Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> Think transactional mailers, marketing mailers, billing systems, payroll, zendesk, etc.

GDPR has explicit provisions for all of these legitimate interests (notifications, clients, employees, customers). Most of these services are aware of and planning for GDPR, I wouldn't want to work with any that aren't.

> And even an RSS reader is scary. What if someone follows a series of blogs about HIV treatments, or internal trade union politics? If that means you could infer the person is poz or is a member of that trade union, you now have heightened scrutiny data in your possession.

Right, and I like that! Attempting to derive sensitive information should require consent, transparency, right to rectification, and stringent data handling requirements. It sounds like overkill for an RSS reader, but why the heck does an RSS reader need to do that kind of profiling in the first place? Maybe that's the right level of scrutiny and prior applications were unwarranted?

On the other hand, there are no concerns with simply storing the followed blogs.

> Except the GDPR is full of hand-wavy stuff.

Can't win, legislation is either micromanaged or hand-wavy... it's worth noting that some of the hand-waving is actually business friendly.

I'm not saying these laws are perfect. There is definitely room for improvement, but this is still a consumer win over the pre-GDPR wild west.



3rd party: the fact remains that doing deletions, both as a consent withdrawal and a privacy by design, is extremely complex. Particularly when privacy is withdrawn before a LI expires. You can hand wave it away as gdpr provides for this -- which isn't at all responsive to what I said -- but it's difficult to do nonetheless.

I never said the RSS reader is profiling. They don't have to be. Does the mere presence of the inescapable user data -- ie what feeds they monitor -- create heightened scrutiny, because someone else could infer with that data, were it to be leaked. It well may. I would seriously consider blocking EU users until this is sorted out.

Worse, the RSS reader could offer suggested feeds, and accidentally find themselves in possession of such data, entirely accidentally. Even if users were clearly asked if they wanted to see suggested data, or allow their data to be used to suggest feeds. They may not intend to derive sensitive data to possess it.

Or suggest you have a site like YC, and someone puts "hi, I'm poz" in their description. Tada, sensitive data.

The GDPR should have defined when a DPO is required, what a LI balancing test is, etc. Alternatively, the orgs could have pretended to be competent and issued guidance before -- oh right, they haven't issued final guidance yet. I'm sure 6 weeks is plenty of time.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: