
Shutting Down Forum (GDPR) - spacebearmakes
https://discourse.drone.io/t/shutting-down-forum-gdpr/2297/13
======
DoreenMichele
I'm not really a fan of the GDPR. I don't think it really protects privacy. I
think it just uses the power of the EU, a fairly big and strong organization,
to intimidate the rest of the world to comply with laws that it really
shouldn't have legal jurisdiction to enforce globally. I think this is a scary
precedent to set that the biggest bully on the block can de facto enforce such
standards because the rest of the world is terrified of the consequences of
standing up to them.

Isn't this the sort of thing people accuse the US of? The rest of the world
makes ugly jokes about "Be careful what you say about the US or they might
come _liberate_ you too." The EU is now in the _protection_ racket. When the
mob says you should give us a few bucks because it would be a shame if
something happened to your business, people recognize that is not nice
behavior. But the EU can do the same on the web and some people laud it as a
good thing for individuals in the name of personal privacy.

If you want none of your personal info on the web, I have a suggestion: Don't
participate in forums, social media, etc.

(Yes, I am guilty of having this opinion without having actually read it. I
blogged previously about my opinion this would do bad things to forums. I am
shocked to see negative fallout happening so very soon.)

~~~
setquk
The GDPR exists because everyone has been a dick because they know they can
get away with it. By default the mentality is take take take. Now the business
models built on that are being trashed. If someone keeps burgling your house
they need to go to prison. Simple as. Time is up for this way of thinking.

It is not difficult to be compliant. Most people don’t bother because they are
drama queens or hiding what their business is really based on and the latter
is usually not ethical by any manner and deserve to be shoved off a cliff.

People will have to do some real innovation instead of selling off data and
working out how to attract people into a product that exists only to do that
really.

~~~
fiter
Saying that people need to be shoved off a cliff is not elevating your
position. In fact, these kind of statements are exactly what make me concerned
about regulations and laws. One has already made your mind up about a group of
people and now it's time to execute.

~~~
toomuchtodo
Such is the result of tech industry overreach. Had they adopted a more
moderate stance, people would not be calling for them to be pushed off the
proverbial cliff.

~~~
setquk
Yes the data gathering side of the tech industry is sounding like they’re
selling menthol cigarettes to sick people at this point.

------
codedokode
The owner says that he doesn't have time to review GDPR-related requests;
that's fine. But I wonder: if he received a US court order, would he treat
it the same way? What if he received a letter from NSA? A DMCA request? What
if someone posted something illegal on the forum, would he ignore that as
well?

It seems like he has no time only for legislation from EU.

~~~
ascorbic
Yes, this is really little different from shutting down a whole forum because
you received a single DMCA request. If anything it's even more of an
overreaction, because a DMCA request could be followed up by legal action,
whereas a data subject can't sue. All they can do is report you to the
regulator. The regulator is unlikely to do anything if it's a frivolous
request. Even if it's legitimate, their first action then would be to send a
warning.

~~~
fizx
DMCA is capped at what, $30k per violation? There are obvious ways to avoid
it, and the law has settled down.

GDPR is capped at $20+ million, no one knows what a typical fine looks like,
the law is much harder to read, and everyone is afraid to be made an example
of.

~~~
ascorbic
Its predecessor regulation capped fines at around $750k. Guess how many were
levied at or near the maximum? Zero. The only large fines were for serious,
deliberate abuses, such as a group maintaining a secret blacklist of
construction employees. This isn't like the massive fines from US regulators
on foreign companies. The rules say that fines should be proportionate to the
scale of the breach and the harm caused. The large fines are for serious,
deliberate, repeat offenders. It's also to stop a company like Google deciding
that they'd rather not comply, and treat a fine as a cost of business.

