Ask HN: Is Hacker News GDPR Compliant?

30 points by rajnathani ↗ HN
Few points relevant to a discussion around this question:

- While most users use pseudonyms, there are some users who do not, and most users (hypothesis from my side here) use their actual email address, and not a throw away email address or an email address exclusively created for HN.

- Hacker News has an API, though they (obviously) do not disclose the email addresses of any of its users in the API, they do however include HN usernames which alongwith the public posts also available in the API are attributable to given users, and therefore is indirectly personal information.

- Hacker News doesn’t support the deletion of comments and posts after a certain 24-48 hour period. Upon research I’ve learnt that one can contact PG or the HN News mods to have your content deleted on the platform, however this delete wouldn’t be enforceable on API consumers of HN, who may have a cache or a permanent archive of the data in any location (analogous to how FB is getting Cambridge Analytica to delete any of the user data which CA still has).

- HN’s severs with all user data is (I believe) located in California. Data residency in the EU doesn’t seem the case. Even if the case is made that all HN user information is in public forum, personal data such as users’ email addresses and favorites are private information stored on HN.

- Finally, the point about consequences. All the above points would seem null if HN really doesn’t have any revenue for it to be charged the 2-4% of global revenue as penalty for violating GDPR. However to this point I would like to issue a reminder that Hacker News is by all legal matters owned by Y Combinator (also on the company domain name *.ycombinator.com), and YC sure does rake in the revenue. Would HN legally be argued as some sort of a free non-profit forum, and thus not connected to YC for any GDPR violation? Currently YC companies have their hiring posts artificially promoted on HN’s front page, so there’s that thorn.

21 comments

[ 4.9 ms ] story [ 76.3 ms ] thread
This is an excellent question. I feel like the right to be deleted/forgotten is certainly not supported by the current implementation, and the relationship to a VC fund certainly could introduce an element of this being an attractive target. I don't know about the comment caching though, for example, I'm sure Twitter doesnt solve for this either, is this actually a requirement? Or are those caching Twitter comments simply in violation of the Twitter TOS?

I'd love to see someone with a legal background provide their thoughts here!

Hacker News is hosted in the United States, so it is not liable to GDPR, at least currently.

That said, it's an interesting thought experiment to understand what the implications would be if it was hosted in a GDPR country.

My understanding was that GDPR requirements apply to all citizens of the EU regardless of where the company is located. Someone else can chime in if that's not accurate!
The last time I touched on this with our legal team (and it was not related to GDPR, it was just related to data storage of EU Citizens) the storage location was a very relevant key point.

Having said that, what about CDN's? I'm certain that lots of comment data is located in CDN's across the EU, US, and Asia.

It doesn't care about anyone's citizenship, but it can apply to US-based entities if they're sufficiently targeting Europe in offering goods or services.
But is HN targeting Europe or any geographic area? If someone from Europe decides to participate, isn't that a conscious decision to participate in a forum outside of Europe and thus outside of the GDPR? Should someone expect their own, local laws to apply around the world?
Don't think so:

> In May of 2018, a major upgrade to Europe’s overarching data protection framework becomes enforceable. This will be followed by a companion piece of legislation pertaining to data in transit. The extraterritorial nature of these two frameworks — they protect the privacy rights of people in Europe regardless of where their data is collected — means that they will become the de facto standard for privacy around the world. [1]

[1] https://www.smashingmagazine.com/2018/02/gdpr-for-web-develo...

IANAL, but as far as I know, the world has not yet tested the legal authority of the EU to impose rules upon entities outside the EU. So my general impression is that the EU is possibly overstepping their authority and the world might decide they are not allowed to dictate standards globally.

Someone more knowledgeable than me please correct me if I am wrong.

It's not a question of legal authority. It's a matter of if a company wants to do business in the EU, they have to follow EU laws. The EU isn't imposing laws on other countries. If a company does no business with EU citizens and collects no data on EU citizens, they don't have to follow GDPR. If they do collect data on EU citizens, they have to follow the law, regardless of where they're located, or face fines. It's a consumer protection law. It's no different than, for example, requiring products from Chinese companies to pass US safety regulations before they're allowed to be sold in the US.
The problem with your example is that the internet does not work exactly like meat space. Why not compare it to tourists shopping while on vacation in China and purchasing items that could not be sold in the US, then bringing them back in their luggage?

In that case, either the tourist who bought it is the one in the wrong and will need to forfeit it at the border, or the law does not apply.

I see no reason why the conclusion about the GDPR cannot be "EU companies on EU soil need to comply, but EU citizens touring the internet via non EU sites are on their own and proceed at their own risk, without protection from the GDPR."

IANAL, but I have had a couple of law classes. Also, one of the things I do know is that we have no world government and laws regarding international internet stuff are breaking new ground daily because it is an unprecedented circumstance that doesn't one-for-one compare to historical legal precedents.

I imagine if we ever get a world government, it will be an emergent event and it will grow out of the current trend of multiple countries joining together to form blocks like the EU. But I see absolutely no reason why any country outside the EU should be presumed to be subject to EU laws just because EU citizens are capable of accessing their sites via internet.

If someone has an article that shows this has been established as a precedent the world accepts, I would be interested in seeing it. But I am not aware of any established precedent suggesting the EU will by default be accepted as having the authority to dictate standards across the globe.

So what you are arguing is that China can enforce their laws around censorship on EU companies when their citizens use a site hosted in the EU?
I don't think that's correct. My understanding was that GDPR applies to organizations that are used by EU citizens or residents. See:

> Under the GDPR, organizations may be in scope if (i) the organization is established in the EU, or (ii) the organization is not established in the EU but the data processing activities are with regard to EU individuals and relate to the offering of goods and services to them or the monitoring of their behavior.

- https://stripe.com/guides/general-data-protection-regulation...

I think GDPR should be based on Gltd's and ccGltd's. That way you know when you leave the comfort of a .nl or .eu and enter the .com you have been warned. Just like signing an agreement that says which state laws you agree the contract uses.
While it works elegantly for websites, I would be curious as to how a solution like this be implemented for mobile applications?
I didn’t see those threads before posting this. Thanks for the links.

On a side note: There still isn’t an answer to the question in matter.

'sctb did state that they are "working on" a way to decouple the content from the username/email which should allow them to delete user accounts without removing their content: https://news.ycombinator.com/item?id=16661687 (plus the context two comments higher in the thread).
Thanks for sharing that comment.

That action in itself would not be enough to be GDPR complaint. User generated content is associated with a user. To be compliant, all user data would have to be removed. It would be really simple for FB to be GDPR complaint if all that was required was to delete a user profile and none of the respective user activity on the platform.

AFAIK - entities are required to be able to provide a computer and human readable formatted document about all personal information, when requested, within a reasonable time period.

They don't need to have a delete button or even any action items in the UI - just be able to provide the service if/when requested.

How is this different from an email list? If I send an email to a email list can I a few years later request the hosting site to delete my email, delete that part of the monthly digest (or all the monthly digest) and also request that the hosting site forward the deletion request to Gmail, Hotmail, Yahoo(mail), ...
Whilst we are here is WhatsApp gdpr compliant with end to end encryption? Can they force your old messages to be deleted off someone else's phone even if they are long deleted off your phone and you can't access them to delete them?