I just wondered about the following (unrelated) triggered by this:
Am I entitled under GDPR to get the internal writeups on my interview performance when I interviewed at a company? Does it matter whether I am in the EU but interview at a US company?
Why do people write ‘Claude thinks’ or ‘ChatGPT says’? It’s literally less reliable than ‘some guy down at the bar said’ or ‘my mother’s cousin’s ex-boyfriend’s cat’s previous owner’s dad thinks.’
it's part of being honest and citing your possibly unreliable source, you should be very glad about people who do this. The real problem is that he didn't post any actual information in his comment.
I'm pretty sure that ChatGPT or Clause is more reliable than a random guy on any particular subject, although less reliable than an expert on the subject.
> Subjective information such as opinions, judgements or estimates can be personal data. Thus, this includes an assessment of creditworthiness of a person or an estimate of work performance by an employer.
> Does it matter whether I am in the EU but interview at a US company?
Yes, in practice. GDPR applies any time that EU/EEA residents' personal data is processes. If the company doesn't operate in the EU/EEA directly it's likely you are going to have a hard time getting this data, and more likely to not be given this data at all. It's up to you as a resident to formalize a complaint through your regional DPA (Data Protection Authority) in those cases.
I know the last company I worked for had each interviewer interview separately, then had each person write up a few paragraphs of thoughts. Then they were allowed to discuss with each other.
Another case of people thinking that GDPR is a magic word that can make any wish come true.
> I replied with a (not so-friendly) email pointing out that I was entitled to a copy of any messages because they contain my personal data.
Hum, no? You are entitled to a copy of the data that you provided to the data processor. Your messages, your records, even your IP address for the sessions on your devices.
A message that someone mentions you is not your data.
I don’t think that’s correct? Section 39 doesn’t say anything about data you’ve provided, but data that’s collected: the onus is on the data processor to process data in a legitimate way.
Imagine I am in a dating site and want to find out all the people that expressed interest on me. I go then and file a GDPR request, claiming that those that mentions of me is "data collected about me" and therefore I am entitled to it.
Someone talking about you, or references about your PII are not PII themselves. To try to claim otherwise is absurd.
I don't believe the "I'm entitled to all messages discussing me because of the GDPR" is correct, though the UK GPDR may be different in a way I don't know about.
It's an interesting take (what is "data" anyway? does it include "the CEO thinks <person> is a dick" if that record is kept on company infrastructure?) but I don't think it'll hold up in court. If the author decides to press the ICO to take action, perhaps we may find out one day.
That said, scraped data about you definitely falls under GDPR protections even if you never provided any data yourself.
I don't think you are correct. It doesn't matter who provides the data.
> If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
I was asking for how my data was being processed. An email saying "Please perform action XYZ on this specific user" would, I think, fall under that description.
Not quite. If, for example, you used a 3rd party to get data about me, that's still my personal data. Whether I explicitly gave it to you or not is immaterial.
If I have given you my email address, and then you process it, I think I am entitled to know how you've processed it. If you've stuck it in a DB, forwarded it to people via IM, or put it in a spreadsheet, etc.
You may think it is absurd, but my experience of filing DSARs is that most companies will send a suitably redacted copy of everywhere my data has been. And, yes, that includes emails.
How: "your email address is stored in our servers and kept until your account is active, then delete 90 days after. We also may share it with Jane Corp, because you gave us consent to, but not David Inc, because you did not give consent for it"
You are asking "show me the complete record of my ban, because I want to know who did it and I am entitled to it because that requires someone knowing some of PII." It's not that your data ended up somewhere you did not consent to or that they did not tell you how your data is processed, you are just uttering "gee-dee-pee-arr" and expecting to be enough to give you some information about you.
To repeat the example a gave in a sibling thread: you can not go to a dating site filing GDPR requests to find out who liked/disliked you. That would be a violation of their privacy.
Yes, I agree. There are competing rights. When I've received internal emails about me, the sender's name and contact details have been redacted. That's both normal and expected.
There is a lot of exceptions and area for redaction, but the most significant in this case would be disclosing information that identifies another individual. As an example they have a fictional employee requesting a HR file. The HR file is likely to include information identifying managers and colleagues, or may include revealing information that relates to and identifies another individual. Redacting the names could be enough, or the emails might be heavily redacted down to only strict information regarding the employee without any parts of decisions or input given by the manager. If the intent of the requester is to get "what did my manager say about me", then that would not be valid.
