Dear EU server admins: If you at all consider a shutdown of your server, you *must* notify your users in advance.

    Anthropy
    wrote last edited by
    #1

    Dear EU server admins: If you at all consider a shutdown of your server, you *must* notify your users in advance.

    NOT doing so actually is a breach of GDPR, as a "Personal Data Breach" includes "unlawful destruction, loss, alteration, or unauthorized disclosure of personal data". https://gdpr-info.eu/art-32-gdpr/

    I wholly support everyone wanting to selfhost, but *before* you make a *public* instance, you absolutely need to consider these types of laws and how you're going to handle them.

    #selfhosting

      daughter of lilith :lilith_moon:
      wrote last edited by
      #2
      @anthropy this also doesn't apply only to EU server admins, but all admins who have members living in the EU

        Anthropy
        wrote last edited by
        #3

        If you are at risk of losing your server due to personal reasons, reach out to other admins, make public posts to try and preserve the data; I think it's fair to say we're all in this together, and many people are willing to help.

        I also want to tell people that, while things like GDPR may seem daunting, it really isn't impossible to selfhost a public server either, not everything applies to you, but you do need to take into account things like 'right to erasure' and privacy laws.

          Anthropy
          wrote last edited by
          #4

          "I have a server, how do I make it compliant?"

          Glad you asked!

          - Privacy Policy: State what you run, location, and that you don't sell data.

          - Contact: gdpr@ alias or webform for Art. 17 (erasure) requests. Can be completely manually handled.

          - Logs: Rotate/erase often. Don't hoard IPs.

          - VPS: Sign the "Data Processing Agreement" (DPA) in your dashboard. Usually 1 click.

          - Closing? Announce well in advance. Give users time to export/migrate.

          These are honestly the most important parts.

            Anthropy
            wrote last edited by
            #5

            It's important to note that *I am not a lawyer* and you should also do your own research in the topic, but as far as I can tell, this covers the important parts, and it's what I also implement myself (even though technically I don't have any true public services .. yet).

            I'm also writing up a blog post about this that will come later (I need to do a bunch more verification and find some practical examples and how I've implemented them).

            If you have any questions in the meantime, Please Do Ask

              Rengyr
              wrote last edited by
              #6

              @anthropy I am by no means a lawyer, so take my opinions with a large grain of salt.
              The article 32 is regarding "Security of processing" and I don't think deletion of server is considered processing of data. It's as well about risk assessment to define level of security you need (e.g. backups, encryption) and not forbidding anything.
              Other relevant point is article 33 (Notification of a personal data breach to the supervisory authority). You are not always required to notify about the personal data breach:
              "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons."

                zaire the insane anarchist
                wrote last edited by
                #7

                @anthropy (yeah but don’t bring up “government this laws that illegal that” unnecessarily when there’s better, substantially less statist arguments available like “don’t be an asshole”)

                  refraction :verified_transgender:
                  wrote last edited by
                  #8

                  @anthropy note that the GDPR doesn't just apply to servers hosted in the EU. only one of the data controller, data processor or data subject (that is a person using the service) needs to be located in the EU for it to take effect.
                  if you have users living in the EU you need to follow the GDPR.

                    Anthropy
                    wrote last edited by
                    #9

                    @das_robin That's a fair distinction, it seems you're right that Art. 32 is technically about "Security" (preventing accidents/attacks) rather than business continuity.

                    However, I'd still argue the notice requirement comes from art 5 ("Fairness") and 20 ("Data Portability").

                    I think if I delete a service overnight, I make it impossible for users to exercise their Right to Portability. To be "Fair" to the user, I have to give them a window to actually use those rights before the data vanishes.
