For those in the know about privacy laws and the such. What is a proper response to reddit's claim that they cannot remove all the information associated to an account without first the user removing all of their posts? en (kbin.social)

As the title says, Reddit replied to my GDPR request to delete all my data saying I had to do it first, which I suspect is in violation of GDPR law.

Reddit's argument is that to comply with GDPR, they just need to dossociate your account from your posts, so the latter cannot be traced back to you. However, the argument could be made that the posts themselves are enough data to be linked to you.

Is there any type of response that could be framed in legal terms to make reddit really remove all the content from my account?

BrikoX,
@BrikoX@vlemmy.net avatar

Contact your Data Protection Authority and file a complaint.

Grumps,

I'm no lawyer, however, having gone through this a couple of times as a service provider this is my understanding:

GDPR and similar laws cover data which the provider has gathered about you and may have been shared with third parties.

Generally, user generated content is not covered under GDPR requests. Any content that you chose to post which is self-identifying was posted at your discretion.

The best examples of where this must be true are mailing list archives and Git reposities. E.g., the email address you gave to GitHub on signups and the email address that you attached to a git commit may have been the same, but only one use case provides for GDPR protection. Mostly.

In practice there's a lot of gray area in GDPR and privacy lawyers often have to find the inflection point somewhere between clearly covered and clearly not covered.

Doll_Tow_Jet-ski,

Got it. Thanks for the explanation

abff08f4813c,

As psychopomp pointed out this is wrong. (Or at least, "unsettled" - meaning that unless you are sitting on big pots of money and are happy to pay up to the gov't if the courts decide against you - you should play it safe.) See https://kbin.social/m/RedditMigration/t/34112/Updated-Reddit-is-quietly-restoring-deleted-AND-overwritten-posts-and#entry-comment-140833 - for what it's worth, folks from pre-Musk Twitter who looked into this issue determined that tweets basically did fall under the GDPR.

See also https://mstdn.games/@chris/110553477682106144 https://www.wired.co.uk/article/delete-twitter-dms-gdpr https://techcrunch.com/2023/02/08/elon-musk-twitter-dm-deletion/

Doll_Tow_Jet-ski,

for what it's worth, folks from pre-Musk Twitter who looked into this issue determined that tweets basically did fall under the GDPR.

That's interesting! It does set a precedent. I'm just going to have to wait for a European class action against Reddit. I hope someone with time and money in their hands takes the initiative.

abff08f4813c,

Hmm. I wonder though - could follow BrikoX's suggestion. Might be the case that you don't need a lawyer or to spend any money on it, instead the gov't org will hear complaints from lots of redditors (or ex-redditors) and then send its own lawyers in. If so, then these folks will be using public money from taxpayers and of course they got the time - it's literally their actual job. (Of course I speak in generalities and maybes because i don't know the system in every single EU country and it likely varies somewhat between them.)

psychopomp,
@psychopomp@kbin.social avatar

No, that's not true.

The GDPR doesn't care how the personal data was obtained, that's why Art 4 GDPR specifically calls it "processing", not "collecting". However, it does protect only personal data: https://gdpr-info.eu/art-4-gdpr/

If you sent an Email to a company you could argue the same, that they were not "collecting" it, you handed the data in yourself. It doesn't work that way.

That's why Art 15 GDPR allows you to demand a data takeout of everything they know about you, in case of Reddit that includes all your posts and comments.

And of course the "right to be forgotten" (Art 17 GDPR) covers any of that data as well, but again only if it is personal data.

Reddit now just says that with deleting your username they de-personalised the data, so it isn't covered by GDPR anymore. That's technically correct. But if you wrote a comment with personal data in the comment, e.g., "Hey, my name is Patrick Smithereens, I live on High Street 666 in 1312 Arblfarg" they would absolutely need to delete that.

Nihil,

So, I’m hearing, “Overwrite all my comments to sign my real name at the end”

psychopomp,
@psychopomp@kbin.social avatar

Doesn’t have to be your real name, the scope of Art 4 GDPR is quite broad. An Email address, e.g. fuckspez69@provider.com is personal data if it’s, even just theoretically, possible to identify you…

Gargleblaster,
@Gargleblaster@kbin.social avatar

I don't have a solution to your question, but I started deleting my account annually so that it was harder to track me, spy on me, and sell my information.

Before I started doing that, I had an account with 900,000 karma. When you asked for your account to be deleted, the Reddit automated response was 'Are you sure you want to do this? After one month, all of your content will be deleted.' And that's what happened. If I look on reddit, my posts were gone. On google, I could find people mentioning my username but not any actual posts by that account.

TLDR: They used to threaten you with deleting all of your posts, and, based on my experience, they did exactly that with my old account.

It's kinda funny to see them flip to threatening to keep your content.

HouseMouse,

I think it’s untested whether this is legal or not; it’s in a legal grey zone. Try to find an online script to help you delete all your posts. Alternatively turn the question to your national agency which handles GDPR compliance.

CaptainPatent,

With the API shutting down, I believe there is no longer an automated way to delete all content. I would focus more attention on the latter suggestion.

abff08f4813c,

With the API shutting down, I believe there is no longer an automated way to delete all content.

Actually, the API hasn't shut down. It's just you get a bill if you go over 100 api calls per minute, but existing scripts like github shreddit can be easily modified to include a builtin delay to prevent that from happening. Alternatively you can pay shreddit.com $15 to do this for you and not worry about it (they use their own API key i figure though I don't know the specifics, but I imagine they have a setup that prevents them from going over the limit as well).

I rushed in a bit of a panic to get all of my stuff deleted, not even waiting for the response to my data retrieval request (see https://kbin.social/m/RedditMigration/t/65260/PSA-Here-s-exactly-what-to-do-if-you-hit-the ) before I realized this.

PabloDiscobar,
@PabloDiscobar@kbin.social avatar

Be patient, if you want your content deleted you will have an efficient way to do it soon. Don't count on reddit to do this for you. It seems we have enough access to the API to do it ourselves.

Doll_Tow_Jet-ski,

What would be this efficient way that if coming soon?

abff08f4813c,

I mused in the past that scripts like Power Delete Suite might work as they simulate clicking a button and such on old dot reddit dot com instead of directly calling the API. (Technically they are indirectly using I guess as old reddit uses the API internally but so what - is reddit going to suspend their own API key for going over the limit?) Someone just needs to figure out how to a) modify PDS to be able to accept the archive data and b) longer-term work with the new reddit desktop website instead of relying on old reddit, which a lot of us don't trust to stay around forever.

  • Todo
  • Suscrito
  • Moderado
  • Favoritos
  • RedditMigration@kbin.social
  • random
  • noticiascr
  • CostaRica
  • Todos las revistas
    •