
This website is inherently an egregious GDPR violation. It collects the most highly protected data category, political views, stores it forever, shares it with everyone on the internet, makes opaque automated decisions related to ranking, vote weighting, and anti-spam, and provides no mechanism for takeout or deletion. Because it's publicly available, an unlimited number of unregulated third parties can obtain your data and process it for undisclosed reasons without your opt-in.

Can anyone explain how it's possible to be positive about GDPR and HN at the same time? I'm not surprised that some people like it. I'm stunned to see them commenting here.



> It collects the most highly protected data category, political views

It collects user comments and posts. What you post to this website is entirely under your own control, and there is plenty of opportunity to meaningfully participate here while offering not much more than technical opinions.

Furthermore, none of the information you post here needs to be personally identifiable, under the definition of the GDPR. It is identified by a username, which can be completely arbitrary and unique. You could even use a new one for every post you make.


I'm pretty sure HN is holding onto PII, including IP and Email, which is enough to tie your account to others and de-anonymize you.


You don't have to tell HN an email address. They should have appropriate privacy protections in place for the PII they do store, but they should have that even without GDPR.


I do agree that we all can choose what to share on HN. Usernames can be as arbitrary as you like, and not linked in any way to meatspace identity. HN allows registration and posting via VPN services. And maybe even via Tor.

However, it does appear that GDPR will require that HN delete a user's posts upon request. It might even require that HN delete posts that mention other people, including nonusers.

Edit: Yes, also via Tor. It did ask for an email address, for password resets.


HN probably doesn't fall within the material scope of GDPR, unless they perform business activity that falls within the scope of EU law that I'm not aware of.

That would be different if they marketed/promoted/sold in the EU, offered European language or currency support, or somehow otherwise took action to position themselves for the EU.

As a thought experiment, if HN was regulated by GDPR:

1. Yes, all kinds of user generated content can contain GDPR Art. 9's special categories of personal data. HN would probably rely on the exemption in Art. 9(2)(e), which permits processing "personal data which are manifestly made public by the data subject." The purpose of HN is to let you share your own data on the Internet; that's the entire point. That's fine under GDPR.

2. HN would still need a lawful basis for processing under Art. 6. For a paid service, a Terms of Service would normally be fine. I don't think HN has or wants one of those, and they don't track users at all before registration, so they could collect an explicit consent from users on registration. If they did track prior, a cookie popup could collect the consent. Also, under Art. 8, the default minimum age of consent is 16, so we'd want to consider age confirmation too.

3. Archiving posts on the Internet forever is not a problem, if that's the intended use of the site, which it is. My guess is that deleting a user and their posts is feasible at the application/database layer. The problem would be deleting personal data from backups of the site if the user withdraws their consent and requests Art. 17 erasure. In that case, only retaining the backups as long as necessary and documenting that justification internally is probably sufficient.

4. Article 22 restricts "automated processing, including profiling, which produces legal effects concerning [the data subject] or similarly significantly affects" the data subject. Ranking, voting, and anti-spam probably don't qualify as weighty enough subjects to be restricted. Recital 71 ("Profiling" https://gdpr-info.eu/recitals/no-71/) sheds some light on what the EU is trying to prevent.

5. They'd have to get a data protection agreement or other Art. 46 agreement with hosting vendors. Cloudflare is on top of this: https://www.cloudflare.com/gdpr/introduction/ Not sure what other subprocessors are involved.

6. Being able to see most of your own data on HN means you have Art. 15 access, which is nice. I think they'd also have to give you any hidden metadata. Not sure what that might be (vote weight score?).

7. There's a bunch of other stuff they'd probably do, like appoint a data protection officer, publish a privacy policy, add the ability to delete your account, etc.


On HN you have no expectation of privacy, your comments are public.

HN does not require you to disclose personal information, such as who you are.


The GDPR doesn't use an expectation-of-privacy standard. Personal data is not just an explicit disclosure of your name and address, it's anything that can be used to identify you. Writing style and the sum total of comments indicating your experiences and the cities and organizations you've been attached to certainly fit that standard.


Well, Mirimir can just request that his posts be deleted.

However, I do see an issue: quotes by other users. That's one of the leaks that took down DPR. He deleted his old posts about Silk Road. But another user had quoted part of a post, which didn't get deleted.


GDPR puts the burden on the company to comply if it processes any in-scope personal data, regardless of whether it's possible for the data subjects themselves to minimize that data.

I'm a lawyer but not your lawyer and I have no idea about specific YC or HN details, so take this with a grain of salt, but I think the best argument for why HN is exempt or at very low risk for enforcement is that it does not hold itself out into the EU market for business and is not otherwise subject to EU law (as far as I know, and I have no special knowledge). Users may be from the EU, but HN has no particular nexus to EU law that I'm aware of.

This is important because Article 2 of GDPR ("Material scope") expressly says "This Regulation does not apply to the processing of personal data ... in the course of an activity which falls outside the scope of Union law".



