
Ask HN: Does HN respect the GDPR? - vgf
Specifically, does HN/Y Combinator plan to allow contributors from the EU to request their contributed content to be deleted after May 25?

Note that they currently do not allow bulk deletes of one contributor's messages, "as that would wreck havoc in the discussion threads".

Basically you can ask nicely to delete some few posts, but if you want to delete all of your contributions you will get a no. This is at odds with the GDPR.
======
cedsav
I'm not a lawyer, but HN is not established (AFAIK) in the EU, and while it
has EU users, it likely does not meet the threshold of actively offering goods
or services to EU residents. Being accessible from the EU in itself isn't
sufficient to trigger the GDPR.

~~~
huac
my understanding is that these conditions apply to people in the EU, i.e. that
EU residents must be able to delete their content from HN (but HN has no
obligation to non-EU residents)

~~~
akerl_
How would EU law compel a non-EU entity to delete content based on the
residency of the user?

As an example of the opposite state, where this does definitely apply: Tarsnap
complies with Canadian law around collecting names/addresses for users who are
located in Canada, because Tarsnap is operated as a Canadian business. But if
Tarsnap were located in the US, it would not be responsible for collecting
that information from Canadian users.

~~~
nabla9
> How would EU law compel a non-EU entity

Because the US and EU have signed agreements to that effect. It's the price the US
must pay for the EU to allow American internet companies to serve EU customers.

It obviously applies to any company with direct business operations in any one
of the 28 member states of the EU. But a financial transaction is not necessary
for the extended scope of the law to kick in. Collecting personal data from EU
citizens is enough.

~~~
akerl_
Which agreement between the US and EU mandates this?

~~~
nabla9
EU-U.S. and Swiss-U.S. Privacy Shield Framework.

It came to effect 2016 and replaced the Safe Harbor agreement.

~~~
akerl_
"While joining the Privacy Shield is voluntary, once an eligible organization
makes the public commitment to comply with the Framework’s requirements, the
commitment will become enforceable under U.S. law."

From [https://www.privacyshield.gov/Program-Overview](https://www.privacyshield.gov/Program-Overview)

~~~
nabla9
U.S. companies have the option to either do legally binding self-certifications or
outside compliance reviews.

If they don't do that, they have no authority to collect data from EU citizens
(no user accounts or customers from the EU).

------
idbehold
What happens when I ask Google to go through everyone's gmail inbox and remove
my information and all emails I've sent?

~~~
cedsav
Interesting question. Google might argue you should direct your request to
those individuals you emailed to. Google storing the emails doesn't
necessarily mean that they're responsible for processing your deletion request
under the GDPR (or maybe it does, I'm just speculating).

~~~
idbehold
Google still makes available to its Gmail users the previous emails I've sent
to them.

~~~
cedsav
Yes, but the GDPR makes a distinction between data controllers and data
processors. The data controller is obligated to process your request, but
Google could argue they're just the data processor, and redirect you to the
users (again still speculating... not a lawyer)

------
davidjgraph
For me the question that a lot of people will be asking after 25th May, is
what happens if they don't?

I would bet on nothing. The GDPR is there to catch the worst offenders, the
other 99% of offenders will feel nothing.

~~~
mschuster91
> I would bet on nothing. The GDPR is there to catch the worst offenders, the
> other 99% of offenders will feel nothing.

No. The danger is that Internet goliaths will use the GDPR to intimidate or
even shut down smaller competitors. Think of patent trolls, just worse -
because the GDPR has really huge fines attached and is damn easy to get wrong
in implementations.

While the GDPR was intended to be beneficial to EU consumers, I fear it will
end up being most beneficial to lawyers.

~~~
dpwm
I'm interested in how you think this would work. As far as I can tell, the
enforcing authority for the country where the individual affected resides
would need to investigate. And frankly, where a smaller entity was playing
fast and loose with data, I would want the authorities to investigate.

For instance, in the UK the plan appears to be for the ICO to work with
companies and fine where there's a major breach and appropriate security
wasn't implemented.

Now, perhaps some individuals will band together and complain, but they do not
stand to gain from the enforcement in the same way that patent trolls do.

