Edit: obligatory explanation (thanks mods for squaring me away)…
What you see via the UI isn’t “all that exists”. Unlike Reddit, where everything is a black box, there are a lot more eyeballs who can see “under the hood”. Any instance admin, proper or rogue, gets a ton of information that users won’t normally see. The attached example demonstrates that while users will only see upvote/downvote tallies, admins can see who actually performed those actions.
Edit: To clarify, not just YOUR instance admin gets this info. This is ANY instance admin across the Fediverse.
According to the GDPR an “organization” has to specify exactly who processes the user’s data (i.e. every instance in a federation — past and present), and everyone that processes that data must make it easy to make data/deletion requests, to that’s hopefully baked into Lemmy from the get-go because otherwise someone is going to find themselves in the middle of a GDPR nightmare sooner rather than later. It’s not enough to say in the privacy policy that “user data spreads to federated instances” or something to that effect.
And given that usernames are connected to the votes, I’m pretty sure that it does not comply with the GDPR to just say that it “will place this interaction in the user’s outbox and immediately deliver it on the user’s behalf to all”.
Edit: Added link.
deleted by creator
I don’t think email is a good example because you’re in complete control of who you send an email to. However, I’m not in control of who Lemmy sends my voting data to (because I don’t control who a given instance is federated with), but GDPR grants me the right to know that.
You can easily check which instances your server is federated with in the footer of your server. If any of those external servers have subscriptions to the community you’re posting in, they will receive an update, so it’s safe to assume it’s being sent to all of them.
Problem is that it’s not historical. If a server was defederated yesterday, it doesn’t appear in that list. And again, GDPR takes this stuff seriously, and “look at the bottom” is not sufficient. It needs to specify what data goes where.