I understand that very few (or no) websites actually delete anything. They just mark them as “deleted”. But this usually means that once something is deleted, users have no ability to see the deleted data. This doesn’t seem to be the case with Lemmy.

I’ve been trying out the Android app called Connect for Lemmy, and it shows the contents of all deleted comments with a “DELETED” word on them. See the uploaded screenshot.

This seems bad to me. Users expect that deleted comments are no longer viewable, and won’t be returned by Lemmy’s API. Lemmy still shows the username of the deleted comments, which was bad enough, but now I’m seeing that it doesn’t prevent apps from seeing the deleted comments.

What are your thoughts on this?

  • mod
    link
    fedilink
    English
    arrow-up
    13
    arrow-down
    1
    ·
    edit-2
    1 year ago

    This seems to be non-compliant to the GDPR:

    Under Article 17 of the UK GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’.

    • enkers
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      1 year ago

      I wonder if Lemmy instances run by a person (and for personal reasons, i.e. with no intent to generate profit) would qualify for Article 2© exemption from the GDPR:

      This Regulation does not apply to the processing of personal data:

      by a natural person in the course of a purely personal or household activity;

      I’m not sure how a judge would interpret “purely personal” in this context. There seems to be some discussion of the matter at the following link, which leads me to think it would not be exempt:

      https://law.stackexchange.com/questions/28070/would-gdpr-affect-my-own-personal-website

    • pipows@lemmy.pt
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      This is also non-compliant with Brazilian’s LGPD

      Art. 3 This Law applies to any processing operation carried out by natural persons or legal entities of public or private law, regardless of the medium, the country of their headquarters or the country where the data is located, provided that:

      III - the personal data object of the treatment have been collected in the national territory.

      § 1 - Personal data is considered to be collected in the national territory if the data subject is located there at the time of collection.

      Art. 18 The holder of personal data has the right to obtain from the controller, in relation to the data subject’s data processed by the controller, at any time upon request:

      VI - erasure of personal data processed with the consent of the data subject, except in the cases foreseen in art. 16 of this Law;

      Not that I care about what my country’s law says, but I fond it ironic that a free, decentralized platform violates laws of data protection