We're going from an era where companies can claim AES encrypted at rest and
AES encrypted over the wire whilst running an ancient stack full of
vulnerabilities and, above a certain scale, not even worry about it. I
personally have high hopes that the GDPR will at least make people running
companies like that worry a bit.

------
NicoJuicy
Or decouple the content from the username/email, GDPR approved, content is
still alive

~~~
vgf
They "do not support that". Agree that it would be a nice workaround. Should
also be technically trivial.

~~~
sctb
We're working on it.

~~~
vgf
For months now. That is not credible. Seems like you actually need legislation
as a deadline.

~~~
mziel
This is the case with most organisations. You have a finite amount of
resources and attention, therefore you need to prioritise.

Most GDPR chatter started picking up only in the last few months (of course
big orgs have been preparing for the May deadline for a while already).

------
peterkelly
I agree it would cause problems with the discussion threads, but a solution to
this would be for HN to substitute the username & message with "Removed due to
GDPR request" or similar.

------
RcouF1uZ4gsC
Maybe the easiest thing to do is for websites to place a banner saying that if you
are an EU citizen, you are not welcome or allowed to view the website and are
violating the terms of service.

~~~
jakeogh
Forced labor? Forced speech? Demanding others time without compensation? What
is Europe becoming?

------
JulienRbrt
I have never understood why HN does not do as Reddit does, replacing the
username with [deleted] or ghost.

------
emodendroket
Are they under any obligation to?

~~~
hprotagonist
_The regulation applies if the data controller, an organisation that collects
data from EU residents, or processor, an organisation that processes data on
behalf of data controller like cloud service providers or the data subject
(person) is based in the EU.

The regulation also applies to organisations based outside the EU if they
collect or process personal data of individuals located inside the EU.
According to the European Commission, "personal data is any information
relating to an individual, whether it relates to his or her private,
professional or public life. It can be anything from a name, a home address, a
photo, an email address, bank details, posts on social networking websites,
medical information, or a computer’s IP address."_

[https://en.wikipedia.org/wiki/General_Data_Protection_Regula...](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Scope)

~~~
icedchai
So all web sites (most, anyway) are subject to the GDPR because they may
record EU IP addresses in logs?

~~~
mschuster91
Yup, which is what makes GDPR so dangerous.

~~~
mindslight
Massachusetts is attempting to promulgate sales taxes on out of state Internet
purchases using similar logic applied to cookies [0]. It seems that all it
takes is nouns being put on these things, for that parasitic ambient authority
to attempt to jam itself in.

Having said that, as a USian, it seems like it's at least possible for EU
regulation to have its intended effects (/me glances at uUSB connectors on
everything). So, especially because I bear no responsibility for its
existence, I'm cautiously optimistic that the GDPR will do some good pushing
back against the surveillance industry, rather than simply being yet another
tool to strip individuals' freedoms away.

[0] Hey, maybe if it holds up in court, it will spur development and adoption
of browser-based nym management!

~~~
emodendroket
It seems a little different if we're talking about selling and shipping goods
to a territory.

~~~
mindslight
Per US federal law, retailers are only responsible for collecting a given
state's sales tax if they have a physical presence in that state. The legal
theory specifically relies on considering the cookie on the user's computer as
a physical presence in the state.

------
vgf
A particularly ugly thing happens if the HN mods for some good or bad reason
decide to ban an account: their contributions will be there forever, with no
ability to append explanations to previous posts.

This will after May 25 be illegal for services offered in the EU, but I kind
of think that the same courtesy should apply to non-europeans.

~~~
aaron-lebo
Not to devalue privacy (at all), but if the GDPR is so far reaching that
anonymous posts are expected to comply with this, that destroys much
discussion. Don't see why that's a reasonable expectation. That's no longer
private but public data.

If you contribute to public knowledge/discussion, then taking your ball and
going home leaves huge gaps in history, the same way you see [deleted]
throughout many Reddit threads.

Is the GDPR that far reaching?

~~~
vgf
The GDPR only cares about privacy, not quality of internet threads.

