Ask EU users: why are you using this shady site that doesn’t comply with GDPR?
Pretty sure that HN is not fully compliant with GDPR, and that only very shady sites that intend to misuse your data are not compliant as of today. How can you stand this blatant violation of your human rights?
OK, I’m being deliberately provocative about it, but it’s a serious question. Is HN actually compliant and I’m just not aware? Or are you giving them a pass for some reason? Or are you all filing complaints right now?
Genuinely curious.
8 comments
[ 3.2 ms ] story [ 28.6 ms ] threadYour comment seems to denote that you think GDPR is a silly european thing and that it restricts companies freedom and that USA doesn't need similar laws to protect user data and privacy. So, are you really ok with Facebook, Google, Amazon and so many other companies spying on us for their own benefit, to profit off personal data, even share that data with three letter agencies or it's just because it's an US vs THEM mentality that everything outside US is strange and slightly frightening? Genuinely curious.
I’m general, yes, I’m OK with Google and Facebook collecting my info. I’m sending it to them voluntarily as a tradeoff for using their services.
Your use of the word “spying” is just propaganda. And the accusations of xenophobia are a cheap shot as well. I love Europe, I lived there for several years, and I’d do so again. I currently visit Europe 1-2x per year.
I’m generally in favor of some of the intent behind the GDPR, and would probably support a more sane version of it here. I’m not in favor of its claims to jurisdiction over any company in the world under the logic that an EU citizen might visit their website. That’s a dangerous precedent.
They go out of their way to ensure you need to give them absolutely minimal data - IP communications won't work without IP addresses, and logging them is pretty harmless in my mind. Geolocation for analytics purposes is also fine in my book.
The biggest part of GDPR is to give individual end users control over their personal data and the way it's processed. The easiest way to sidestep GDPR is to not collect this data in the first place.
As a European and as someone involved in my company's GDPR implementation, I am fully in favour of it, it's what 'normal' users have clamoured for. EU laws are quite powerful and can be applied to any member state, equivalent to federal law in the US. This grants a very good standard of basic rights and legal protection, and I am very glad we have it.
Edit: in fact, I view it as a massive cop-out that so many non-EU sites have chosen to block requests from the EU rather than face up to the fact they do not need to collect and process this data for general operation of their sites - I'm looking at you, US news sites. Frankly, that is also fine by me - if visiting such a site requires me to submit to being clinically profiled and categorised for reading a news article, I'll go somewhere else.
Great, but that's not what the law says?
I think it's fine for sites to block EU visitors, and fine for EU visitors to go somewhere else, whether they're blocked or not. But that's not at issue here, is it? HN isn't blocking EU users, they haven't updated their privacy policy in more than a year, and they're likely collecting data that, while you personally may be OK with it, isn't compliant with the GDPR.
So it seems like you're willing to give them a pass even though they're not compliant? So why the hostility towards other sites that are in the same boat, but take the additional precautionary step of blocking EU users to show that they're really trying not to violate the law, and that they don't want those visitors since they're not compliant?
They have no real name policy and carry no advertising or even GA. The little JS they have is harmless. Looks like they have no personal data unless I elect to type it all out in a message.
Looks like HN is compliant as is.
What about having a DPO or EU rep? (not clear to me whether they need either, and judging by the huge volume of comments on this topic on HN, not clear to a lot of people on both sides of this issue)
I'm surprised they don't have any client side analytics, but if they did, would your position change? Would you stop using it immediately? What if they're using server side analytics?
Also, is not requiring an email good enough? People once people provide an email, don't they need to advise at that point exactly how it will be used and get the user to agree? Unless it's fully under legitimate interest, I guess?
My ISP can tie IP to my account and other info, so for them it is personal data.
If they're not processing personal data they don't need DPO or rep.
I'm not against analytics for helping to make a site better or understand how people are using it, eg piwik or processing access logs (ok that's a bit old school now). GA I block along with other analytics services that work across numerous sites. That's nothing against HN or an individual site that's not wanting an aggregate profile growing with the analytics provider.
Optional email? Choosing to provide it might be enough opt in. Not sure. There's certainly no restriction of service without or pressure to provide.
There seems to be disagreement about this. You might be right, but I've seen passionate arguments on both sides, with links to various opinions, etc.
And on analytics, I think it's reasonable that you're OK with it, but that doesn't make it compliant. And you blocking GA doesn't make it compliant either.