Ask HN: Does GDPR and CCPA Apply to Hacker News?
98 comments
If HN stores IP addresses or does any sort of de-anonymization on their end, then probably yes. They cover this in their privacy policy, at least for California [1], but their terms of use (right to refuse deletion) seem inconsistent with CCPA.
Also, if they don't store IP or actively deident, then I'm not sure either reg applies. HN isn't collecting PII. Just because you chose to type some info into a free form text box doesn't mean that the are liable for treating that data as PII, unless they're doing the tagging and extraction themselves or you inform them you're in CA/EU and the post contains PII. ianal.
[1] https://www.ycombinator.com/legal/#calprivacy
Also, if they don't store IP or actively deident, then I'm not sure either reg applies. HN isn't collecting PII. Just because you chose to type some info into a free form text box doesn't mean that the are liable for treating that data as PII, unless they're doing the tagging and extraction themselves or you inform them you're in CA/EU and the post contains PII. ianal.
[1] https://www.ycombinator.com/legal/#calprivacy
[deleted]
.
GDPR PII is defined as such:
> ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(Article 4)
> ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(Article 4)
Nonsense. If you're made aware you're storing PII, fine. That's different. If it's a field designed for something else, and you have no knowledge it's being used to store PII? You're not going to get a penalty for that.
This isn't American law, where everything seems to be decided based on technicalities and the exact wording of the law. These decisions are made by reasonable human beings who review the facts of the situation and come to a judgement.
This isn't American law, where everything seems to be decided based on technicalities and the exact wording of the law. These decisions are made by reasonable human beings who review the facts of the situation and come to a judgement.
> Any free-form field must be treated as PII.
I've definitely never received this advice. I think your DPO/counsel are being excessively risk-averse, but IANA(EU)L.
I've definitely never received this advice. I think your DPO/counsel are being excessively risk-averse, but IANA(EU)L.
HN is a respite from those awful cookie banners, that's something.
Dark pattern banners I call them. One day I clicked the 'more options' button on a foreign website and it was a list of over 1000 different third parties listed each with their own toggle.
Use Firefox's built in privacy blocking tools as a bare minimum.
Personally, I use uBlock, the built in privacy list, and most crucially: Cookie AutoDelete.
I have it set such that if I unload a domain for 30 minutes, all of its cookies are deleted. The end result is that I have something that works decently, while preserving history and passwords.
Personally, I use uBlock, the built in privacy list, and most crucially: Cookie AutoDelete.
I have it set such that if I unload a domain for 30 minutes, all of its cookies are deleted. The end result is that I have something that works decently, while preserving history and passwords.
That's actually how it's supposed to work. Only the most recent ruling, and it was Google specific, forced them to add "Reject all" button.
afaik the law says rejecting all should be as easy as accepting all, which is google got the ruling they did, even having to click "more options" before "reject all" is against the letter of the law, though I don't know that that one will ever actually be enforced.
afaik technicalities like this can be adjusted by member states and it's country specific. EU court overruled Google case for whole EU.
broken as designed.
And those banners aren't even mandatory. Someone did it without learning the actual law and almost everybody does that.
They are mandatory if by browsing a website your data ends up in a 3rd party, which means almost all websites.
No, banner isn't mandatory. Information is mandatory. I don't remember exact page now but it was some govt page here in Poland that had info about cookies in page footer, and it was also ok
[deleted]
It's only 'mandatory' (see comment below) if they (whether the primary operator or the subcontractor) is doing things that aren't strictly for functionality.
The problem is that while the EU hopes that disclosures are designed to introduce friction to make the site more privacy-friendly... let's say that money is still a strong motivator for a lot of websites. I even spotted cookie prompts that were essentially that "close door" button on lifts.
The problem is that while the EU hopes that disclosures are designed to introduce friction to make the site more privacy-friendly... let's say that money is still a strong motivator for a lot of websites. I even spotted cookie prompts that were essentially that "close door" button on lifts.
Advertising agencies offer to install these banners to get higher bids from advertisers.
Webmasters have a choice.
Most choose money.
Why would HN need to follow rules from EU or China? This OP must be kidding. What about following Cameroon law? What makes EU more important? What if they conflict? Pass all the laws you want to in Bolivia for PII, HN should just ignore it. No they shouldn't hand all our data to Pakistan to abide by their laws either.
CCPA is not from China https://en.wikipedia.org/wiki/California_Consumer_Privacy_Ac...