~~~
mseebach
When a new law is enacted, it's not prudent analysis to assume anything about
how it will be enforced based on the previous law, especially not when fines
were increased 25x - GDPR is _not_ a minor clarification of a few bits and
pieces, it's a whole new thing. The previous law was _specifically_ criticised
for having no teeth, and the new law has _specifically_ been highlighted for
its new teeth. Of course it's possible that regulators will just sit on their
hands, it's just not very likely.

The only reasonable assumption is that those new teeth will be tried out, and
whoever they will be tried out on first will have a bad time. Do not assume
that the first cases will be Google and Facebook, the regulators aren't stupid
enough to try their luck first on the two organisations that have spent the
most on being technically compliant, and have bottomless warchests to fight it.

~~~
ascorbic
That doesn't mean lawyer up or shut down at the first request. Of course you
should be prepared, by doing sensible things like having an up to date privacy
policy, and only keep the data that you need and that you have permission for.
However when it comes to compliance, if you get a request, be sensible. The
time to lawyer up is if you get a notice from the ICO, if you think it's
unreasonable and/or you don't think you can comply with it. I've dealt with
the ICO quite a bit, as I've appealed a few FOI requests, and they've always
been very reasonable, if a little overworked and slow to respond.

------
ashelmire
Could/should probably ignore GDPR requests if your business operations are
entirely US based, whether or not anyone from the EU uses your site. US
national sovereignty doesn't disappear because the EU says jump. We are not
bound by the laws of governments other than our own.

You can probably ignore them anyway if you aren't a big company. With millions
of these troll letters going around (and probably getting ignored), odds of
any corrective action against you seem very low.

In any case, the corrective demands of the EU give you time to comply after
they declare that you've violated something? Could probably wait for that
point even if you're in the EU.

~~~
infinitismal8
If you make money from EU users and are US based you need to be GDPR compliant
or they will target you through payment processors and ad networks.

If you don't make money from EU users and don't want to be GDPR compliant you
should probably just shut them off if you ever want to operate in the EU in
the future

~~~
briandear
So you admit that GDPR is really just a trade barrier.

~~~
adventured
GDPR - the core of it - is about privacy, it's an increment on prior laws in
EU countries. It's also in part a response to the data hungry US tech
companies, without question.

The 4% of worldwide revenue fine potential is exclusively targeted at the US
tech giants. By my last count, the US has roughly 100 tech companies worth
over $10 billion each (with trillions of dollars in worldwide revenue). Nobody
taxes revenue, that's about the most moronic thing you can possibly do -
unless you're doing it to try to harm / punish companies. Very few EU tech
companies have meaningful worldwide revenue to tax.

~~~
icebraining
Of course they're trying to harm companies when they fine them. That's
implicit in the term "fine".

They target revenue because otherwise companies will just use Hollywood
accounting to declare they make 0% profit, they just pay huge licensing fees
to some Cayman Islands company.

------
Animats
I just sent a GDPR letter to a company in the UK, which is still part of the
EU. I have one of their Android phones, and it came with a non-removable app.
It appeared to just be a bookmark. One day that app woke up and sent me a
notification asking me to visit a web site, which led to a SurveyMonkey form.

So I sent the company a letter asking what data they have on me. It's going to
be interesting to see what happens.

~~~
TekMol

> It's going to be interesting to see what happens.

My bet: Nothing.

~~~
orf
From the several requests I've made already, that seems unlikely.

~~~
TekMol
Can you give an example, whom you sent a request and what you got in return?

------
notacoward
From the prototype letter:

"I am a customer of yours."

Not until you pay me, you're not. Yes, Mr. Well Actually, I know that the law
says otherwise, and that's exactly why the law is FUBAR.

~~~
raziel2p
Are you implying that free services like Facebook should be exempt from
privacy laws like GDPR?

~~~
merb
Well if you know that Facebook is bad, why did people even register in the
first place? Or put their whole life onto it?