Just to be clear, getting banned from a slack got you mad enough to spend weeks (?) arguing with some random guy over email about GDPR - all because you desperately need to know what was said about you in a groupchat? And then you write an article about your experience to get sympathy on HN?
An operation as large as Wordpress.com or .org should be GDPR compliant. I don't see any cry for sympathy here but more that OP is holding someone to a baseline standard expected of entities operating in Europe.
If it isn't a cry for sympathy, it is almost certainly a bitter attempt to cause grief in revenge. I'm definitely thinking the latter rather than the former.
But neither of those things are mutually exclusive with each other or holding a company to account to relevant standards. It isn't wrong to hold them to the standard, of course, but to claim that is only what is happening would be rather disingenuous (unless the author has a track record of defending people against transgressions of those standards when they themselves do not have something petty to be petty about in return).
I didn't get that vibe. Making the GDPR request is like exercising a muscle - use it, or lose it, so to speak. If organizations aren't challenged to be compliant, they won't ever be. So this read to me more of an opportunity to press that. This really seems like a story about GDPR adherence at a company that has been considered relatively user-aligned (and what that might suggest about the operation in general) told as an anecdoprolonged. Instigating prologue.
It's missing the ad hominem harpiness that would suggest your version.
Natwest/Coutts gave Nigel Farage internally generated documents about him in response to a subject access request (according to this and my memory of other reports https://news.sky.com/story/key-points-from-coutts-dossier-on... ). Its not something that they would have done unless they had to and I assume they have competent lawyers so it does look like you can request copies of email about you.
its looks like internal discussions about someone are within scope of GDPR.
This case is odd. I haven't heard a single lawyer saying that a conversation talking about someone undoubtedly qualify as protected data, so I'm more inclined to believe that Farage was already in possession of those emails (or made aware of them) and the bank thought that trying to hide them would make things worse?
> You are entitled to a copy of the data that you provided to the data processor
This is absolute nonsense and there is no such limitation in the GDPR which, if you had even a passing familiarity with it, you would know. Maybe don't ramble about things you don't understand?
In particular, art 14 is:
> Information to be provided where personal data have not been obtained from the data subject
Sure, he presents some alternative options, that's all good, but at the end of the day, HN refuses to delete personal data.
One day someone with a bone to pick with HN and large enough pockets will test it in the courts. Until then, we must exercise great caution when commenting on HN.
> One day someone with a bone to pick with HN and large enough pockets will test it in the courts.
One day that may happen. I hope HN prevails. I'm a EU citizen and a big proponent of GDPR. However, I also believe in the value of the commons, our shared conversations. I consider the mass deletions on one's entire history of comments to a public forum, to be a very selfish act, harmful to society. I'm very much with 'dang here: community and society at large[0] has a stake here, too. Conversations here are part of public record, they contain wealth of knowledge useful to people who find it in the future. It's not that different from Stack Exchange, really. I'd like to believe GDPR would be fine with a more surgical deletion approach, as 'dang proposes, but I guess we'll have to wait for some court to opine on it.
Possibly relevant: I consider this entitlement to have all one's contributions to public boards deleted under GDPR to be the same kind of selfish, antisocial thinking as the whining about LLMs training on one's published Internet comments without attribution (and subsequent desire to delete them, or not to publish anything again on-line). I may be weird, but I don't believe anyone is entitled to all value their labor provides in perpetuity. Society can't function when everyone tries to capture everything for themselves; it works best when people let other use some of the value freely. We need the commons.
That thread provide a fairly strong argument that hn would not need to delete comments. All hn would need to do is to annomynize/delete the profile of a user.
"Refuses" --- that is not what I read in the Dan's comment, on the contrary. Deleting specific comments is just fine.
The GDPR doesn't mean you can delete everything you have written on the Internet wholesale, it means to be forgotten .. and renaming an account is exactly in line with that.
There doesn't need to be a self-service mechanism, you just need to be able to ask. Skimming the privacy policy indicates you should be able to email `privacy@ycombinator.com` with your request.
The GDPR only applies personal data (name, ID number, IP address, etc), not all data in general. Your comments on a forum are generally not personal data.
They most definitely are not, you're misinterpreting the link you're referring to.
> The General Data Protection Regulation (GDPR) gives individuals the right to ask for their data to be deleted [...].