Sorry I was referring to GDPR
I’ve had all my submissions deleted when requested so not sure what the issue is
How does that work with downstream replies? Do they vanish as well or get attached to a sibling/parent of your comment?
And I've had that request denied. That you have to make a case to a single person who can choose what to do about it is the issue as I see it.
But that's not a legal issue, as long as they agree to deletion if you're CA/EU and your data is PII.
I agree on principle that all communication mediums should allow users to delete and edit their own posts. Retraction is speech.
I agree on principle that all communication mediums should allow users to delete and edit their own posts. Retraction is speech.
Short answer: no.
https://gdpr-info.eu/art-17-gdpr/
In particular, there are sections about archiving and freedom of expression/information which I believe would apply to an online discussion forum where all comments are made public by virtue of them being posted in the first place.
https://gdpr-info.eu/art-17-gdpr/
In particular, there are sections about archiving and freedom of expression/information which I believe would apply to an online discussion forum where all comments are made public by virtue of them being posted in the first place.
There seems to be a legal theory that public discourse is not to be removed under the GDPR. Discord, for example, will also not delete your messages.
Part of the problem is also that the government agencies tasked with regulating these things are hopelessly slow in pursing matters, especially when non-EU companies are concerned.
Part of the problem is also that the government agencies tasked with regulating these things are hopelessly slow in pursing matters, especially when non-EU companies are concerned.
Discord was fined 800k euros just today for keeping deleted account's data for too long among other things, which is something at least.
https://www.cnil.fr/en/discord-inc-fined-800-000-euros
https://www.cnil.fr/en/discord-inc-fined-800-000-euros
Failure to ensure the security of personal data (Article 32 of the GDPR)
At the time of the online investigation, when creating an account on DISCORD, a password of six characters including letters and numbers was accepted.
The restricted committee considered that DISCORD's password management policy was not sufficiently strong and restrictive to ensure the security of users' accounts.
Kind of surprising the GDPR is so prescriptive about password requirements!Is it actually prescriptive, or does it say (in more legalese form) "use industry best practices to protect user data". Six characters is laughably bad and would fail pretty much any password requirements I've seen in the last decade (except for my credit union who only updated like 5 years ago after finally migrating to a better back end).
The GDPR is actually surprisingly understandable and 'plain English' (obviously, lawyers have their own interpretations of everything).
Key section is probably this one: https://gdpr-info.eu/art-32-gdpr/
Key section is probably this one: https://gdpr-info.eu/art-32-gdpr/
Reading the summary you linked, it isn't clear if Discord is being fined solely over retaining account information alone, or if that includes comments/messages.
Because, as has been pointed out ad nauseam THEY HAVE NO JURISDICTION to tell US companies what to do.
Of course, every time I point this out, people get mad at me because they happen to like the law (ie, they like the idea of privacy, and privacy theatre is comforting to them).
I'm personally of the opinion that one government telling me what to do is quite enough, thank you very much.
Of course, every time I point this out, people get mad at me because they happen to like the law (ie, they like the idea of privacy, and privacy theatre is comforting to them).
I'm personally of the opinion that one government telling me what to do is quite enough, thank you very much.
US companies that act internationally are not immune from the laws of the states they act within.
True. Putting a website online available to anybody to visit does not mean I’m acting in Europe, though.
> Because, as has been pointed out ad nauseam THEY HAVE NO JURISDICTION to tell US companies what to do.
Actually in practice many important US companies do have market activity or assets in the EU, arguably including Y Combinator. Also, the EU (or its governments) wouldn't bother a random plumber in Iowa or honestly even in Prague (unless in the latter case someone have bothered to complain).
Actually in practice many important US companies do have market activity or assets in the EU, arguably including Y Combinator. Also, the EU (or its governments) wouldn't bother a random plumber in Iowa or honestly even in Prague (unless in the latter case someone have bothered to complain).
This is actually incorrect. The US and many other countries have entered into trade agreements with each other. For example, if a company does business in Europe (sells goods or services to EU customers), they are subject to EU regulations in a whole host of areas. The GDPR is only one example of such law.
You, personally, are not subject to EU laws since you are, presumably, not running a business with EU customers or data subjects.
You, personally, are not subject to EU laws since you are, presumably, not running a business with EU customers or data subjects.
The GDPR is explicitly not the same as those laws, claiming that it applies to anybody anywhere who puts a website online for any reason irregardless of any trade agreements.