It's ok if the privacy law only went against stuff like analytics or horrible
Facebook buttons that even collected stuff from people who clearly weren't
users. i.e. tracking especially tracking outside their "domain"

However GDPR goes against all and anything. I mean if I go to a supermarket I
can't just tell the supermarket owner to shut down all his cameras until I
leave the store, he would basically just kick me off his market (which
actually is his right in the EU). However the EU somehow made a solution that
actually even goes against their own market principles just to have extreme
amount of Privacy in the internet (only in the internet, their own
institutions can still collect data, i.e. in Germany the ARD has tons of data
about everybody) and this is my problem with the GDPR, it's a law from people
who actually just want to hurt the big US internet companies. The law also was
made by a lot of people without any clear technical background (there were
some, but they were a minority)

~~~
DanBC
GDPR isn't limited to the Internet. It includes most automated processing.

[https://gdpr-info.eu/art-2-gdpr/](https://gdpr-info.eu/art-2-gdpr/)

> This Regulation applies to the processing of personal data wholly or partly
> by automated means and to the processing other than by automated means of
> personal data which form part of a filing system or are intended to form
> part of a filing system.

------
marenkay
Considering GDPR is actually a thing from 2016, and 25th May only marked the
day from which on it would actively be enforced... that kind of comes late.

What I wonder: this is an Open Source project, so why not ask the community
for help instead?

Being a long-time (very happy) Drone user, I would have happily helped to
produce the necessary documents for the project if that had been asked before
the final deadline.

Well, probably would even do that now.

------
drcode
I don't know why all these websites are shutting down due to GDPR when all you
have to do is hire a competent law firm with GDPR compliance expertise to
review your software and help you determine if any parts need to change to
become compliant and also help you address any GDPR requests.

</sarcasm>

~~~
DoreenMichele
_In its majestic equality, the law forbids rich and poor alike to sleep under
bridges, beg in the streets and steal loaves of bread or violate the GDPR._

-- Anatole France (I might have edited that quote slightly)

~~~
etatoby
OMG this is perfect! I'm so stealing this quote. It applies to so much it's
scary.

~~~
lovemenot
But in this context it really doesn't work well as an analogy.

Few rich people have any inclination to sleep rough, whereas many wealthy tech
companies have been happily selling their users' data as the law allowed it.

~~~
drcode
The idea is large companies can afford the compliance costs.

~~~
DoreenMichele
The idea is large companies can steal many loaves of bread and get away with
it on a technicality because they have the resources to comply with the letter
of the law while pissing on its spirit.

Only little people would steal a crust of bread for their supper. The rich
generally commit bigger crimes.

------
hjek
Well, if the owner of the forum is receiving requests e.g. to delete accounts
or to disclose what data is recorded about someone, why not just comply with
the request? What's the big deal?

~~~
xori
If I ran a forum for a number of years, and a person decided to close their
account, that'd be fine. But if they then said that I need to remove _all of
their posts_, that's really shitty.

It would destroy the usefulness of a forum.

~~~
weberc2
How does GDPR affect people in other countries with no interest in doing
business in Europe? If I host a forum in the US and you ask me to remove your
posts and I tell you where to stick it, what legal consequences might I face?

Erm, asking for a friend.

~~~
amyjess
As much as I dislike Donald Trump, I am willing to hold my nose here and
suggest encouraging the Trump Administration to go full MAGA and direct
Congress to pass laws explicitly stating that no foreign judgements or fines
may be enforced on US citizens.

~~~
michaelsjoeberg
boom.

1000% increase in foreigners moving/ starting technology companies in the US.

seriously tho. great idea.

------
qwerty456127
How can it be hard for a forum to comply to GDPR? What kind of private
information does it really need to save?

~~~
tephra
I'm a European that supports the GDPR but here's my take on the issue in the
post.

I don't think it would be hard for the person in the post to comply, it would
just be time consuming. Say for example that a user requests a data
transcript. Well he will have to collect all the posts etc from that user and
send it somehow. Now this is probably just a simple SQL query but it takes a
bit of time, time that many people don't have.

Another issue seems to be that he is afraid of repercussions and is
conditioned in the US system where everyone seems to be suing everyone all the
time.