This does not mean any data, it only means personal data as described under GDPR. Why is this the case? Because the GDPR is explicit that it only applies to personal data, that's the scope of the whole regulation. I recommend reading the text of the regulation itself, it's fairly digestible. The legal text uses "personal data" throughout to avoid the ambiguity, unfortunately many summaries do not. Article 1 of GDPR:
> 1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
I've read the link, it doesn't say what you think it says. Similarly, the original legal text of the regulation doesn't agree with you. So what's your point exactly? Even the title of the page you're linking to says it's only talking about personal data.
Personal data also covers political and religious opinions, sexual orientation and anything else that can be grounds for discrimination. GDPR certainly gives you the the right to demand deletion of personal data like that.
Under specific circumstances. It could be easily argued that deleting comments would fall under the first example of the link you posted -- unless you're a minor.
The GDPR doesn't require any means to download data though, and it is mainly for PII.
GDPR Article 15 says that you (as data subject) have the right to obtain access to personal data being processed by the controller.
This can certainly apply to certain types of messages about you but is also limited to the personal data about you. In other words the controller can and usually even must redact the messages.
The usual GDPR limitation apply, especially the request can be denied if it is unfounded or excessive.
So, while in practice you most likely would not get anything useful out of such a request, I don't think the quote from the original article is as far fetched as you and sibling comments make it sound.
I think it's quite funny he's complaining about someone else's knowledge of GDPR but links to GDPR UK and not GDPR EU which is he is really referring to. WordPress not being a UK entity in any way, would mean it's outside of GDPR UK. And him being a UK citizen and resident would mean he is not covered under GDPR EU.
The author lives in the UK, so the UK GDPR is relevant, not the EU one.
It doesn't matter that WordPress isn't a UK entity. WordPress does do business in the UK so they need to comply with the UK GDPR as well as the EU one. If they don't want to comply with UK laws, they need to stop doing business with UK customers (or provide free services to UK citizens, but enforcing decisions against companies outside of the country's borders is rather difficult).
> It doesn't matter that WordPress isn't a UK entity. WordPress does do business in the UK so they need to comply with the UK GDPR as well as the EU one. If they don't want to comply with UK laws, they need to stop doing business with UK customers (or provide free services to UK citizens, but enforcing decisions against companies outside of the country's borders is rather difficult).
WordPress.org does not do business in the UK. It doesn't do business at all. It has no UK entity. The courts would have no recourse to enforce anything upon WordPress.org. UK Law does not just apply to everyone. UK law applies to businesses operating within the UK.
If you want to test this, go complain to the ICO and they'll tell you that they have no power.
Read the actual court documents instead of linking to a news report, which actually disagrees with your point.
Automattic are being very clear about them not operating WordPress.org. And have submitted to the court that WordPress.org is operated by Audery Captial another one of Matt's companies. A company used to help to blur lines and deal with personal matters.
dotorg being run by a private citizen who receives no payments does not exempt it from GDPR, because GDPR doesn't make that distinction.
There _is_ an exemption for household processing (recital 18) - which means that I don't need to worry about taking a neighbour's contact number etc - but wordpress.org wouldn't fall under that.
Given Matt's actions (and statements made by his own team so far in the case), I think he'd struggle to claim that wordpress.org is not linked to "professional or commercial activity".
It might be quite difficult to enforce against a private citizen, but that's not the same as it not applying.
> dotorg being run by a private citizen who receives no payments does not exempt it from GDPR, because GDPR doesn't make that distinction.
The dot org being run by an American citizen who does not operate within the UK that country 100% means UK courts do not having standing. Remember GDPR UK is not GDPR. It's based on it but case law is different and other stuff. Remember, just because one country does not allow something or requires something does not mean everyone whose website is accessible within that country has to follow that law. But for UK law to apply to someone there has to be a connection. Not just "I can connect to that website" or they're processing my data.
Legal opinion has also been shared from lots of sources that small businesses operating out with the EU aren't covered by GDPR. I believe there is EU law that says EU law only applies to companies with a significant number of customers who are EU citizens.
> There _is_ an exemption for household processing (recital 18) - which means that I don't need to worry about taking a neighbour's contact number etc - but wordpress.org wouldn't fall under that.
Fun fact, in the UK data protection laws will still cover cameras and whatnot taken from a household. That is UK case law. But again, there is no standing for even the Data Protection Act to apply because there is no connection.
> Given Matt's actions (and statements made by his own team so far in the case), I think he'd struggle to claim that wordpress.org is not linked to "professional or commercial activity".
