Any pointers on how to report them?

  • ipkpjersi@lemmy.ml
    7 months ago

    I wouldn’t expect companies to hard delete in this day and age. I fully expect that they all soft delete, sadly.

      • Rodeo@lemmy.ca
        7 months ago

        And what jurisdiction does the gdpr have over servers hosted in America?

        We’re all still waiting for the court case that sets this precedent.

        • YoorWeb@lemmy.world
          7 months ago

          *According to Article 3(2), a business that targets individuals in the EU for offering goods or services (even if it’s free) or monitoring their behaviour falls under the scope of GDPR. Monitoring activities such as tracking through cookies or other technologies, behavioural advertising, geolocation, market surveys etc performed by a non-EU business can be subject to GDPR. A US business that has no establishment in the EU, but sells goods or services to consumers in the EU, will fall under the scope of GDPR in the US. Note that the law extends to any resident of the EU, irrespective of citizenship.*

          Source: https://www.cookieyes.com/blog/gdpr-in-the-us-a-checklist-for-compliance/

          Many US companies were fined, it doesn’t matter where your servers are, it matters if you target EU customers. In this case, Reddit very clearly targeted EU citizens.

          • Rodeo@lemmy.ca
            7 months ago

            Can you cite a case where an American company with no holdings or dealings in the EU was fined successfully?

            If the company has no infrastructure within the jurisdiction of the gdpr, how can they hope to enforce it?

            • Thomrade@lemmy.world
              7 months ago

              Reddit has holdings in Dublin, Ireland, where they have a large contingent of employees. Thus they are required to adhere to GDPR.

            • reinei@lemmy.world
              7 months ago

              IANAL and this obviously won’t happen (because it’s one of if not the stupidest way to go about it right from the get go) but still:

              They can literally demand any and all European ISPs block all their traffic, they can still raise the fees and if they don’t pay accrue interest/late claims on it. Will this change anything? Not immediately, but the moment that company does anything the courts can reach they are in a whole lot of trouble.


              Anyway besides this are there really companies that are so US centric that a European court can’t (like really absolutely can’t) reach them?

        • scv@discuss.online
          7 months ago

          Reddit has employees and servers in Europe, including EU countries. GDPR most definitely applies.

    • Z3k3@lemmy.world
      7 months ago

      I got this email in the UK, guessing they are just firing it at every account with a verified email against it

      • Hotzilla@sopuli.xyz
        7 months ago

        On purpose GDPR violation is 4% of global yearly revenue fine for the company, which in reddit’s case would be 32M USD.

        Still I assume OP has not actually done a “forget me” request for reddit, just deleted the account. Delete is not the same thing as requesting to destroy all identifiable data of you.

        GDPR doesn’t care where the company is located, if you handle European citizens’ data, you must comply.

        • coffeeClean@infosec.pub
          7 months ago

          Delete is not the same thing as requesting to destroy all identifiable data of you.

          This is what I don’t get. How are Reddit accounts not pseudo/anonymous? Back when I had an account (~5+ years ago at latest) they had nothing personally identifiable on me, in which case there are no GDPR rights to speak of. Even if I were to make an Art.17 request and go above and beyond by supplying a copy of my ID card with the request, Reddit would have no way to even verify that my ID is associated to the acct.

    • PlexSheep@feddit.de
      7 months ago

      That’s true, but if OP is European and received this mail, it is a GDPR violation regardless of if the content is relevant or not. As far as I know, not a lawyer.

  • Gork@lemm.ee
    7 months ago

    Does the GDPR have teeth against this kind of violation? Could Reddit be hit hard with violation fees?

    • northendtrooper@lemmy.ca
      7 months ago

      If the user resides in Europe then yeah. This means they didn’t follow GDPR and still retain data on user(s).

        • Aceticon@lemmy.world
          7 months ago

          E-mail counts as user identifying information per the GDPR, so clearly they have kept user identifying information so the GDPR applies.

          Even an IP address is user identifying information per the GDPR, which is why if for example a website wants to be compliant without obtaining explicit user authorization, it needs to do things like not maintain logs with IP addresses for longer than it would be necessary to track down problems with the website or intrusion attempts.

          • coffeeClean@infosec.pub
            7 months ago

            Right, so e-mail address together with IP address would then make the e-mail that of an identifiable user under Art.4(1). So the OP needs to find out if an IP address was logged and retained in connection with the email address.

    • Pennomi@lemmy.world
      7 months ago

      GDPR requires deleting data if you ask them to delete data. How did they get your email address if they supposedly deleted your information?

        • then_three_more@lemmy.world
          7 months ago

          GDPR also requires data only to be kept no longer than is necessary for the purpose for which it was collected. Deleting your account, even if it isn’t a request to delete your data, removes any purpose for keeping it.

