
Ask HN: Co-founder wants to leave messaging startup because of GDPR - webish
We are building a messaging platform in a specific vertical which allows users to exchange text/photo and voice messages. We have hired a lawyer to write a privacy policy and terms of use but they have not been updated for GDPR yet. However, my (technical) co-founder thinks we are leaving ourselves open to litigation because of how our system is designed. When a message is deleted, only the user's access to the message is deleted. The message is preserved until all recipients have deleted it, at which time the full contents of the message are permanently deleted. This was done for efficiency, otherwise we would need to keep a full copy of each message for each recipient. To me this isn't much different from email: when you delete an email you only delete your copy, not other people's.

We are about a month from launch (we have both been working on it part time for 6 months) but my co-founder is having second thoughts. He doesn't want to spend the time and money to bring us into GDPR compliance. I have been learning to code and I feel I could maintain our current code but not redesign it all to comply with GDPR. I am hoping some more experienced startup folks can provide some advice about what I should do.
======
skrebbel
Of course I'm missing all kinds of key context, but going off of your
description I'd seriously consider letting him leave. Come up with some sort
of deal that you're both satisfied by - money, a loan, converting his shares
into non voting shares, whatever, but let him go.

I say this as the technical co-founder of an EU based messaging startup with
the vast majority of users and customers being subject to the GDPR. If your
co-founder finds a little bit of legislation to be so troublesome that he
wants to quit, then he's going to be worthless when things _actually_ get
difficult. Even if the worst case is true, in legal terms, and you decide that
you're forced to redesign the system to make the right to be forgotten (and
while I'm not a lawyer I really doubt that that is a sane explanation of the
GDPR), then it's just some refactoring work. It's not fundamental to the
design or business model of your app (you're a messaging app, not a "sell user
data app") - it's just an efficiency thing. If your co-founder can't even deal
with that, then I worry that he definitely can't deal with the emotional
rollercoaster that will start when you actually launch.

That said, and IANAL, but I really wouldn't sweat it. If you can run a custom
query to delete user data when requested then you're all good. Use that to see
how many right-to-be-forgotten requests you actually get and consider
automating things only after you know that it's going to pay off.

~~~
ralston
> Even if the worst case is true, in legal terms, and you decide that you're
> forced to redesign the system to make the right to be forgotten (and while
> I'm not a lawyer I really doubt that that is a sane explanation of the
> GDPR), then it's just some refactoring work. It's not fundamental to the
> design or business model of your app (you're a messaging app, not a "sell
> user data app")

Exactly. Unless the business model is built around collecting and reselling
user data, then (without any more context) it sounds like this should be a
(slight) refactor, not an entire redesign.

------
viraptor
I'm not a GDPR expert, so please confirm with your lawyers, but my reading of
[https://gdpr-info.eu/art-17-gdpr/](https://gdpr-info.eu/art-17-gdpr/) is that
you only need to remove the personal data, not old messages which still serve
a purpose (they're a part of communication channel). Specifically, none of the
grounds from point 1 apply:

a) data is still necessary (part of message chain)

b) consent wasn't necessary, the message was required for the messaging
component of the service

c) again, necessary processing is excluded

d) it wasn't unlawful

e) I'm assuming you're not in one of the member states and this doesn't apply

f) it's not related to child consent

If anyone disagrees here, I'd be really interested to know why.

(Sethammons is right though that the headers / metadata would be likely
covered)

~~~
jdietrich
Art.5(1)(e) says "Personal data shall be kept in a form which permits
identification of data subjects for no longer than is necessary for the
purposes for which the personal data are processed".

The messages themselves constitute personal data, as defined in art.4(1). Data
doesn't need to be tagged with someone's name, address and social security
number to be personal data - if you could even hypothetically identify someone
based on that data, then it's personal data. Even if the users of this service
never divulge any personal information about themselves in the content of
their messages under any circumstances, they could still be identified by
stylometry.

There's a reasonable argument that retention of old messages is a necessary
feature of the product, but I'd be strongly inclined to delete everything from
the servers as soon as it's delivered. Old messages stored on the user's
devices aren't your problem as long as your involvement in the processing of
those messages was lawful. I'd also be strongly inclined to implement end-to-
end encryption unless there's an overwhelming reason not to, because it adds a
valuable layer of protection for both you and your users.

[https://gdpr-info.eu/art-5-gdpr/](https://gdpr-info.eu/art-5-gdpr/)

[https://gdpr-info.eu/art-4-gdpr/](https://gdpr-info.eu/art-4-gdpr/)

~~~
everdev
I would follow other prominent players in the space. When I delete my tweets,
are those retweets and replies also deleted? When I delete my FB or Whatsapp
account, are my messages deleted from recipients accounts?

As a lean startup, I wouldn't pay my own lawyer to figure out what hundreds of
well paid lawyers have already decided.

You could write tech support for these companies and ask exactly how their
GDPR compliance works. I'm sure they'll be happy if not legally obligated to
tell you.

~~~
jdietrich
>I would follow other prominent players in the space.

Facebook can afford to play fast-and-loose with the rules. They have an army
of lawyers waiting to contest any ruling from a supervisory authority. They
have an army of developers ready to redesign their product if they're ordered
to do so. They have an army of DBAs and CSRs to manage deletion requests and
subject access requests.

If you're running a startup that collects and processes lots of personal data
and your resources are rather more limited than Facebook, it's sensible to
interpret the GDPR cautiously. The more data you collect and store, the
greater your potential liabilities. We're habituated to hoarding personal
data, because the cost of storage is effectively nil and it might be useful at
some point in the future. GDPR makes Schneier's argument that "data is a toxic
asset" into a business reality.

[https://www.schneier.com/blog/archives/2016/03/data_is_a_tox...](https://www.schneier.com/blog/archives/2016/03/data_is_a_toxic.html)

------
tripletao
Your co-founder's problem is that he thinks the GDPR is a law, in the sense of
"a document a judge can use to objectively determine whether an action is or
isn't lawful". The GDPR is a statement of general principles, with the
implication that if you behave more or less in that spirit then the regulators
won't go after you. If you are accustomed to the rule of law, then you won't
like the GDPR.

But you don't need the rule of law. Myanmar locked some Reuters reporters up
with no convincing legal basis; and yet I can visit the country with no
special fear that I'll get locked up, because I know more or less what their
government likes and dislikes, and I know that I'll stay well away from the
line. You can do that too. The EU obviously won't come after you for the email
deletion issue, just as Myanmar obviously won't lock up a visiting businessman
who sticks to business--there are too many easier targets.

Your lawyers can't help you, because this isn't law. They'll just say "it
depends", because that's all the text of the law allows them to say.
(Although, I do enjoy watching people who seem to be general proponents of the
GDPR confidently take contradictory positions here.) I seem to be the only one
who think this degradation of the rule of law--from the EU, a region that
basically invented the concept--is bad; but even I agree that it's no major
obstacle to doing business.

~~~
skybrian
I think you've nearly defined "law" out of existence? Law doesn't work like
math or computer code. It's always subject to interpretation and lawyers will
generally give you advice about what to expect based on experience, not
guarantees.

There are some areas more settled than others, but this is a continuum, not a
crisp boundary.

~~~
repolfx
That's true but a part of the general political tension between parties is, at
least in theory, to what extent law is interpreted by judges vs written by
politicians.

The theory is that laws should be written by politicians and merely applied to
specific cases by judges, because politicians are accountable and judges are
not.

When you have laws that state virtually nothing and rely entirely on
interpretation, that's the same thing as moving power away from elected
political bodies and into unaccountable elites. This is, not coincidentally,
exactly what the entire EU project seems to be constantly engaged in, so it's
perhaps no surprise that the EU particularly enjoys passing vague laws that
move power away from national politicians and towards the Commission and ECJ
(the ECJ judges are appointed by the same process that decides the makeup of
the Commission).

~~~
dragonwriter
> That's true but a part of the general political tension between parties is,
> at least in theory, to what extent law is interpreted by judges vs written
> by politicians.

In the US, at least, that's true in the rhetoric of one of the parties, but
the opposing party doesn't argue the opposite side, just argues that the side
that claims it is an issue is hypocritical in its rhetorical stance.

------
lmkg
The Right to Erasure is not absolute. A Right to Erasure request can be denied
if you can describe an "Overriding Legitimate Interest." This has to be
stronger than a regular legitimate interest that enables processing in the
first place, but it's possible. The specifics will definitely require a
lawyer, but I think it's possible to describe an overriding legitimate
interest that allows you to retain message contents.

Denying a request is not a simple yes/no. You can delete some data but not
others, or delete data under certain conditions but not others. The principle
of Data Minimization still applies to your overriding legitimate interest:
only retain the data that is strictly necessary for that specific interest,
which is likely less than the original data necessary.

Probably the trickiest issue is going to be "what if the user sent a message
that contains PII?"

~~~
nodesocket
Does the Right To Erase apply to archived backups? I.E. we delete an account,
but it still exists in database dumps backed up to S3.

~~~
repolfx
Nobody knows. Lawyers seem to split 50/50 on the issue, like everything else
GDPR related.

I think even asking questions like this is missing the point by now. See the
discussion above. The GDPR doesn't say if backups are OK or for how long. They
might be or might not be depending on whether a random EU official believes
your justification is "legitimate".

In other words, stay in the Commission's good books and you'll be fine. Take a
position the Commission doesn't like and suddenly your backups might not be so
legitimate after all.

------
jiveturkey
Short and sweet. Let him go. Founders and execs need to be able to weather the
storm (any storm, not just GDPR). This is regardless of whether you can
actually be compliant or not. Your co-founder is too risk averse, let him go.

that said, you need actual legal advice here. it doesn’t sound to me like your
current design can be compliant but you need expert counsel to decide. then if
the answer is no, are you prepared to change your design?

also, you have “been learning to code?”. no, you need to bring on an
experienced person if you want to deal with personal data. sorry, that’s table
stakes in 2018.

------
xstartup
In fact, you can pay customers of your competitors $100 to ask them to request
erasure of data from their competitor. Have fun!

~~~
jdalgetty
This is the sort of thing that worries me. Are we going to see a whole bunch
of GDPR trolls show up and try to extort businesses for money?

~~~
kasey_junk
One of the few things you _don't_ have to worry about with GDPR is private
firms trolling you.

The regulatory agencies are an open question...

~~~
repolfx
Private firms can't sue you for GDPR violations but they can encourage
customers to file requests that are expensive to deal with. It's not just
over-broad erasure requests, it's the right to get a data dump of everything
the company knows about you (this is like the worst case for big firms that
don't have joined up IT systems).

I doubt private firms actually _will_ engage in that sort of trolling though,
at least not at any volume. NGOs and activists on the other hand, I fully
expect that. They're always looking for ways to punish firms who they dislike.
Normally that's restricted to boycotts, in recent times they've experimented
with attacking advertisers for companies that rely on advertising ... GDPR
requests will likely become a new battleground.

------
ldjb
Are the messages stored on your own servers or on the users' own devices?

If they're on your servers, it should not be necessary to keep multiple copies
of the same message. You could make it so that if the sender deletes a
message, it is removed from the database and becomes inaccessible to
recipients.

If the messages are stored on users' own devices and not on your own servers,
then that is a different situation and is more like email.

~~~
webish
They are stored on our servers. The problem is, not all users will want the
message deleted just because one of the recipients does. This creates a
conflict with the GDPR's right to have information deleted. Recipient A might
want the message deleted but recipients B and C may not.

~~~
ldjb
Suppose you have a Message_Recipients table in your database with the
following columns: message_id, recipient_user_id, deleted.

If a particular message has three recipients, then it will have three entries
in this table. The 'deleted' column is a boolean that is initially false. But
when a recipient deletes their copy, 'deleted' becomes true and the message
will be hidden in the UI for that recipient only.

If it's the sender who is deleting the message, then just delete it in the
Messages table, and no one else will be able to view it.

~~~
webish
Our current implementation is similar to this, but if the sender deletes a
message, don't the recipients have a right to retain a message that was sent
to them? For their own records, I mean. This is what's causing the difficulty:
a sender's right to delete the message vs a recipient's right to keep copies
of messages sent to them.

~~~
jdietrich
_> don't the recipients have a right to retain a message that was sent to
them?_

No. There is no "right to retention" in the GDPR. Users have the right to
access any data you hold that relates to them (with some exceptions), but you
are under no obligation to retain data. GDPR requires you to do the exact
opposite - delete (or thoroughly anonymise) data as soon as possible.

Art.5(1)(e) says "Personal data shall be kept in a form which permits
identification of data subjects for _no longer than is necessary_ for the
purposes for which the personal data are processed". If you're aiming for
maximum GDPR compliance, it would be sensible to delete the messages from your
server as soon as they have been delivered to the recipients. You're a
messaging service, not an archival service; storing the messaging data or
metadata indefinitely is contrary to the principles of the GDPR and exposes
you to liability if that data is ever leaked.

I'd also question why you need plaintext access to user messages in the first
place. End-to-end encryption protects you and your users. If you can't access
the data, you can't inadvertently breach the GDPR.

[https://gdpr-info.eu/art-5-gdpr/](https://gdpr-info.eu/art-5-gdpr/)

~~~
jdietrich
Would any of the people who downvoted my comment like to explain their point
of disagreement? If you believe my statement to be factually wrong, it would
be more useful to correct it rather than simply downvoting it.

------
iends
The easiest solution is to block access to EU citizens.

------
sethammons
My understanding is that you have to be able to remove PII like usernames,
email addresses, and such. The actual message sent to other recipients is not
covered, but the envelope information would be. For envelope look up (sender,
recipient), have those as hashes that are in a look up table. If the sender
sends you a GDPR request, delete them from your hash look up and display "user
deleted" as the "from" user on the message.

Obviously, run this through your lawyer as I am not one.
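The per-recipient deletion table that ldjb sketched above, combined with the "opaque sender token, resolved through a lookup" idea from this comment, as an added example that is not code from the original thread or from the OP's product. It uses an in-memory SQLite database with constructed data; a random per-user token stands in for the hash the comment mentions, because a hash over a small id space could be recomputed from a dump while a random token cannot. Messages are purged once no recipient can still see them (the OP's scheme), a sender delete removes the message for everyone (ldjb's scheme), and an erasure request removes the account so its sent messages display as "user deleted".

```python
import secrets
import sqlite3

# Constructed schema after the thread: Message_Recipients holds (message_id,
# recipient_user_id, deleted); messages carry an opaque per-user sender token
# that only the users table can resolve back to an account.
SCHEMA = """
CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT NOT NULL,
                    token TEXT NOT NULL UNIQUE);
CREATE TABLE messages (message_id INTEGER PRIMARY KEY, sender_token TEXT NOT NULL,
                       body TEXT NOT NULL);
CREATE TABLE message_recipients (
    message_id INTEGER NOT NULL REFERENCES messages(message_id) ON DELETE CASCADE,
    recipient_user_id INTEGER NOT NULL,
    deleted INTEGER NOT NULL DEFAULT 0,
    PRIMARY KEY (message_id, recipient_user_id));
"""

class MessageStore:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("PRAGMA foreign_keys = ON")  # required for ON DELETE CASCADE
        self.db.executescript(SCHEMA)

    def add_user(self, user_id, username):
        # Random token instead of a hash of the id: a hash over a small id space
        # can be recomputed from a dump, a random token cannot.
        self.db.execute("INSERT INTO users VALUES (?, ?, ?)",
                        (user_id, username, secrets.token_hex(16)))

    def send(self, sender_id, recipient_ids, body):
        (token,) = self.db.execute("SELECT token FROM users WHERE user_id = ?",
                                   (sender_id,)).fetchone()
        cur = self.db.execute("INSERT INTO messages (sender_token, body) VALUES (?, ?)",
                              (token, body))
        self.db.executemany("INSERT INTO message_recipients (message_id, recipient_user_id)"
                            " VALUES (?, ?)", [(cur.lastrowid, r) for r in recipient_ids])
        return cur.lastrowid

    def delete_for_recipient(self, message_id, recipient_id):
        # Hides the message for this recipient only; once nobody can see it the
        # body itself is purged. Returns whether the message is still stored.
        self.db.execute("UPDATE message_recipients SET deleted = 1 "
                        "WHERE message_id = ? AND recipient_user_id = ?",
                        (message_id, recipient_id))
        self._purge_orphans()
        return self.db.execute("SELECT COUNT(*) FROM messages WHERE message_id = ?",
                               (message_id,)).fetchone()[0] == 1

    def delete_by_sender(self, message_id, sender_id):
        # Sender delete removes the row; the cascade clears every recipient entry.
        return self.db.execute(
            "DELETE FROM messages WHERE message_id = ? AND sender_token = "
            "(SELECT token FROM users WHERE user_id = ?)", (message_id, sender_id)).rowcount

    def erase_user(self, user_id):
        # Erasure request: drop the account (its sent messages now resolve to
        # 'user deleted'), drop the rows tying it to received messages, purge.
        self.db.execute("DELETE FROM users WHERE user_id = ?", (user_id,))
        self.db.execute("DELETE FROM message_recipients WHERE recipient_user_id = ?",
                        (user_id,))
        self._purge_orphans()

    def _purge_orphans(self):
        self.db.execute("DELETE FROM messages WHERE message_id NOT IN "
                        "(SELECT message_id FROM message_recipients WHERE deleted = 0)")

    def inbox(self, recipient_id):
        # (sender display name, body) for every message this user can still see.
        return self.db.execute("""
            SELECT COALESCE(u.username, 'user deleted'), m.body
            FROM message_recipients r JOIN messages m ON m.message_id = r.message_id
            LEFT JOIN users u ON u.token = m.sender_token
            WHERE r.recipient_user_id = ? AND r.deleted = 0 ORDER BY m.message_id""",
            (recipient_id,)).fetchall()
```

The rows with `deleted = 1` still tie a user id to a message they removed, so a stricter data-minimisation variant would delete those rows outright rather than flag them.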

~~~
jdietrich
The GDPR is not concerned with "personally identifying information", but
"personal data". It defines the latter very broadly, viz:

 _‘personal data’ means any information relating to an identified or
identifiable natural person (‘data subject’); an identifiable natural person
is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number, location
data, an online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that
natural person;_

Even if they're completely stripped of metadata, instant messages are highly
likely to contain information that could indirectly identify the sender or
recipient.

------
keerthiko
IINM, un-processed contents of encrypted messages do not constitute personally
identifying information (PII), and if a user deleting their account or
deleting a message deletes the correlation between the message and their
user/account/id from your servers.

The complicated part is your intent to preserve it for the other participants
in the thread. I think it's ok to allow a message author to cause their
messages to be deleted from all other users as well (maybe leave a <deleted>
bubble in its place). If an entire thread or account is deleted, you can just
remove the association to the user and preserve the messages itself.

It's a bit messy the more you want to preserve despite a user's wish to GDPR-
bomb their data, but I don't think untenable.

------
afpx
Think of it in terms of sunk costs. If your business model is still sound,
redo your financial analysis from today forward. Estimate the costs to alter
the design as well as probability and impacts of litigation. Then forecast
those costs out to see where your breakeven point is.

------
sls
You are hearing a lot of different advice about what GDPR compliance means,
and until that is settled (or proven so unsettled as to be unknowable), you
lack a key factor in your business decision. My advice is to consult an
attorney who you trust to be knowledgeable about GDPR compliance and find out
what exactly you need to do to become compliant, or to determine what the
options are and what level of comfort you have with them. Then you can make
the call whether you want to spend the required effort.

The upside here is that this investment also opens the possibility of giving
your co-founder the confidence that they need to stay with the project, should
the answer be that the compliance work is small / simple.

------
nolite
Let him go. You're going to face business killing issues like this ALL the
time.. several times a year. If he's already showing signs of quitting, it's
only a matter of time before he does.

Save yourself some time and heartache - find a new co-founder

------
mand1575
Not knowing much about your startup and where it is based and the user base
that you are looking to tackle. Being in finance my company deals with GDPR
and various other regulatory requirements, that doesn't mean you don't develop
a product. Maybe he needs to better understand the requirements.
[https://www.eugdpr.org/key-changes.html](https://www.eugdpr.org/key-changes.html)

Get a good lawyer and have the CTO focus on delivering the technical solution;
after all, that's his job. If the going gets tough and he gets weak knees, get
him out...

Ring fence your product to region for launching so you don't get side
swiped...good luck.

------
orcs
First the obligatory: I'm not a lawyer or expert on GDPR.

My question is if your app simply passes on messages between users of the app
and doesn't store these messages how can you be held accountable for what's
being held on the users device, even if it is a different persons message?
Your app has simply processed that users data with their consent, at the time,
and passed it on as they wanted.

The other issue, if the answer to the above is: 'yes', is does the GDPR expect
you to be able to go into a user's phone and delete content from their phone
at the request of another user? Surely that's not legal?

Like I say I'm no expert, simply asking questions.

------
nextweek2
Sounds like a get out clause from the co-founder.

How many requests do you actually think you'll get in a year? Some industries
mandate data retention which overrides GDPR.

Is your business model going to implode if 0.01% of messages are deleted with
due cause? You are only liable if you fail to complete the request in time.
Plus how much longer until you have a GDPR friendly agreement which lets users
know once a message is sent it is no longer personal data? If the sender gets
deleted the recipient would see from 'deleted user'. This is kind of how
stackoverflow.com do it.

GDPR is extra work but it's not shut up shop work.

------
btmm
This is pretty basic:

a) By sending a message, the user is consenting to the contents of the message
being delivered.

b) The user is entitled to request that you (the messaging service) deletes
their details but you have a legitimate business reason for retaining the
message details (ie. someone else that you are serving is using them).

That said, if your co-founder isn’t more committed than this, then let him
go—just make sure you have a legal document stating that he gives up all
rights.

~~~
btmm
I should add that I have worked on a messaging service recently, and that is
the advice that a qualified UK-based solicitor provided in their case.

I doubt your case is any different.

------
codedokode
I don't see what is the problem to delete user's messages at their request.
Just replace its text with "message deleted" for example. It doesn't require
anything advanced.

It seems that your co-founder just doesn't like GDPR and users' rights. It is
a political, not a technical problem.

If someone will post something that violates US laws (for example, terrorism-
related content or child porn), will you refuse to delete it too?

------
Alex3917
> When a message is deleted, only the user's access to the message is deleted.

It's going to take all of 30 seconds until someone sues Google and asks for
them to delete sent messages from someone else's inbox. Regardless of whether
or not what you're doing is legal (and I think you're in the clear), you're not
going to be the test case here.

~~~
orf
You can't sue for perceived GDPR issues.

~~~
caymanjim
You can sue for anything. It may be dismissed for legal reasons, but that sets
precedent. It may be settled without setting a legal precedent. In either
case, there are material and immaterial costs involved.

~~~
orf
> You can sue for anything

Sure, but that's nothing to do with GDPR and can be done today.

Tacking GDPR onto a frivolous suit doesn't add anything and also doesn't set
any precedent.

The law clearly sets out how to handle GDPR complaints, and it's not via the
courts.

------
baby
I'm confused. Do you have anyone with technical capabilities on the team to
realize that the changes needed are not difficult to implement? That's a
database delete. If you're advertising your app as being secure and etc. then
don't do that. Be honest to your users as what you're serving.

------
atmosx
I believe that if you make _crystal clear_ to the sender that his messages are
_publicly available_ to all parties until everyone deletes the message and
also include this to your Privacy Rules, you'll be fine. Doesn't seem like a
big deal.

------
LoSboccacc
Take some litigation insurance from the company that follows your gdpr
deployment so that he has not to worry about liabilities

------
whatyoucantsay
GDPR is a train-wreck. I'm fully behind the motives, but like many high-level
initiatives it has the effect of further tilting the playing field in favour
of incumbents who have the financial and legal resources to accommodate it.
Europe needs to rein in Facebook, but not at the cost of any hope of the next
Facebook being European.

