this post was submitted on 19 Jun 2023
156 points (100.0% liked)
Technology
37716 readers
305 users here now
A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.
Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.
Subcommunities on Beehaw:
This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Actually that is exactly what the GDPR stipulates. In your example Facebook needs a data processing agreement that ensures that all rights of the data owners are secured and the GDPR is followed. Facebook is liable here, not Amazon - the user must explicitly NOT ask Amazon to delete as the user may not even know where the data went to/should not be bothered to write requests to a huge amount of different data processing locations.
But, @hikaru755@feddit.de added another interesting point: The Instance may or may not be seen as a single data processing entity that does not voluntarily hands over data to other instances. That could indeed be a reasonable cause as e.g. data scrubbers are not within the sphere of influence of e.g. a service publicly displaying data. But as the whole network is build on interconnected nodes I wouldn't count on it if that reasoning would fly in front of a court. It may. Or it may not.
The originating instance definitely cannot be held responsible for failing to force a separate instance in another country to delete its cached copy of user data imo. I think what is more likely is that EU courts could force European Jimmy instances to only federate with GDPR-compliant instances.
This is incorrect if the data transfer was done voluntarily/planned. This also applies to EU data outside the EU - Meta has been fined a 1.2 billion euro for that.
And no, the definitive definition of the data transfer extent is a key point of the GDPR. Each and every data owner has the right to know where their data is stored exactly. So a "EU only" would not be enough - It is basically already mandatory as transfer to other countries is a major problem after Schrems 2.
Ah yeah if the originating instance sends data to a secondary one then that is somewhat different.