
Ask HN: Is Hacker News GDPR Compliant? - rajnathani
Few points relevant to a discussion around this question:

- While most users use pseudonyms, there are some users who do not, and most users (hypothesis from my side here) use their actual email address, and not a throwaway email address or an email address exclusively created for HN.

- Hacker News has an API, though they (obviously) do not disclose the email addresses of any of its users in the API, they do however include HN usernames which along with the public posts also available in the API are attributable to given users, and therefore is indirectly personal information.

- Hacker News doesn’t support the deletion of comments and posts after a certain 24-48 hour period. Upon research I’ve learnt that one can contact PG or the HN News mods to have your content deleted on the platform, however this delete wouldn’t be enforceable on API consumers of HN, who may have a cache or a permanent archive of the data in any location (analogous to how FB is getting Cambridge Analytica to delete any of the user data which CA still has).

- HN’s servers with all user data are (I believe) located in California. Data residency in the EU doesn’t seem the case. Even if the case is made that all HN user information is in public forum, personal data such as users’ email addresses and favorites are private information stored on HN.

- Finally, the point about consequences. All the above points would seem null if HN really doesn’t have any revenue for it to be charged the 2-4% of global revenue as penalty for violating GDPR. However to this point I would like to issue a reminder that Hacker News is by all legal matters owned by Y Combinator (also on the company domain name *.ycombinator.com), and YC sure does rake in the revenue. Would HN legally be argued as some sort of a free non-profit forum, and thus not connected to YC for any GDPR violation? Currently YC companies have their hiring posts artificially promoted on HN’s front page, so there’s that thorn.
======
jsnell
Do we really need a fourth thread on this in three weeks?

[https://news.ycombinator.com/item?id=16661323](https://news.ycombinator.com/item?id=16661323)

[https://news.ycombinator.com/item?id=16698937](https://news.ycombinator.com/item?id=16698937)

[https://news.ycombinator.com/item?id=16751656](https://news.ycombinator.com/item?id=16751656)

~~~
rajnathani
I didn’t see those threads before posting this. Thanks for the links.

On a side note: There still isn’t an answer to the question in matter.

~~~
venning
'sctb did state that they are "working on" a way to decouple the content from
the username/email which should allow them to delete user accounts without
removing their content:
[https://news.ycombinator.com/item?id=16661687](https://news.ycombinator.com/item?id=16661687)
(plus the context two comments higher in the thread).

~~~
rajnathani
Thanks for sharing that comment.

That action in itself would not be enough to be GDPR compliant. User generated
content is associated with a user. To be compliant, all user data would have
to be removed. It would be really simple for FB to be GDPR compliant if all
that was required was to delete a user profile and none of the respective user
activity on the platform.

------
verelo
This is an excellent question. I feel like the right to be deleted/forgotten
is certainly not supported by the current implementation, and the relationship
to a VC fund certainly could introduce an element of this being an attractive
target. I don't know about the comment caching though, for example, I'm sure
Twitter doesn't solve for this either, is this actually a requirement? Or are
those caching Twitter comments simply in violation of the Twitter TOS?

I'd love to see someone with a legal background provide their thoughts here!

------
ParameterOne
I think GDPR should be based on gTLDs and ccTLDs. That way you know when
you leave the comfort of a .nl or .eu and enter the .com you have been warned.
Just like signing an agreement that says which state laws you agree the
contract uses.

~~~
rajnathani
While it works elegantly for websites, I would be curious as to how a solution
like this would be implemented for mobile applications?

------
gus_massa
How is this different from an email list? If I send an email to an email list
can I a few years later request the hosting site to delete my email, delete
that part of the monthly digest (or all the monthly digest) and also request
that the hosting site forward the deletion request to Gmail, Hotmail,
Yahoo(mail), ...

------
flignats
AFAIK - entities are required to be able to provide a computer and human
readable formatted document about all personal information, when requested,
within a reasonable time period.

They don't need to have a delete button or even any action items in the UI -
just be able to provide the service if/when requested.

------
amriksohata
Whilst we are here, is WhatsApp GDPR compliant with end to end encryption? Can
they force your old messages to be deleted off someone else's phone even if
they are long deleted off your phone and you can't access them to delete them?

------
outside2344
Hacker News is hosted in the United States, so it is not liable to GDPR, at
least currently.

That said, it's an interesting thought experiment to understand what the
implications would be if it was hosted in a GDPR country.

~~~
techman9
My understanding was that GDPR requirements apply to all citizens of the EU
regardless of where the company is located. Someone else can chime in if
that's not accurate!

~~~
jkaplowitz
It doesn't care about anyone's citizenship, but it can apply to US-based
entities if they're sufficiently targeting Europe in offering goods or
services.

~~~
5555624
But is HN targeting Europe or any geographic area? If someone from Europe
decides to participate, isn't that a conscious decision to participate in a
forum outside of Europe and thus outside of the GDPR? Should someone expect
their own, local laws to apply around the world?

