Discovery data sharing and privacy policies

[oneiros]

We recognized early on that at least some FASP will need to receive PII from fediverse servers and that this will need to be as transparent as possible. As under GDPR this must become part of the fediverse server's privacy policy, we went so far as to require the specifications to include this information (see https://github.com/mastodon/fediverse_auxiliary_service_provider_specifications/blob/main/general/v0.1/provider_specifications.md#privacy-policy-information).

I fully expected the discovery provider specifications to be the first instance where this would become necessary. But then we decided on a concept that was slightly different from my initial expectation: In our current proposal fediverse servers only share URIs of content/accounts with FASP. FASP then need to fetch the actual content or account information themselves.

I am pretty confident that URIs are not PII. But that means I have absolutely no idea what to put into the specification regarding privacy policies 😦

(See also this discussion: #36 (comment))

Any ideas or help would be really appreciated.

[ThisIsMissEm]

In this case, whilst the Fediverse server isn't directly sending PII to the FASP, the FASP may be requesting it based on the URIs sent, therefore the FASP would be processing PII. At least, that's my assumption