GDPR is intentionally written to be extraterritorial in scope. If you're collecting data on EU citizens while being located anywhere in the universe, it applies to you.
If you never have any plans to step foot in the EU, then they can't do anything to you.
If you never have any plans to step foot in the EU, then they can't do anything to you.
[deleted]
Interesting
Definitely not how my employer interprets GDPR.
I can’t wait for the day the EU actually tries to enforce their laws on individuals and companies with no presence there. Will be a fun extradition battle to watch
No EU country would ever try to extradite anyone over a GDPR violation...
International companies that choose to process data from EU citizens but blatantly ignore the regulation will be subject to enforcement action from the country's supervisory authority. The supervisory authority has the power to "order the suspension of data flows to a recipient in a third country or to an international organisation" or "to impose a temporary or definitive limitation including a ban on processing".
In practice, this means you can say goodbye to doing business with your EU customers if you don't want to play by the rules. I doubt it'll be much of a loss for them to lose access to services provided by a company that doesn't care about their customers' privacy.
As ever, a significant minority of Americans on Hacker News really Just Do Not Grasp the benefit of the EU or its regulations such as GDPR. "All regulation must be bad!!" It's quite tiresome, really.
International companies that choose to process data from EU citizens but blatantly ignore the regulation will be subject to enforcement action from the country's supervisory authority. The supervisory authority has the power to "order the suspension of data flows to a recipient in a third country or to an international organisation" or "to impose a temporary or definitive limitation including a ban on processing".
In practice, this means you can say goodbye to doing business with your EU customers if you don't want to play by the rules. I doubt it'll be much of a loss for them to lose access to services provided by a company that doesn't care about their customers' privacy.
As ever, a significant minority of Americans on Hacker News really Just Do Not Grasp the benefit of the EU or its regulations such as GDPR. "All regulation must be bad!!" It's quite tiresome, really.
> As ever, a significant minority of Americans on Hacker News really Just Do Not Grasp the benefit of the EU or its regulations such as GDPR. "All regulation must be bad!!" It's quite tiresome, really.
Now you know how we feel when Europeans pontificate about issues in the US without really knowing anything beyond the headline.
Also, FWIW a lot of HN participants are in California, which has CCPA. Your stats may well be objectively wrong anyway.
Now you know how we feel when Europeans pontificate about issues in the US without really knowing anything beyond the headline.
Also, FWIW a lot of HN participants are in California, which has CCPA. Your stats may well be objectively wrong anyway.
It wouldn't be extradition, it would be sanctioning. Same mechanisms and difficulties apply as trying to sanction Russian oligarchs.
I assume all they'll do is block the websites so EU citizens can't reach them.
It's such an absurd thing to even try and attempt. I have no doubt they will.
[deleted]
This is all pretty much spelled out in the Legal link at the bottom of HN.
https://www.ycombinator.com/legal/#calprivacy
https://www.ycombinator.com/legal/#calprivacy
What part of the GDPR specifies that a company must remove your posts?
Sure, it's a bit weird to force them to stay up, but the GDPR is mostly about PII. You can probably have your email address, username, and contact information removed from the database, but the comments themselves are different.
I don't know much about the CCPA, but from what I've read, I don't think it covers this use case.
As for if YC needs to follow the GDPR: YC does business in the EU so they'd be foolish to ignore it. If you believe your rights are being infringed, contact your local DPA and file a complaint.
Sure, it's a bit weird to force them to stay up, but the GDPR is mostly about PII. You can probably have your email address, username, and contact information removed from the database, but the comments themselves are different.
I don't know much about the CCPA, but from what I've read, I don't think it covers this use case.
As for if YC needs to follow the GDPR: YC does business in the EU so they'd be foolish to ignore it. If you believe your rights are being infringed, contact your local DPA and file a complaint.
This is a misconception. GDPR is about any data relating to a potentially identifiable person, not only data which actually identifies them. The thoughts you've posted on HN certainly relate to you!
I’ve always found it funny people think GDPR matters outside of the EU.
You cannot regulate a steel manufacturer in China from the EU. Similarly, you cannot regulate how a company and server is setup in another country. It’s where the company is operating.
In the case of hacker news the CCPA probably does have an impact. So i suspect they follow the appropriate law there. That’s because that’s where they are operating out of.