Yea, but there is no standing for the UK to apply its laws on Matt. The EU may have a better claim since he has servers in the EU. However, as pointed out GDPR does not apply for that person because he is neither an EU citizen or a resident as far as I can tell. Their entire claim would be to apply UK law to someone not operating within the country.
The entire point of commercial activity is that there would be a connection and would give UK courts standing is silly. It's basic law 101. Hence, why I said in my first comment that OP didn't understand the law.
GDPR (including the UK GDPR) is extra-territorial by design.
It applies _by design_ to anyone or anywhere processing the data of an EU or UK citizen.
I suspect that you and I would agree about the wrongs of any law being extra-territorial, but it's where things on both sides of the pond have landed us.
You already linked to the relevant part of the ICO's guidance but *appear* to have misunderstood it: you've inserted an extra requirement - that it requires taking payment.
That's not the case, it applies just as much to free services.
Wordpress.org (and more so the associated services - slack etc) being available and (more importantly) *collecting and processing data* is offering a service.
> Fun fact, in the UK data protection laws will still cover cameras and whatnot taken from a household
They do indeed. In fact, it's not just cameras: as soon as you publicly share information you can't rely on the exemption because it doesn't cover it.
> Yea, but there is no standing for the UK to apply its laws on Matt.
You keep using the word standing, which is very much as US-centric term. I'm not, for a second, suggesting that anyone would try and enforce this in a US court.
Being able to enforce is (as I've already said) an entirely different kettle of fish.
> Their entire claim would be to apply UK law to someone not operating within the country.
Yes. Welcome to the intended design of GDPR.
Although you're right that EU GDPR and UK GDPR are now two seperate things, they're not actually particularly different things: we didn't really amend it after leaving the EU - the two are seperate since Brexit, but the way that they work is the same, albeit absent a few years of caselaw.
In fact, it's not GDPR that's extra-territorial (or intended to be). Have you seen the stuff they've been trying to bring it to make the internet "safe"? That's extra-territorial in nature too.
Ever since the US passed the CLOUD act, politicians on this side of the pond seem to have decided that what's good for the goose is good for the gander.
> GDPR (including the UK GDPR) is extra-territorial by design.
> It applies _by design_ to anyone or anywhere processing the data of an EU or UK citizen.
That is now how the law works. A court must have standing or jurisdiction or whatever word you want to use since you seem to think semantics are at the core of this issue here.
> You already linked to the relevant part of the ICO's guidance but appear to have misunderstood it: you've inserted an extra requirement - that it requires taking payment.
No, that's UK case law. Basic law 101. That is what the legal definition of goods and services is within the UK. If you don't understand that there are legal definitions for things then we're at the crux of your complete misunderstanding of law. And really we won't get anywhere.
>Wordpress.org (and more so the associated services - slack etc) being available and (more importantly) collecting and processing data is offering a service.
Not under UK law. UK law defines a service as something that is being paid for. This is hundreds of years old.
You would be heavily rebuked by a judge if you tried this nonsense in court of trying to redefine hundreds of years old case law to suit your opinion.
> Being able to enforce is (as I've already said) an entirely different kettle of fish.
No, that's the entire point. THE ENTIRE POINT. A court will not take up a case where it can't do anything.
Quite simply, your entire argument fundamentally depends on you not understanding UK GDPR, GDPR, or even basic law fundamentals.
Private messages, notes and such are usually excepted(in the vast majority of cases). Giving out someone else's messages or notes, however...
> This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
You most likely have rights to access messages and notes about your account and person in CRM. Or directly related to it.
On other hand you likely do not have right to get all emails or chat messages even if your name is mentioned. As this is not discovery like in legal process.
Indeed that's how I read it too. It's also worth noting that GDPR is implemented separately in each country so it can in fact differ quite a lot country to country.
Eu law is not enforced by what is written, but rather what the law writers intention when they worked on the law. If a person try to expand the interpretation of a law then it will be up to them to demonstrate that the expanded interpretation is what was intended.
I could make an argument that any database with my personal information is "personal data" and thus i should have a right to get the whole database sent to me, but i doubt a judge would agree. I would unlikely to be what the law writers intended.
That seems like a terrible idea for government. “Well actually I meant”, and off went the goalpost into the atmosphere. If a law is so complex that you can’t effectively write it in a locked in medium then the concept of said law is probably flawed.