~~~
jopsen
On HN I can go to my user profile and see all comments/posts I've made. And I
can delete them all.

I strongly suspect this is sufficient. Maybe it would be ideal to offer a "delete
account" and "download account" button.

But there is no reason you should be processing letters from people.

I'm not even sure you need to offer removal of public information. But
allowing deletions of accounts is hardly controversial.

~~~
ItsMe000001
> _And I can delete them all._

How? I can only delete for a small amount of time after posting. I cannot
delete any of my past comments. If there is an option to remove old(er)
comments I would sure like to know about it, seems to be hidden pretty well.

------
scaryclam
I'm a little confused. _Who_ is sending compliance requests? If it's not the
ICO, there's really no problem. If it is the ICO, ask what needs to change. No
lawyers required.

~~~
danShumway
> No lawyers required.

Phrases like this just sound weird to me. If there's a risk that someone could
sue you over something, from a business perspective I have always been taught
that you avoid it, period, until you get a lawyer.

I wonder if this is a cultural difference between the US and EU? Might explain
some of the different reactions people have had to the legislation.

~~~
Sir_Substance
> If there's a risk that someone could sue you over something, from a business
> perspective I have always been taught that you avoid it, period, until you get
> a lawyer.

Bad news: If you have a business, people can attempt to sue your business for
whatever they want, and you might have to defend against it. There is nothing
on the books that says lawsuits have to be reasonable before they can be
filed, only that people who abuse the legal system get punished AFTER a court
decides they're a moron.

~~~
tatersolid
Judges in the US routinely dismiss frivolous cases[1] with prejudice.

And in fact even filing a frivolous case can result in fines or jail time for
contempt.

So no, you can’t in practice sue someone for anything.

[1]:
[https://en.m.wikipedia.org/wiki/Frivolous_litigation](https://en.m.wikipedia.org/wiki/Frivolous_litigation)

------
bovermyer
The GDPR seems to me to be just another example of nontechnical authorities
trying to regulate what they don't understand.

Why don't more technical people become politicians, or at least form lobbying
groups or think tanks?

~~~
DanBC
The response to the GDPR seems to me to be a bunch of people who fundamentally
misunderstand how law works, especially in Europe, and who have a pathological
relationship to regulators because their own legal system is fucked beyond all
recognition.

GDPR requires you to only gather the data you need; only keep it for as long
as you need it; tell people what you're doing with it; and allow them to
correct it if it's wrong. How is that too hard?

~~~
Matticus_Rex
... and document every instance of processing, as well as the legal basis for
processing for each use of each piece of data, and how you decided that legal
basis (and if you used "legitimate interest," you need to do a LIA -- the
template I use is several pages _before_ you enter the information). Then you
have to negotiate different DPA terms with a dozen clients whose privacy
lawyers told them they each need a different term because we privacy
professionals still have no idea what parts of this law mean. Oh, and then you
have to handhold customers who think they know more about privacy law than you
do because they read a 500-word rundown of the GDPR, because if you don't
nicely convince them they're wrong, they'll make a complaint.

There's plenty more, but you get the idea. Anyone who says implementing this
law is simple isn't implementing this law in a business of normal size and
complication.

~~~
DanBC
> and document every instance of processing, as well as the legal basis for
> processing for each use of each piece of data, and how you decided that
> legal basis

But only if that's proportionate.

[https://gdpr-info.eu/art-24-gdpr/](https://gdpr-info.eu/art-24-gdpr/)

> Taking into account the nature, scope, context and purposes of processing as
> well as the risks of varying likelihood and severity for the rights and
> freedoms of natural persons, the controller shall implement appropriate
> technical and organisational measures to ensure and to be able to
> demonstrate that processing is performed in accordance with this Regulation.
> Those measures shall be reviewed and updated where necessary.

> Where proportionate in relation to processing activities, the measures
> referred to in paragraph 1 shall include the implementation of appropriate
> data protection policies by the controller.

