Have you tried emailing hn@ycombinator.com and it got denied? Or what you mean there is no easy way to request the data deletion? AFAIK they don't scrub the comments but if you request it, your username will be replaced with [deleted] for all your comments.
I remember trying that with an old account a few years ago (suggesting your solution of just hiding the username) and was denied. Maybe things have changed since then though.
Ah well, I guess "easy" is relative. I'm sure if you send them one email, they'll confirm it with you once within a month and then delete the data.
Compare that to Coinbase, which has forms, buttons and seems it's mostly an automated process instead of manual email, but I've tried getting Coinbase to delete my account + data for over 6 months now to no avail, multiple emails back and forward where they confirm the deletion, say it's in progress, I email back after a month and they ask me to confirm the deletion again.
So even with a button, it doesn't mean the process is easy, and there is also a lot more to consider than just how you initially make the request.
This is such a grey area. Do emails others sent to me belong to them? Do my HN comments make the entire conversation partially mine? If one of my comments is "well said", and the parent deletes their comment, is not my comment diminished? What do we do about quotes? Etc.
Solved problem already: Hash the username + a salt and change that everywhere. Every comment is from a unique author + the comment body is still there + all the replies are still there, but the author name has been removed.
That's a decent solution. But I think simply replacing the usernames with [deleted] is better. It leaves the comment but detaches the user and breaks the link between all the user's comments.
It becomes very hard to track conversations with N+2 users though, if more than one has the [deleted] username. Hence the hashing to get a unique [deleted] username for each user.
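The salted-hash scheme from the two comments above, as an added example that is not HN's code: a keyed hash gives each erased user a stable but unlinkable tag, so replies in a thread remain attributable to one author, while the flat "[deleted]" variant collapses them. The sample thread, usernames and salt are constructed.

```python
import hmac
import hashlib
import secrets

# Constructed sample thread: (comment_id, parent_id, author, body)
THREAD = [
    (1, None, "alice", "Original post"),
    (2, 1, "bob", "Reply from bob"),
    (3, 2, "alice", "alice answers bob"),
    (4, 1, "carol", "Unrelated reply"),
    (5, 3, "bob", "bob answers again"),
]

def pseudonym(username: str, salt: bytes, length: int = 8) -> str:
    """Derive a stable author tag from a username and a secret salt.

    HMAC-SHA256 keyed with the salt: the same user always maps to the same tag,
    but without the salt nobody can recover the username or even confirm a
    guessed one (a plain unsalted hash would allow exactly that).
    """
    digest = hmac.new(salt, username.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"[deleted-{digest[:length]}]"

def erase_users(thread, users_to_erase, salt: bytes):
    """Copy of the thread with erased users' names replaced by per-user tags.

    Ids, parent links and bodies are untouched: replies stay where they were.
    """
    return [
        (cid, pid, pseudonym(author, salt) if author in users_to_erase else author, body)
        for cid, pid, author, body in thread
    ]

def flat_deleted(thread, users_to_erase):
    """The simpler alternative: every erased user becomes the same '[deleted]'."""
    return [
        (cid, pid, "[deleted]" if author in users_to_erase else author, body)
        for cid, pid, author, body in thread
    ]

def distinct_authors(thread) -> int:
    """How many distinguishable authors a reader can still tell apart."""
    return len({author for _, _, author, _ in thread})

if __name__ == "__main__":
    salt = secrets.token_bytes(32)  # secret; discard it to make the mapping one-way
    for row in erase_users(THREAD, {"alice", "bob"}, salt):
        print(row)
```

While the salt is retained, the operator can still re-derive any user's tag, so this is pseudonymisation rather than anonymisation; discarding the salt after the rewrite removes that link.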
HN has no EU presence so doesn't have to follow EU laws, no? Or do they have to IP block Europeans? What would the EU actually do to HN if they did decide to enforce the rules here?
GDPR is about data, not companies. It applies to all entities regardless of where they are established as long as they're doing business in the EU or processing data of EU citizens.
True, but GDPR does not automatically apply to global companies that just happen to get used by EU citizens. There are two separate conditions, either one is sufficient, but if neither is met then GDPR does not apply. The company must either offer services to EU citizens directly, or profile behavior of EU citizens, e.g. via direct advertising within Europe. See Recitals 23 and 24 https://gdpr.eu/Recital-23-Applicable-to-processors-not-esta...
> Article 3.2 goes even further and applies the law to organizations that are not in the EU if two conditions are met: the organization offers goods or services to people in the EU, or the organization monitors their online behavior.
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, [..] the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
> it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
So, I'd say no. The mere fact that HN is accessible to people in the EU does not show intent. HN is an English forum, which is the native language of the country where it is established, and does not offer its services in additional European languages, and does not advertise products in the Euro currency. I'm unable to know for sure, but I don't believe HN is using my posts here to predict or analyse my personal preferences either.
I'm inclined to say that's a wrong interpretation. You don't have to sell anything to be required to be compliant with GDPR. My understanding is any entity (not necessarily a company, mind you) collecting personal or behavioral data of EU citizens needs to comply with the GDPR. Were HN to collect such data, EU laws would apply. But take that with a pinch of salt, I'm no lawyer or anything.
Question: are you an EU citizen, and is there any way for HN to know whether you are an EU citizen? (Your public profile page has no personally identifiable information.)
GDPR is an EU law that applies to sites that market directly to EU citizens. How and whether it applies to sites outside the EU has been debated. GDPR can prevent a site from operating in the EU. But GDPR does not apply to a US citizen using a US-run web site.
Edit: speaking of personally identifiable information, GDPR defines the information that is subject to download as “personal” information, only when it can be identified. Do you have data on HN servers that is subject to GDPR even if you live in the EU? (I don’t think I do.)
Note that it also includes indirect identification, which means that if combined with other data it would identify you. Recital 30 might be of use here too:
> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
My HN username (Rygian) is PII because it can be used to identify me indirectly (HN has a log of my username connecting from IP x.y.z.w, and my IP address is PII).
In the US there is precedent (existing court rulings) against IP address being PII. Obviously, IP address is not very good PII, and never guaranteed to be able to identify someone.
Whether HN has a log of it is an assumption I don’t have a way to verify. Lots of privacy-conscious sites purge connection logs often and/or refuse to keep them for this very reason.
Most people have an email address on their profile, that's PII. One could post one's name, that's definitely PII and AIUI that affects all the data then on the site, as it's now associated.
Article 4(1) of the GDPR states the relevant definition: "Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
That should be read in light of the recitals, for instance recital 26:
"The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."
From these I think it should be obvious that forum comments may be (and even probably are) considered to be personal data under the GDPR.
It’s also obvious that many comments might not be PII too, right? Whether they are depends entirely on whether the user has chosen to share PII, but in any case it’s not automatic, it’s not structured data that’s easily searchable in general, and typically depends on whether other identifying information is available. In other words HN doesn’t ask for PII, has no way to know what comments are PII in general, has no way to reliably identify EU citizens, does not operate in the EU or target EU citizens, has no structured way to profile EU citizens. I’m wildly in favor of online data protections, and I think the GDPR has done many good things, but this particular example does not seem to constitute a clear example either of GDPR applicability or (tangentially & IMO) of need for data control.
> GDPR is an EU law that applies to sites that market directly to EU citizens.
That is wrong. The GDPR does not make reference to citizenship.
It explicitly notes that it applies either when the data subject is physically in the EU/EEA, or when the data controller/processor is based in the EU/EEA.
You’re right, I described it incorrectly. GDPR applies to “subjects (natural persons) within the Union”. As an example, EU citizens living abroad are not covered by GDPR. Americans visiting HN from the Bay Area also shouldn’t expect to have the rights that GDPR grants to subjects within the Union, right?