Ask HN: Is HN GDPR compliant?
After reading this post https://news.ycombinator.com/item?id=16954306 I thought about the small sites I like to visit. Things that started out like hobby projects such as Lobsters and HNews. I wonder, is HNews GDPR compliant? It doesn't really seem to be. Some topics mentioned in articles about GDPR:
- Ability to export data - Ability to delete your account - Disclose tracking (the voting ring detection must do some sort of tracking)
112 comments
[ 0.22 ms ] story [ 192 ms ] thread[1] https://www.oaic.gov.au/media-and-speeches/news/general-data...
I've banned all non-local IP addresses from the website with a splash page which tells them why they're unable to access content.
This also doesn't stop my local ISP's and hosts eventually giving up on hosting my content as they're sick of reviewing DMCA's from US-based copyright-holders. Many of the smaller ones simply give me 24 hours notice or no notice at all, nobody wants to risk a lawsuit from the big-bad US media companies.
I get several hundred letters and emails a year with copyright holders threatening lawsuits and legal action. I suspect similar issues will arise for non-GDPR compliant services in the form of user support tickets.
I could host it in a country that would ignore requests, but the point of the website is to do everything correctly. If I hosted my content in a country that doesn't care about copyright or DMCA, I'm putting myself at risk if I was brought into court as I've purposefully skirted around laws.
My country has proven we are held to US copyright law - see the Kim DotCom case. What would usually be considered a matter for civil court was brought into criminal court because it crossed borders and unfounded claims were made against the accused (namely money laundering) who's now being extradited.
I simply want to provide a free, legal media service to those in my country. There's no money in it - I don't even run AdSense, I simply pay for hosting. So far, so good.
If I do get dragged into court, I expect a precedence to be set for future cases. This will also open up a lot of free historical media for government-run TV and streaming services, and local media producers.
It's kind of like a weird tech protest against goofy copyright laws.
Where I am, you should receive an IP rights notice and an interim injunction to remove the works. I've never received anything like that.
Wasn't it criminal because he was doing it as a business and earning money from it?
It doesn't.
It's made to force you to comply when you become bigger.
Just don't accept European customer's data and you're fine.
I don't live in Pakistan.
My servers aren't in Pakistan.
Pakistan can't force me to comply with their laws just because a Pakistani national uses my site.
Same thing with EU laws.
The mere fact that a Pakistani or European uses my site doesn't subject me to the laws of Pakistan or the European Union.
Also i think there are lot of tech companies in Germany they just target german audience.
Unlike eg Kinder Eggs? https://www.cbp.gov/newsroom/national-media-release/dont-be-...
But as a corollary to that, GDPR laws seem to only apply where there is data that can personally identify a user. The usage of nicknames and throwaway accounts on here may mean that GDPR requirements may be able to be ignored as long as there is no piece of data that can be linked back to an identifiable user (such as an email address in their profile etc.)
Note: IANAL - So please take this as my opinion, and not a legal finding.
Of course that doesn't actually scale. That's why most all the big players are providing export features.
I suspect that the line here will be decided in some court.
Sure. At the end of the day though people shouldn't be using GDPR as an excuse to avoid making stuff or launching their projects. As long as you make a reasonable effort to do what people are asking for via email then you're probably not going to be the test case.
Source: https://ico.org.uk/for-organisations/guide-to-the-general-da...
Edit: mis-referenced article 15 as export instead of access.
"Google may charge a fee (based on Google’s reasonable costs) for any data deletion under Section 6.1.2(a). Google will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such data deletion."
Not meaning to be argumentative, but is there a reference for that beyond Article 12 Section 5? (I probably missed that too.) But that section seems to suggest you can only charge a fee (or even decline to act) if the requests are unfounded or repeatedly excessive:
https://gdpr-info.eu/art-12-gdpr/
"Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
refuse to act on the request.
(Google's clause was opting to charge for any deletion request that is not yet automated.)
https://news.ycombinator.com/user?id=lamlam https://news.ycombinator.com/threads?id=lamlam https://news.ycombinator.com/submitted?id=lamlam https://news.ycombinator.com/favorites?id=lamlam
If I was a linux nerd I'd turn that into a cat / curl combo.
This is because we've received only a handful of requests and because there isn't an automatic system for the extra layer of authentication comparable to answering an email with a token in it.