That said, HN is moderated pretty well. I suspect if you ask them they’ll tell you and / or delete what ever you ask.
You cannot regulate a steel manufacturer in China from the EU. Similarly, you cannot regulate how a company and server is setup in another country. It’s where the company is operating.
In the case of hacker news the CCPA probably does have an impact. So i suspect they follow the appropriate law there. That’s because that’s where they are operating out of.
That said, HN is moderated pretty well. I suspect if you ask them they’ll tell you and / or delete what ever you ask.
HN is part of YCombinator which does business in Europe (see: https://www.ycombinator.com/companies?regions=Europe).
Companies doing business in Europe must follow European law, just like European companies doing business in the USA need to follow American law.
The solution is quite obvious: don't do business with Europe and the GDPR doesn't apply. Don't do business with the USA (including companies like Amazon and Google) and American law doesn't apply. The EU won't try to fine Walmart and Target, the USA probably won't try to fine Système U.
(Unless it's about oil, government influence, or copyright infringement, of course, then the USA will force the issue; probably not relevant for most companies)
Companies doing business in Europe must follow European law, just like European companies doing business in the USA need to follow American law.
The solution is quite obvious: don't do business with Europe and the GDPR doesn't apply. Don't do business with the USA (including companies like Amazon and Google) and American law doesn't apply. The EU won't try to fine Walmart and Target, the USA probably won't try to fine Système U.
(Unless it's about oil, government influence, or copyright infringement, of course, then the USA will force the issue; probably not relevant for most companies)
The EU is desperate to get the sort of funding YC provides so they would never say "no".
lol ycombinator investing in companies is not the same as "doing business".
That's a very poor analogy, as you can put tariffs on Chinese steel and disallow imports unless they adhere to EU standards.
That's not regulating the production of steel, but adding a tariff on an industry. You could obviously block someone from selling in your country, but that doesn't mean you have the right to regulate them.
Just like you could block a website within your country. That said, you can't force them to adhere to anything.
Put a different way, if I run a news paper in Russia, sure you can block the distribution in the EU. The EU cannot tell the news paper what to publish.
Just like you could block a website within your country. That said, you can't force them to adhere to anything.
Put a different way, if I run a news paper in Russia, sure you can block the distribution in the EU. The EU cannot tell the news paper what to publish.
[deleted]
[deleted]
Short answer: they probably have to delete your personal data.
Long answer: it depends on the regulation. To the best of my understanding yes under the GDPR. If you are interested in what constitutes personal data and when an organisation needs to or does not need to comply with a request under the GDPR and the CCPA take a look here: https://yourdigitalrights.org/#faq
(I am one of the founders of YourDigitalRights.org. We help people send data deletion and access requests. I am not a lawyer and this is not a legal advice.)
Long answer: it depends on the regulation. To the best of my understanding yes under the GDPR. If you are interested in what constitutes personal data and when an organisation needs to or does not need to comply with a request under the GDPR and the CCPA take a look here: https://yourdigitalrights.org/#faq
(I am one of the founders of YourDigitalRights.org. We help people send data deletion and access requests. I am not a lawyer and this is not a legal advice.)
to put it bluntly, nobody outside the EU has to give a damn about the EU law.
If you conduct business (even if only over the internet) in the EU, the EU considers you subject to their laws. Same as with the United States (and probably every other jurisdiction).
Do you have to comply with EU law if you conduct business there? It depends on whether the EU can enforce judgements against you. If you live in the EU, then the EU can certainly enforce judgements against you. If you live in a cooperating jurisdiction, like the US, then I'm pretty sure that EU judgements can be enforced against you. That would take more effort on the EU's part, but if they really want to, I believe they can ask and get the US courts to enforce judgements.
If you live somewhere where the courts will not enforce EU judgements, then yeah, you don't need to care about EU laws. At least, until you travel someplace that does...
Do you have to comply with EU law if you conduct business there? It depends on whether the EU can enforce judgements against you. If you live in the EU, then the EU can certainly enforce judgements against you. If you live in a cooperating jurisdiction, like the US, then I'm pretty sure that EU judgements can be enforced against you. That would take more effort on the EU's part, but if they really want to, I believe they can ask and get the US courts to enforce judgements.
If you live somewhere where the courts will not enforce EU judgements, then yeah, you don't need to care about EU laws. At least, until you travel someplace that does...
