@luis_in_brief @neil @privacat I'm going to be really cheeky here and point to what @neil responded to me when I mentioned Threads and GDPR compliance: "The GDPR doesn't bite merely because an organisation is processing personal data of people in the EU - Article 3(2) GDPR is much narrower than that."
@krisnelson @luis_in_brief This response makes me really nervous because it smells an awful lot like "I'll know noncompliance when I see it, says the auditor."
- I don't know if providing posts from my users to the users on another node (who are in the EU) counts as "the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union"
- I don't know if receiving toots made by an EU data subject counts as "the monitoring of their behaviour." My turn-your-head-and-squint analysis suggests it does; you can infer a lot from a person (likely timezone, for instance) based on post patterns, without even getting into the question of "Stuff people post explicitly about themselves on social media."
Broadly speaking, I get squicky about GDPR because it feels a lot like the protection for small operators against getting smacked by the full force of the law is "Don't worry; the law is crafted to control the FAANGs, not you," which... I mean, we can look at the US's War on Drugs for an example of what happens when a law that criminalizes tons of regular activity is left up to enforcement discretion.
@mtomczak @krisnelson yes, I think that concern is correct, and why I raise it now: lots of people have jumped to the conclusion “Meta isn’t doing Threads in the EU because they take too much data”, but I think it’s equally plausible Meta isn’t doing Threads in the EU because federation and the GDPR are (at a very deep level) incompatible.
But I’m not a GDPR attorney by any stretch!