
Ask HN: Has anyone already had to deal with the GDPR fines / abuse? - forthispurpose
Recently there was a fair amount of concern about GDPR being a harbinger of doom for smaller companies and fears of users abusing GDPR requests or other companies using GDPR as a tool for taking down competitors.

Has anyone on HN had experience with people / companies / institutions abusing GDPR?
======
buro9
I've had trolls whom I had banned from online forums attempting to use GDPR as
a tool for trolling me (with the chore of gathering all data, but I already
had an API that did this). And then attempting to use it to gut forums by
claiming several identities and requesting deletion of all comments (try and
imagine HN if comments by patio11 were deleted throughout).

On the forums I run email is the only identifying property and in my case the
trolls (2 of them I think) were unable to sign in as the users in question, so
I have refused to recognise the request (and then had the threats of legal
action... but what else can one do if someone cannot prove their identity?).

~~~
duxup
I was wondering about a catch 22 where someone misbehaves, then gets banned,
cites GDPR and demands their data be deleted (they can do that right?) ....and
signs up again later with the same data.... wash rinse repeat....

~~~
phiresky
You can keep storing an identifier (like email address) without any problems
if you have a reason (like to blacklist them)

~~~
imhoguy
IANAL. I think you can't store raw email without user consent. It is personal
data one wants to be forgotten. However you can keep pseudonymised data [0]
[1]. E.g. just keep MD5/SHA hash of the email string.

[0] [https://en.m.wikipedia.org/wiki/Pseudonymization](https://en.m.wikipedia.org/wiki/Pseudonymization)

[1] [https://www.protegrity.com/pseudonymization-vs-anonymization...](https://www.protegrity.com/pseudonymization-vs-anonymization-help-gdpr/)

~~~
dangrossman
Your right to be forgotten is not absolute, but instead balanced against the
business's interests: you can process personal data without consent when you
have a legitimate interest in doing so. Recital 47 of the GDPR states: "the
processing of personal data strictly necessary for the purposes of preventing
fraud also constitutes a legitimate interest of the data controller
concerned". Storing a hash is likely a better practice for mitigating the
damage of a data breach, though you have to _process_ the raw email to get and
compare hashes either way.
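
As an added example (not code from any commenter), here is the pseudonymised ban list that the two comments above describe, in Python. It departs from the bare MD5/SHA hash imhoguy suggests: an unkeyed hash of an e-mail address can be reversed by hashing guessed addresses and comparing, so the example uses HMAC-SHA256 with a server-side key. The key and the sample addresses are constructed placeholders. As dangrossman notes, the raw address is still processed transiently to compute and compare the hash; only the keyed digest is stored.

```python
"""Pseudonymised ban list for a forum. Added example, not code from the
thread. Stores an HMAC-SHA256 of each banned e-mail instead of the raw
address, so a leaked list does not directly reveal addresses, while a
returning user can still be matched. Key and addresses are constructed."""
import hmac
import hashlib

# Constructed for this example; in practice load from a secrets store and
# rotate it (rotation invalidates existing entries, which is the trade-off).
BANLIST_KEY = b"example-key-rotate-me"


def normalise_email(email: str) -> str:
    """Canonicalise an address so trivial variants match the same entry:
    strip surrounding whitespace and lower-case the whole string."""
    return email.strip().lower()


def pseudonymise_email(email: str, key: bytes = BANLIST_KEY) -> str:
    """Keyed hash of the normalised address. A plain unkeyed SHA/MD5 of an
    e-mail is cheap to reverse by guessing addresses; the key makes that
    infeasible for anyone who does not hold it."""
    digest = hmac.new(key, normalise_email(email).encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()


class BanList:
    """Holds only pseudonyms; raw addresses are processed transiently."""

    def __init__(self, key: bytes = BANLIST_KEY):
        self._key = key
        self._banned: set[str] = set()

    def ban(self, email: str) -> None:
        self._banned.add(pseudonymise_email(email, self._key))

    def is_banned(self, email: str) -> bool:
        return pseudonymise_email(email, self._key) in self._banned

    def __len__(self) -> int:
        return len(self._banned)

    def contains_raw_address(self, email: str) -> bool:
        """Sanity check used below: the raw string never appears in storage."""
        return normalise_email(email) in self._banned


def demo() -> dict:
    """Ban one constructed address and probe the list with a variant spelling,
    an unrelated address, and a check that no raw address was stored."""
    bans = BanList()
    bans.ban("Troll@Example.org")  # constructed sample address
    return {
        "matches_variant": bans.is_banned("  troll@example.org "),
        "other_user_clear": bans.is_banned("someone.else@example.org"),
        "raw_not_stored": not bans.contains_raw_address("troll@example.org"),
        "entries": len(bans),
    }


if __name__ == "__main__":
    print(demo())
```

Normalisation is deliberately minimal: mailbox-local parts are case-sensitive per RFC 5321 in theory, but lower-casing the whole address is what most sites do at sign-up, and the ban list must apply the same rule as the sign-up form or the match will silently fail.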

~~~
duxup
Hopefully that means you could keep some data like an email address that is
key to creating an account to prevent abuses or duplication or other things.

------
jarnix
Well, in France yes already (and the links are in French, basically the first
one is about a basic hack where you could change the id of the user in the URL
of the current page to get other users' invoices -no comment-, and the second
one because the users could not decide what cookies could be stored on their
computers, they did not offer any choice e.g. through a CMP or something else)

Optical Center : 250 k€

[https://www.clubic.com/rgpd/actualite-844065-sanction-rgpd-p...](https://www.clubic.com/rgpd/actualite-844065-sanction-rgpd-premier-degat-250-000-optical-center.html)

Challenges.fr : 25 k€

[https://www.legalis.net/actualite/le-conseil-detat-confirme-...](https://www.legalis.net/actualite/le-conseil-detat-confirme-la-sanction-de-challenges-fr-pour-ses-cookies/)
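
The first case jarnix describes (changing the user id in the URL to read another user's invoices) is a missing ownership check on a direct object reference. As an added example that is not code from the thread or from the sanctioned site, here is the flawed lookup beside the fixed one in Python; the in-memory invoice table, the user ids and the `Forbidden` exception are constructed for the example.

```python
"""Invoice lookup with and without an ownership check. Added example, not
code from the thread. The first function reproduces the flaw described
above: the record is fetched by the id from the URL alone. The second binds
the lookup to the authenticated user. Sample data is constructed."""

# Constructed sample data: invoice id -> (owner user id, amount in euros)
INVOICES = {
    1001: ("user-a", 120.0),
    1002: ("user-b", 80.5),
}


class Forbidden(Exception):
    """Raised when the requester does not own the requested record."""


def get_invoice_unchecked(invoice_id: int):
    """Flawed: trusts the id taken from the URL. Any signed-in user can read
    any invoice simply by changing the number in the address bar."""
    return INVOICES.get(invoice_id)


def get_invoice_for_user(session_user_id: str, invoice_id: int):
    """Fixed: the principal comes from the server-side session, never from
    the request, and the lookup is scoped to that owner.

    Returns None for a missing invoice and raises Forbidden for someone
    else's. Keeping the two cases distinct server-side lets you log them
    differently: a burst of Forbidden from one session is a useful detection
    signal for id enumeration."""
    record = INVOICES.get(invoice_id)
    if record is None:
        return None
    owner, amount = record
    if owner != session_user_id:
        raise Forbidden(f"user {session_user_id} does not own invoice {invoice_id}")
    return amount


def demo() -> dict:
    """Compare the two lookups for a user who owns invoice 1001 but not 1002."""
    try:
        get_invoice_for_user("user-a", 1002)
        cross_user_blocked = False
    except Forbidden:
        cross_user_blocked = True
    return {
        "unchecked_leaks_other_user": get_invoice_unchecked(1002) is not None,
        "own_invoice_readable": get_invoice_for_user("user-a", 1001),
        "cross_user_blocked": cross_user_blocked,
        "missing_is_none": get_invoice_for_user("user-a", 9999),
    }


if __name__ == "__main__":
    print(demo())
```

In a real handler the `Forbidden` branch is usually mapped to the same 404 the client sees for a missing id, so the response does not confirm that another user's invoice number exists, while the server log keeps the distinction. With a database the same fix is `WHERE id = ? AND owner_id = ?` rather than fetching by id and checking afterwards.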

~~~
scoom
Users always can decide what cookies can be stored on their computers - Europe
is braindead on this issue.

~~~
genericid
They can't. It may be technically possible, but users can't. Even for power
users it's a pain in the ass.

~~~
delian66
Yes, they can. You are simply wrong.

------
codycraven
Drone.io nearly immediately received the Nightmare GDPR letter and closed its
Discourse forum to avoid the overhead that providing a forum for an open
source tool now causes.

It instead moved to a much less useful Reddit subthread.

~~~
mr_toad
Discourse is exactly the kind of thing the GDPR is aimed at.

~~~
duxup
What do you mean?

~~~
mr_toad
[https://www.discourse.org/privacy](https://www.discourse.org/privacy)

They collect data about you from every website that you visit that uses
Discourse. They share it with a lot of other organisations, including Google
analytics.

Do you just want to trust them, pinky promise, that they aren't (for instance)
compiling a record of all your comments on Internet forums, and sending them
to job recruiters and HR?

~~~
tomasduda
No, they don't collect data from Discourse installs when you host them
yourself.

> CDCK sets only its own privacy practices, not the privacy practices of CDCK
> customers or others who host Discourse forums for themselves or others. You
> should ask all of those involved in administering and hosting Discourse
> forums that you use for information about their privacy practices.

------
butz
Some shady web development agency sent spam emails to several smaller
websites, pretending to be local Data Protection Authority. Email mentions
complaints received from users and lists some fake fines. They went so far as
buying custom domain and redirecting it to actual website of Data Protection
Authority. Later, they contact website owners trying to sell their services.

------
Rjevski
Given how many sites blatantly ignore or violate GDPR (no opt-out, etc) I'd
say there doesn't seem to be any enforcement. At the moment, GDPR is just
scare-mongering but in the end is just as useless as the previous privacy
directives. I wish this would change but I'm not holding my breath for it.

> Had anyone on HN had experience with people / companies / institutions
> abusing GDPR?

Any site that gives you a consent box with the bullshit tracking enabled by
default, or that lets you know they use cookies with no way to opt-out. Per
GDPR tracking should be _opt-in_ so even pre-ticked checkboxes aren't allowed.

The only site that I've seen do this right is Quartz. They have a simple modal
"we use tracking for X and Y", do you want to allow or deny?