[deleted]
CCPA states:
The right to know the personal information that businesses have collected from an individual
The right to opt-out of the sale of consumer data collection
The right to delete personal information collected from them
HackerNews doesn't collect personal data.
Deleting anything someone wants deleted isn't covered
HackerNews doesn't collect personal data.
Deleting anything someone wants deleted isn't covered
> HackerNews doesn't collect personal data.
There's an email field in the settings.
There's an email field in the settings.
Optional and used for recovery purposes and it is self serve for removal and immediately removed
None of that makes it non-PII.
Pretty sure it requires deleting comments if requested, this at least how my employer treats GDPr.
GDPR and CCPA are different laws from different countries.
That's fair, at least at my employer we have simply rolled out GDPR compliance globally so we do not have to do deal with different jurisdictional compliance headaches as much.
I think that depends on if comments contain any of your "personal information" (as defined by the GDPR). Certainly it's much easier (and safer) to just delete all of a user's comments than to audit each one and decide which comments have personal information and which don't, so I suspect that's why your employer (and many others, probably) take that route.
But, for example, consider your post here that I'm replying to: I don't think anyone could credibly claim that it contains personal information. I believe HN will anonymize the username on past comments during account deletion (maybe only if requested, though?), so at least the comment wouldn't be attributed to anyone identifiable. But, of course, if someone posted their real name in a comment, or even just information that could identify them, that would be personal information in the comment body itself.
Frankly I'm not a fan of the idea that comments on a public forum need to be deleted as a result of GDPR deletion requests. It would really suck if clicking on an old HN comment thread meant that you'd see a bunch of "[deleted due to GDPR request]" peppered all over the comment threads. Or think of a site like Stack Overflow: it would be a shame if a GDPR deletion request means that SO has to delete all a user's questions (which others may have spent time and effort answering!) and answers (that others would continue to benefit from reading).
I think in this case the GDPR goes too far in making the site owner responsible. Sure, a site owner should absolutely be responsible for personal information it asks for and intentionally collects, but it seems a bit unfair to extend that to information a user may voluntarily submit, in a context where the submission is free-form and unstructured.
Then again, I'm -- perhaps hypocritically -- of the opinion that sites like Facebook should be required to delete all posts and content when someone wants to delete their account. Back when I used it, I'd definitely run into some old post comments where some comments have been deleted (due to account closures), which really confuses the conversation going on in the comments. For some reason my heart is trying to tell me that FB and HN are somehow different here, even though I can't logically support that. I think my feeling is that stuff I post on HN belongs to the community, whereas stuff I (used to) post on FB still belongs to me. Not sure why there should be that difference, though.
But, for example, consider your post here that I'm replying to: I don't think anyone could credibly claim that it contains personal information. I believe HN will anonymize the username on past comments during account deletion (maybe only if requested, though?), so at least the comment wouldn't be attributed to anyone identifiable. But, of course, if someone posted their real name in a comment, or even just information that could identify them, that would be personal information in the comment body itself.
Frankly I'm not a fan of the idea that comments on a public forum need to be deleted as a result of GDPR deletion requests. It would really suck if clicking on an old HN comment thread meant that you'd see a bunch of "[deleted due to GDPR request]" peppered all over the comment threads. Or think of a site like Stack Overflow: it would be a shame if a GDPR deletion request means that SO has to delete all a user's questions (which others may have spent time and effort answering!) and answers (that others would continue to benefit from reading).
I think in this case the GDPR goes too far in making the site owner responsible. Sure, a site owner should absolutely be responsible for personal information it asks for and intentionally collects, but it seems a bit unfair to extend that to information a user may voluntarily submit, in a context where the submission is free-form and unstructured.
Then again, I'm -- perhaps hypocritically -- of the opinion that sites like Facebook should be required to delete all posts and content when someone wants to delete their account. Back when I used it, I'd definitely run into some old post comments where some comments have been deleted (due to account closures), which really confuses the conversation going on in the comments. For some reason my heart is trying to tell me that FB and HN are somehow different here, even though I can't logically support that. I think my feeling is that stuff I post on HN belongs to the community, whereas stuff I (used to) post on FB still belongs to me. Not sure why there should be that difference, though.
Public comments really aren’t personal information.
If they include personal information, then they absolutely are (a quick search for "GDPR user generated content" is enlightening). If I posted my full name and address in this comment, I believe a GDPR deletion request would indeed legally require HN to delete it (if I lived in the EU, that is, which I don't).
