Ask HN: Does GDPR and CCPA Apply to Hacker News?
Hacker News refuses to delete public comments or submissions even when users request that they do so. HN says it may consider deleting specific comments if a user emails them and explains why a specific comment or submissions should be removed.
Isn't this a clear violation of GDPR and CCPA?
HN will anonymize usernames, but that does not remove personally identifying links or data from comments and submissions.
Will this ever change? Will it ever be possible for a user to be completely deleted from HN (remove all comments and submissions)?
98 comments
[ 3.4 ms ] story [ 174 ms ] threadI agree on principle that all communication mediums should allow users to delete and edit their own posts. Retraction is speech.
Personally, I use uBlock, the built in privacy list, and most crucially: Cookie AutoDelete.
I have it set such that if I unload a domain for 30 minutes, all of its cookies are deleted. The end result is that I have something that works decently, while preserving history and passwords.
The problem is that while the EU hopes that disclosures are designed to introduce friction to make the site more privacy-friendly... let's say that money is still a strong motivator for a lot of websites. I even spotted cookie prompts that were essentially that "close door" button on lifts.
International companies that choose to process data from EU citizens but blatantly ignore the regulation will be subject to enforcement action from the country's supervisory authority. The supervisory authority has the power to "order the suspension of data flows to a recipient in a third country or to an international organisation" or "to impose a temporary or definitive limitation including a ban on processing".
In practice, this means you can say goodbye to doing business with your EU customers if you don't want to play by the rules. I doubt it'll be much of a loss for them to lose access to services provided by a company that doesn't care about their customers' privacy.
As ever, a significant minority of Americans on Hacker News really Just Do Not Grasp the benefit of the EU or its regulations such as GDPR. "All regulation must be bad!!" It's quite tiresome, really.
Now you know how we feel when Europeans pontificate about issues in the US without really knowing anything beyond the headline.
Also, FWIW a lot of HN participants are in California, which has CCPA. Your stats may well be objectively wrong anyway.
Part of the problem is also that the government agencies tasked with regulating these things are hopelessly slow in pursing matters, especially when non-EU companies are concerned.
Of course, every time I point this out, people get mad at me because they happen to like the law (ie, they like the idea of privacy, and privacy theatre is comforting to them).
I'm personally of the opinion that one government telling me what to do is quite enough, thank you very much.
Actually in practice many important US companies do have market activity or assets in the EU, arguably including Y Combinator. Also, the EU (or its governments) wouldn't bother a random plumber in Iowa or honestly even in Prague (unless in the latter case someone have bothered to complain).
If you never have any plans to step foot in the EU, then they can't do anything to you.
You, personally, are not subject to EU laws since you are, presumably, not running a business with EU customers or data subjects.
https://www.cnil.fr/en/discord-inc-fined-800-000-euros
Key section is probably this one: https://gdpr-info.eu/art-32-gdpr/
https://www.ycombinator.com/legal/#calprivacy
unless they want to stop funding/accepting applications from them: it applies to them
You cannot regulate a steel manufacturer in China from the EU. Similarly, you cannot regulate how a company and server is setup in another country. It’s where the company is operating.
In the case of hacker news the CCPA probably does have an impact. So i suspect they follow the appropriate law there. That’s because that’s where they are operating out of.
That said, HN is moderated pretty well. I suspect if you ask them they’ll tell you and / or delete what ever you ask.
Just like you could block a website within your country. That said, you can't force them to adhere to anything.
Put a different way, if I run a news paper in Russia, sure you can block the distribution in the EU. The EU cannot tell the news paper what to publish.
Companies doing business in Europe must follow European law, just like European companies doing business in the USA need to follow American law.
The solution is quite obvious: don't do business with Europe and the GDPR doesn't apply. Don't do business with the USA (including companies like Amazon and Google) and American law doesn't apply. The EU won't try to fine Walmart and Target, the USA probably won't try to fine Système U.
(Unless it's about oil, government influence, or copyright infringement, of course, then the USA will force the issue; probably not relevant for most companies)
HackerNews doesn't collect personal data.
Deleting anything someone wants deleted isn't covered
And that's the problem: the vast majority of HN posts probably don't include personal information. But if someone were to submit a GDPR deletion request to HN, does HN really want to spend the time auditing perhaps hundreds or thousands of comments in order to determine what has personal information in it and what doesn't? And then also making a judgment as to whether the entire comment would need to be deleted, or if only part of it needed to be redacted? So I'd completely understand if HN would comply by deleting all comments.
(I'm intentionally ignoring the fact that it's unclear if the EU could even enforce the GDPR against HN/YC, as I'm not sure if they have any business entities in the EU. Certainly the GDPR as written tries to be extraterritorial in its demands, but enforcement is another matter. HN/YC are of course subject to the CCPA, though.)
But, for example, consider your post here that I'm replying to: I don't think anyone could credibly claim that it contains personal information. I believe HN will anonymize the username on past comments during account deletion (maybe only if requested, though?), so at least the comment wouldn't be attributed to anyone identifiable. But, of course, if someone posted their real name in a comment, or even just information that could identify them, that would be personal information in the comment body itself.
Frankly I'm not a fan of the idea that comments on a public forum need to be deleted as a result of GDPR deletion requests. It would really suck if clicking on an old HN comment thread meant that you'd see a bunch of "[deleted due to GDPR request]" peppered all over the comment threads. Or think of a site like Stack Overflow: it would be a shame if a GDPR deletion request means that SO has to delete all a user's questions (which others may have spent time and effort answering!) and answers (that others would continue to benefit from reading).
