Ask HN: Has anyone already had to deal with GDPR fines / abuse?
50 points by forthispurpose on Aug 3, 2018 | 27 comments
Recently there was a fair amount of concern about GDPR being a harbinger of doom for smaller companies, and fears of users abusing GDPR requests or of other companies using GDPR as a tool for taking down competitors.

Has anyone on HN had experience with people / companies / institutions abusing GDPR?




I've had trolls whom I had banned from online forums attempting to use GDPR as a tool for trolling me (with the chore of gathering all data, but I already had an API that did this). And then attempting to use it to gut forums by claiming several identities and requesting deletion of all comments (try and imagine HN if comments by patio11 were deleted throughout).

On the forums I run, email is the only identifying property, and in my case the trolls (2 of them I think) were unable to sign in as the users in question, so I have refused to recognise the request (and then had the threats of legal action... but what else can one do if someone cannot prove their identity?).


I was wondering about a catch-22 where someone misbehaves, then gets banned, cites GDPR and demands their data be deleted (they can do that, right?) ....and signs up again later with the same data.... wash, rinse, repeat....


You can keep storing an identifier (like email address) without any problems if you have a reason (like to blacklist them)


IANAL. I think you can't store a raw email without user consent. It is personal data one wants to be forgotten. However, you can keep pseudonymised data [0] [1]. E.g. just keep an MD5/SHA hash of the email string.

[0] https://en.m.wikipedia.org/wiki/Pseudonymization

[1] https://www.protegrity.com/pseudonymization-vs-anonymization...


Your right to be forgotten is not absolute, but instead balanced against the business's interests: you can process personal data without consent when you have a legitimate interest in doing so. Recital 47 of the GDPR states: "the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned". Storing a hash is likely a better practice for mitigating the damage of a data breach, though you have to process the raw email to get and compare hashes either way.


Hopefully that means you could keep some data like an email address that is key to creating an account to prevent abuses or duplication or other things.


Which bit of GDPR do you think forces you to get permission to store raw email address?


Does signing in really prove identity? What happens if I share accounts with someone else (against TOS potentially) and one person then abuses GDPR to dox the other person? GDPR seems so poorly thought out.


Right now most forums are pseudonymous, which has its own considerations in the GDPR. They also don't require personal data other than the email, which is required to log in, so if someone logs in, it means they already had access to that data by some other means. And data that's made public by the user they could ask you to remove, but they can't claim that you made it available without their consent.

Forums which collect other personal data, like maybe date of birth, and allow it to remain hidden... those might have a problem, depending on the sensitivity of the data, but still, if you shared the account details with someone, it seems to me difficult to claim that the forum and not the user is the one responsible.


> if you shared the account details with someone, it seems to me difficult to claim that the forum and not the user is the one responsible.

I kinda wanted to make a larger point on how, even if someone logs in to your service, you don't know who you are talking with and might be going against the wishes of the owners of the account, which would be unethical if you haven't previously obtained their informed consent to do so.

Here are scenarios under which third parties might try to unethically obtain access to your user's data, perhaps as you described by logging in or via some other means:

1) PC gets hacked and the owner loses control over their email. It's easy for a hacker to replace the password and log in. You can't blame the user for the shitty state of this industry when it comes to security. You are talking to a hacker.

2) SIM card is cloned via social engineering and passwords changed if email is improperly secured. You are talking to a hacker.

3) People share computers. Persistently logging out from websites on spouse's computer seems shifty. You are talking with a family member.

4) Not all people agree or understand that for some services people shouldn't share accounts. You can't know which pieces of data belong to whom, so you can't give them out. It's also unreasonable to demand from all services that they require each account to be used by only one person just for the sake of making GDPR workable. You are talking only to one user.

5) People trade accounts. It's unethical to give data to a new owner if the previous owner wasn't aware of what data you store. You are talking only to the newest owner.

6) People can be forced to sign in to their accounts. You are talking with an abuser.

In all these cases I think it isn't ethical to reveal data that couldn't already be accessed by normal means. It seems to me that GDPR, ironically, weakens users' privacy.


Well, in France, yes, already (and the links are in French; basically, the first one is about a basic hack where you could change the id of the user in the URL of the current page to get other users' invoices -no comment-, and the second one is because the users could not decide what cookies could be stored on their computers; they did not offer any choice, e.g. through a CMP or something else)

Optical Center : 250 k€

https://www.clubic.com/rgpd/actualite-844065-sanction-rgpd-p...

Challenges.fr : 25 k€

https://www.legalis.net/actualite/le-conseil-detat-confirme-...


These links are misleading as neither of those fines was imposed based on GDPR: The first article says that the fine was imposed based on a national law due to a data breach in 2017 (and says that the fine could’ve been higher now under GDPR), the fine in the second article was handed out based ePrivacy / Cookie legislation. Neither of those are directly related to GDPR, although the first case would also be punishable under it (but wasn’t when it happened).

I would’ve been surprised if the authorities had handed out fines that fast, as they usually need to give companies a reasonable amount of time to fix problems after they are revealed.


Will the interpretation depend on the country until someone raises the case to the highest court? Do we have to check the precedent of all European countries?


Users always can decide what cookies can be stored on their computers - Europe is braindead on this issue.


How do I allow this site to set the 'user' cookie, but not the '_cfuid' one? Since Cloudflare is proxying, both cookies are first-party.

FF61 on Mac. Solutions for Chrome would also be interesting.

Note that I specifically don't want 'self destructing cookies' or session- or time-limited ones. I just want to white/blacklist by site, cookie name, and perhaps cookie content.

I've briefly looked for suitable extensions, but not yet found anything.
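The question above is about keeping one first-party cookie (`user`) while refusing another (`_cfuid`) on the same site, which the browser's built-in per-site controls cannot express. The following is an added example, not code from the thread or from any published extension, of the core of a WebExtension background script that applies an allow/block policy keyed by site, cookie name and (optionally) cookie value. The site name, the cookie names and the `example.net` rule are assumptions taken from or constructed around the question; the Cloudflare cookie's real name at the time was `__cfduid`, but the name is kept as the post wrote it. A real extension additionally needs the `cookies` permission and host permissions in its manifest.

```javascript
// Added example (not from the thread): per-site cookie allow/block policy for a
// WebExtension.  The decision logic is a pure function so it can be tested
// outside the browser; the listener at the bottom only runs when the
// `browser` extension API is present.

const POLICY = {
  // site -> rule.  `allow`: names to keep, everything else on that site is
  // removed.  `block`: names (optionally with a value pattern) that are always
  // removed, even when allowlisted.  Entries are assumptions for illustration.
  'news.ycombinator.com': {
    allow: ['user'],
    block: [{ name: '_cfuid' }],
  },
  'example.net': {
    // keep everything, except a cookie whose value looks like a 128-bit hex id
    block: [{ name: 'tid', valuePattern: /^[0-9a-f]{32}$/ }],
  },
};

// Cookie domains arrive as ".site.tld" for domain cookies and "site.tld" for host-only ones.
function hostOf(cookieDomain) {
  return cookieDomain.replace(/^\./, '').toLowerCase();
}

// Find the rule for the cookie's host, matching either the site itself or a subdomain of it.
function ruleFor(cookie) {
  const host = hostOf(cookie.domain);
  for (const site of Object.keys(POLICY)) {
    if (host === site || host.endsWith('.' + site)) return POLICY[site];
  }
  return null;
}

// Returns 'keep' or 'remove'.
function decide(cookie) {
  const rule = ruleFor(cookie);
  if (!rule) return 'keep';                       // sites without a rule are untouched
  for (const b of rule.block || []) {
    if (b.name === cookie.name && (!b.valuePattern || b.valuePattern.test(cookie.value || ''))) {
      return 'remove';
    }
  }
  if (rule.allow && !rule.allow.includes(cookie.name)) return 'remove';
  return 'keep';
}

// The cookies API addresses a cookie by URL + name, so rebuild a URL that
// matches the cookie's domain, path and secure flag.
function urlFor(cookie) {
  return (cookie.secure ? 'https://' : 'http://') + hostOf(cookie.domain) + (cookie.path || '/');
}

// Wire-up: browser.cookies.onChanged fires after a cookie has been written,
// so this removes offending cookies immediately after they are set.
if (typeof browser !== 'undefined' && browser.cookies) {
  browser.cookies.onChanged.addListener((changeInfo) => {
    const { cookie, removed } = changeInfo;
    if (removed || decide(cookie) === 'keep') return;   // our own removals also fire onChanged
    browser.cookies.remove({ url: urlFor(cookie), name: cookie.name, storeId: cookie.storeId });
  });
}
```

Because `cookies.onChanged` runs after the write, the cookie briefly exists and may ride along on a request issued in that window; blocking it from ever being stored would need `webRequest` header filtering of `Set-Cookie` instead, at the cost of considerably more code.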


They can't. It may be technically possible, but users can't. Even for power users it's a pain in the ass.


Yes, they can. You are simply wrong.


The first one frames it as lucky because the fine could have been €20 million...


magnifique!


Drone.io nearly immediately received the Nightmare GDPR letter and closed its Discourse forum to avoid the overhead that providing a forum for an open source tool now causes.

It instead moved to a much less useful Reddit subthread.


Discourse is exactly the kind of thing the GDPR is aimed at.


What do you mean?


https://www.discourse.org/privacy

They collect data about you from every website that you visit that uses Discourse. They share it with a lot of other organisations, including Google analytics.

Do you just want to trust them, pinky promise, that they aren't (for instance) compiling a record of all your comments on Internet forums and sending them to job recruiters and HR?


No, they don't collect data from Discourse installs when you host them yourself.

> CDCK sets only its own privacy practices, not the privacy practices of CDCK customers or others who host Discourse forums for themselves or others. You should ask all of those involved in administering and hosting Discourse forums that you use for information about their privacy practices.


Silencing it.


Some shady web development agency sent spam emails to several smaller websites, pretending to be the local Data Protection Authority. The email mentions complaints received from users and lists some fake fines. They went so far as buying a custom domain and redirecting it to the actual website of the Data Protection Authority. Later, they contact website owners trying to sell their services.


Given how many sites blatantly ignore or violate GDPR (no opt-out, etc) I'd say there doesn't seem to be any enforcement. At the moment, GDPR is just scare-mongering but in the end is just as useless as the previous privacy directives. I wish this would change but I'm not holding my breath for it.

> Had anyone on HN had experience with people / companies / institutions abusing GDPR?

Any site that gives you a consent box with the bullshit tracking enabled by default, or that lets you know they use cookies with no way to opt-out. Per GDPR tracking should be opt-in so even pre-ticked checkboxes aren't allowed.

The only site that I've seen do this right is Quartz. They have a simple modal "we use tracking for X and Y", do you want to allow or deny?