And that's the problem: the vast majority of HN posts probably don't include personal information. But if someone were to submit a GDPR deletion request to HN, does HN really want to spend the time auditing perhaps hundreds or thousands of comments in order to determine what has personal information in it and what doesn't? And then also making a judgment as to whether the entire comment would need to be deleted, or if only part of it needed to be redacted? So I'd completely understand if HN would comply by deleting all comments.
(I'm intentionally ignoring the fact that it's unclear if the EU could even enforce the GDPR against HN/YC, as I'm not sure if they have any business entities in the EU. Certainly the GDPR as written tries to be extraterritorial in its demands, but enforcement is another matter. HN/YC are of course subject to the CCPA, though.)
And that's the problem: the vast majority of HN posts probably don't include personal information. But if someone were to submit a GDPR deletion request to HN, does HN really want to spend the time auditing perhaps hundreds or thousands of comments in order to determine what has personal information in it and what doesn't? And then also making a judgment as to whether the entire comment would need to be deleted, or if only part of it needed to be redacted? So I'd completely understand if HN would comply by deleting all comments.
(I'm intentionally ignoring the fact that it's unclear if the EU could even enforce the GDPR against HN/YC, as I'm not sure if they have any business entities in the EU. Certainly the GDPR as written tries to be extraterritorial in its demands, but enforcement is another matter. HN/YC are of course subject to the CCPA, though.)
Have you tried emailing them and asking for your comments and submissions removed under GDPR/CCPA?
Neither of those laws grants that right.
In general don't think they do unless they're directly or indirectly associated with someone's identity, but my question was more of one curious to the poster's outrage - they're upset about not possibly not having their comments removed, well... did they try to ask?
[deleted]
As far as GDPR goes, according to Article 3 of GDPR it applies to processing if any of three conditions are met:
1. Processing that takes place in the context of processors and controllers that are in the Union, regardless of whether or not the processing itself takes place in the Union.
2. Processing the data of subjects who are in the Union by controllers or processors who are not in the Union if the processing is related to offering goods or services to such subjects in the Union or the processing is related to monitoring the behavior of such subjects that takes place in the Union.
3. Processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
If none of those cover an entity, that entity's processing is not covered by GDPR.
#2 would probably be the only relevant one for HN.
Is HN offering goods or services to subjects in the Union? Sure, people in the Union can access HN and even make accounts. But that might not be enough. One of the recitals for Article 3 elaborates:
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
Does HN envisage offering services in the Union, or is it simply a site that happens to work when accessed from the Union but was not envisaged to do so?
Another recital elaborates on the monitoring of behavior of subjects in the Union:
> In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
HN seems to collect minimal data. It might not rise to the level of monitoring that would be needed to count as monitoring behaviour.
1. Processing that takes place in the context of processors and controllers that are in the Union, regardless of whether or not the processing itself takes place in the Union.
2. Processing the data of subjects who are in the Union by controllers or processors who are not in the Union if the processing is related to offering goods or services to such subjects in the Union or the processing is related to monitoring the behavior of such subjects that takes place in the Union.
3. Processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
If none of those cover an entity, that entity's processing is not covered by GDPR.
#2 would probably be the only relevant one for HN.
Is HN offering goods or services to subjects in the Union? Sure, people in the Union can access HN and even make accounts. But that might not be enough. One of the recitals for Article 3 elaborates:
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
Does HN envisage offering services in the Union, or is it simply a site that happens to work when accessed from the Union but was not envisaged to do so?
Another recital elaborates on the monitoring of behavior of subjects in the Union:
> In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
HN seems to collect minimal data. It might not rise to the level of monitoring that would be needed to count as monitoring behaviour.
Maybe the lack of any kind of business relationship matters? I.e. HN isn't making money from the people posting here.
Eh, ycombinator definitely benefits from HN as an advertising method and has information on people that use HN, so there's only no sort of business relationship if you also believe that other major advertisers (such as Google) have no business relationship that applies.
the company solicits business from EU/UK citizens
unless they want to stop funding/accepting applications from them: it applies to them
unless they want to stop funding/accepting applications from them: it applies to them
I'd guess HN isn't big enough for basically any privacy law to apply.
Some parts of GDPR at least call out company size explicitly, other parts allow for "cost of implementation" to be considered, which for HN would probably be "prohibitively high" regardless of triviality, considering the team size.