Come to think of it, this places an even bigger value on email: You can probably get all of someone's private data from external sites once you have their email. As if it wasn't a big enough part of stealing someone's identity already; now you can properly steal people's pasts!
https://gdpr-info.eu/recitals/no-23/
If my random little website isn't GDPR compliant, what is their strategy for getting me to pay the restitution if I'm not doing business in the EU? Where do the fines go? How could they force me to pay them? The worst they can do is block access to the website, but I haven't read anything which suggests that is written in the law.
From what I can gather, if a user in the EU approaches HN and asks for their profile data and posts to be removed, then that falls under the GDPR laws.
Are Europeans permitted to decline to be covered under the GDPR? (In exchange for being permitted to use such sites?)
You don't get to bring your laws and rights with you when you visit a website that's hosted and run in a foreign country.
edit: clarified European based websites
You may not agree with the ethics of that, but that's how it works in practice. Now whether or not the EU will attempt to enforce the GDPR that strongly is another question.
You might learn that the GDPR only applies to businesses located in the EU or who pursue EU citizens. It does not mean that if you Google Analytics and an EU citizen stumbles upon your site you are suddenly in violation. It is not some sort of magical global law that applies to every business in the world.
The amount of FUD and ignorance and nonsense about the GDPR is getting out of control. Why not do some research? Or actually read the regulation?
Anyways I see it's a lost cause but I find it remarkable how much BS about this topic exists from a community that prides itself on its technology acumen.
Your argument about "pursue" falls under the umbrella of
>Now whether or not the EU will attempt to enforce the GDPR that strongly is another question.
Pursue isn't currently a fully defined term. Is pursuing specifically advertising and marketing towards? Or is it simply allowing to register? If I use paypal as a payment service, that allows EU citizens to pay, am I pursuing them since they can now purchase my service?
Fwiw, I agree that its unlikely that HN is violating the GDPR, and its even more unlikely that HN will be chased for any violations it did commit. But calling others' more cautious interpretation of the law "nonsense" isn't particularly productive, especially when I wasn't even commenting on the GDPR in the first place, but instead on broader ways that international law works.
> Pursue isn't currently a fully defined term.
This is pure FUD. This is fully defined that's what makes it a binding legislative act.
Let's go to the actual law:
Article 3: Territorial Scope [1] spells out the explicit territorial scope.
> the monitoring of their behaviour as far as their behaviour takes place within the Union.
Oh, sounds scary. The latter part is clarified [2]:
> Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
There's a ton of nonsense about this on HN right now but anybody who's actually read the law should understand that the intention of the law is to prevent non-consensual surveillance of EU citizens. The idea that if somebody who stumbles upon your website and you log their IP address makes you subject is pure FUD. The idea that the EU will pursue American sites who don't target the EU is pure FUD. But the biggest FUD of all is this notion that the EU even has some sort of legal enforcement mechanisms independent of a Member State. As they say, that's not how any of this works. There are no "EU cops" waiting at the airport. Please.
[1] https://gdpr-info.eu/art-3-gdpr/
[2] https://www.gdpreu.org/the-regulation/who-must-comply/
And according to that clarification, having paypal as a payment processor might make it apparent that the controller envisages offering goods or services to data subjects in the union. That's what I said. Or it might not. Its not fully defined. A cautious interpretation makes sense.
>There are no "EU cops" waiting at the airport. Please.
And to be clear, I never said there were. I was making the point that, contrary to g-g-great-grandparent, it is absolutely possible for a country to exert control over the actions of people outside its borders, assuming those people might have interest in international travel.
If you're going to keep yelling FUD about things, you should first confine yourself to calling out things people are actually saying, instead of creating ridiculous strawpeople. Its not productive to call people out for saying ridiculous things that they didn't actually say.
This is not true. Using a payment processor or accepting credit cards in no way constitutes targeting of EU customers. In that scenario you are neither data controller nor processor, in fact. I think, like a lot of posters in this thread, you've spent virtually zero time understanding the law and are just echoing FUD.
It's quite odd that you're calling a statement that amounts to "in the presence of untested law, caution is warranted" FUD.
That's like not even controversial. You're entire argument is predicated on you understanding the law better than everyone else. And well, I'm not particularly confident in a person whose most used word is "FUD" and who began a conversation by misunderstanding what I was saying. What reason do I have believe you?
In that case, I'm not sure how to interpret Microsoft v. Commission (triggered by EC, ruled by ECJ), or how to make sense of the fact that the EU, IIRC, has its own (non-state) representative at the WTO, which in turn has its own (state-independent) dispute resolution system, with capacity to inflict trade sanctions.
The 'cops' analogy might be very misleading here, right?
