• 9bananas@feddit.org
    8 hours ago

    it does give online identifier as an example, that is true.

    but it does not say that this alone qualifies as personal data.

    it says that in combination with other data it can potentially be considered personal data.

    this is the part you refuse to accept: an example that is given under the qualifier “potentially” and with the condition “in combination with other data” means that a username alone does not necessarily qualify as personal data.

    a username linked to a phone number, for example, does qualify as personal data.

    did you give your phone number to lemmy.world when you registered? because i didn’t.

    and an email address is not necessarily personal data either.

    burner emails for example are specifically designed to not be identifying of a natural person. which means that, on its own, it does not qualify as personal data.

    same goes for cookies: the Fediverse stack cookies for example store things like your settings, locally. that’s not personal data. it’s only personal data when it’s used for tracking and contains identifying information. which these do not.

    you need a reasonable way to identify a natural person, and none of the examples you gave qualify for that.

    anything connected to your user account only qualifies as personal data, if your username can identify you in the first place.

    how is your username linked to your real name? because mine isn’t.

    or does it say “General_Effort” on your driver’s license?

    if you don’t use an email service that requires personal data to register, then your username is not personal data. (which Fediverse services can’t know for certain, so they have to assume that email addresses are personal data, even when they’re not)

    so it can be true that YOUR username is personal data, but that is not automatically true for every user. which is irrelevant for a data processor, but very relevant for the law.

    here is another explanation from the GDPR website that clarifies this important distinction:

    Personal data — Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.

    pseudonyms, like a username (which is a pseudonym by definition), ONLY qualify if it’s relatively easy to ID someone.

    which means it is explicitly NOT automatically personal data.

    the law text you like to quote so much says EXACTLY that!

    but just because “online identifier” is listed as an example for something that can potentially be considered personal data, you made the wrong conclusion that it is always personal data.

    it is not always personal data. it depends on what other data is linked to a username. and how exactly the user is stored and processed in the first place.

    i think where you make a massive mistake is this part here:

    a user is typically a natural person.

    “typically” means “not always”.

    and you are confused about the difference between a user being associated with a username from their own perspective and that user being identifiable by a third party by their username.

    those are two different things.

    you overgeneralize all of the GDPR, when the law really has to be considered on a case-by-case basis (meaning platform by platform, in the context of the article), which is the intended way the law works.

    for an example of a username that is definitely NOT personal data, we can look at signal accounts:

    signal requires a username to register for the service…and that’s all.

    since there is no other information that can be used to identify a natural person, and the username can be anything, that username is not considered personal data.

    only if a user ALSO registers their phone number, only then, does it become personal data under the GDPR.

    on top of that anonymization can turn personal data into non-personal data.

    an example of this is fingerprint data used to unlock phones: those are commonly stored as hash values using one-way algorithms that cannot be used to reconstruct the original fingerprint. this process turns personal data into non-personal data.

    there is no confusion of copyright and GDPR on my part. that was you, when you brought up comments as an example of personal data, which is of course nonsense.

    on top of everything you still haven’t provided an expansion of how exactly the ruling in the article relates to the Fediverse at all.

    the ruling is about ad-tracking, which the Fediverse doesn’t use in the first place.

    • General_Effort@lemmy.world
      5 hours ago

      I still don’t get where all this disinformation comes from. What do you mean by “the GDPR website”? Are you under the impression that the linked website is somehow official? Even so, the information seems solid and shouldn’t give you these ideas.

      • 9bananas@feddit.org
        3 hours ago

        no, the gdpr.eu website is not the official website of the EDPB, that’s this one here.

        the gdpr.eu website is maintained by the proton foundation, which is why it is, as you correctly recognized, a good resource for practical information about the GDPR.

        “these ideas” boil down to “it always depends on the context”.

        that’s exactly the point you keep missing: the GDPR cannot be generalized to make blanket statements like “usernames are always personal data” <— this is a false statement.

        and this is by design!

        it’s supposed to be contextual!

        usernames are potentially, sometimes, even often personal data, but the law very specifically says that this is NOT always the case.

        that’s what the excerpt you quoted says: that these sorts of data are commonly considered personal data. whether or not something is personal data depends on the connected data.

        with some, very limited, exceptions. for example: full names and addresses. those are actually always personal data.

        the strange idea here is assuming that the GDPR allows anyone to make blanket statements without context.

        also: STILL no explanation how anything in the article in any way relates to Fediverse services being somehow “illegal”?

        how did you go from an article about “ad-tracking is illegal” to “the Fediverse is illegal”??

        that’s an Olympic level leap in mental gymnastics!