
Ask HN: Is HN GDPR compliant? - tschellenbach
After reading this post https://news.ycombinator.com/item?id=16954306 I thought about the small sites I like to visit. Things that started out like hobby projects such as Lobsters and HNews. I wonder, is HNews GDPR compliant? It doesn't really seem to be. Some topics mentioned in articles about GDPR:

- Ability to export data
- Ability to delete your account
- Disclose tracking (the voting ring detection must do some sort of tracking)
======
lamlam
One important thing to note about some of these points is that they don't have
to be made easy for users. For example, in relation to "Ability to export
data", there doesn't necessarily need to be a feature on the website for it to
be compliant. They simply need to do it if you ask. So if that means having
someone manually run a query to get a data dump every time someone asks, it's
still considered compliant.

Of course that doesn't actually scale. That's why most all the big players are
providing export features.

~~~
quotemstr
That can't be the whole story though. In general, a regulation stipulating
that a business provide a feature can't allow businesses to make it
_arbitrarily_ difficult for a user to use that feature, since that would defeat
the public policy behind the regulation.

I suspect that the line here will be decided in some court.

~~~
Alex3917
> I suspect that the line here will be decided in some court.

Sure. At the end of the day though people shouldn't be using GDPR as an excuse
to avoid making stuff or launching their projects. As long as you make a
reasonable effort to do what people are asking for via email then you're
probably not going to be the test case.

------
cyberferret
Upon cursory inspection, the single fact that users don't seem to be able to
delete their account data from here would make it not compliant. Similarly the
inability to delete posts after a certain time may also conflict with the data
removal stipulation of GDPR.

But as a corollary to that, GDPR laws seem to only apply where there is data
that can personally identify a user. The usage of nicknames and throwaway
accounts on here may mean that GDPR requirements may be able to be ignored as
long as there is no piece of data that can be linked back to an identifiable
user (such as an email address in their profile etc.)

Note: IANAL - So please take this as my opinion, and not a legal finding.

~~~
dangrossman
Nothing in the GDPR says you must be able to delete your own data. It says
that you may request a business delete your personal data, and they _may_ have
to comply if they don't have a legitimate business reason not to. There's a
balancing test, not a blanket requirement that every web app be littered with
delete buttons.

------
shiado
American businesses should add a clause that all authorized access is
predicated on a user knowingly acknowledging that they are not a resident of
the EU. If GDPR becomes an issue they could abuse the CFAA to get the persons
of interest extradited to the USA for prosecution of unauthorized access. It
would be funny too because the data the lawyers would collect to proceed with
a case would be from unauthorized access too and they could be extradited and
prosecuted too and they would probably lose their jobs oh what fun lawyers
bring upon themselves and those that endure their wrath.

Just floating a crazy alcohol induced idea here don't take it too seriously.

~~~
acct1771
from* the USA?

~~~
tripletao
I think "to". Like, anyone alleging the GDPR violation is admitting that they
violated the CFAA. It's pretty stupid, though not clearly stupider than past
successful uses of the CFAA.

------
nodesocket
Probably not. I really have mixed emotions about GDPR being a SaaS founder. It
seems overstepping and heavy handed that the EU can enact laws that affect
Americans and American companies. The EU can do what it wants, but generally
I am against regulation as it promotes bureaucracy, stifles innovation, and
creates fluff and burdens, especially on small companies, such as Chief Data
Protection Officer and Chief Data Officer.

~~~
astro_robot
This bothers me a lot as well. The EU shouldn't have domain over American
companies. There's a reason that there isn't a ton of Tech companies in places
like Germany.

~~~
BLanen
They don't have domain over American companies.

Just don't accept European customers' data and you're fine.

~~~
panarky
I'm not a citizen of Pakistan.

I don't live in Pakistan.

My servers aren't in Pakistan.

Pakistan can't force me to comply with their laws just because a Pakistani
national uses my site.

Same thing with EU laws.

~~~
roddds
If you want to do business in Pakistan you do.

~~~
panarky
I'm not doing business in Pakistan or in the EU.

The mere fact that a Pakistani or European uses my site doesn't subject me to
the laws of Pakistan or the European Union.

~~~
marak830
The fact that they are using your site means you are doing business with them.

