as:Public received its first (and only) GDPR complaint in early February, and I published my reply followers-only. In the interest of transparency, and because there is no longer a strategic purpose to holding it back, here it is:
------
I am fairly confident that the GDPR does not apply to my personal project in the United States. This is mostly because the United States is not a member of the European Union, and I do not do business in the EU.
But let's say it was. The Regulation would still not apply to any personal data that the data subject themselves deliberately made public. Obvious examples of this would include social media posts with the "Public"/"Everyone" scope. This even applies to special classes of "sensitive" data, when they are "manifestly made public by the data subject" under Article 9(2)(e). Please also keep in mind that if the Regulation was meant to cover public social media posts, then the user's instance would, in theory, be unable to disseminate that information to other instances, or even to other people on the same instance, under Article 5(1)(f), Article 32(2), and Articles 44 through 46. Even in such a case, the user would have consented to the "processing" of the data by their instance, which would include the "disclosure by transmission, dissemination or otherwise making available" (Article 4(2)) of each individual public post. This explicit consent would be both at account creation (for profile information, etc.) and at the time each public post is published.
It is also unreasonable to expect that this consent would only apply to dissemination or transmission to specific people or servers/instances, in this context. On a social media website running Mastodon, for example, posts with the "Public" and "Unlisted" scopes can be "boosted" by their original recipients, or anybody who knows the URL of the post. This immediately causes the "booster's" server to disseminate or transmit the information to any number of further third-parties for processing. This is normal and expected behavior of Mastodon and most other social media platforms; Making users aware of this would be the responsibility of the processor/controller that the user initially provided the data (the post content) to.
As a side note, the only other data potentially covered by the Regulation would be visitor IP addresses and similar information that is stored in the httpd's access log. General provision 49 excludes the processing of personal data "to the extent strictly necessary and proportionate for the purposes of ensuring network and information security," which httpd logs are generally considered to qualify as.
Even if the data itself was covered under the GDPR, the Regulation still does not apply to this website. There is no "offering of goods and services" to EU residents, which is required for the Regulation to apply to a controller or processor not established in the Union under Article 3(2)(a), and general provision 23. Provision 23 also specifies that the "mere accessibility" of the website is "insufficient to ascertain such intention" to explicitly offer goods and services to EU residents.
Further, this website and the software it runs on is a personal project. General provision 18 excludes from the Regulation any processing of data "by a natural person in the course of a purely personal or household activity" that is not commercial. I'm allowed to have hobbies, too.
Finally, violations of the GDPR by firms in the United States are typically remedied by fines or other sanctions to their counterparts registered in one or more EU countries. Again, this website is a personal project, and there is no firm, here or in the EU, to impose sanctions against.
If someone living in the EU wanted to give it a shot, I'd say their best first step would be to lodge a formal complaint with a supervisory authority such as the European Data Protection Supervisor, as laid out in Article 77. Their complaint form is located at https://edps.europa.eu/complaints-wizard_en
As a practical matter, the as:Public software powering the website will, at some point, be released as open source software. Each user of the software would be responsible for their own compliance with any applicable laws and regulations. For most, I doubt the GDPR would be one of them.
I hope this settles the matter.
--r000t
076萌SNS is a social network, courtesy of 076. It runs on GNU social, version 2.0.2-beta0, available under the GNU Affero General Public License.
All 076萌SNS content and data are available under the Creative Commons Attribution 3.0 license.