~~~
Matticus_Rex
The bar for that is very, very low given the guidance we've received from the
supervisory authorities, so that doesn't really minimize my point. An
incredibly small number of businesses would be able to argue that this doesn't
apply to them.

------
mark_l_watson
I have a contrarian opinion to much I am reading here. Until a few weeks ago,
I hosted my own web site and used blogger to host my blog on a subdomain. With
huge reluctance I disabled comments, and then when Google’s patches for GDPR
compliance didn’t work for me, I converted my 2000+ blog posts from the last
20 years to Jekyll and now host as part of my web site.

While it is nice to have total control, now I need to be using my laptop to
post new blog posts, and I miss having readers comment. I also feel badly that
the interesting things that readers have posted are lost to the Internet.

Even with all that, as a US citizen, I approve of GDPR and I wish it were
universal. As much as I miss user comments, I am fortunate to have many
readers engage with me directly via email discussions.

~~~
DanBC
Was your blog personal? Or was it commercial?

If it was personal the GDPR doesn't apply.

~~~
mark_l_watson
Well, what is a personal blog? My blog was mostly fun tech stuff, but it
attracts dev business. So, I would say it is a commercial blog.

------
clon
Guy shuts down forum, goes through the nightmare letter dissecting each part
as "good question" or "you should have this already" or "easy one". So what
was his issue anyway?

~~~
raziel2p
He points out that he's dealing with several of these requests. Even if you're
doing everything correctly in terms of privacy etc., responding to these
requests can still be time consuming.

~~~
DanBC
How is "read the privacy policy, then click this link to get all your data"
time consuming?

------
tobyhinloopen
I've been sending all kinds of companies a request of my data. Everyone that
keeps sending me mails without me knowing why, I just sent them a nice request
to give me a copy of my data.

After that, I request them to delete it all :)

------
zerostar07
He's still obliged to respond to that letter. Can't hide like this.

(guys, I'm being sarcastic)

~~~
duxup
Do you think if the complaint went to a government official in the EU they
would throw down the hammer on a site that was up for all of a couple days in
GDPR time?

I have my doubts.

I've got a handful of sites (ultimately for portfolio / coding practice type
stuff) out there. Honestly it wouldn't take me too much to respond to
someone's letter considering the simplicity of the site(s), not that anyone
uses them.

I also really wouldn't expect any EU official to throw down the hammer on me.
Personally I wouldn't panic, and I'd at least wait for the EU official to
weigh in before panicking.

~~~
zerostar07
No, but it is more than enough to scare people. Doing a project that makes you
zero or very small amounts of money does not justify any risk-taking, and
certainly nobody wants to go into the trouble of sending emails to various DPA
people in Europe if the need arises. This kind of treatment should be reserved
for large companies or specific uses of private data. In addition, the
approach of the law "guilty until proven innocent" is hugely off-putting.

------
ggg9990
Goes to show that when an industry does not self-regulate, it gets over-
regulated, which often disproportionately benefits incumbents, which
incentivizes future lack of self regulation.

~~~
adventured
Not exactly. GDPR only applies to the EU. China isn't going to rewrite its
laws to make the EU happy and mirror GDPR, neither is the US.

It's more accurate to say that when an industry doesn't self-regulate, the EU
over-regulates and shoots themselves in the face. The US and China will race
even further out ahead accordingly.

In the US I can easily unleash a large user data hungry AI at will,
experimenting all day long with anything and everything I can come up with. I
can screw with people's data in countless ways, without their permission.
While this haven exists, I can rapidly learn and come up with technology and
services that tech companies in the EU can't risk attempting and won't bother
to contemplate.

To the point: you can still push every edge of the AI revolution in the US and
China, to see what's there. That revolution is heavily built on user data. In
the EU, you're in a straight-jacket at the very beginning of the revolution
(one that is guaranteed to only get tighter), many years before we've even
seriously begun experimenting with the fertile soil. They're fucked, the world
will be dominated by AI that comes out of either the US or China, or both.

