TermsFeed Blog
In the United States 🇺🇸 a case like this would have been laughed out of court as America 🇺🇸 places a priority on protecting personal property & treats public space with less legal protection.
However, the public space in Europe is treated with more gravitas, which could mean that I am in danger of unintentionally violating European law by acquiring innocuous personal data for security reasons.
Article 4 of the GDPR defines personal data as “any information relating to an identified or identifiable natural person.” An “identifiable natural person” means a living individual. Personal data can relate to an individual directly or indirectly (in combination with other data). […]
This definition extends very far. For example, it even includes IP addresses.
An IP address is the string of numbers that identifies a device as it connects to the internet. Even a dynamic IP address, which changes each time a person logs on, can be personal data under the GDPR.
Via TermsFeed Blog
Robert goes on to elaborate that keeping information such as first & last names, email addresses, usernames, online identifiers, etcetera, without some form of consent, could also be a violation of the GDPR rules.
So my questions for the legally inclined are:
- Is keeping records of IP addresses (without consent) to thwart nefarious actors from taking down my sites (via DDoS) a violation of GDPR‽
- Is federating with instances/servers within the European Union also a violation of GDPR‽ (especially since they include usernames & sometimes legal names as well)
Either way, I will consult a legal expert about this, as I do not have the funds to spare to hire a European lawyer to defend myself from running personal websites whose purpose is to enrich my mind (& not my wallet).
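The first question above is about keeping IP addresses to fend off abusive traffic. What a security engineer would usually do with that retention is minimise it: store only a truncated network prefix for the long term and a keyed pseudonym for the short rate-limit window, so the flood check still works but the raw address never sits in the log store. The script below is an added example for this post, not code from the author or from Mastodon, Pixelfed or Misskey; the log lines, the key and the function names are constructed for illustration. One caveat a practitioner would want: under Article 4(5) of the GDPR, pseudonymised data is still personal data, so this is data minimisation, not an exemption. Recital 49 does name network and information security as a legitimate interest of a controller, but how far that stretches for a hobby instance is exactly the question the post leaves to a lawyer.

```python
import hashlib
import hmac
import ipaddress
from collections import Counter

# Constructed sample access-log lines (Common Log Format, TEST-NET addresses,
# not traffic from any real server). Five requests come from one source, the
# pattern a rate limiter or fail2ban-style rule would act on.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Oct/2023:13:55:36 +0000] "GET /api/v1/timelines/public HTTP/1.1" 200 512
203.0.113.45 - - [10/Oct/2023:13:55:36 +0000] "GET /api/v1/timelines/public HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /@alice HTTP/1.1" 200 2048
203.0.113.45 - - [10/Oct/2023:13:55:37 +0000] "GET /api/v1/timelines/public HTTP/1.1" 200 512
2001:db8:abcd:1234::1 - - [10/Oct/2023:13:55:38 +0000] "GET /inbox HTTP/1.1" 202 0
203.0.113.45 - - [10/Oct/2023:13:55:38 +0000] "GET /api/v1/timelines/public HTTP/1.1" 200 512
203.0.113.45 - - [10/Oct/2023:13:55:39 +0000] "GET /api/v1/timelines/public HTTP/1.1" 200 512
"""

# Hypothetical key for the demo. In production, generate it randomly, keep it
# out of the log store, and rotate it (for example daily) so old pseudonyms
# cannot be linked to new traffic once the key is gone.
DEMO_KEY = b"demo-key-rotate-me"


def truncate_ip(ip_str):
    """Zero the host bits: keep a /24 for IPv4 and a /48 for IPv6.

    This is what stays in the long-term log. It still shows which network
    a request came from but no longer points at one subscriber.
    """
    ip = ipaddress.ip_address(ip_str)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymize_ip(ip_str, key):
    """Keyed HMAC-SHA256 pseudonym (first 16 hex chars) for the full address.

    The same source always maps to the same token while the key lives, so
    per-source counting and banning still work; without the key the token
    cannot be reversed or correlated across key rotations.
    """
    digest = hmac.new(key, ip_str.encode("ascii"), hashlib.sha256).hexdigest()
    return digest[:16]


def client_ip(line):
    """The first field of a Common Log Format line is the client address."""
    return line.split(" ", 1)[0]


def minimise_line(line, key):
    """Rewrite one log line so the raw address never reaches disk.

    The first field becomes the truncated network followed by the pseudonym
    token; the rest of the line is unchanged.
    """
    ip, rest = line.split(" ", 1)
    return f"{truncate_ip(ip)} {pseudonymize_ip(ip, key)} {rest}"


def flood_sources(log_lines, key, threshold):
    """Count requests per pseudonymous source; return those at or above threshold.

    This is the abuse check the post wants to keep: it runs entirely on
    pseudonyms, so the rate limiter never needs a raw IP list.
    """
    counts = Counter(
        pseudonymize_ip(client_ip(line), key)
        for line in log_lines
        if line.strip()
    )
    return {token: n for token, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for line in lines:
        print(minimise_line(line, DEMO_KEY))
    print(flood_sources(lines, DEMO_KEY, threshold=3))
```

Run it and every line comes out with the /24 or /48 network plus a 16-character token in place of the address, and the flood check flags the one source that sent five requests. The token is an HMAC rather than a plain SHA-256 of the address for a reason: with an unkeyed hash, anyone who obtains the logs can hash all four billion IPv4 addresses and recover the originals in minutes. Rotating the key retires old pseudonyms without touching the stored logs.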