Hacker News new | ask | show | jobs
by cedsav 3013 days ago
I'm not a lawyer, but HN is not established (AFAIK) in the EU, and while it has EU users, it likely does not meet the threshold of actively offering goods or services to EU residents. Being accessible from the EU in itself isn't sufficient to trigger the GDPR.
4 comments
agotterer 3013 days ago
I'm not a lawyer either, but have been going through the GDPR process at my job. It doesn't matter if you operate or are established in the EU. If you have EU visitors/users they gain the protections of the GDPR and you have to comply.

GDPR affects any org/site that collects personal or sensitive data. Amongst many others IP address and email address are considered PII under GDPR. We use IP address for some high level geolocation data and decided to drop the last octet so it's not tied directly to an individual visitor. The specialists we spoke with had concerns about free form input fields because anyone can write anything they want in them.

In the case of hackernews it seems like email address, ip, profiles, and comments could contain personally identifiable data. I'm also curious how HN similar sites are supposed to comply with GDPR removal requests when it can destroy the usability and functionality of the site.

link
DoreenMichele 3013 days ago
In the case of hackernews it seems like email address, ip, profiles, and comments could contain personally identifiable data.

You aren't required to put anything in the profile. If you choose to put information in the profile, you can remove it yourself at any time you so choose.

link
gregmac 3008 days ago
The GDPR also requires personal information be removed from backups, or at least after a backup is restored (eg: restoring from backup does not negate the original Right To Be Forgotten request).

So while you can remove some of that info yourself, I don't think that can be seen as fulfilling GDPR requirements.

Disclaimer: I am neither a lawyer nor GDPR expert.

link
brightball 3013 days ago
I'm very interested to see how such requests would actually work...mainly because I'm curious to see what actual authority the EU has to enforce its laws outside of its borders.

I understand it applying to companies that are doing business in Europe but beyond that...?

link
ryanlol 3013 days ago
There's a plenty of measures the EU could take within it's jurisdiction to enforce it's laws around the world.

It might suck if the EU started blocking payments to you.

link
billconan 3013 days ago
please read: https://blog.axeptio.eu/en/2018/03/20/gdpr-and-united-states...
link
ubercow13 3013 days ago
>Does your online activity lead you to sell goods or services in the European Union?

HN is not selling anything

link
madez 3011 days ago
YC does not need to sell anything. HN is a service offered by YC: a news and discussion platform service.
link
Erlangolem 3013 days ago
HN is selling HN, their associated startups, job postings, and so on.

Edit: who are they selling to? Would-be founders... you understand how the VC model works, right?

link
HeyLaughingBoy 3013 days ago
? Who are they selling it to?
link
dmix 3013 days ago
I wonder how this applies to SESTA/FOSTA, as many escort listing sites are apparently already operating from overseas.
link
ddebernardy 3013 days ago
There are cases out there, like LICRA vs Yahoo! [1] that could suggest otherwise.

[1]: https://en.wikipedia.org/wiki/LICRA_v._Yahoo!

link
cedsav 3013 days ago
I'm not sure how this case suggests otherwise, but Yahoo is not HN/YCombinator, and Yahoo is most definitely impacted by the GDPR.
link
huac 3013 days ago
my understanding is that these conditions apply to people in the EU, i.e. that EU residents must be able to delete their content from HN (but HN has no obligation to non-EU residents)
link
akerl_ 3013 days ago
How would EU law compel a non-EU entity to delete content based on the residency of the user?

As an example of the opposite state, where this does definitely apply: Tarsnap complies with Canadian law around collecting names/addresses for users who are located in Canada, because Tarsnap is operated as a Canadian business. But if Tarsnap were located in the US, it would not be responsible for collecting that information from Canadian users.

link
nabla9 3013 days ago
> How would EU law compel a non-EU entity

Because US and EU have singed agreements to that effect. It's the price US must pay for EU to allow American internet companies to serve EU customers.

It obviously applies to any company with direct business operations in any one of the 28 member states of the EU. But financial transaction is not nessesary for the extended scope of the law to kick in. Collecting personal data from EU citizen is enough.

link
akerl_ 3013 days ago
Which agreement between the US and EU mandates this?
link
nabla9 3013 days ago
EU-U.S. and Swiss-U.S. Privacy Shield Framework.

It came to effect 2016 and replaced the Safe Harbor agreement.

link
akerl_ 3013 days ago
"While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law."

From https://www.privacyshield.gov/Program-Overview

link
madez 3013 days ago
> But if Tarsnap were located in the US, it would not be responsible for collecting that information from Canadian users.