Spirit of the law vs. letter of the law. You can't go all-in on the letter of the law because language is imprecise and very contextual, and cannot aptly express the intent behind the law perfectly for all edge cases.
That's how American law works. The law as written has very little to do with the law as practiced. Everything comes down to how courts interpret the letter of the law as it relates to the messy reality of meatspace.
Writing the law is like writing code. You can attempt to reason through each instruction and apply all sorts of static analysis, but you can't actually be certain it will work until you try to run it in production. The courts are the debugger for legal code. Courts attempt to interpret what the letter of the law means and how it applies to the very specific scenario in front of them.
Consider a law that simply states carrying a sword in public is illegal. Without common law, this rule applies in 100% of scenarios unless explicitly stated otherwise. If a foreign dignitary comes and expects officers with ceremonial swords, they all go to jail. We interpret law because the ideal vacuum universe in which the law was written does not have unforseen circumstances. A court applies an interpretation to circumstances to come to the judgement that diplomats are allowed to have ceremonial sabers in their entourage.
Think about it some more and ask yourself how a society could function in the long term without the ability to reinterpret law to fit particular circumstances. Every law rigidly applied exactly as written forever into the future. The only option to revise a law is by passing a new one.
I don't think so. You might be entitled to get the specific row of a database which contained your information. But why would you be entitled to the entire DB?
A full row can have any arbitrary number of columns, and have foreign keys to rows in other tables or itself in any length of chains. Any columns could also be data structures like json with arbitrary number of keys and values. In order to have the full context of how the information relate to the identified individual, an argument can be made that you need the full database.
The other extreme interpretation is that personal data only refer to data that personal identify someone, and not any information that is related to personal data (in contrast to being related to an identified individual). In the case of an email that would be the email address without the message. In term of slack, the personal data of a user would be the username, full name, and email, since those and not messages is what relate to identified living individuals.
I agree with the question "is Wordpress.org GDPR compliant?", but I think that the scope can be widened: "Is Wordpress.org subject to illegal management?"
80 comments
[ 1.2 ms ] story [ 128 ms ] threadI just wondered about the following (unrelated) triggered by this: Am I entitled under GDPR to get the internal writeups on my interview performance when I interviewed at a company? Does it matter whether I am in the EU but interview at a US company?
https://gdpr-info.eu/issues/personal-data/
> Does it matter whether I am in the EU but interview at a US company?
Yes, in practice. GDPR applies any time that EU/EEA residents' personal data is processes. If the company doesn't operate in the EU/EEA directly it's likely you are going to have a hard time getting this data, and more likely to not be given this data at all. It's up to you as a resident to formalize a complaint through your regional DPA (Data Protection Authority) in those cases.
> I replied with a (not so-friendly) email pointing out that I was entitled to a copy of any messages because they contain my personal data.
Hum, no? You are entitled to a copy of the data that you provided to the data processor. Your messages, your records, even your IP address for the sessions on your devices.
A message that someone mentions you is not your data.
Imagine I am in a dating site and want to find out all the people that expressed interest on me. I go then and file a GDPR request, claiming that those that mentions of me is "data collected about me" and therefore I am entitled to it.
Someone talking about you, or references about your PII are not PII themselves. To try to claim otherwise is absurd.
It's an interesting take (what is "data" anyway? does it include "the CEO thinks <person> is a dick" if that record is kept on company infrastructure?) but I don't think it'll hold up in court. If the author decides to press the ICO to take action, perhaps we may find out one day.
That said, scraped data about you definitely falls under GDPR protections even if you never provided any data yourself.
> If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
https://cy.ico.org.uk/for-organisations/uk-gdpr-guidance-and...
I was asking for how my data was being processed. An email saying "Please perform action XYZ on this specific user" would, I think, fall under that description.
This is the case where you are a website, e.g, using "Login via GitHub" and GitHub sent you the users email address.
What you are asking is for a third party to tell you of any possible instance where your email address is mentioned. This is absurd.
If I have given you my email address, and then you process it, I think I am entitled to know how you've processed it. If you've stuck it in a DB, forwarded it to people via IM, or put it in a spreadsheet, etc.
You may think it is absurd, but my experience of filing DSARs is that most companies will send a suitably redacted copy of everywhere my data has been. And, yes, that includes emails.
