You are on a privacy-offending Cloudflare site (#LemmyWorld), so Tor users are blocked from seeing your Cloudflare-jailed image. If you care about privacy you will bounce from that instance.
Without seeing the image, I have to ask how an anonymous user gets #GDPR rights. Or has #Reddit started supporting an identification mechanism of some kind? When I start the reg process, it asks for an email address, username, and pw, not a first + lastname (but my test stopped when a Google reCAPTCHA push was attempted). I have zero sympathy for Reddit -- they are rotten to the core scumbags, but I do not see how the GDPR can be applied to anonymous accounts.
(edit) I gather from other comments you must have posted an email. Would be great if you could copy the text of the email into the body of your post so everyone can see it and so people using screen readers can hear it. Thanks!
"But Meta’s version of consent offers users a Hobson’s choice — of paying at least €9.99/month for an ad-free subscription (per each account they have on Facebook and Instagram); or agreeing to its tracking.
No other choices are available, despite the GDPR stipulating that for consent to be a valid legal basis for processing people’s information it must be freely given."
how to scalably introduce the concept of ACL at the post/toot level.
Very interested to hear yall’s ideas on this.
how to educate about the #fediverse in a user-friendly way
…and an accurate way. I think a lot of the blowups on the fediverse come from the way mastodon misrepresents the fediverse to ppl, notably that it’s privacy-focused.
how do we handle #GDPR compliance when federating in and out?
I’d be interested to hear what yall come up with for this too. It seems like ActivityPub is strictly incompatible with GDPR. If a user asks to delete their data, you can comply on your server but never guarantee that it’s deleted from the network. And then there’s the permission requirement for sharing data, which seems to mean basic federation isn’t allowed without a user’s explicit permission.
@0x1C3B00DA we are honestly not entirely sure how to handle the #GDPR aspect. We may have to put together a public working group (incl. lawyers) to discuss.
If your service processes Undo and Delete activities, you could argue that you adhere to Right to be Forgotten, but there is more to GDPR than just erasure/modification.
The amount of reality that @pluralistic dishes out in each post is mind-boggling. And the latest one about #apple, the #EU's #dma and the rest of #bigtech's approach to the #GDPR is even more unsettling than usual. Yikes.
There's a strain of anti-anti-monopolist that insists that they're not pro-monopoly - they're just realists who understand that global gigacorporations are too big to fail, too big to jail, and that governments can't hope to rein them in. Trying to regulate a tech giant, they say, is like trying to regulate the weather.
Take the #GDPR, Europe's landmark privacy law. The GDPR establishes strict limitations of data-collection and processing, and provides for brutal penalties for companies that violate its rules. The immediate impact of the GDPR was a mass-extinction event for Europe's data-brokerages and surveillance advertising companies, all of which were in obvious violation of the GDPR's rules.
One key reason that Americans don't understand the privacy dangers in their use of technology is that about 99% of product coverage doesn't consider privacy as a feature. Tech journalists care about privacy only on rare occasions, and it's drowned out by cheerleading.
The EDPS ("European Data Protection Supervisor") has released an open source tool called "Website Evidence Collector" that will collect evidence of personal data processing, such as cookies, or requests to third parties.
In particular, #GDPR data subjects’ privacy rights:
-The right to be informed
-The right of access
-The right to rectification
-The right to erasure
-The right to restrict processing
-The right to data portability
-The right to object
-Rights in relation to automated decision making and profiling.
Of these perhaps the most glaring difference between the EU and US is that "consent" under GDPR is, by law, opt-in. No one can collect your data without your permission.
Let's drill down on #GDPR definition of "consent":
-Consent must be “freely given, specific, informed and unambiguous.”
-Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
-Data subjects can withdraw previously given consent whenever they want...
-Children under 13 can only give consent with permission from their parent.
-You need to keep documentary evidence of consent.
In the US, such consent is not generally required.
@mastodonmigration I love it when I come across a #GDPR site that says, “Don’t use my data,” vs U.S. sites which say “Click here to choose the data we can collect,” and after clicking, the user must turn off half a dozen options and typically cannot de-select something called “essential” without any explanation as to what essential is.
For sure. In the US they try to make it as difficult as possible to turn off data collection. With #GDPR implementation this is sometimes referred to as Reject All. One button on the main consent dialog.
Yes. That kind of tomfoolery is not compliant with #GDPR.
"The requirement to offer a 'Reject All' button next to an 'Accept All' button follows indirectly from the consent requirements in the GDPR; consent must be as easy to revoke as it is to give. Hence, users must be able to provide or deny consent to non-essential cookies in an equal fashion."
You are in control of the data you share. Full stop.
The #GDPR has put you in control of your personal data, including enshrining consent to its processing and the right to be forgotten.
As of January, the European Data Act will extend your rights to connected products by making it easy to access and move any data generated – whether it's about personal data or not.
On #DataProtectionDay, we ask you: What are the most important advancements for you? 👇
We're living in the #enshittocene, in which the forces of enshittification are turning everything from our cars to our streaming services to our dishwashers into thoroughly enshittified piles of shit. Call it the Great Enshittening:
If you'd like an essay-formatted version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
Critics of the #GDPR, the EU's landmark privacy law, often point to the devastation that enforcing privacy law had on the European #AdTech industry, driving small firms out of business. But these firms were the most egregious privacy offenders, because they had the least to lose, lacking the dominant position of US-based Big Tech surveillance companies.
As part of the proposals in the Road Safety Package we announced last March, a new digital driving licence will make it easier to prove your identity and driving skills across the EU.
The package also includes a zero-tolerance policy on drink-driving and tougher cross-border enforcement rules.
It will help achieve our goal to halve road fatalities and serious injuries by 2030.
@EU_Commission digital-only IDs available via some app and/or online service add technical complexity, risk of failure and risk of abuse. Make life simpler, not more force-connected. Reduce technical and organizational complexity, don’t add to it. Improve data protection for EU citizens, don’t make abuse easier. #policy #eu #gdpr #app #DigitalEU #RiskReduction
Issues of data protection and human dignity of generative AI processing and creations are important ones. My #GDPR complaint about OpenAI's data processing. It concerns input and output, access to information, and technology design.
Context/writeup: https://blog.lukaszolejnik.com/ai-llms-gdpr-complaint-and-human-dignity/
@mastodonmigration I guess the same issue with personal data could arise with any #mastodon server. It all depends on the server operator. I tend to assume that using social media makes anything I post on it, including my profile, accessible to anyone. After that point I have almost no control over how it is used or stored, sadly.
Good organisations, especially those subject to #GDPR will be very strict on how they store and use the info collected. Not all will.
The UK Met Police have announced plans to use facial recognition tech to identify shoplifters – the new boogeyman to legitimise an explosion of biometric surveillance.
At the same time as the #DataGrabBill weakens the regulatory framework by scrapping the position of the Biometrics and Surveillance Camera Commissioner and the Surveillance Camera Code.
EU court lowers requirements for imposing fines for data protection breaches
The European Court of Justice issued a landmark ruling on Tuesday (5 December) that is set to facilitate the imposition of fines for infringements of the General Data Protection Regulation (GDPR).
Reddit sent me invitations to their IPO to my "deleted" accounts! That's a GDPR violation! ( lemmy.world )
Any pointers on how to report them?...