~~~
dzelzs
You know, same could be said for the US, but look how that turned out for Kim
Dotcom. Extradition and humongous expenses for him - all because people in a
country that was unrelated to the site decided to break their copyright rules
and use it :).

------
tuke
I would strongly advise that we read carefully the language for Art. 3,
"Territorial scope," which says:

      (2) This Regulation applies to the processing of personal data
      of data subjects who are in the Union by a controller or processor
      not established in the Union, where the processing activities
      are related to:

        (a) the offering of goods or services, irrespective of whether
        a payment of the data subject is required, to such data subjects
        in the Union; or

        (b) the monitoring of their behaviour as far as their behaviour
        takes place within the Union.

So, I would ask: _Has HN made an "offering of goods or services . . . to such
data subjects in the Union"?_ ([https://gdpr-info.eu/art-3-gdpr/](https://gdpr-info.eu/art-3-gdpr/))

The critical issue is that word: "offering."

The language here seems to be about intentions. Has HN "offered" anything to
data subjects in the Union? Maybe not. To be sure, people in the EU may have
chosen to look at HN, but has HN sought to "offer" to them?

(The presence of a domain such as news.ycombinator.eu would tip to "yes.")

~~~
strictnein
A country can't tell foreign citizens how to behave, even if the country (or
group of countries, in this case) writes a law saying they can.

~~~
eesmith
According to the Geneva Convention, war crimes have international
jurisdiction.

This means that a court in, e.g., Spain can "tell foreign citizens how to
behave".

~~~
strictnein
GDPR isn't a treaty. The US hasn't signed on to it.

~~~
eesmith
strictnein's comment was a blanket statement, and not limited to GDPR.

More specifically, tuke pointed out the territorial scope of GDPR, and
strictnein's response seemed to argue that the underlying premise should be
invalid.

My comment was to point to a counter-example that is already widely supported.

------
thisisit
This has been discussed so many times already:

[https://news.ycombinator.com/item?id=16661323](https://news.ycombinator.com/item?id=16661323)

[https://news.ycombinator.com/item?id=16698937](https://news.ycombinator.com/item?id=16698937)

[https://news.ycombinator.com/item?id=16751656](https://news.ycombinator.com/item?id=16751656)

[https://news.ycombinator.com/item?id=16834240](https://news.ycombinator.com/item?id=16834240)

------
jannes
Even if HN isn't compliant, I doubt any European country has jurisdiction over
Y Combinator Management LLC, because they don't do business with any European
residents.

~~~
rdlecler1
If they invest in European companies and have European LPs then they certainly
do.

------
scottmcdot
Regarding the guidance for Australian businesses and GDPR [1], if there are a
few users based in the EU, would their whole website need to comply?

[1] [https://www.oaic.gov.au/media-and-speeches/news/general-data-protection-regulation-guidance-for-australian-businesses](https://www.oaic.gov.au/media-and-speeches/news/general-data-protection-regulation-guidance-for-australian-businesses)

------
ARothfusz
Why would it need to be compliant? Ycombinator is not a European company.

~~~
cyberferret
But if they hold and manage data for users who reside in the EU (which they
do), then I believe the rules apply too.

From what I can gather, if a user in the EU approaches HN and asks for their
profile data and posts to be removed, then that falls under the GDPR laws.

~~~
strictnein
No, laws don't work that way. American first amendment rights, for instance,
don't extend to websites based in Europe.

You don't get to bring your laws and rights with you when you visit a website
that's hosted and run in a foreign country.

edit: clarified European based websites

~~~
joshuamorton
This depends. Those laws could absolutely be enforced if, for example, Paul
Graham tried to travel to Germany.

You may not agree with the ethics of that, but that's how it works in
practice. Now whether or not the EU will attempt to enforce the GDPR that
strongly is another question.

~~~
dnomad
This is pure nonsense.

You might learn that the GDPR only applies to businesses located in the EU or
who _pursue_ EU citizens. It does not mean that if you use Google Analytics and
an EU citizen stumbles upon your site you are suddenly in violation. It is not
some sort of magical global law that applies to every business in the world.

The amount of FUD and ignorance and nonsense about the GDPR is getting out of
control. Why not do some research? Or actually read the regulation?

Anyways I see it's a lost cause but I find it remarkable how much BS about
this topic exists from a community that prides itself on its technology
acumen.

