by srrr 1479 days ago
If you live in the EU, Article 15 of the GDPR grants you the right to ask about the details. Often companies reply that they don't need to answer because of ¨security¨, but this is not true. You can ask in detail about ALL personal data that was used as an input for this decision, information about the ¨automated decision-making¨ (algorithm), and all personal data that resulted from this process. https://gdpr.eu/article-15-right-of-access/

If any of this data is false, you have the right to rectification. https://gdpr.eu/article-16-right-to-rectification/

3 comments

> You can ask in detail about ALL personal data that was used as an input for this decision, information about the ¨automated decision-making¨ (algorithm), and all personal data that resulted from this process. https://gdpr.eu/article-15-right-of-access/

That is only true in specific cases of processing, as detailed by article 22: "a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her".

In the case of a domain name used for email I think you could legitimately argue that the decision "significantly affected" you, but it's kind of undefined so far what the bar is for this criterion.

In this case Cloudflare has produced a legal effect by putting the domain into pending delete, because this is an ownership transfer back to the registrar (of a property they don't even own, so stupid...).

For me, deleting my domain would be far worse than deleting my telephone number and would significantly affect me. But yes, this is a case-by-case decision.

I just wanted to say something like: You have rights. Don't be afraid to use them. These companies are not above the law.

> a decision based solely on automated processing,

"this account was identified in a recent fraud review, however it appears to have been a false positive"

> which produces legal effects

Deprivation of property.

I suspect the workaround on the side of the companies doing this is to include human review (or appeals) to ensure the decision is no longer based "solely on automated processing".

Even if not intended, a reviewer that sees mostly true positives is very likely to become a blind rubber stamp.

Good point. But even if they (any of those corps running algorithms but no customer support worth the name) comply (which I won't take for granted), you will get some code or keyword indicating that fraudulent activity was detected. Very unlikely that they have technical details of the root cause in their customer DB.

I don't think so. I have not worked on many fraud detection systems, but in all cases there was a very detailed record in the logs of what happened and how the decision came to be. In addition, if there was a human review, additional data is often generated. You can't just flip a bit in the customer record, or can you? (Edit: And if no information is in the logs, I would argue that all information is in the input data and the fraud-detecting algorithm, and thus the algorithm itself becomes part of the data. Whatever happened, if the action cannot be "replicated" / understood with the data you got after the Article 15 request, the data is not complete.)

Since the domain and account belong to you as a person, this is all personal information under GDPR.

I've done this with Instagram in the past, and funnily.. after a few emails back and forth.. they just reinstated my account..? and told me to download my data the normal way.

Well, I'd hope affected users could submit (reasonably anonymized versions of) what they got to HN in the future, so we can stop speculating.

While thinking about it I found an interesting fact: If they don't produce the data that led to the account ban because they "don't have it", they don't actually have proof of fraud anymore. If they don't have proof of fraud, you can invoke GDPR Article 16 "Right to rectification" and "unfraud" your account. Theoretically they can't argue against it because they don't have any data to argue with...

If they don't unfraud you AND don't produce the data, they are not in compliance with either Article 15 or Article 16 and have delivered the proof of noncompliance themselves.

Did you know that you're using umlauts instead of double-quotes? It looks a bit strange.