Ask HN: Does HN respect the GDPR?
81 points by vgf 6 months ago | 97 comments
Specifically, does HN/Y Combinator plan to allow contributors from the EU to request their contributed content to be deleted after May 25?

Note that they currently do not allow bulk deletes of one contributor's messages, "as that would wreak havoc in the discussion threads".

Basically you can ask nicely to delete some few posts, but if you want to delete all of your contributions you will get a no. This is at odds with the GDPR.

I'm not a lawyer, but HN is not established (AFAIK) in the EU, and while it has EU users, it likely does not meet the threshold of actively offering goods or services to EU residents. Being accessible from the EU in itself isn't sufficient to trigger the GDPR.

I'm not a lawyer either, but have been going through the GDPR process at my job. It doesn't matter if you operate or are established in the EU. If you have EU visitors/users they gain the protections of the GDPR and you have to comply.

GDPR affects any org/site that collects personal or sensitive data. Amongst many others, IP addresses and email addresses are considered PII under GDPR. We use IP addresses for some high-level geolocation data and decided to drop the last octet so it's not tied directly to an individual visitor. The specialists we spoke with had concerns about free-form input fields because anyone can write anything they want in them.

In the case of Hacker News it seems like email address, IP, profiles, and comments could contain personally identifiable data. I'm also curious how HN and similar sites are supposed to comply with GDPR removal requests when it can destroy the usability and functionality of the site.
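Added example (not part of the thread and not any commenter's code): the "drop the last octet" step described in the comment above, applied to access-log lines before they are stored. The log format, the 48-bit IPv6 prefix, the handling of IPv4-mapped addresses and the fail-closed `-` placeholder are assumptions; the comment only mentions the IPv4 last octet.

```python
import ipaddress

V4_KEEP_BITS = 24  # drop the last octet, as the comment describes
V6_KEEP_BITS = 48  # assumption: the comment says nothing about IPv6


def truncate_ip(text):
    """Return the address with its host bits zeroed; ValueError if unparsable."""
    ip = ipaddress.ip_address(text)
    # An IPv4 client seen through a dual-stack socket arrives as ::ffff:a.b.c.d.
    # Handle it as IPv4, otherwise the IPv6 rule would zero the whole address
    # and the coarse geolocation signal would be lost with it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    keep = V4_KEEP_BITS if ip.version == 4 else V6_KEEP_BITS
    network = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(network.network_address)


def scrub_line(line):
    """Truncate the client address, assumed to be the first field of the line."""
    client, sep, rest = line.partition(" ")
    try:
        client = truncate_ip(client)
    except ValueError:
        # Fail closed: a field that cannot be parsed is never stored verbatim.
        client = "-"
    return client + sep + rest


# Constructed sample lines (documentation address ranges only).
SAMPLE_LOG = [
    '203.0.113.77 - - [25/May/2018:10:00:01 +0000] "GET /item?id=1 HTTP/1.1" 200 512',
    '203.0.113.201 - - [25/May/2018:10:00:02 +0000] "GET /news HTTP/1.1" 200 2048',
    '::ffff:198.51.100.23 - - [25/May/2018:10:00:03 +0000] "GET /news HTTP/1.1" 200 2048',
    '2001:db8:abcd:12:3456:789a:bcde:f012 - - [25/May/2018:10:00:04 +0000] "POST /comment HTTP/1.1" 302 0',
    'not-an-ip - - [25/May/2018:10:00:05 +0000] "GET / HTTP/1.1" 400 0',
]


def stored_clients(lines):
    """Client field of each line as it would be written to storage."""
    return [scrub_line(line).split(" ", 1)[0] for line in lines]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scrub_line(line))
```

The first two sample visitors collapse to the same stored value, which is the property the truncation is meant to provide; the rest of each line is left untouched, so any identifiers in the request path or other fields still need their own handling.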

You aren't required to put anything in the profile. If you choose to put information in the profile, you can remove it yourself at any time you so choose.

The GDPR also requires personal information be removed from backups, or at least after a backup is restored (e.g., restoring from backup does not negate the original Right To Be Forgotten request).

So while you can remove some of that info yourself, I don't think that can be seen as fulfilling GDPR requirements.

Disclaimer: I am neither a lawyer nor GDPR expert.

I'm very interested to see how such requests would actually work...mainly because I'm curious to see what actual authority the EU has to enforce its laws outside of its borders.

I understand it applying to companies that are doing business in Europe but beyond that...?

There are plenty of measures the EU could take within its jurisdiction to enforce its laws around the world.

It might suck if the EU started blocking payments to you.

>Does your online activity lead you to sell goods or services in the European Union?

HN is not selling anything

YC does not need to sell anything. HN is a service offered by YC: a news and discussion platform service.

HN is selling HN, their associated startups, job postings, and so on.

Edit: who are they selling to? Would-be founders... you understand how the VC model works, right?

? Who are they selling it to?

I wonder how this applies to SESTA/FOSTA, as many escort listing sites are apparently already operating from overseas.

There are cases out there, like LICRA vs Yahoo! [1] that could suggest otherwise.

[1]: https://en.wikipedia.org/wiki/LICRA_v._Yahoo!

I'm not sure how this case suggests otherwise, but Yahoo is not HN/YCombinator, and Yahoo is most definitely impacted by the GDPR.

My understanding is that these conditions apply to people in the EU, i.e. that EU residents must be able to delete their content from HN (but HN has no obligation to non-EU residents).

How would EU law compel a non-EU entity to delete content based on the residency of the user?

As an example of the opposite state, where this does definitely apply: Tarsnap complies with Canadian law around collecting names/addresses for users who are located in Canada, because Tarsnap is operated as a Canadian business. But if Tarsnap were located in the US, it would not be responsible for collecting that information from Canadian users.

> How would EU law compel a non-EU entity

Because the US and EU have signed agreements to that effect. It's the price the US must pay for the EU to allow American internet companies to serve EU customers.

It obviously applies to any company with direct business operations in any one of the 28 member states of the EU. But a financial transaction is not necessary for the extended scope of the law to kick in. Collecting personal data from EU citizens is enough.

Which agreement between the US and EU mandates this?

EU-U.S. and Swiss-U.S. Privacy Shield Framework.

It came into effect in 2016 and replaced the Safe Harbor agreement.

"While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law."

From https://www.privacyshield.gov/Program-Overview

U.S. companies have the option to either do legally binding self-certifications or outside compliance reviews.

If they don't do that, they have no authority to collect data from EU Citizens (no user accounts or customers from EU).

> But if Tarsnap were located in the US, it would not be responsible for collecting that information from Canadian users.

Responsibility is not defined by gut-feelings, but by law. So, with a suited law, Tarsnap could also be bound in Canada's jurisdiction even if it were located in the US.

I'm not sure where you derived your comment about gut-feelings from.

Do you have an example of precedent for one country's laws being enforced on a company with no business presence in that country, without there being a law or treaty in a country the business does operate in that mandates compliance with the foreign law?

I don't think anyone would dispute that if the US were to make a law requiring US companies to comply with the GDPR for EU users, that law would apply to US companies. My point is that absent some measure by the US government, EU laws are not applicable to companies without business presence in the EU.

> My point is that absent some measure by the US government, EU laws are not applicable to companies without business presence in the EU

They are applicable if they say they are applicable. Effective enforceability is optional to applicability.

The case is pretty simple in my eyes.

We have separate, sovereign jurisdictions and governments. They can do about anything they want, if they have the means to do so and aren't bound by some treaty or law. For example, they can take legal or executive measures against anybody in the world, and it is irrelevant if that person agrees or disagrees. In fact, in the first place, it is also irrelevant what position the sovereign of that entity takes.

Now, can each sovereign entity enforce what they have decided? Well, that depends on many factors, but is optional to their decision.

The sovereign we are dealing with here is the EU. They can, within the bounds of their law and international treaties, judge and take measures against entities not residing under their jurisdiction. Who's stopping them?

See for example the sanctions on Russian officials currently imposed by the EU.

The EU has many tools to enforce its decisions.

I don't see what's the difficulty of understanding this situation, besides not agreeing with it.

I'll admit to what feels like a pedantic point: Yes, the EU can make a law saying it'll be very very angry if a non-EU entity does not do what it wants. But since this post is asking about HN's compliance with the GDPR, it seems practical to scope the conversation to "Can the EU make and enforce a law that affects non-EU entities".

Otherwise, it's fair to say that I can personally draft a document saying HN must give me $3.50, and sign it into law for the House Of Akerl. But my law is quite uninteresting to HN, given the low odds of any of the YC folks sending me $3.50.

Well, it seems we agree that the EU can make a law theoretically-legally affecting non-EU entities.

Can that law be enforced? That depends on whether YC has a representation in the EU, or people from YC plan to visit the EU in the future, or many other things. Maybe the EU gets creative to find other ways of enforceability. I don't intend to give a full assessment of the ways of enforcement.

Either way, it is not a nice thing to have a big jurisdiction going after you.

One can avoid the GDPR by not handling data from or about European citizens or people in the EU, and having no presence there, and actively filtering out affected people.

Or one can implement the GDPR.

I haven't researched that particular point, but I'm not sure that your HN comments qualify as "personal data" under the GDPR (they'd need to personally identify you).

"Personal data" is defined quite broadly in the GDPR:

Article 4 states

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

I just read a pretty interesting white paper (written by a compliance law firm) about data anonymisation and pseudonymisation with regards to GDPR. It provided a really neat ballpark of data that constitutes "user information" on two separate levels.

Direct identifiers include such material as: name, address, phone number, all kinds of national identifiers, biometrics, device identifiers and clinical trial record numbers.

Indirect (or "quasi-direct", a new word for me) include: gender, date of birth, postal codes or other geographic grouping identifiers, first language at home, marital status, ethnicity, ....


If you look at the two groups, there's a pretty clear distinction. Anything that would allow sending a highly personalised communication to a person is direct. Anything that allows targeting marketing cohorts is indirect.

The indirect ones may not sound important on the surface, but once you start doing group intersections, their combinations can become extremely narrow pointers.
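Added example (not from the thread or from the white paper it mentions): a check of how intersecting indirect identifiers shrinks the group a record hides in, using the column names listed in the comment above. The eight records are constructed, and measuring the smallest group per column combination (a k-anonymity style count) is this example's choice of metric.

```python
from collections import Counter
from itertools import combinations

QUASI_IDENTIFIERS = ("gender", "birth_year", "postal_code", "first_language")

# Constructed records: every single attribute is shared by four people.
RECORDS = [
    {"gender": "F", "birth_year": 1985, "postal_code": "10115", "first_language": "de"},
    {"gender": "F", "birth_year": 1985, "postal_code": "10117", "first_language": "tr"},
    {"gender": "F", "birth_year": 1990, "postal_code": "10115", "first_language": "tr"},
    {"gender": "F", "birth_year": 1990, "postal_code": "10117", "first_language": "de"},
    {"gender": "M", "birth_year": 1985, "postal_code": "10115", "first_language": "tr"},
    {"gender": "M", "birth_year": 1985, "postal_code": "10117", "first_language": "de"},
    {"gender": "M", "birth_year": 1990, "postal_code": "10115", "first_language": "de"},
    {"gender": "M", "birth_year": 1990, "postal_code": "10117", "first_language": "tr"},
]


def group_sizes(records, columns):
    """Count how many records share each combination of values in `columns`."""
    return Counter(tuple(r[c] for c in columns) for r in records)


def k_anonymity(records, columns):
    """Size of the smallest group: each record hides among at least this many."""
    return min(group_sizes(records, columns).values())


def unique_records(records, columns):
    """Number of records that are the only member of their group."""
    sizes = group_sizes(records, columns)
    return sum(1 for r in records if sizes[tuple(r[c] for c in columns)] == 1)


def worst_k_by_width(records, quasi=QUASI_IDENTIFIERS):
    """For each number of combined columns, the smallest k over all combinations."""
    result = {}
    for width in range(1, len(quasi) + 1):
        result[width] = min(
            k_anonymity(records, cols) for cols in combinations(quasi, width)
        )
    return result


if __name__ == "__main__":
    for width, k in worst_k_by_width(RECORDS).items():
        print(f"{width} column(s) combined -> smallest group has {k} record(s)")
    print("unique on all four:", unique_records(RECORDS, QUASI_IDENTIFIERS))
```

In this constructed set no single column singles anyone out, any two columns leave groups of two, and any three columns already make every record unique.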

IP addresses are identified as personal data in GDPR. They're not exposed in the frontend, but HN might use them e.g. for logging.

Also things like deletion, takeout and consent/opt-out need to be supported (provided that HN falls under GDPR).

Yes, but you need to explicitly target the EU. What that exactly means will eventually be determined in court, but some examples:

- If you offer your products in Euros, which is the currency in most of the EU
- If you offer payment methods which only exist in the EU or one of its members
- Otherwise suggest you target EU citizens

Hacker News exists as a generic website on the internet, but it does not target any country or region specifically. Therefore HN should be exempt from the legislation.

That is incorrect. You don't need to specifically target the EU. If you handle data from European citizens, the GDPR applies to you.

I'm baffled. Why the downvotes? See for applicability: https://gdpr-info.eu/art-3-gdpr/

Also, in the case of HN, YC offers a service. Just like a forum is a service, this discussion and news platform is a service. It's irrelevant if it's paid for or free.

> I'm baffled. Why the downvotes?

Because HN is now like Reddit, but for techno-snobs. If you don't follow the tightly defined groupthink, you'll get downvoted.

Many years of discussion groups have proven that downvoting has a chilling effect on discussion groups. Allow upvotes, and "spam" flags.

For me the question that a lot of people will be asking after 25th May, is what happens if they don't?

I would bet on nothing. The GDPR is there to catch the worst offenders, the other 99% of offenders will feel nothing.

> I would bet on nothing. The GDPR is there to catch the worst offenders, the other 99% of offenders will feel nothing.

No. The danger is that Internet goliaths will use the GDPR to intimidate or even shut down smaller competitors. Think of patent trolls, just worse - because the GDPR has really huge fines attached and is damn easy to get wrong in implementations.

While the GDPR was intended to be beneficial to EU consumers, I fear it will end up being most beneficial to lawyers.

I'm interested in how you think this would work. As far as I can tell, the enforcing authority for the country where the individual affected resides would need to investigate. And frankly, where a smaller entity was playing fast and loose with data, I would want the authorities to investigate.

For instance, in the UK the plan appears to be for the ICO to work with companies and fine where there's a major breach and appropriate security wasn't implemented.

Now, perhaps some individuals will band together and complain, but they do not stand to gain from the enforcement in the same way that patent trolls do.

We're going from an era where companies can claim AES encrypted at rest and AES encrypted over the wire whilst running an ancient stack full of vulnerabilities and, above a certain scale, not even worry about it. I personally have high hopes that the GDPR will at least make people running companies like that worry a bit.

Or decouple the content from the username/email, GDPR approved, content is still alive

They "do not support that". Agree that it would be a nice workaround. Should also be technically trivial.

>Should also be technically trivial.

It would be technically trivial for a forum built with the typical MVC architecture with data backed up in a relational database - just change some templates, point the user ID to a global 'deleted' user, and done, or something like that.

But Hacker News is a project site built in a custom Lisp variant that runs on one core, mostly in RAM from what I understand, with all of the data in flat files, and I don't even know if they have a development server. Obviously, they can do it, but it may not be that trivial.

Or maybe they could bang it out in an hour, I don't know. It would be nice if they put up a devlog and talked about some of the issues they have with updating the site and what their future plans with it were. Maybe talk up Arc and Lisp development a little.

We're working on it.

For months now. That is not credible. Seems like you actually need legislation as a deadline.

This is the case with most organisations. You have a finite amount of resources and attention, therefore you need to prioritise.

Most GDPR chatter started picking up only in the last few months (of course big orgs have been preparing for the May deadline for a while already).

Downvoted, deadline hasn't passed. No reason to stress about it

What happens when I ask Google to go through everyone's gmail inbox and remove my information and all emails I've sent?

Interesting question. Google might argue you should direct your request to those individuals you emailed to. Google storing the emails doesn't necessarily mean that they're responsible for processing your deletion request under the GDPR (or maybe it does, I'm just speculating).

Google still makes available to its Gmail users the previous emails I've sent to them.

Yes, but the GDPR makes a distinction between data controllers and data processors. The data controller is obligated to process your request, but Google could argue they're just the data processor, and redirect you to the users (again still speculating... not a lawyer)

Granted I've only sat in on a few GDPR meetings, but I don't think it works like that.

In your example you were the one that sent your information to some other 3rd party, so you would be the one responsible for that data transfer and its consequences.

Is that not exactly what OP is asking for, but for HackerNews instead of Gmail? Gmail is hosting the data I sent. Not to mention that I sent the emails to their servers, not some third-party.

While laws like this allow for large grey areas where all of this is up for debate, the focus of the GDPR is largely on two things.

(1) Companies that collect data and "process" it. If you're hosting it with reason, it's no big deal. If you're actively doing something with it, then you can run afoul of the law.

(2) Companies that share their information with third parties. It puts a much larger onus on companies that have your data to use it appropriately and only for intended purposes.

If you read through the wording of the law, it's perfectly possible to have an e-mail service that complies with everything.

I think the crux of this particular argument though is whether or not you "own" the emails you sent. I think at the most if you pushed this issue to the max you could get a company to scramble your email address so that it doesn't identify you anymore... but all of this is more a thought exercise about minute details. The true intent of the law is the major points above.

I agree it would cause problems with the discussion threads, but a solution to this would be for HN to substitute the username & message with "Removed due to GDPR request" or similar.

Maybe the easiest thing to do is for websites to place a banner that if you are an EU citizen, you are not welcome or allowed to view the website and are violating the terms of service.

Forced labor? Forced speech? Demanding others' time without compensation? What is Europe becoming?

I have never understood why HN does not do like Reddit – replacing the username by [deleted] or ghost.
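Added example (not part of the thread, and not HN's code, which the thread describes as flat files rather than a database): the approach several comments above suggest for a conventional forum on a relational database, pointing a departing user's comments at a shared `[deleted]` account, optionally replacing the text as well. The schema, ids, sample rows and function names are assumptions made for illustration.

```python
import sqlite3

TOMBSTONE_ID = 1  # hypothetical id of the shared '[deleted]' account
REDACTED_BODY = "Removed due to GDPR request"

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT);
CREATE TABLE comments (
    id INTEGER PRIMARY KEY,
    parent_id INTEGER REFERENCES comments(id),
    author_id INTEGER NOT NULL REFERENCES users(id),
    body TEXT NOT NULL
);
"""


def open_demo_db():
    """In-memory database with a constructed three-comment thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (TOMBSTONE_ID, "[deleted]", None),
        (2, "alice", "alice@example.org"),
        (3, "bob", "bob@example.org"),
    ])
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?, ?)", [
        (10, None, 2, "Top-level comment by alice"),
        (11, 10, 3, "bob replies to alice"),
        (12, 11, 2, "alice replies to bob"),
    ])
    conn.commit()
    return conn


def erase_account(conn, user_id, redact_body=False):
    """Detach a user's comments, then delete the account row. True if it existed."""
    if user_id == TOMBSTONE_ID:
        raise ValueError("the tombstone account cannot be erased")
    with conn:  # one transaction: everything is detached or nothing is
        if redact_body:
            conn.execute(
                "UPDATE comments SET author_id = ?, body = ? WHERE author_id = ?",
                (TOMBSTONE_ID, REDACTED_BODY, user_id))
        else:
            conn.execute(
                "UPDATE comments SET author_id = ? WHERE author_id = ?",
                (TOMBSTONE_ID, user_id))
        # With foreign keys enforced, this DELETE fails if any comment still
        # points at the account, so a missed reassignment cannot go unnoticed.
        cur = conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
    return cur.rowcount == 1


def render_thread(conn):
    """(depth, author, body) per comment; assumes parents have lower ids."""
    rows = conn.execute(
        "SELECT c.id, c.parent_id, u.name, c.body FROM comments c "
        "JOIN users u ON u.id = c.author_id ORDER BY c.id").fetchall()
    depth, out = {}, []
    for cid, parent, name, body in rows:
        depth[cid] = 0 if parent is None else depth[parent] + 1
        out.append((depth[cid], name, body))
    return out


def residual_mentions(conn, needle):
    """Ids of comments whose free text still contains `needle`."""
    rows = conn.execute(
        "SELECT id FROM comments WHERE instr(lower(body), lower(?)) > 0 ORDER BY id",
        (needle,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = open_demo_db()
    erase_account(db, 2)
    print(render_thread(db))
    print("still mentions 'alice':", residual_mentions(db, "alice"))
```

The reply tree survives either way, but `residual_mentions` shows the limit of decoupling alone: the old username remains in free text, including in other people's replies.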

Are they under any obligation to?

The regulation applies if the data controller, an organisation that collects data from EU residents, or processor, an organisation that processes data on behalf of data controller like cloud service providers or the data subject (person) is based in the EU.

The regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU. According to the European Commission, "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."


So all web sites (most, anyway) are subject to the GDPR because they may record EU IP addresses in logs?

Yup, which is what makes GDPR so dangerous.

Massachusetts is attempting to promulgate sales taxes on out of state Internet purchases using similar logic applied to cookies [0]. It seems that all it takes is nouns being put on these things, for that parasitic ambient authority to attempt to jam itself in.

Having said that, as a USian, it seems like it's at least possible for EU regulation to have its intended effects (/me glances at uUSB connectors on everything). So, especially because I bear no responsibility for its existence, I'm cautiously optimistic that the GDPR will do some good pushing back against the surveillance industry, rather than simply being yet another tool to strip individuals' freedoms away.

[0] Hey, maybe if it holds up in court, it will spur development and adoption of browser-based nym management!

It seems a little different if we're talking about selling and shipping goods to a territory.

Per US federal law, retailers are only responsible for collecting a given state's sales tax if they have a physical presence in that state. The legal theory specifically relies on considering the cookie on the user's computer as a physical presence in the state.

So how is this going to be enforceable on organizations outside of the EU?


Right, so the data controller in this case is HN... which is based in the United States. What am I missing?

> The regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU.

So, no?

HN certainly processes IP and email addresses of individuals within the EU.

So what? Countries don't get to make laws for other countries. That's the point in having markets of ideas.

Nice idea, but not 100% consistent with reality. Several countries apply their laws to their citizens, even if they aren’t in their own country.

For example “Your worldwide income is subject to U.S. income tax, regardless of where you reside.” (https://www.irs.gov/individuals/international-taxpayers/us-c...)

Other example: the “Hague invasion act” which authorizes the US president to invade Europe in order to liberate US citizens (https://en.wikipedia.org/wiki/American_Service-Members%27_Pr...)

Third example: many countries prosecute their citizens for child pornography, even if the crime happened outside their borders (https://travel.state.gov/content/travel/en/international-tra...: “U.S. citizens are subject to the laws of foreign countries. Furthermore, some laws are prosecutable in the United States regardless of local law”)

If I am in my country, I am only bound by the laws in my country. Sure I can piss off another country (violate their blasphemy laws for example) and then I better remember to not go there.

Not if an extradition treaty applies.

Extradition for? Doing something that is legal in my country while in my country?

Yes, that is possible.

I can't imagine the US is going to extradite anyone for violating the GDPR, but there is no principle barring it. Kim Dotcom's case is probably of interest here.

In the case of the US, you are incorrect. The US Constitution is the supreme law of the land, having an extradition treaty changes nothing. Kim was not in the US, and "we" pulled strings to get to him in NZ. I'm not arguing that was right (it was not!) but that's a NZ problem. No US court is ever going to extradite a US citizen for _not_ breaking a US law. This goes directly to why we have the 2nd.

If you claim otherwise, I would appreciate an example.

What part of the Constitution would bar this?

Start here: https://en.wikipedia.org/wiki/United_States_Declaration_of_I...

Then move on to what juries are, and what peers are.

In the US we have 3 boxes, the ballot box, the jury box, and the ammo box. It's a beautiful system. I realize it might be hard to understand that we are not chattel, and make our own laws, but that's the way it is.

You are making an extraordinary claim, that a US citizen can be extradited for _not_ breaking a US law, the burden is on you.


If you think "the statute" in "words of the statute" means a foreign law I really can't help you since you gotta start redefining what "the" means at that point.

OK, well, if your exegesis of the Constitution begins with citing the Declaration of Independence and includes rants about armed insurrection, I think it's safe to say it's not that well thought out.

Armed insurrection is exactly why the US exists and is not subject to foreign law. Labeling discussion of that a rant does not distract from your failure to back up an unprecedented claim. /rant

There's nothing really "unprecedented" about it -- the whole premise of extradition is handing someone over for violating foreign laws, not violating US laws.

You seem to be attempting to change the subject.

  I said: "Extradition for? Doing something that is legal in my country while in my country?"

  You said: "Yes, that is possible."

Please provide some precedent for your assertion.

To extradite someone, you must first arrest them. In the United States, to arrest someone, you must have probable cause that that person violated a US law[0].

In every case you are going to be able to find, the person wanted by the dest country was either:

a. In that country when they broke the law (which is a different subject with plenty of caveats).

b. Violated US law and the foreign law while in the US (also a different subject).

[0] https://en.wikipedia.org/wiki/Sixth_Amendment_to_the_United_...

The ongoing talks about extraditing Fethullah Gulen to Turkey for his supposed role in the Turkish coup while he was in Pennsylvania seem like a counter-example to me. There is a lot of political back-and-forth over whether that should be done, but I don't see anyone claiming it would violate the Sixth Amendment to extradite him.

First, that has not happened. Second, would it really be so hard to support your claims with sources? If the guy gets extradited, he's going to first get charged with a US crime.

That's not how extradition actually works. If you want to read about Gulen you can type "Gulen" into a search engine as easily as I can.

Don't you find it a bit odd that you keep making claims that you can not or will not support? Is a (non) reference to something that has not happened all you are willing to provide? To extradite someone from the US, you must:

1. Have probable cause to arrest them.

2. Arrest them.

3. Convict them.

4. Extradite them.

Why don't you just say "how extradition actually works"?



Here you go, my friend. I welcome you to find the part of this where it says that someone being extradited has to be found guilty of violating US law or that they have to be convicted before being extradited. As you can see here, the requirements actually have to do with what treaties say and whether there is probable cause (a much lower standard than a conviction).

IANAL but I agree. If an entirely US based company was found guilty in a court of law in the EU, but has no business interests in EU, and has no assets of any kind, then the most the EU could do is ask the US politely to do something about the company FOR THEM. The US would have no requirement (unless there is some treaty around this I'm unaware of) to do anything about it.

If they had assets of some kind in the EU country, they could capture those assets presumably.

But from what I understand with the GDPR at least at the beginning of this, is the EU govt will first try to work with the company to help them comply, before going to such drastic measures as courts and seizing assets.

I imagine the large giants like Facebook, etc will just negotiate through their army of lawyers to minimize the effects of GDPR as much as possible, and delay as long as possible. Before ultimately implementing ~ 1/2 of the best intentions behind the GDPR in about a decade or so.

But countries decide who to punish for what. One thing might not be unlawful in your country, but in another, and that other country can try to go after you.

That fact is rather boring and well-established. What matters is how the other country enforces the punishment.

The thing is, the EU doesn't have sovereignty outside of Europe. If I actually have presence in the EU, or do business with the EU, that's one thing. But they can't tell some rando with a blog living in Boston to delete comments any more than North Korea can pass a law banning making fun of Kim Jong Un in Berlin. They can huff and puff, but at the end of the day they just don't have the authority.

Any jurisdiction can "tell you things" and judge you, even if it's not your own.

Admittedly, without cooperation with your jurisdiction, the EU jurisdiction cannot enforce a measure if you don't have any presence under EU jurisdiction. However, if your jurisdiction cooperates with the EU jurisdiction, or if you eventually have some kind of presence in the EU, like traveling, they can go after you.

A particularly ugly thing happens if the HN mods for some good or bad reason decide to ban an account: their contributions will be there forever, with no ability to append explanations to previous posts.

This will after May 25 be illegal for services offered in the EU, but I kind of think that the same courtesy should apply to non-Europeans.

> no ability to append explanations to previous posts

Nobody can reply to posts that are more than a month old anyway. And the edit window is only a few hours.

I feel like Hacker News should auto-delete threads that old, anyway. Chances are there's nothing there people will care about, and if they do, they can make their own archive.

Not to devalue privacy (at all), but if the GDPR is so far reaching that anonymous posts are expected to comply with this, that destroys much discussion. Don't see why that's a reasonable expectation. That's no longer private but public data.

If you contribute to public knowledge/discussion, then taking your ball and going home leaves huge gaps in history, the same way you see [deleted] throughout many Reddit threads.

Is the GDPR that far reaching?

> Is the GDPR that far reaching?


The GDPR only cares about privacy, not quality of internet threads.

