https://www.washingtonpost.com/news/act-four/wp/2016/07/15/i...

Shameless plug: We're hiring - https://www.aptible.com/company/

Conclusion: > This leads people who have no interest in academia having to find a way to convince people they've discovered something new and novel so that they can go apply what has already been discovered.

I'm not rejecting the premise, I'm saying the conclusion is not supported by this article. None of the figures mentioned in the article (Daryl Bem, John Bargh, Susan Fiske, Brian Wansink, Amy Cuddy, Simine Vazire, etc) are clinical psychologists. None of the research described in the article is clinical psychology, or even appears to have been performed for clinical psychology.

Maybe clinical psychology has a replication crisis, I don't know, but there is no evidence here for the idea that clinical psychology degree candidates are causing the replication crisis in social psychology.

Disclaimer: we are a vendor that makes a SaaS offering for GDPR

I'm a lawyer, YC alum, and have a CIPP/E cert. I took a crack at the "Does GDPR apply to HN?" question here: https://news.ycombinator.com/item?id=16615351

The answer is "probably not" because HN is neither established in the EU nor do they target the EU specifically. Maybe there are facts I don't know, but YC itself is also probably out of scope (read more here: https://gdpr-info.eu/art-3-gdpr/)

I'm also CEO of Aptible. We make a SaaS platform (Gridiron) that a bunch of YC companies are using for GDPR prep.

GDPR forces you to be able to articulate why you collect or process regulated personal data.

If you provide a service that collects or processes data for fair and transparent purposes, you'll be ok.

Under Article 17, the right of erasure, you're only obligated to delete upon request of the data subject, and only in certain circumstances, the most common being:

- If the data are no longer necessary for the purposes for which they were collected

- If the legal basis for the processing was based solely on consent and no other legal basis exists

- If the processing was based on the balancing test of your "legitimate interests" outweighing the data subject's interests or fundamental rights and freedoms (such as for security or availability), the data subject objects, and your interests don't override theirs

- If you are processing for direct marketing and the data subjects at all

If you're a SaaS provider and they are necessary to meet your availability commitments to your customers, and you can document that necessity, then you're probably going to be able to retain them even if the data subject objects. Data subjects rights are not absolute.

If you're retaining the data for marketing, or based on consent alone, you're going to have to delete them or have a very good excuse for not doing so. If you don't have a great reason, you should probably delete them anyways, or better yet avoid collecting the data in the first place ('data minimization,' Article 5(1)(c)).

That would be different if they marketed/promoted/sold in the EU, offered European language or currency support, or somehow otherwise took action to position themselves for the EU.

As a thought experiment, if HN was regulated by GDPR:

1. Yes, all kinds of user generated content can contain GDPR Art. 9's special categories of personal data. HN would probably rely on the exemption in Art. 9(2)(e), which permits processing "personal data which are manifestly made public by the data subject." The purpose of HN is to let you share your own data on the Internet, that's the entire point. That's fine under GDPR.

2. HN would still need a lawful basis for processing under Art. 6. For a paid service, a Terms of Service would normally be fine. I don't think HN has or wants one of those, and they don't track users at all before registration, so they could collect an explicit consent from users on registration. If they did track prior, a cookie popup could collect the consent. Also, under Art. 8, the default minimum age of consent is 16, so we'd want to consider age confirmation too.

3. Archiving posts on the Internet forever is not a problem, if that's the intended use of the site, which it is. My guess is that deleting a user and their posts is feasible at the application/database layer. The problem would be deleting personal data from backups of the site if the user withdraws their consent and requests Art. 17 erasure. In that case, only retaining the backups as long as necessary and documenting that justification internally is probably sufficient.

4. Article 22 restricts "automated processing, including profiling, which produces legal effects concerning [the data subject] or similarly significantly affects" the data subject. Ranking, voting, and anti-spam probably don't qualify as weighty enough subjects to be restricted. Recital 71 ("Profiling" https://gdpr-info.eu/recitals/no-71/) sheds some light on what the EU is trying to prevent.

5. They'd have to get a data protection agreement or other Art. 46 agreement with hosting vendors. Cloudflare is on top of this: https://www.cloudflare.com/gdpr/introduction/ Not sure what other subprocessors are involved.

6. Being able to see most of your own data on HN means you have Art. 15 access, which is nice. I think they'd have to also give you any hidden metadata as well. Not sure what that might be (vote weight score?).

6. There's a bunch of other stuff they'd probably do, like appoint a data protection officer, publish a privacy policy, add the ability to delete your account, etc.

They're widely respected, but you're right it remains to be seen whether UK and EU enforcement will diverge.

I'm a lawyer but not your lawyer and I have no idea about specific YC or HN details, so take this with a grain of salt, but I think the best argument for why HN is exempt or at very low risk for enforcement is that it does not hold itself out into the EU market for business and is not otherwise subject to EU law(as far as I know, and I have no special knowledge). Users may be from the EU, but HN has no particular nexus to EU law that I'm aware of.

This is important because Article 2 of GDPR ("Material scope") expressly says "This Regulation does not apply to the processing of personal data ... in the course of an activity which falls outside the scope of Union law"

With a good system of record, you can track and manage all of the rest of the information and issues raised in the letter.

That said, in a large company with a lot of legacy systems, it may be tough to extract the actual data itself (or even know if your system of record is complete).

The right can only be enforced against a "controller," which is the entity that "determines the purposes and means of the processing of personal data."

It's worth noting that GDPR does not give the data subject the right to request everything in the letter. Only a more limited set of things.

The practical effect for SaaS companies is that they should keep track of data and the systems and services where data is processed. With good preparation and a system of record for security/privacy management data, you can prepare for this kind of request very well. My company does just that - helps others prepare.