~~~
joshuamorton
None of what I said is nonsense. The EU absolutely could enforce GDPR
regulations on businesses which are not based in the EU, if persons involved
in those businesses attempted to travel to the EU. That's not FUD, that's why
Edward Snowden isn't going to hop on a plane back to the US anytime soon.

Your argument about "pursue" falls under the umbrella of

>Now whether or not the EU will attempt to enforce the GDPR that strongly is
another question.

Pursue isn't currently a fully defined term. Is pursuing specifically
advertising and marketing towards? Or is it simply allowing to register? If I
use paypal as a payment service, that allows EU citizens to pay, am I pursuing
them since they can now purchase my service?

Fwiw, I agree that it's unlikely that HN is violating the GDPR, and it's even
more unlikely that HN will be chased for any violations it did commit. But
calling others' more cautious interpretation of the law "nonsense" isn't
particularly productive, especially when I wasn't even commenting on the GDPR
in the first place, but instead on broader ways that international law works.

~~~
dnomad
All of this is spelled out in the law.

> Pursue isn't currently a fully defined term.

This is pure FUD. This is fully defined; that's what makes it a binding
legislative act.

Let's go to the actual law:

Article 3: Territorial Scope [1] spells out the explicit territorial scope.

> the monitoring of their behaviour as far as their behaviour takes place
> within the Union.

Oh, sounds scary. The latter part is clarified [2]:

> Whereas the mere accessibility of the controller’s, processor’s or an
> intermediary’s website in the Union, of an email address or of other contact
> details, or the use of a language generally used in the third country where
> the controller is established, is insufficient to ascertain such intention,
> factors such as the use of a language or a currency generally used in one or
> more Member States with the possibility of ordering goods and services in
> that other language, or the mentioning of customers or users who are in the
> Union, may make it apparent that the controller envisages offering goods or
> services to data subjects in the Union.

There's a ton of nonsense about this on HN right now but anybody who's
actually read the law should understand that the intention of the law is to
prevent non-consensual surveillance of EU citizens. The idea that if somebody
who stumbles upon your website and you log their IP address makes you subject
is pure FUD. The idea that the EU will pursue American sites who don't target
the EU is pure FUD. But the biggest FUD of all is this notion that the EU even
has some sort of legal enforcement mechanisms independent of a Member State.
As they say, that's not how any of this works. There are no "EU cops" waiting
at the airport. Please.

[1] [https://gdpr-info.eu/art-3-gdpr/](https://gdpr-info.eu/art-3-gdpr/)

[2] [https://www.gdpreu.org/the-regulation/who-must-comply/](https://www.gdpreu.org/the-regulation/who-must-comply/)

~~~
joshuamorton
>Oh, sounds scary. The latter part is clarified [2]:

And according to that clarification, having paypal as a payment processor
might make it apparent that the controller envisages offering goods or
services to data subjects in the union. That's what I said. Or it might not.
It's not fully defined. A cautious interpretation makes sense.

>There are no "EU cops" waiting at the airport. Please.

And to be clear, I never said there were. I was making the point that,
contrary to g-g-great-grandparent, it is absolutely possible for a country to
exert control over the actions of people outside its borders, assuming those
people might have interest in international travel.

If you're going to keep yelling FUD about things, you should first confine
yourself to calling out things people are actually saying, instead of creating
ridiculous strawpeople. It's not productive to call people out for saying
ridiculous things that they didn't actually say.

~~~
dnomad
> And according to that clarification, having paypal as a payment processor
> might make it apparent that the controller envisages offering goods or
> services to data subjects in the union. That's what I said. Or it might not.
> It's not fully defined

This is not true. Using a payment processor or accepting credit cards in no
way constitutes targeting of EU customers. In that scenario you are neither
data controller nor processor, in fact. I think, like a lot of posters in this
thread, you've spent virtually zero time understanding the law and are just
echoing FUD.

~~~
joshuamorton
And it's very courageous of you that you're willing to risk other people's
money to that effect :)

It's quite odd that you're calling a statement that amounts to "in the
presence of untested law, caution is warranted" FUD.

That's like not even controversial. Your entire argument is predicated on
you understanding the law better than everyone else. And well, I'm not
particularly confident in a person whose most used word is "FUD" and who began
a conversation by misunderstanding what I was saying. What reason do I have to
believe you?