I think in this case the GDPR goes too far in making the site owner responsible. Sure, a site owner should absolutely be responsible for personal information it asks for and intentionally collects, but it seems a bit unfair to extend that to information a user may voluntarily submit, in a context where the submission is free-form and unstructured.
Then again, I'm -- perhaps hypocritically -- of the opinion that sites like Facebook should be required to delete all posts and content when someone wants to delete their account. Back when I used it, I'd definitely run into some old post comments where some comments have been deleted (due to account closures), which really confuses the conversation going on in the comments. For some reason my heart is trying to tell me that FB and HN are somehow different here, even though I can't logically support that. I think my feeling is that stuff I post on HN belongs to the community, whereas stuff I (used to) post on FB still belongs to me. Not sure why there should be that difference, though.
There's an email field in the settings.
Also, if they don't store IP or actively deident, then I'm not sure either reg applies. HN isn't collecting PII. Just because you chose to type some info into a free form text box doesn't mean that the are liable for treating that data as PII, unless they're doing the tagging and extraction themselves or you inform them you're in CA/EU and the post contains PII. ianal.
[1] https://www.ycombinator.com/legal/#calprivacy
> ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(Article 4)
I've definitely never received this advice. I think your DPO/counsel are being excessively risk-averse, but IANA(EU)L.
This isn't American law, where everything seems to be decided based on technicalities and the exact wording of the law. These decisions are made by reasonable human beings who review the facts of the situation and come to a judgement.
Some parts of GDPR at least call out company size explicitly, other parts allow for "cost of implementation" to be considered, which for HN would probably be "prohibitively high" regardless of triviality, considering the team size.
But honestly YC probably doesn't even think about any of this, for good or bad. Most companies are super duper behind the ball on privacy regulations, despite the negative consequences.
It's unreal.
CEOs are just writing it off as pesky lawyer shit, even though it’s 100% preventable…
When it comes to lawyer fees, governments seem to have quite a pool of money when it comes to enforcing the law.
it most certainly does
the national authorities should be the first avenue, but if they don't agree with you you can go after the company directly
Even then the recouped damage is minimal if you win. The GDPR is not like many other laws that give way to massive civil suits.
The US is producing a hug excess of natural gas, which it'd almost certainly keep onshore if Americans were at risk of freezing to death. If someone in the Eastern Sierras is freezing to death this winter due to lack of gas, then no one comes out of that scenario unscathed.
Do you have to comply with EU law if you conduct business there? It depends on whether the EU can enforce judgements against you. If you live in the EU, then the EU can certainly enforce judgements against you. If you live in a cooperating jurisdiction, like the US, then I'm pretty sure that EU judgements can be enforced against you. That would take more effort on the EU's part, but if they really want to, I believe they can ask and get the US courts to enforce judgements.
If you live somewhere where the courts will not enforce EU judgements, then yeah, you don't need to care about EU laws. At least, until you travel someplace that does...
1. Processing that takes place in the context of processors and controllers that are in the Union, regardless of whether or not the processing itself takes place in the Union.
2. Processing the data of subjects who are in the Union by controllers or processors who are not in the Union if the processing is related to offering goods or services to such subjects in the Union or the processing is related to monitoring the behavior of such subjects that takes place in the Union.
3. Processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
If none of those cover an entity, that entity's processing is not covered by GDPR.
#2 would probably be the only relevant one for HN.
Is HN offering goods or services to subjects in the Union? Sure, people in the Union can access HN and even make accounts. But that might not be enough. One of the recitals for Article 3 elaborates:
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
Does HN envisage offering services in the Union, or is it simply a site that happens to work when accessed from the Union but was not envisaged to do so?
Another recital elaborates on the monitoring of behavior of subjects in the Union:
> In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
HN seems to collect minimal data. It might not rise to the level of monitoring that would be needed to count as monitoring behaviour.
Long answer: it depends on the regulation. To the best of my understanding yes under the GDPR. If you are interested in what constitutes personal data and when an organisation needs to or does not need to comply with a request under the GDPR and the CCPA take a look here: https://yourdigitalrights.org/#faq
(I am one of the founders of YourDigitalRights.org. We help people send data deletion and access requests. I am not a lawyer and this is not a legal advice.)
Sure, it's a bit weird to force them to stay up, but the GDPR is mostly about PII. You can probably have your email address, username, and contact information removed from the database, but the comments themselves are different.
I don't know much about the CCPA, but from what I've read, I don't think it covers this use case.
As for if YC needs to follow the GDPR: YC does business in the EU so they'd be foolish to ignore it. If you believe your rights are being infringed, contact your local DPA and file a complaint.
https://gdpr-info.eu/art-17-gdpr/
In particular, there are sections about archiving and freedom of expression/information which I believe would apply to an online discussion forum where all comments are made public by virtue of them being posted in the first place.
Ina short anwer : YES, but not because what you think.
Under GDPR you have the right to ask your PII to be erased from production (it still goes under archive for a some time depending on legal constraints)
So it is valid demand for HN to ask your comments to be erased from be “live” in production
Are your comments PII? Yes, as they are linked to a user, username that is linked to an email and bio, and they may contains also PII inside.
So you could ask it to be removed.
Can HN avoid that deletion? Yes only if they prove they have a more valid reason with a legitimate interest to keep it, or that there is any relevant legal obligation to keep it
Do they have ? Not really in that case, however they could also rely on the existence of a particular legitimate interest to inform (if they prove that they are a media), or that there is a legitimate interest relying on the impossibility to understand conversations if you cut off some parts of the discussions and the related feeds.