~~~
lovemenot
GDPR does not restrict EU companies' activities in less regulated markets.
They are still just as free to abuse the privacy of users in USA as are their
competitors overseas.

Your anxiety appears to be about American AI companies' competitiveness in the
face of even worse abuse of users' privacy in China than in USA.

In a race to the bottom do you really want to be the winner, no matter what?

~~~
detaro
[https://gdpr-info.eu/art-3-gdpr/](https://gdpr-info.eu/art-3-gdpr/)

> _This Regulation applies to the processing of personal data in the context
> of the activities of an establishment of a controller or a processor in the
> Union, regardless of whether the processing takes place in the Union or
> not._

------
casperb
The GDPR does not apply if it is for personal use or for a hobby only. I don’t
know how the structure of this forum is set up, but this can be a good reason
to run such forums on your personal name.

~~~
evfanknitram
Where is the exception for hobby projects specified?

~~~
casperb
Article 2, section 2(c) exempts processing of personal data “by a natural
person in the course of a purely personal or household activity”.

[http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELE...](http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN)

------
qwerty456127
By the way, what I really love about GDPR is that now I finally can disallow a
website to log and analyze my behaviour to provide any kind of
"personalisation" they want and still use it. It's just so great they can't
say "agree or go away" any more.

I thought it was going to be another stupid thing like a "cookie law" (which,
I hope, is going to be canceled now as we've got the GDPR), the recent US
FOSTA or a "store all my data in my country on a government-certified server
with a police backdoor" law but fortunately it absolutely is not.

I really hope non-EU countries are going to clone this law, it seems to be the
second (the first being the US net neutrality policy) law I love.

------
lanevorockz
The EU is already targeting Open Source in the new legislation. We should
start making a stronger case for the internet while we still have it. The
Pirate Party tends to be the best resource for the support, they organise
petitions and have elected officials in the Parliament.

------
drivingmenuts
The thing I have to wonder is who did this and more importantly, why?

If you're a startup competing against an open-source project, then this is
potentially a great (not good) way to get a leg up. You get the benefit of
access to the code until you don't need it anymore, then get the project shut
down and reap the benefit of being the last man standing.

Sure, you might eventually run up against the license on the software you just
lifted, but open-source projects can't afford the same protections that a
well-funded startup has.

And if you somehow get sued for license violations, the penalties are usually
more a slap on the wrist than an effective notice to knock that shit off.

I really hate the way my mind works some days.

~~~
zerostar07
> If you're a startup competing against an open-source project

Doesn't have to be a startup. I expect many small businesses will use it to
damage competitors. It's not like it's unheard of.

------
bigbugbag
I wonder if the drone.io guy has read the link he provides to the end of it:

> So, there you go, that should take the sting out of answering the
> ‘nightmare letter’, even if not all the questions are appropriate (or
> appropriately worded) you can answer the bulk of them in relatively short
> order and with automation you can take the sting out. If this is the worst you
> can expect under the GDPR then that’s not so bad, and the effect might
> actually be positive:
>
> - we get to know about a lot of undisclosed breaches
> - it will be clear who has their house in order and who hasn’t
> - if you don’t have your house in order just answering the letter will help
>   you to get there

------
duxup
It's really hard to know what exactly was asked of him by the letter and by
whom. I get the nightmare letter scenario but is that the exact request he
got?

Can he not extract all that user's data and delete if that is what is being
requested?

~~~
TACIXAT
This was linked to in the post: [https://jacquesmattheij.com/so-your-start-up-receive-the-nig...](https://jacquesmattheij.com/so-your-start-up-receive-the-nightmare-gdpr-letter)

It is a request for a lot of information.

~~~
duxup
Yeah I'm familiar with that. I was wondering if that was the exact request.
It's not clear to me that the dude got that exact request.

