There seems to be a legal theory that public discourse is not to be removed under the GDPR. Discord, for example, will also not delete your messages.
Part of the problem is also that the government agencies tasked with regulating these things are hopelessly slow in pursuing matters, especially when non-EU companies are concerned.
Failure to ensure the security of personal data (Article 32 of the GDPR)
At the time of the online investigation, when creating an account on DISCORD, a password of six characters including letters and numbers was accepted.
The restricted committee considered that DISCORD's password management policy was not sufficiently strong and restrictive to ensure the security of users' accounts.
Kind of surprising the GDPR is so prescriptive about password requirements!
Is it actually prescriptive, or does it say (in more legalese form) "use industry best practices to protect user data"? Six characters is laughably bad and would fail pretty much any password requirements I've seen in the last decade (except for my credit union, who only updated like 5 years ago after finally migrating to a better back end).
Reading the summary you linked, it isn't clear if Discord is being fined solely over retaining account information alone, or if that includes comments/messages.
Because, as has been pointed out ad nauseam THEY HAVE NO JURISDICTION to tell US companies what to do.
Of course, every time I point this out, people get mad at me because they happen to like the law (i.e., they like the idea of privacy, and privacy theatre is comforting to them).
I'm personally of the opinion that one government telling me what to do is quite enough, thank you very much.
> Because, as has been pointed out ad nauseam THEY HAVE NO JURISDICTION to tell US companies what to do.
Actually, in practice many important US companies do have market activity or assets in the EU, arguably including Y Combinator. Also, the EU (or its governments) wouldn't bother a random plumber in Iowa or honestly even in Prague (unless in the latter case someone had bothered to complain).
This is actually incorrect. The US and many other countries have entered into trade agreements with each other. For example, if a company does business in Europe (sells goods or services to EU customers), they are subject to EU regulations in a whole host of areas. The GDPR is only one example of such law.
You, personally, are not subject to EU laws since you are, presumably, not running a business with EU customers or data subjects.
The GDPR is explicitly not the same as those laws, claiming that it applies to anybody anywhere who puts a website online for any reason regardless of any trade agreements.
GDPR is intentionally written to be extraterritorial in scope. If you're collecting data on EU citizens while being located anywhere in the universe, it applies to you.
If you never have any plans to step foot in the EU, then they can't do anything to you.