How: "your email address is stored in our servers and kept until your account is active, then delete 90 days after. We also may share it with Jane Corp, because you gave us consent to, but not David Inc, because you did not give consent for it"
You are asking "show me the complete record of my ban, because I want to know who did it and I am entitled to it because that requires someone knowing some of PII." It's not that your data ended up somewhere you did not consent to or that they did not tell you how your data is processed, you are just uttering "gee-dee-pee-arr" and expecting to be enough to give you some information about you.
Are you sure that this is the intent of the law?
Yes. At least, that's my reading of https://www.legislation.gov.uk/eur/2016/679
If a decision has been made about me, I have the right to get information about it.
You are, of course, free to disagree.
There is a lot of exceptions and area for redaction, but the most significant in this case would be disclosing information that identifies another individual. As an example they have a fictional employee requesting a HR file. The HR file is likely to include information identifying managers and colleagues, or may include revealing information that relates to and identifies another individual. Redacting the names could be enough, or the emails might be heavily redacted down to only strict information regarding the employee without any parts of decisions or input given by the manager. If the intent of the requester is to get "what did my manager say about me", then that would not be valid.
But neither of those things are mutually exclusive with each other or holding a company to account to relevant standards. It isn't wrong to hold them to the standard, of course, but to claim that is only what is happening would be rather disingenuous (unless the author has a track record of defending people against transgressions of those standards when they themselves do not have something petty to be petty about in return).
It's missing the ad hominem harpiness that would suggest your version.
its looks like internal discussions about someone are within scope of GDPR.
This is absolute nonsense and there is no such limitation in the GDPR which, if you had even a passing familiarity with it, you would know. Maybe don't ramble about things you don't understand?
In particular, art 14 is:
> Information to be provided where personal data have not been obtained from the data subject
https://gdpr-info.eu/art-14-gdpr/
Can I download my data? No.
Can I delete my data*? No.
--
*Yes, GDPR requires the ability to delete data:
https://commission.europa.eu/law/law-topic/data-protection/r...
https://news.ycombinator.com/item?id=23623799
Sure, he presents some alternative options, that's all good, but at the end of the day, HN refuses to delete personal data.
One day someone with a bone to pick with HN and large enough pockets will test it in the courts. Until then, we must exercise great caution when commenting on HN.
One day that may happen. I hope HN prevails. I'm a EU citizen and a big proponent of GDPR. However, I also believe in the value of the commons, our shared conversations. I consider the mass deletions on one's entire history of comments to a public forum, to be a very selfish act, harmful to society. I'm very much with 'dang here: community and society at large[0] has a stake here, too. Conversations here are part of public record, they contain wealth of knowledge useful to people who find it in the future. It's not that different from Stack Exchange, really. I'd like to believe GDPR would be fine with a more surgical deletion approach, as 'dang proposes, but I guess we'll have to wait for some court to opine on it.
Possibly relevant: I consider this entitlement to have all one's contributions to public boards deleted under GDPR to be the same kind of selfish, antisocial thinking as the whining about LLMs training on one's published Internet comments without attribution (and subsequent desire to delete them, or not to publish anything again on-line). I may be weird, but I don't believe anyone is entitled to all value their labor provides in perpetuity. Society can't function when everyone tries to capture everything for themselves; it works best when people let other use some of the value freely. We need the commons.
--
[0] - It's a publicly viewable board, after all.
That thread provide a fairly strong argument that hn would not need to delete comments. All hn would need to do is to annomynize/delete the profile of a user.
I feel pretty strongly that it isn’t the place of a government to police non-critical data (read: things that aren’t financial related).
The GDPR doesn't mean you can delete everything you have written on the Internet wholesale, it means to be forgotten .. and renaming an account is exactly in line with that.
> The General Data Protection Regulation (GDPR) gives individuals the right to ask for their data to be deleted [...].
This does not mean any data, it only means personal data as described under GDPR. Why is this the case? Because the GDPR is explicit that it only applies to personal data, that's the scope of the whole regulation. I recommend reading the text of the regulation itself, it's fairly digestible. The legal text uses "personal data" throughout to avoid the ambiguity, unfortunately many summaries do not. Article 1 of GDPR:
> 1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
Under specific circumstances. It could be easily argued that deleting comments would fall under the first example of the link you posted -- unless you're a minor.
The GDPR doesn't require any means to download data though, and it is mainly for PII.
The WP DPO is correct in their response. Its okay to be mistaken but the sense of entitlement here is a bit much.
(Not a lawyer, but I've implemented GDPR compliance frameworks and worked with the lawyers closely)
In the context described (a private organisation holding messages which refer to you personally) this is unbelievably false.
