
Ask HN: Will my comments/topics on HN be deletable under the GDPR law? - ggregoire
Right now we can&#x27;t delete anything.
======
majewsky
I think the more interesting question is: Will my comments on HN be deletable
_on archive.org_ under the GDPR law?

~~~
gus_massa
> _I think the more interesting question is: Will my comments on HN be
> deletable on archive.org under the GDPR law?_

And what happens if someone quotes my comment?

------
venning
Questions I've had about this:

How does the allowance of comment/submission deletion affect HN being
perceived as a "permanent record"? I've always found this aspect of HN to be
important to me.

If comments can be deleted selectively, what effect does that have on the
permanent record? How many users would be tempted to write something they
don't want recorded permanently simply to judge responses before they delete
the comment later? (As opposed to requiring that all comments for a user be
deleted together, which would likely discourage deletion to remove specific
comments.)

Would this give rise to third-party "comment recovery" services that scrape
something like archive.org (assuming it is less affected by the GDPR) or
maintain their own records to piece together comment threads with deleted
comments? Similar to services that archive tweets that might get deleted.

~~~
krapp
>How does the allowance of comment/submission deletion affect HN being
perceived as a "permanent record"?

Has Hacker News ever presented itself as a service that maintains permanent
records for archival sake, or merely one that chooses not to delete comments?
I don't think they have an obligation to serve a purpose they never intended
to serve.

>How many users would be tempted to write something they don't want recorded
permanently simply to judge responses before they delete the comment later?

Users do that now - there is an edit and delete window for comments, it just
has a limit.

>Would this give rise to third-party "comment recovery" services that scrape
something like archive.org (assuming it is less affected by the GDPR) or
maintain their own records to piece together comment threads with deleted
comments?

Probably, such services exist for imageboards.

------
throwaway2016a
I'd be happy with just being able to redact my username (not this one). I was
stupid and registered originally with my real name in my username and I would
love to fix.

Alas, I'm not a EU citizen so even sites that do afford GDPR protection
probably won't respond to requests from me. Like Facebook [1].

[1] [https://techcrunch.com/2018/04/04/facebook-gdpr-wont-be-
univ...](https://techcrunch.com/2018/04/04/facebook-gdpr-wont-be-universal/)

------
lucideer
It may depend heavily on the content of the comment, but I would guess it
wouldn't constitute data _about_ you. Even your username is anonimisable _by_
you.

~~~
throwaway2016a
Username is only anonymized on initial signup. There is no way to anonymize a
username that already was set that I know of.

~~~
lucideer
ability to change username would be a nice feature

------
WilliamMayor
The right to erasure is not absolute, it only applies in certain
circumstances. Here's the UK ICO's advice on it: [https://ico.org.uk/for-
organisations/guide-to-the-general-da...](https://ico.org.uk/for-
organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-
rights/right-to-erasure/)

In the list of "When does the right to erasure apply?", I'm not sure which one
you would argue if you wanted to have your HN comments deleted.

1\. The data is still necessary for the original purpose

2\. HN doesn't rely on consent for this data (I don't think?)

3\. I think HN are using legitimate interests, so you could try to object to
the processing. I think HN could argue that their legitimate interests
override the objection?

4+ Don't apply

So the only one that might work would be point 3. IANAL but it is in HN
legitimate interests to keep the comment.

I'm not certain, it seems a bit woolly now I've written it down. It might
depend on the seriousness of your objection.

Overall though I think it's important to remember that the right isn't
absolute, you can't just have all your data deleted whenever you like. That's
not the point of the law.

------
mankash666
Maybe third time will be the charm. Most respondents here (including me) would
like GDPR applied to all companies as it protects end users.

However, US companies with no legal/corporate presence in the EU are ONLY
bound by US law.

Take the case of EFF vs Australian patent troll [1]. Though EFF was sued in
Australian court under Australian law, it didn't matter because EFF was an
American company.

This holds true, otherwise China could sue US media under Chinese law on the
pretext of said media being available within China via the Internet.

Similarly, for the EU to go after non EU corporate/legal entities, it'll need
to implement a GDPR firewall, much like China's great firewall. It simply
cannot push the onus of GDPR compliance on non EU entities with laws that it
can't apply on them

[1]: [https://www.eff.org/deeplinks/2017/11/court-rules-effs-
stupi...](https://www.eff.org/deeplinks/2017/11/court-rules-effs-stupid-
patent-month-post-protected-speech)

------
mankash666
All those confidently stating that GDPR applies to YC despite it not being a
EU registered corporation are guessing at best. None of this has been tested
in litigation by US courts.

If US companies (without a EU legal/corporate presence) are beholden to EU
law, then US companies are beholden the Chinese censorship laws

~~~
ggregoire
I have to repeat the same response I already gave you:

Makes no sense at all and the analogy with the Chinese censorship laws is
really bad (not sure why I'm reading this analogy again and again on HN). GDPR
holds on US businesses only for the EU users. If they don't have EU users they
don't have to care about the GDPR. US businesses can have different set of
rules for the US and EU market (that's what Facebook plans to do about the
GDPR). The GDPR doesn't apply for the US market and the US users. Also US
companies can limit their service to the US market if they don't agree with
the GDPR.

~~~
mankash666
I don't know why you confidently state these things as fact without presedence
in litigation in US courts. US companies today that do not differentiate and
demarcate their users based on location needn't start doing this, because the
internet has no boundaries, and EU laws on EU citizens do not hold or apply to
US companies that do not care for the location of the user within their
service.