Some parts of GDPR at least call out company size explicitly, other parts allow for "cost of implementation" to be considered, which for HN would probably be "prohibitively high" regardless of triviality, considering the team size.
Seems like a risky gambit; AFAIK YC owns HN and would have a hard time arguing that that they're a small business incapable of following GDPR regs.
It's not a general "we can't do this" argument, it's got specific criteria, one being company size for certain regs to apply.
But honestly YC probably doesn't even think about any of this, for good or bad. Most companies are super duper behind the ball on privacy regulations, despite the negative consequences.
But honestly YC probably doesn't even think about any of this, for good or bad. Most companies are super duper behind the ball on privacy regulations, despite the negative consequences.
Right. IDK how the size of YC gets calculated for the purposes of GDPR. It's a weird edge case.
I actually operate in this space right now, and you wouldn't believe the number of companies who don't care about privacy, screw it up, get fined hugely, and then... just keep on not caring.
It's unreal.
It's unreal.
Interesting. Care to guess why? Cost of fines < cost of compliance? "not my job" syndrome? Incompetence? All 3?
It’s this idea that if nobody is doing it, or if they handle it poorly, then nobody will care if you also handle it poorly.
CEOs are just writing it off as pesky lawyer shit, even though it’s 100% preventable…
CEOs are just writing it off as pesky lawyer shit, even though it’s 100% preventable…
The other way to look at it is that HN is too small to go after as in it would cost more in lawyers than they could recoup, possibly.
The GDPR doesn't allow people to start lawsuits. The law is upheld by government agencies, which usually give small companies a chance to fall in line before starting a lawsuit. They're also mostly focused on European businesses and most likely won't act until they receive enough complaints.
When it comes to lawyer fees, governments seem to have quite a pool of money when it comes to enforcing the law.
When it comes to lawyer fees, governments seem to have quite a pool of money when it comes to enforcing the law.
> The GDPR doesn't allow people to start lawsuits.
it most certainly does
the national authorities should be the first avenue, but if they don't agree with you you can go after the company directly
it most certainly does
the national authorities should be the first avenue, but if they don't agree with you you can go after the company directly
I suppose, but it'll take months before you can even start taking action by yourself, and you'll have to find a good reason to disagree with the DPA's lawyers. The DPA declaring your case unenforceable certainly doesn't help your chances; maybe if the DPA doesn't have time for your complaint do you have a chance.
Even then the recouped damage is minimal if you win. The GDPR is not like many other laws that give way to massive civil suits.
Even then the recouped damage is minimal if you win. The GDPR is not like many other laws that give way to massive civil suits.
Does HN needs to cancel user comments under GDPR?
Ina short anwer : YES, but not because what you think.
Under GDPR you have the right to ask your PII to be erased from production (it still goes under archive for a some time depending on legal constraints)
So it is valid demand for HN to ask your comments to be erased from be “live” in production
Are your comments PII? Yes, as they are linked to a user, username that is linked to an email and bio, and they may contains also PII inside.
So you could ask it to be removed.
Can HN avoid that deletion? Yes only if they prove they have a more valid reason with a legitimate interest to keep it, or that there is any relevant legal obligation to keep it
Do they have ? Not really in that case, however they could also rely on the existence of a particular legitimate interest to inform (if they prove that they are a media), or that there is a legitimate interest relying on the impossibility to understand conversations if you cut off some parts of the discussions and the related feeds.
Ina short anwer : YES, but not because what you think.
Under GDPR you have the right to ask your PII to be erased from production (it still goes under archive for a some time depending on legal constraints)
So it is valid demand for HN to ask your comments to be erased from be “live” in production
Are your comments PII? Yes, as they are linked to a user, username that is linked to an email and bio, and they may contains also PII inside.
So you could ask it to be removed.
Can HN avoid that deletion? Yes only if they prove they have a more valid reason with a legitimate interest to keep it, or that there is any relevant legal obligation to keep it
Do they have ? Not really in that case, however they could also rely on the existence of a particular legitimate interest to inform (if they prove that they are a media), or that there is a legitimate interest relying on the impossibility to understand conversations if you cut off some parts of the discussions and the related feeds.
staringback(1)
Isn't this a clear violation of GDPR and CCPA?
HN will anonymize usernames, but that does not remove personally identifying links or data from comments and submissions.
Will this ever change? Will it ever be possible for a user to be completely deleted from HN (remove all comments and submissions)?