The link I provided says that pseudonymous data can be used to hide personalized data.

If you are a DPO, you can see the appeal and benefits of pseudonymization. It makes data identifiable if needed, but inaccessible to unauthorized users and allows data processors and data controllers to lower the risk of a potential data breach and safeguard personal data.

GDPR requires you to take all appropriate technical and organizational measures to protect personal data, and pseudonymization can be an appropriate method of choice if you want to keep the data utility.

The owner of lemmy.one can use tk338@lemmy.one to map it to an IP and/or email address. This becomes now personally identifiable data. But other instance owners can’t map it to any personalized data, so it is basically “anonymized data” for them.

You just have to provide a way to either

• To delete personally identifiable data
• Unlink the personally identifiable data from the pseudonymized data on your local instance.

Disclaimer, IANAL, YMMV, yaddy, yadda,…

Everybody is talking about the GPDR, but the GPDR when hosting in the EU, should be the least if your concerns. As I said elsewhere:

• Lemmy is not doing tracking/personalized-ads.
• Lemmy is only collecting IPs and email addresses as personally identifiable information. It’s not sharing them. So it makes GDPR compliance easy.

The real issue is Directive on Copyright in the Digital Single Market which is a nightmare if you want to host lemmy legally. Realistically, the government don’t care about a few copyright infrigement by some guy/gal hosting a lemmy instance in their garage.

But, if you want to follow the law to the letter, the EU doesn’t have any fair use. So theorically, you need to allow users to only post creative commons images, with attribution. Or do some copyright checks on the content posted on your instance. Here is an EU video on how to comply with the directive, it’s a nightmare.

As I said in another comment, the GDPR protects people. And the GDPR only applies to personnaly identifiable data (IPs, email addresses, street address, legal name, date of birh…) Lemmy only collect emails and IPs, and do not share them between instances. So it’s very easy to comply to the GDPR as long as you don’t do anything shady.

The EU has a marketing issue. They tried to pass legislation to prevent companies to collect data. But instead, company displayed a popup, kept collecting data, and blamed it on the EU. Everytime I see a popup, I blame ruthless data collection.

Actually, Lemmy is most likely violatiing the California Consumer Privacy Act, which, as opposed to the GPDR, gives the right to update/delete any data generated by the user, not only personally identifiable information.

The GDPR doesn’t apply only to services hosted in the EU, but any services handling the data of an EU citizen.

This is why some news outlets in the US just decided to block EU users all together, out of laziness.

IANAL, but the GDPR doesn’t cover pseudonymous data. Actually the GDPR encourages data processors (= services) to use pseudomization.

Personally identifiable information are IPs, email addresses, street address, name, date of birth, … Lemmy only collect IPs and email addresses. And these are not shared between instances.

Whether the service is hosted in the EU or not, as long as it serves EU users, lemmy should provide a way to delete emails and ip information in a self serving way. (maybe by deleting the account) In the mean time, instances admins have to fulfil requests to delete emails/ips of EU citizens from the database.