          • SchmidtGenetics@lemmy.world
            7 months ago

            That’s more for people booking flights and what not. With an account, they need a way to contact you if you’ve done something illegal, among a host of other things. It’s not the same scenario.

            Until you specifically request it, it’s not gonna happen, and even then, they still need something to keep to trace back to you for legal reasons.

            • siban@lemmy.world
              7 months ago

              GDPR also requires that you use the data for the appropriate cause that the user opted in to. So if they have the data for legal stuff this would still be a violation.

              • SchmidtGenetics@lemmy.world
                7 months ago

                How so? The person never requested it to be deleted for that, you consented to all of this when you made your account and linked it to an email.

                • siban@lemmy.world
                  7 months ago

                  Article 6 states that there are only 6 reasons why you can process data; the one applying here is a:

                  If the data subject has given consent to the processing of his or her personal data;

                  Informed consent has to be given freely and for each purpose individually. Each consent option one has to consent to has to be opt in and has to be singular, not bundled. Reddit doesn’t do that, therefore their only right is to use the mail as part of the service. With the deletion of this account they are not further allowed to use this mail for anything else except legal.

      • a4ng3l@lemmy.world
        7 months ago

        Let’s assume that the dude requested a deletion of his account (specifically - not all his data) on the basis of GDPR and the execution of his data subject rights; that doesn’t exclude the possibility for reddit to keep his contact details for specific purposes based on the legitimate interest of reddit. Or at least they could play with the argument.

  • ChocoboRocket@lemmy.world
    7 months ago

    I received one for a dormant account, but am Canadian so I couldn’t use their IPO insider advantage even if I wanted to

    Makes me think this thing is gonna Drill immediately after launch, take everyone’s lunch, and eventually rebound (or get bought by Meta/Alphabet/Microsoft/Apple on the cheap)

    • TruthAintEasy@kbin.social
      7 months ago

      It’s a bad bet imo too. The enshittification of reddit accelerates on an exponential curve, like a shitty inverse of the tech it is based on.

      How good is an app if you feel better the less you use it?

  • kadu@lemmy.world
    7 months ago

    Automatic emails have revealed so many LGPD violations with my accounts too (LGPD is the Brazilian version of GDPR).

    • Fushuan [he/him]@lemm.ee
      7 months ago

      Does your law specify that deleting an account must perform the full data deletion? GDPR doesn’t, one needs to manually request the procedure via email or postcard. Iirc, they are in fact forced to maintain personal data for X years in case the user requests it.

      • coffeeClean@infosec.pub
        7 months ago

        Kind of. Yes you really should make an Art.17 request to ensure having a strong GDPR case in the event of non-compliance, but technically there is still an Art.5 data minimization rule that applies to data that is no longer needed for performance of the contract.

        • Fushuan [he/him]@lemm.ee
          7 months ago

          There are several reasons why the data should still be kept even with art. 5, if for whatever reason legal entities need to contact you for something that you posted long ago that was archived somewhere else, reddit must keep your contact info, albeit just that, in the spirit of art. 5.

          Now, if they are allowed to use that contact info to send you promotional content? I don’t think so. Furthermore, this mail has been sent to accounts that had more than X comment karma, and having that info stored still would breach the data minimization clause, so idk. I wouldn’t try to sue them on these grounds though.

    • coffeeClean@infosec.pub
      7 months ago

      So cool to hear that Brazil has a GDPR equivalent. That (and the fact that Bolsonaro got booted) makes me want to live there.

      Embarrassing that the US can’t get on the ball with this.

    • antonim@lemmy.dbzer0.com
      7 months ago

      If only they were so smart on reddit to check such stuff before sending the email. I also got the email here in EU and I never used VPN in my life.

      • FaceDeer@kbin.social
        7 months ago

        Same here in Canada.

        I’d be curious what the “cutoff” date is for eligibility for this. It could be that they generated the list of accounts they’d be sending this offer to some time ago, and OP deleted his account after that point.

    • Treczoks@kbin.social
      7 months ago

      I’ve never used a VPN, and from numerous posts, many of them in my native, non-english language, it would be easy to derive that I’m not an American citizen. I’ve even stated that fact in a number of posts.

      I still got an invitation. I reported it as spam.

    • TWeaK@lemm.ee
      7 months ago

      The UK has its own version of GDPR. That’s actually how the EU works, it sets guidelines and the countries create their own laws within those guidelines.

        • TWeaK@lemm.ee
          7 months ago

          Brexit means Biscuit!!!

          And I just reminded myself that school kids across the UK have started dirty tackling each other, with no intention of getting the ball, while shouting “Brexit means Brexit!!”