It's also not clear to me that anyone getting that letter must do what that
letter says to the letter else face consequences. We haven't seen that
situation tested yet (although I can get why someone might not want to test it
themselves) all we've seen are letters being sent from individuals to
individuals. Now how any enforcement would actually play out IRL.

~~~
zerostar07
Who wants to be a guinea pig for lawyers? what fun!

~~~
ascorbic
It wouldn't be lawyers unless it got a lot further down the line and went to
tribunal. It would be the ICO (or equivalent), which is the regulator.

------
technologia
Well that sucks, I wonder if this means other discourse instances might be hit
with the same GDPR letters? There'll probably be someone who has (or will
have) forked discourse to make these changes.

~~~
uptown
How does Discourse factor into this? From my read of this, it doesn't seem to
be specific to the fact that he's using Discourse.

~~~
technologia
I thought he was using Discourse for his forum? It's not like I'm taking a shot
at Discourse, I was just saying that it might be worthwhile to tack on an
export function that is user facing to mitigate the onslaught of requests.

[edit]: @jcastro, I totally didn't realize that was already there, my bad.

~~~
jcastro
Not sure what version this was added to but Discourse has an export button
that individual users can use from their profile page.

------
simlevesque
Does he have any proof that the person is a troll? From what I read he just
assumes it.

~~~
spacebearmakes
When you receive a request that is titled the "Nightmare letter" [1] it is
hard to assume otherwise.

1: [https://www.linkedin.com/pulse/nightmare-letter-subject-acce...](https://www.linkedin.com/pulse/nightmare-letter-subject-access-request-under-gdpr-karbaliotis/)

~~~
kyberias
I don't think the TITLE of the letter is literally "Nightmare letter". It's
the name of the letter that people copy and send.

------
RaleyField
Can't wait for future nightmare letters coming from Saudi Arabia when they
find moral indecency on my web site or China finding imperialist propaganda
that needs addressing. This will be used as a precedent for every other
control freak pushing their values onto us. What happened to free and open
internet?

~~~
jbob2000
This already happens. Russia sent notices to GitHub about certain documents
that were hosted there. China and Saudi Arabia just straight up block things
they don’t like.

~~~
RaleyField
Yea, but this emboldens them because they can now point to EU and say that
this is what normal countries do, long arm[0] people around.

[0] [https://en.wikipedia.org/wiki/Long-arm_jurisdiction](https://en.wikipedia.org/wiki/Long-arm_jurisdiction)

~~~
vbernat
Or US with DMCA requests.

------
lukebennett
Unless I’m missing something, shutting down the forum does precisely nothing
to limit GDPR liability as the main drone.io site itself has an account/login
area. Whilst it’s private beta currently, unless EU access is blocked, GDPR
liability will continue to apply to any personal data collected via that.

The only benefit here is that there’s one fewer system to keep track of when
it comes to tracking/deleting personal data - the need to respond to subject
access requests, right to be forgotten, form letters etc remains.

------
antaviana
Can you send a GDPR letter to a public body, for example, the Office for
National Statistics? Can you ask them to delete your data? Should they comply
or are they waived from GDPR compliance?

~~~
perlgeek
> Can you send a GDPR letter to a public body

I'm pretty sure you can.

> Can you send a GDPR letter to a public body

You can, for PII. One would hope they store their data anonymized.

> Should they comply or are they waived from GDPR compliance?

I think they'd need to make a pretty strong case for why they cannot anonymize
your data for their work to get an exception.

------
ledriveby
I operate a 150 person forum and I, too, am scared shitless of weaponized GDPR
harassment.

------
_pdp_
Overreaction as usual!

------
ggg9990
Is it legal to publish the name of the requestor? Name and shame?

~~~
pkaye
> The sad thing is that one email came from the co-founder of a Startup out of
> Germany.