This can certainly apply to certain types of messages about you but is also limited to the personal data about you. In other words the controller can and usually even must redact the messages.
The usual GDPR limitation apply, especially the request can be denied if it is unfounded or excessive.
So, while in practice you most likely would not get anything useful out of such a request, I don't think the quote from the original article is as far fetched as you and sibling comments make it sound.
It doesn't matter that WordPress isn't a UK entity. WordPress does do business in the UK so they need to comply with the UK GDPR as well as the EU one. If they don't want to comply with UK laws, they need to stop doing business with UK customers (or provide free services to UK citizens, but enforcing decisions against companies outside of the country's borders is rather difficult).
WordPress.org does not do business in the UK. It doesn't do business at all. It has no UK entity. The courts would have no recourse to enforce anything upon WordPress.org. UK Law does not just apply to everyone. UK law applies to businesses operating within the UK.
If you want to test this, go complain to the ICO and they'll tell you that they have no power.
Wordpress.org is run by Automattic, and the owned by Matt Mullenweg personally: https://www.theverge.com/2024/10/4/24262232/matt-mullenweg-w...
Automattic does do business in the UK.
Automattic are being very clear about them not operating WordPress.org. And have submitted to the court that WordPress.org is operated by Audery Captial another one of Matt's companies. A company used to help to blur lines and deal with personal matters.
That is why American companies that deal with people in those countries comply with both. Some American websites block traffic from both.
Wordpress.org is IIRC run by Automattic, which receives payments from the UK so there is even a way to enforce fines.
No. WordPress.org is owned and operated by a private American citizen who receives no payments.
Automattic is a separate for-profit organization which does fall under GDPR. WordPress foundation would also fall under GDPR. WordPress.org does not.
Yea, we were all pretty surprised to hear that WordPress.org is a privately owned and operated site.
There _is_ an exemption for household processing (recital 18) - which means that I don't need to worry about taking a neighbour's contact number etc - but wordpress.org wouldn't fall under that.
Given Matt's actions (and statements made by his own team so far in the case), I think he'd struggle to claim that wordpress.org is not linked to "professional or commercial activity".
It might be quite difficult to enforce against a private citizen, but that's not the same as it not applying.
The dot org being run by an American citizen who does not operate within the UK that country 100% means UK courts do not having standing. Remember GDPR UK is not GDPR. It's based on it but case law is different and other stuff. Remember, just because one country does not allow something or requires something does not mean everyone whose website is accessible within that country has to follow that law. But for UK law to apply to someone there has to be a connection. Not just "I can connect to that website" or they're processing my data.
Furthermore, GDPR UK does make a distinction or at least the ICO does - https://ico.org.uk/for-organisations/data-protection-and-the.... Under UK law providing goods and services requires taking payment.
Legal opinion has also been shared from lots of sources that small businesses operating out with the EU aren't covered by GDPR. I believe there is EU law that says EU law only applies to companies with a significant number of customers who are EU citizens.
> There _is_ an exemption for household processing (recital 18) - which means that I don't need to worry about taking a neighbour's contact number etc - but wordpress.org wouldn't fall under that.
Fun fact, in the UK data protection laws will still cover cameras and whatnot taken from a household. That is UK case law. But again, there is no standing for even the Data Protection Act to apply because there is no connection.
> Given Matt's actions (and statements made by his own team so far in the case), I think he'd struggle to claim that wordpress.org is not linked to "professional or commercial activity".
Yea, but there is no standing for the UK to apply its laws on Matt. The EU may have a better claim since he has servers in the EU. However, as pointed out GDPR does not apply for that person because he is neither an EU citizen or a resident as far as I can tell. Their entire claim would be to apply UK law to someone not operating within the country.
The entire point of commercial activity is that there would be a connection and would give UK courts standing is silly. It's basic law 101. Hence, why I said in my first comment that OP didn't understand the law.
It applies _by design_ to anyone or anywhere processing the data of an EU or UK citizen.
I suspect that you and I would agree about the wrongs of any law being extra-territorial, but it's where things on both sides of the pond have landed us.
You already linked to the relevant part of the ICO's guidance but *appear* to have misunderstood it: you've inserted an extra requirement - that it requires taking payment.
That's not the case, it applies just as much to free services.
Wordpress.org (and more so the associated services - slack etc) being available and (more importantly) *collecting and processing data* is offering a service.