    • d00ery@lemmy.world
      7 months ago

      Upon leaving the EU any laws that were in use made were ‘enshrined’ into UK law. In order for the UK to remove EU laws we’d need to actively remove them through an act of parliament. (At least that’s my vague understanding…) https://www.legislation.gov.uk/eu-legislation-and-uk-law

      I’m happy to keep the EU laws, it’ll save time when we rejoin.🇪🇺🇬🇧

        • VaultBoyNewVegas@lemmy.world
          7 months ago

          It would take years for the UK to rejoin. First there’d have to be public polling, referendum and a desire by the sitting government to start the process then it’ll be however long it takes for the EU to debate the application and then the UK needs all members to accept the application. Currently neither the two largest UK parties want to even re-open the brexit debates. So basically it’d be at least over a decade.

          • SubArcticTundra@lemmy.ml
            7 months ago

            We could maybe be on a Norway-style deal sooner than that though… Some things like single market access or Erasmus membership don’t necessarily require the long process of EU accession

            • Scrollone@feddit.it
              7 months ago

              This is more probable, because there’s no way the UK is ever going to accept to abandon the pound sterling and migrate to the euro after re-entry.

              • SubArcticTundra@lemmy.ml
                7 months ago

                Then again, a ton of countries haven’t accepted the Euro yet even though they pinky promised they would. Look at Poland

                • Scrollone@feddit.it
                  7 months ago

                  They’re still forced to adopt it as soon as they reach some requirements. The worst player is Sweden, that’s actively trying not to reach the requirements so they can keep the crown

            • Camelbeard@lemmy.world
              7 months ago

              Maybe but that would also mean people from let’s say Poland can live and work in the UK right? I thought that was one of the bigger Brexit points.

            • Aceticon@lemmy.world
              7 months ago

              That would require Freedom Of Movement, which from my experience living in the UK at the time of the Leave Referendum was the main thing driving the Leave vote, closely followed by the UK having to follow EU directives (i.e. the whole “sovereignty” malarkey).

              Looking around (not the just UK), xenophobia has become even stronger since, not weaker and Norway-style is still mainly “following EU directives”, though with some opt-outs in things not to do with Trade or Freedom Of Movement.

              Also this time around it would be Spain as an EU member whilst the UK tried to get in (the reverse of last time) so they would probably demand to get Gibraltar back as condition for their vote (which is required since a unanimous vote is required). More in general pretty much any EU member with a bone to pick with the UK would get their chance, which might also be interesting for the likes of Greece (better make sure there isn’t a leftwing government in Greece given how the UK literally intervened militarily to make sure at the end of WWII that the Fascists ended up in power in Greece, a dictatorship that lasted until the 80s).

              • SubArcticTundra@lemmy.ml
                7 months ago

                Ugh, it sucks to be taken revenge on for things that you literally weren’t even around for to be able to stop.

                • Aceticon@lemmy.world
                  7 months ago

                  I think it’s only unfair for people who aren’t nationalists.

                  Those who think they’re important because they hail from an important country, on the other hand, deserve the bad along with the perceived good. Sadly in my experience Britain is thick with nationalism, heavily promoted even by the slant of international news on TV (where Britain’s importance to the rest is always exaggerated), much more than other countries I lived in.

                  IMHO, Brexit was powered by that excessive nationalism and even the Remain side displayed a heavily nationalist streak (I remember the “we should stay and change the EU from the inside” argument, implying that 50 million Britons should lead the other 470 million in the EU) so it’s only fair if others reciprocate.

                  Personally I think most Britons deserve it, though definitely not all.

          • Nollij@sopuli.xyz
            7 months ago

            Plus, it’s unlikely that the UK will get the same terms they had when they left. That will have to be negotiated as well.

        • Ben Hur Horse Race@lemm.ee
          7 months ago

          would we really though? think about them driving around in their austin powers union jack painted minis, just whipping around random roundabouts saying “I say” and “buh herr hear haar”

      • Astongt615@lemmy.one
        7 months ago

        They gave you a do-over. Things could change in the term, but my expectations are low. See: the US

      • Evil_Shrubbery@lemm.ee
        7 months ago

        Yeah, EU directives need to be adopted into local country legislature (with some deadlines), whereas EU delegated acts (usually hierarchically under a directive) automatically apply to all EU members. Hehe, members.

        • coffeeClean@infosec.pub
          7 months ago

          The GDPR is not a directive. It’s a regulation. Nonetheless, I read that the GDPR was specifically mirrored into UK law with a couple minor modifications.

          But to answer @automaton@lemmy.world, AFAIK the #GDPR does not apply in this situation anyway because Reddit accounts are “anonymous”. The GDPR only protects identified people.

