Mastodon Instances All Violate the GDPR: Bad Software, Bad Developers 

Did you know #Mastodon by default has admins violating the GDPR on the regular without warning, by irrevocably deleting all of a user's data upon banning that user?

I tried to tell Gargron and Nightpool, but they said that would only apply to instances that obviously serve users in the EU.

They are very okay with all of you instance admins possibly paying fines if any user of yours from the EU decides to complain about it, and since the software does not warn you, there will probably be lots of evidence of it happening many, many times before.

Also... I guess Gargron and Nightpool are just okay with abandoning the HUGE part of Mastodon that is French, and every .eu instance? I spent a good amount of energy attempting to explain to them how the GDPR works and that you don't have to state you are "intentionally targeting" the EU for the GDPR to apply. It was mostly wasted.

The other argument they made was that it was up to you all to decide on the GDPR, and that people who don't want to violate the GDPR can use the suspend function. This completely ignores the fact that the ban-delete function does not warn you that you are inherently violating the GDPR by using it without the user's consent. At least there should be a warning of some kind that you need to provide the user a copy of their data first, or get their consent to delete the data without providing it to them, before you can delete it.

This is very clearly listed under these requirements, which I walked them through multiple times:

https://gdpr-info.eu/art-6-gdpr/
To which "banning a user" does not qualify for any of the reasons to process a user's data without their consent.

https://gdpr-info.eu/art-4-gdpr/
"4.2: ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;"

https://gdpr-info.eu/issues/consent/ for more.

What do you think of this, instance admins? Are you okay with them allowing a GDPR violation as a normal function on all of your instances that could get you fined? Are you okay with Gargron deciding a simple warning when clicking the delete button is too much to ask?

Here is the GitHub repo. In the thread below I will be posting our interactions, in which they completely fail to understand the GDPR, do not even make an attempt to reach out to other individuals to correct the failure in their knowledge, and instead try to pull unrelated events into it to paint my reason for trying to make Mastodon GDPR compliant as somehow self-motivated.

https://github.com/tootsuite/mastodon/issues/14718

@viomi I read your post. And I read your GitHub issue. I agree with nightpool on GitHub.

@k@toot.love You should probably look up how the GDPR works before agreeing with something factually incorrect.