Again - your opinions are just as valid as mine because there isn't a
precedent in US (federal) courts. Stop pretending like your 'opinion' is fact

~~~
nemoniac
Why do you think that US (federal) courts have anything to say about this?

It's an EU law governing companies holding data about EU citizens. It means
that EU courts can rule over the activity of such companies, whether the
companies come from the USA or elsewhere. Do you anticipate the EU wanting to
test the GDPR in a US court? That would be as strange as the US choosing to
test a US law in an EU court.

~~~
mankash666
Because US companies with no legal/corporate presence in the EU are ONLY bound
by US law.

Take the case of EFF vs Australian patent troll [1]. Though EFF was sued in
Australian court under Australian law, it didn't matter because EFF was an
American company.

[1]: [https://www.eff.org/deeplinks/2017/11/court-rules-effs-
stupi...](https://www.eff.org/deeplinks/2017/11/court-rules-effs-stupid-
patent-month-post-protected-speech)

~~~
jakobegger
You can‘t extrapolate from one court case.

We all agree that GDPR applies to companies that operate in the EU.

Beyond that, there‘s a big uncertainty. Time will tell how the GDPR will be
enforced with regard to companies that don‘t have a presence in the EU.

My guess is that smaller ventures (like HN) are going to fly under the Radar,
while bigger companies are going to comply.

------
dyu
HN may cite legitimate business interest and not oblige in deletion.

A more extreme example can be that when you perform a deletion, do you also
deep delete from logs and backups of logs? What if you need to keep them for
audit and forensic purposes?

Edit: citing legitimate business interest does not necessarily mean it will
succeed. Courts will have the final say. EU likely will not enforce smaller
entities so soon. We may need to see a few court decisions or better
guidelines before we get a better idea how to navigate through GDPR.

~~~
mankash666
GDPR rules do not apply to YC - a US company.

~~~
dyu
I thought the legal side would work in a similar fashion as EU-US Privacy
Shield?

~~~
mankash666
"While joining the Privacy Shield is voluntary, once an eligible organization
makes the public commitment to comply with the Framework’s requirements, the
commitment will become enforceable under U.S. law" from [1].

I'm not a lawyer, but it's fairly obvious that web services built in
accordance with the jurisdiction of incorporation take precedence, especially
when the software/service makes no customization to appeal to the EU. Maybe
one runs a blog with content critical of China, but since they're running said
blog as a US corp on US soil, China cannot apply it's laws on the said blog.

[1]: [https://www.privacyshield.gov/Program-
Overview](https://www.privacyshield.gov/Program-Overview)

------
cjbprime
The law isn't in effect yet.

But when it is, being able to delete comments by emailing the admins and
asking for them to be deleted sounds like it would be in compliance with the
law.

I don't know any specifics, but I expect they would probably do that for you
anyway, before the law, too.

~~~
unicornporn
> The law isn't in effect yet.

Sort of, kind of.

[http://dbsdata.co.uk/blog/gdpr-2018-deadline-red-
herring/](http://dbsdata.co.uk/blog/gdpr-2018-deadline-red-herring/)

------
trevyn
So what’s the deal with jurisdiction? YC is a US entity and GDPR is an EU law.

~~~
kiliankoe
It applies to all EU citizens, no matter where your operations are based. It
would make sense though for most companies to just treat everybody as an EU
citizen for GDPR. Unless apparently you're Facebook and don't want to...

~~~
trevyn
Ok, so I’m a US entity without EU presence and I violate EU law. Explain how
this would impact me?

~~~
cjbprime
Maybe they can't enforce against you now, but maybe you have investors and
they balk at an EU judgement against you, or maybe you plan to one day expand
to the EU and now you can't.

------
orf
I sense a lot of misplaced patriotism here, with many comments reeking of
almost outrage: "how dare the EU tell us what to do on _our_ soil! We are
Americans damnit, this makes us better than other people and allows us to
selectively ignore other laws!"

Well, the USA has been doing this to other countries for decades. Your failure
to self regulate the protection of the huge volumes of personal data you like
to collect plus your governments love to hoover this up has led to this. Deal
with it, and be glad that at least _someone_ is legislating this crazy
situation we find ourselves in.

~~~
sb8244
There's a spectrum and being on either extreme of it isn't good. We're going
to simultaneously find ourselves on both extremes and not central at all.

------
mankash666
Unless some subsidiary of YC is incorporated in the EU, none of the GDPR rules
affect YC (a US company).

Additionally, for emerging Saas companies it would be wise to avoid an EU
subsidiary, to lower the cost of GDPR compliance

~~~
Ninn
Categorily false. GDPR applies based on your users location, not the
website/buisness.

Please consider not stating things as facts that you havnt bothered to
research.

~~~
mankash666
And you are stating theories as facts. If GDPR holds on American businesses
with no legal presence in the EU, then Chinese censorship laws apply to us
companies outside China. Or do they?

~~~
ggregoire
Makes no sense at all and the analogy is really bad. GDPR holds on US
businesses only for the EU users. If they don't have EU users they don't have
to care about the GDPR. US businesses can have different set of rules for the
US and EU market (that's what Facebook plans to do about the GDPR). The GDPR
doesn't apply for the US market and the US users. Also US companies can limit
their service to the US market if they don't agree with the GDPR.