They should definitely name and shame them.

~~~
netsharc
Having lived in Germany, "Co-founder of a Startup out of Germany" conjures up
the image of one of the many economics-degree-holding bros who strut around
and "network", bullshitting everyone (themselves included) that they're going
to be the next Zuckerberg.

Then again, my remote impression is that Silicon Valley isn't that much
different nowadays.

------
hyprCoin
Overbearing legislation applied by unelected representatives is being abused.
If only there were technical solutions provided with an assumption of goodwill
instead of 88 pages of mandates without such an assumption.

~~~
jimnotgym
Legislation is usually applied by unelected people. Judicial independence is
usually seen as a good thing. Perhaps you mean that the law was enacted by
unelected people, which is also incorrect of course? So now I don't see your
point at all?

~~~
hartator
The law has been proposed by the European Commission who is just nominated not
elected.

~~~
rndgermandude
The European Commission's members are sent there by the national governments.
Elect another parliament/government if you don't like who yours did send.

~~~
briandear
That’s like saying if you don’t like a police officer then elect a different
city council. Parliament members don’t campaign on who they’ll nominate to the
EU commission. Brexit can’t come fast enough.

~~~
synotna
Thank God for the Queen and the Lords eh?

------
jabn76
People asking to exercise their rights on their own private information are
not trolls.

~~~
xori
In this case, you are making work for a person that doesn't monetize the
platform you're using. It was a service that was offered in good faith, and is
now, because of this useless request, not going to be available.

Instead they are being forwarded to a service that _does_ monetize their
service.

~~~
jimnotgym
> now, because of this useless request

No, it is because of an overreaction to a request. If they are acting in good
faith then just reply.

~~~
oh_sigh
How many hours should this person put in to respond to the request?

~~~
DanBC
About 3 minutes.

"Here's the privacy policy. Here's the data export page."

~~~
infinitismal8
Haha data export page, what even is that? Let me just go to my SQL DB, redis,
glacier backups, and Kafka logs and just click the data export button. It will
only take 3 minutes.

~~~
ascorbic
There's a button to download the user's data on their profile page. You can
direct them to that. There's also a function to anonymise a user, which scrubs
records of IP addresses and usernames.

------
chvid
The EU could have sent a man to Mars with the money used on GDPR ...

------
transfire
Wow, look how easy it is to put the small Internet business out of business
now. Well played 9.9%.

------
bigbugbag
So basically drone.io is saying that discourse is not RGPD compliant and
reddit is better equipped to deal with RGPD requests so he's moving his
community discussion from a self hosted discourse to reddit.

Looks like a knee jerk reaction and missing the point that you can evade RGPD
by outsourcing to a third party, one can still send RGPD requests to drone.io
and owner is still responsible for answering those but now has to deal with
getting the relevant data from reddit.

~~~
zerostar07
No, he won't be. Reddit will.

------
Sir_Substance
I don't really see this as a GDPR troll. This guy is saying he can't manage
formal GDPR requests. He's running an internet forum for Christ's sake. We had
forums before we ever had tracking, and anonymous internet handles were
practically invented on forums. What's he doing exactly that he can't answer
GDPR requests with a simple "we don't collect personal information"?

Of course, he probably is collecting PII, because he's using discourse. But
since he says he doesn't have time to answer GDPR requests you can be pretty
sure he doesn't take the time to ensure his infrastructure hasn't been owned.
I'd wager he doesn't even know what PII the system he runs is collecting, so
how can he be securing it on his users' behalf?

It's totally reasonable for his users to ask how he's protecting their
personal data. If he wants to flip tables and storm out when they ask, that's
up to him. From my perspective, the system works. He wasn't making the effort
his users deserve to securely store their PII, and so now he isn't storing it
at all. No one had to sue anyone, no one had to go to court, and he made the
sensible decision to get out of the PII game he had no business being in.
Success if ever I heard it.

~~~
cm2012
Oh no, your email address (PII) might be compromised. How would you survive if
a competent hacker could find that?

~~~
Sir_Substance
[https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...](https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd)