------
dustingetz
This is a FAQ
[https://hn.algolia.com/?query=gdpr%20hn&sort=byPopularity&pr...](https://hn.algolia.com/?query=gdpr%20hn&sort=byPopularity&prefix=false&page=0&dateRange=pastYear&type=story)

------
donohoe
Short answer: No, but it doesn’t matter.

If you are a non-EU business, that is, a business with no legal presence or
employees in the EU, then you can comfortably skip GDPR compliance with minimal
risk (some unknown obscure treaty provision?)

#notalawyer

~~~
astro_robot
That's actually not true in terms of the GDPR. A company, simply, only needs
to have an EU citizen as a customer for the company to be regulated by the
GDPR. [1]

[1] [https://www.forbes.com/sites/forbestechcouncil/2017/12/04/yes-the-gdpr-will-affect-your-u-s-based-business/#1b23fb926ff2](https://www.forbes.com/sites/forbestechcouncil/2017/12/04/yes-the-gdpr-will-affect-your-u-s-based-business/#1b23fb926ff2)

~~~
donohoe
Yes. It SAYS that. However it’s about enforcement.

Dumb example: Blasphemy is illegal in Ireland but Irish Gov can’t enforce that
law in France.

------
KempFood
No, it's not.

------
mikekij
Does the fact that HN is not using this data to generate revenue impact their
need to comply? Being charged 4% (or whatever) of HN's revenue as a penalty
would seem to be $0.

~~~
jtmcmc
4% or 20 million whichever is greater

~~~
mikekij
Ouch.

------
BLanen
Threads like this make me like GDPR more and more.

Arrogant Americans coming in 'It doesn't have jurisdiction over American
companies'. Wholly misinformed.

~~~
tripletao
How do you expect the EU to enforce the GDPR extraterritorially? Like, do you
expect the USA to comply with an EU request to impose a fine? Or do you think
they'll be successful in pushing enforcement out through the target's
customers and vendors, similar to US extraterritorial application of its
financial laws on banks?

My personal guess is that everyone with shady business models will move
offshore, and the EU will play a marginal game of whack-a-mole trying to
coerce them through their vendors and customers, especially payment
processors, similar to American enforcement of online gambling laws. I expect
the GDPR to be effective on large companies that want to portray themselves as
respectable, and ineffective on everyone else.

~~~
BLanen
EU can sue American companies without getting US government approval/
involvement as long as they have operations here.

>Or do you think they'll be successful in pushing enforcement out through the
target's customers and vendors, similar to US extraterritorial application of
its financial laws on banks?

At least somewhat of a deterrence. As if American KYC & AML laws are
completely ineffective.

>My personal guess is that everyone with shady business models will move
offshore, and the EU will play a marginal game of whack-a-mole trying to
coerce them through their vendors and customers, especially payment
processors, similar to American enforcement of online gambling laws. I expect
the GDPR to be effective on large companies that want to portray themselves as
respectable, and ineffective on everyone else.

Implying the big companies aren't the ones with the 'shady business models'?
My view is that this is specifically made for the big companies.

~~~
tripletao
By "shady business model", I mean something like "business model dependent on
breaking the GDPR". Facebook seems almost surely still profitable while
complying, just not quite so spectacularly so. Many e.g. data brokers probably
aren't. Their choice then becomes to disappear or go offshore. I think many
will choose the latter. American extraterritorial enforcement of its financial
laws is the most successful example of such enforcement that I know, and it's
still easy to fund an online poker account.

I'd agree that the GDPR is designed for large companies, and will genuinely
improve their behavior. I think its effects will be similar e.g. to American
cities with very strong and complex tenant protections--we create a class of
large, politically-connected operators with the resources to comply, and a
class of shady operators one step ahead of the law. There's little in between
--if you lack the resources to be absolutely certain you comply, and the
punishments for large and small noncompliance are both catastrophic, then you
might as well go all the way. (Yes, I expect the regulators to mostly exercise
reasonable discretion. No, I don't want the discretion of a mid-level
bureaucrat to be the only thing between me and financial ruin.) That part
doesn't seem positive to me.

Aside: I wonder how many people promoting heavy-handed enforcement of data
protection laws without regard for the second-order consequences have argued
against heavy-handed enforcement of drug laws without regard for the second-
order consequences...