Isn't this a clear violation of GDPR and CCPA?
HN will anonymize usernames, but that does not remove personally identifying links or data from comments and submissions.
Will this ever change? Will it ever be possible for a user to be completely deleted from HN (remove all comments and submissions)?
Also, if they don't store IP or actively deident, then I'm not sure either reg applies. HN isn't collecting PII. Just because you chose to type some info into a free form text box doesn't mean that they are liable for treating that data as PII, unless they're doing the tagging and extraction themselves or you inform them you're in CA/EU and the post contains PII. IANAL.
https://gdpr-info.eu/art-17-gdpr/
In particular, there are sections about archiving and freedom of expression/information which I believe would apply to an online discussion forum where all comments are made public by virtue of them being posted in the first place.
Part of the problem is also that the government agencies tasked with regulating these things are hopelessly slow in pursuing matters, especially when non-EU companies are concerned.
Sure, it's a bit weird to force them to stay up, but the GDPR is mostly about PII. You can probably have your email address, username, and contact information removed from the database, but the comments themselves are different.
I don't know much about the CCPA, but from what I've read, I don't think it covers this use case.
As for if YC needs to follow the GDPR: YC does business in the EU so they'd be foolish to ignore it. If you believe your rights are being infringed, contact your local DPA and file a complaint.
You cannot regulate a steel manufacturer in China from the EU. Similarly, you cannot regulate how a company and server is set up in another country. It’s where the company is operating.
In the case of Hacker News the CCPA probably does have an impact. So I suspect they follow the appropriate law there. That’s because that’s where they are operating out of.
That said, HN is moderated pretty well. I suspect if you ask them they’ll tell you and / or delete whatever you ask.
Long answer: it depends on the regulation. To the best of my understanding yes under the GDPR. If you are interested in what constitutes personal data and when an organisation needs to or does not need to comply with a request under the GDPR and the CCPA take a look here: https://yourdigitalrights.org/#faq
(I am one of the founders of YourDigitalRights.org. We help people send data deletion and access requests. I am not a lawyer and this is not legal advice.)
HackerNews doesn't collect personal data.
Deleting anything someone wants deleted isn't covered
1. Processing that takes place in the context of processors and controllers that are in the Union, regardless of whether or not the processing itself takes place in the Union.
2. Processing the data of subjects who are in the Union by controllers or processors who are not in the Union if the processing is related to offering goods or services to such subjects in the Union or the processing is related to monitoring the behavior of such subjects that takes place in the Union.
3. Processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
If none of those cover an entity, that entity's processing is not covered by GDPR.
#2 would probably be the only relevant one for HN.
Is HN offering goods or services to subjects in the Union? Sure, people in the Union can access HN and even make accounts. But that might not be enough. One of the recitals for Article 3 elaborates:
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
Does HN envisage offering services in the Union, or is it simply a site that happens to work when accessed from the Union but was not envisaged to do so?
Another recital elaborates on the monitoring of behavior of subjects in the Union:
> In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
HN seems to collect minimal data. It might not rise to the level of monitoring that would be needed to count as monitoring behaviour.
Some parts of GDPR at least call out company size explicitly, other parts allow for "cost of implementation" to be considered, which for HN would probably be "prohibitively high" regardless of triviality, considering the team size.
In a short answer: YES, but not because of what you think.
Under GDPR you have the right to ask for your PII to be erased from production (it still goes under archive for some time depending on legal constraints).
So it is a valid demand for HN to ask your comments to be erased from being “live” in production.
Are your comments PII? Yes, as they are linked to a user, username that is linked to an email and bio, and they may also contain PII inside.
So you could ask for it to be removed.
Can HN avoid that deletion? Yes, only if they prove they have a more valid reason with a legitimate interest to keep it, or that there is any relevant legal obligation to keep it.
Do they have? Not really in that case, however they could also rely on the existence of a particular legitimate interest to inform (if they prove that they are a media), or that there is a legitimate interest relying on the impossibility to understand conversations if you cut off some parts of the discussions and the related feeds.