LemmyNet / lemmy

🐀 A link aggregator and forum for the fediverse
https://join-lemmy.org
GNU Affero General Public License v3.0

GDPR Style User Data Export #4540

Open JojoRoro opened 6 months ago

JojoRoro commented 6 months ago

Requirements

Is your proposal related to a problem?

While a data import / export feature is being worked on, it would be good to have an export only feature for GDPR compliance reasons as well as user comfort.

Describe the solution you'd like.

There should be an API call that, upon user authentication and authorisation, exports all data to (multiple) CSV files. These could be zipped first. It would include all comments and posts with the relevant scores and replies as well as the data included in the already implemented user export option. "Private" messages and post images would most likely be exported to a separate folder in the archive. A rate limit should be applied to this request so that a user can only request this once every 24 hours and no more than, say, 5 per month.

Describe alternatives you've considered.

An alternative would be for the API request to include an email address. The request then gets made and queued up, so there are not multiple running at the same time. Once completed, the backend sends an email to the user with a download link. After, say, 7 days, the zip file gets deleted off of the server.

Additional context

This was discussed in the context of my home instance, feddit.ch, shutting down and there being no way to export my data natively.

Context: (archive.org)

Nutomic commented 6 months ago

You can already import/export your account data on the settings page. Comments, posts and private messages can be retrieved through the API, so I don't see why there should be a separate method to download them. It could easily be handled by an external tool like lasim.

dessalines commented 6 months ago

Paging through content via the API is less than ideal, and it won't be difficult to add this.

dullbananas commented 6 months ago

> Comments, posts and private messages can be retrieved through the API

Is that enough for GDPR compliance?

JojoRoro commented 6 months ago

It would certainly not make it fully compliant, as there are other issues to still solve (data processing objection and deletion are not automated, but an instance admin could manipulate the database manually), but according to my limited legal skills having a universal export button would, while making the user have even some advanced technical skills would not make Lemmy compliant with Article 20, the right to data portability (gdpr.eu)

https://gdpr.eu/checklist/#tab-4-1

Nutomic commented 6 months ago

Are public posts even considered as "personal data"? To do this properly it would be necessary to pay a lawyer to figure out how exactly GDPR would apply to Lemmy. If we rely on interpretations from amateurs those will most likely be wrong.

dullbananas commented 6 months ago

Consoom lawyers

Or just implement the darn feature either way because it reduces vendor lock-in

Nutomic commented 6 months ago

> Consoom lawyers

What do you mean? GDPR is a law so of course it needs to be interpreted by lawyers. And how can an open source project have any vendor lock-in?

dullbananas commented 6 months ago

I used "vendor lock-in" to refer to any inconvenience in using data outside of Lemmy. With libre software (when backend is included), there's a limit to how dangerous it can be. With Lemmy, I now think it's a negligible issue unless a third party export tool doesn't already exist. But GDPR compliance is important, and I think it's a bad idea to wait until we know for sure that it requires exporting of posts.

Also, maybe this is a frontend issue.

dessalines commented 6 months ago

I can work on this sometime soon. I'm just going to add a simple user data export. We can tweak it later if an actual GDPR lawyer shows up to help with compliance.

For the future, any GDPR compliance advice needs to come from a lawyer, not from random non-lawyers interpreting what they think is correct.