> Fun fact, in the UK data protection laws will still cover cameras and whatnot taken from a household
They do indeed. In fact, it's not just cameras: as soon as you publicly share information you can't rely on the exemption because it doesn't cover it.
> Yea, but there is no standing for the UK to apply its laws on Matt.
You keep using the word standing, which is very much as US-centric term. I'm not, for a second, suggesting that anyone would try and enforce this in a US court.
Being able to enforce is (as I've already said) an entirely different kettle of fish.
> Their entire claim would be to apply UK law to someone not operating within the country.
Yes. Welcome to the intended design of GDPR.
Although you're right that EU GDPR and UK GDPR are now two seperate things, they're not actually particularly different things: we didn't really amend it after leaving the EU - the two are seperate since Brexit, but the way that they work is the same, albeit absent a few years of caselaw.
In fact, it's not GDPR that's extra-territorial (or intended to be). Have you seen the stuff they've been trying to bring it to make the internet "safe"? That's extra-territorial in nature too.
Ever since the US passed the CLOUD act, politicians on this side of the pond seem to have decided that what's good for the goose is good for the gander.
> It applies _by design_ to anyone or anywhere processing the data of an EU or UK citizen.
That is now how the law works. A court must have standing or jurisdiction or whatever word you want to use since you seem to think semantics are at the core of this issue here.
> You already linked to the relevant part of the ICO's guidance but appear to have misunderstood it: you've inserted an extra requirement - that it requires taking payment.
No, that's UK case law. Basic law 101. That is what the legal definition of goods and services is within the UK. If you don't understand that there are legal definitions for things then we're at the crux of your complete misunderstanding of law. And really we won't get anywhere.
>Wordpress.org (and more so the associated services - slack etc) being available and (more importantly) collecting and processing data is offering a service.
Not under UK law. UK law defines a service as something that is being paid for. This is hundreds of years old.
You would be heavily rebuked by a judge if you tried this nonsense in court of trying to redefine hundreds of years old case law to suit your opinion.
> Being able to enforce is (as I've already said) an entirely different kettle of fish.
No, that's the entire point. THE ENTIRE POINT. A court will not take up a case where it can't do anything.
Quite simply, your entire argument fundamentally depends on you not understanding UK GDPR, GDPR, or even basic law fundamentals.
> This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
https://gdpr-info.eu/art-2-gdpr/
> The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
https://gdpr-info.eu/art-15-gdpr/
Talk to a lawyer if you are upset.
On other hand you likely do not have right to get all emails or chat messages even if your name is mentioned. As this is not discovery like in legal process.
This is only my non-lawyer option.
I could make an argument that any database with my personal information is "personal data" and thus i should have a right to get the whole database sent to me, but i doubt a judge would agree. I would unlikely to be what the law writers intended.
https://en.wikipedia.org/wiki/Common_law
Law is often open to interpretation. Take a look at how most laws are written.
It might say "owning a sword is illegal", but then the courts have to interpret whether the sharpened blade you are carrying meets that definition.
Writing the law is like writing code. You can attempt to reason through each instruction and apply all sorts of static analysis, but you can't actually be certain it will work until you try to run it in production. The courts are the debugger for legal code. Courts attempt to interpret what the letter of the law means and how it applies to the very specific scenario in front of them.
Consider a law that simply states carrying a sword in public is illegal. Without common law, this rule applies in 100% of scenarios unless explicitly stated otherwise. If a foreign dignitary comes and expects officers with ceremonial swords, they all go to jail. We interpret law because the ideal vacuum universe in which the law was written does not have unforseen circumstances. A court applies an interpretation to circumstances to come to the judgement that diplomats are allowed to have ceremonial sabers in their entourage.
Think about it some more and ask yourself how a society could function in the long term without the ability to reinterpret law to fit particular circumstances. Every law rigidly applied exactly as written forever into the future. The only option to revise a law is by passing a new one.
The other extreme interpretation is that personal data only refer to data that personal identify someone, and not any information that is related to personal data (in contrast to being related to an identified individual). In the case of an email that would be the email address without the message. In term of slack, the personal data of a user would be the username, full name, and email, since those and not messages is what relate to identified living individuals.
Please see this very recent verdict by a California district court: https://techcrunch.com/2024/12/10/court-orders-mullenweg-and...
I agree with the question "is Wordpress.org GDPR compliant?", but I think that the scope can be widened: "Is Wordpress.org subject to illegal management?"