Responsibility is not defined by gut-feelings, but by law. So, with a suited law, Tarsnap could also be bound in Canada's jurisdiction even if it were located in the US.

link
akerl_ 3013 days ago
I'm not sure where you derived your comment about gut-feelings from.

Do you have an example of precedent for one country's laws being enforced on a company with no business presence in that country, without there being a law or treaty in a country the business does operate in that mandates compliance with the foreign law?

I don't think anyone would dispute that if the US were to make a law requiring US companies to comply with the GDPR for EU users, that law would apply to US companies. My point is that absent some measure by the US government, EU laws are not applicable to companies without business presence in the EU

link
madez 3013 days ago
> My point is that absent some measure by the US government, EU laws are not applicable to companies without business presence in the EU

They are applicable if they say they are applicable. Effective enforceability is optional to applicability.

The case is pretty simple in my eyes.

We have separate, sovereign jurisdictions and governments. They can do about anything they want, if they have the means to do so and aren't bound by some treaty or law. For example, they can take legal or executive measures against anybody in the world, and it is irrelevant if that person agrees or disagrees. In fact, in the first place, it is also irrelevant what position the sovereign of that entity takes.

Now, can each sovereign entity enforce what they have decided? Well, that depends on many factors, but is optional to their decision.

The sovereign we are dealing with here is the EU. They can, within the bounds by their law and international treaties, judge and take measures against entities not residing under their jurisdiction. Who's stopping them?

See for example the sanctions on Russian officials currently imposed by the EU.

The EU has many tools to enforce it's decisions.

I don't see what's the difficulty of understanding this situation, besides not agreeing with it.

link
akerl_ 3013 days ago
I'll admit to what feels like a pedantic point: Yes, the EU can make a law saying it'll be very very angry if a non-EU entity does not do what it wants. But since this post is asking about HN's compliance with the GDPR, it seems practical to scope the conversation to "Can the EU make and enforce a law that affects non-EU entities".

Otherwise, it's fair to say that I can personally draft a document saying HN must give me $3.50, and sign it into law for the House Of Akerl. But my law is quite uninteresting to HN, given the low odds of any of the YC folks sending me $3.50.

link
cedsav 3013 days ago
I haven't researched that particular point, but I'm not sure that your HN comments qualify as "personal data" under the GDPR (they'd need to personally identify you).
link
M2Ys4U 3013 days ago
"Personal data" is defined quite broadly in the GDPR:

Article 4 states

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

link
bostik 3012 days ago
I just read a pretty interesting white paper (written by a compliance law firm) about data anonymisation and pseudonymisation with regards to GDPR. It provided a really neat ballpark of data that constitutes "user information" on two separate levels.

Direct identifiers include such material as: name, address, phone number, all kinds of national identifiers, biometrics, device identifiers and clinical trial record numbers.

Indirect (or "quasi-direct", a new word for me) include: gender, date of birth, postal codes or other geographic grouping identifiers, first language at home, marital status, ethnicity, ....

---

If you look at the two groups, there's a pretty clear distinction. Anything that would allow to send a highly personalised communication to a person is direct. Anything that allows to target marketing cohorts is indirect.

The indirect ones may not sound important on the surface, but once you start doing group intersections, their combinations can become extremely narrow pointers.

link
mziel 3013 days ago
IP addresses are identified as personal data in GDPR. They're not exposed in the frontend, but HN might use them e.g. for logging.

Also things like deletion, takeout and consent/opt-out need to be supported (provided that HN falls under GDPR).

link
sebazzz 3013 days ago
Yes, but you need to explicitly target the EU. What that exactly means will be determined will eventually be determined in court, but some examples:

- If you offer your products in Euros, which is the currency in most of the EU - If you offer payment methods which only exist in the EU or one of its members - Otherwise suggest you target EU citizens

Hacker News exists as a generic website on the internet, but it does not to target any country or region specifically. Therefore HN should be exempt from the legislation.

link
madez 3013 days ago
That is incorrect. You don't need to specifically target the EU. If you handle data from European citizens, the GDPR applies to you.
link
madez 3012 days ago
I'm baffled. Why the downvotes? See for applicability: https://gdpr-info.eu/art-3-gdpr/

Also, in the case of HN, YC offers a service. Just like a forum is a service, this discussion and news platform is a service. It's irrelevant if it's paid for or free.

link
mdekkers 3011 days ago
I'm baffled. Why the downvotes?

Because HN is now like Reddit, but for techno-snobs. If you don't follow the tightly defined groupthink, you'll get downvoted.

Many years of discussion groups have proven that downvoting has a chilling effect on discussion groups. Allow upvotes, and "spam" flags.

link