Ask HN: Is Hacker News GDPR Compliant?
- While most users use pseudonyms, there are some users who do not, and most users (hypothesis from my side here) use their actual email address, and not a throw away email address or an email address exclusively created for HN.
- Hacker News has an API, though they (obviously) do not disclose the email addresses of any of its users in the API, they do however include HN usernames which alongwith the public posts also available in the API are attributable to given users, and therefore is indirectly personal information.
- Hacker News doesn’t support the deletion of comments and posts after a certain 24-48 hour period. Upon research I’ve learnt that one can contact PG or the HN News mods to have your content deleted on the platform, however this delete wouldn’t be enforceable on API consumers of HN, who may have a cache or a permanent archive of the data in any location (analogous to how FB is getting Cambridge Analytica to delete any of the user data which CA still has).
- HN’s severs with all user data is (I believe) located in California. Data residency in the EU doesn’t seem the case. Even if the case is made that all HN user information is in public forum, personal data such as users’ email addresses and favorites are private information stored on HN.
- Finally, the point about consequences. All the above points would seem null if HN really doesn’t have any revenue for it to be charged the 2-4% of global revenue as penalty for violating GDPR. However to this point I would like to issue a reminder that Hacker News is by all legal matters owned by Y Combinator (also on the company domain name *.ycombinator.com), and YC sure does rake in the revenue. Would HN legally be argued as some sort of a free non-profit forum, and thus not connected to YC for any GDPR violation? Currently YC companies have their hiring posts artificially promoted on HN’s front page, so there’s that thorn.
21 comments
[ 4.9 ms ] story [ 76.3 ms ] threadI'd love to see someone with a legal background provide their thoughts here!
That said, it's an interesting thought experiment to understand what the implications would be if it was hosted in a GDPR country.
Having said that, what about CDN's? I'm certain that lots of comment data is located in CDN's across the EU, US, and Asia.
> In May of 2018, a major upgrade to Europe’s overarching data protection framework becomes enforceable. This will be followed by a companion piece of legislation pertaining to data in transit. The extraterritorial nature of these two frameworks — they protect the privacy rights of people in Europe regardless of where their data is collected — means that they will become the de facto standard for privacy around the world. [1]
[1] https://www.smashingmagazine.com/2018/02/gdpr-for-web-develo...
Someone more knowledgeable than me please correct me if I am wrong.
In that case, either the tourist who bought it is the one in the wrong and will need to forfeit it at the border, or the law does not apply.
I see no reason why the conclusion about the GDPR cannot be "EU companies on EU soil need to comply, but EU citizens touring the internet via non EU sites are on their own and proceed at their own risk, without protection from the GDPR."
IANAL, but I have had a couple of law classes. Also, one of the things I do know is that we have no world government and laws regarding international internet stuff are breaking new ground daily because it is an unprecedented circumstance that doesn't one-for-one compare to historical legal precedents.
I imagine if we ever get a world government, it will be an emergent event and it will grow out of the current trend of multiple countries joining together to form blocks like the EU. But I see absolutely no reason why any country outside the EU should be presumed to be subject to EU laws just because EU citizens are capable of accessing their sites via internet.
If someone has an article that shows this has been established as a precedent the world accepts, I would be interested in seeing it. But I am not aware of any established precedent suggesting the EU will by default be accepted as having the authority to dictate standards across the globe.
> Under the GDPR, organizations may be in scope if (i) the organization is established in the EU, or (ii) the organization is not established in the EU but the data processing activities are with regard to EU individuals and relate to the offering of goods and services to them or the monitoring of their behavior.
- https://stripe.com/guides/general-data-protection-regulation...
https://news.ycombinator.com/item?id=16661323
https://news.ycombinator.com/item?id=16698937
https://news.ycombinator.com/item?id=16751656
On a side note: There still isn’t an answer to the question in matter.
That action in itself would not be enough to be GDPR complaint. User generated content is associated with a user. To be compliant, all user data would have to be removed. It would be really simple for FB to be GDPR complaint if all that was required was to delete a user profile and none of the respective user activity on the platform.
They don't need to have a delete button or even any action items in the UI - just be able to provide the service if/when requested.