Let's say Iran passed a law saying that it's illegal for anyone anywhere in the world to supply alcohol to a citizen of Iran, and that anyone selling alcohol must verify that their customers are citizens of not-Iran. When they attempt to enforce that against a German beer hall, they'll get laughed out of German court. Selling beer to adults is legal in Germany, no matter where they're from.
Likewise, the EU has no ability to enforce laws against American companies that don't have a physical presence in the EU.
Your analogy would be accurate if it went something like that beer garden in Germany decided to start selling beer online, and began taking international orders, including ones from Iran.
Your physical presence on the web is irrelevant. By putting yourself, or your business online, you are subjecting yourself to whatever regulations exist in the place your user is accessing your product.
As stated elsewhere here - enforceability is another topic.
Just floating a crazy alcohol induced idea here don't take it too seriously.
If you are a Non-EU business, that is a business with no legal presence or employees in the EU then you can comfortably skip GDPR compliance with minimal risk (some unknown obscure treaty provision?)
#notalawyer
[1] https://www.forbes.com/sites/forbestechcouncil/2017/12/04/ye...
Dumb example: Blasphemy is illegal in Ireland but Irish Gov can’t enforce that law in France.
The critical issue is that word: "offering."
The language here seems to be about intentions. Has HN "offered" anything to data subjects in the Union? Maybe not. To be sure, people in the EU may have chosen to look at HN, but has HN sought to "offer" to them?
(The presence of a domain such as news.ycombinator.eu would tip to "yes.")
And then there's the soft influence of "we're big enough, we can dictate the rules, because who else will you trade with" which affected things like patent laws and trademarks around the world. It's interesting to see the US finding itself on the other side of that conversation sometimes.
This means that a court in, eg, Spain can "tell foreign citizens how to behave"
More specifically, tuke pointed out the territorial scope of GDPR, and strictnein's response seemed to argue that the underlying premise should be invalid.
My comment was to point to a counter-example that is already widely supported.
Arrogant Americans coming in 'It doesn't have jurisdiction over American companies'. Wholly misinformed.
My personal guess is that everyone with shady business models will move offshore, and the EU will play a marginal game of whack-a-mole trying to coerce them through their vendors and customers, especially payment processors, similar to American enforcement of online gambling laws. I expect the GDPR to be effective on large companies that want to portray themselves as respectable, and ineffective on everyone else.
>Or do you think they'll be successful in pushing enforcement out through the target's customers and vendors, similar to US extraterritorial application of its financial laws on banks?
At least somewhat of a deterrence. As if American KYC & AML laws are completely ineffective.
>My personal guess is that everyone with shady business models will move offshore, and the EU will play a marginal game of whack-a-mole trying to coerce them through their vendors and customers, especially payment processors, similar to American enforcement of online gambling laws. I expect the GDPR to be effective on large companies that want to portray themselves as respectable, and ineffective on everyone else.
Implying the big companies aren't the ones with the 'shady business models'? My view is that this is specifically made for the big companies.
I'd agree that the GDPR is designed for large companies, and will genuinely improve their behavior. I think its effects will be similar e.g. to American cities with very strong and complex tenant protections--we create a class of large, politically-connected operators with the resources to comply, and a class of shady operators one step ahead of the law. There's little in between--if you lack the resources to be absolutely certain you comply, and the punishments for large and small noncompliance are both catastrophic, then you might as well go all the way. (Yes, I expect the regulators to mostly exercise reasonable discretion. No, I don't want the discretion of a mid-level bureaucrat to be the only thing between me and financial ruin.) That part doesn't seem positive to me.
Aside: I wonder how many people promoting heavy-handed enforcement of data protection laws without regard for the second-order consequences have argued against heavy-handed enforcement of drug laws without regard for the second-order consequences...
If you want the GDPR to have jurisdiction over American companies, American companies will simply refuse to do business with you.
Additionally, leaving the European market opens up a big opportunity for EU-companies. Basically, that's the way to go if you want to wreck American dominance over the Internet (and the companies which matter know that very well, which is exactly why they are NOT dropping the EU).
For European citizens it's a win either way. That's why nobody is impressed by your threats - they just look like people pissed off because the EU is now doing what the USA had been doing for decades - meddling in other countries sovereignity. (If you want to interpret it that way, which imho is wrong.)
https://news.ycombinator.com/item?id=16661323
https://news.ycombinator.com/item?id=16698937
https://news.ycombinator.com/item?id=16751656
https://news.ycombinator.com/item?id=16834240