          /cc @d00ery@lemmy.world

          • Evil_Shrubbery@lemm.ee
            7 months ago

            That’s how I understand the UK situation too, however what is anonymous is left much for debate & sometimes local best-practices. Like, a user can be identifiable by their posts, or even full name.

            • coffeeClean@infosec.pub
              7 months ago

              If I create an anonymous account but put what looks like a real name in the username field, and sign all posts with that real-looking name, who’s to say it’s really my name? Then suppose I lose my internet connection but want to exercise my right to be forgotten. The GDPR enables people to make an Art.17 request in writing but the GDPR also mandates that data controllers identify who the request comes from (so Mallory does not request deletion of Alice’s records). If a user ad hoc puts their name on everything then mails a request with a copy of their ID card which matches the name they put on everything, it’s a bit off because a company who does not ID users would not normally have the infrastructure in place to support GDPR requests. (and that’s a good thing… it’s good that there’s incentive to support the practice of offering anonymous accounts) But here’s the other problem: the ID mechanism itself must be minimal. A data controller cannot demand a full copy of your ID card if they can verify using something less intrusive like date of birth to verify you. Perhaps in this case a copy of the ID card would be necessary. OTOH, names are not generally unique, which would mean I could use my ID card to request deletion of all records of other people who have the same name.

              As a practical matter, we also have to figure that DPAs are extremely lazy. I’ve filed many Art.77 reports with strong irrefutable evidence and the cases just sit for years. I cannot see a DPA being motivated to work on a case that Reddit can easily defend. OP’s best move is to look at local anti-spam laws (I’m guessing it’s spam… I do not have access to the Cloudflared image the OP posted).

          • Aceticon@lemmy.world
            7 months ago

            An e-mail address is “user identifying information” per GDPR, so if the UK version does not differ from the EU version on this (and it would be pretty weird if it did), it applies.

    • ChrislyBear@lemmy.world (OP)
      7 months ago

      I did the whole “GDPR, delete my stuff dance”. They replied with “you have to delete your posts yourself”. I didn’t budge, gave them the required 30 day ultimatum, but they gave zero fucks.

      • Contend6248@feddit.de
        7 months ago

        I did the same, but I deleted my comments and posts, they brought all back, I guess they fuck around.

    • sunbeam60@lemmy.one
      7 months ago

      Ding ding ding we have a winner. Unless you’ve done an official “right of erasure” request they’re perfectly entitled to keep your data, account deletion and all.

      • coffeeClean@infosec.pub
        7 months ago

        I think the whole discussion is moot when the data is “anonymous”.

        But suppose they had the OP’s name on file linked to the acct thus making the GDPR applicable. There would still be a violation under GDPR Art.5 (minimization) and Art.25 (protection by design). But it is probably quite difficult to make a minimization case; lawyers have to work hard. Much stronger and effective to make an Art.17 claim, which indeed requires making the request.

        • Aceticon@lemmy.world
          7 months ago

          An e-mail is “user identifying information” per GDPR.

          So it’s not considered anonymous.

          • coffeeClean@infosec.pub
            7 months ago

            That phrase (“user identifying information”) does not appear in the GDPR text that I have. Do you have a page or section reference?

            According to the Commission, “an email address such as name.surname@company.com;” is an example of “personal data” [presumably from Art.4(1)]. But it’s interesting to note that that example obviously ties the address to an identifiable person. Is that the OP’s case? (I can’t see their Cloudflare-jailed screen shot)

            The EC also says “an email address such as info@company.com” is not an example of personal data.

            This should really be covered by an EDPB Guideline, but I’m not finding one.

            • Aceticon@lemmy.world
              7 months ago

              Yeah, you are correct and the wording is indeed “personal data”.

              I vaguely remember it was treated the same as a phone number.

              It’s been years since I had to look into the GDPR.

              • coffeeClean@infosec.pub
                7 months ago

                I’m trying to get to the bottom of this because a chunk of my data & activity is tied to nothing but my email address which always deliberately excludes personal identifiers and I do everything over Tor.

                GDPR recital 26 seems the most relevant. It’s complicated but note that the GDPR clearly does not apply to legal persons (aka moral persons aka companies). So a data controller must at a minimum have a way of knowing the account belongs to a natural person. Which IMO requires being linked to other data like IP address. Though even that is fuzzy because IP databases on whether an IP address is residential boil down to guesswork.

                Tempting to read wp136 which predates the GDPR but seems quite relevant. It’s possibly the most exact answer unless there is a closely related CJEU ruling.

      • INHALE_VEGETABLES@aussie.zone
        7 months ago

        Is a right of erasure possible at this stage?

        I assume they still store the context of a deleted post somewhere and that the AI would still access it.

        • FuryMaker@lemmy.world
          7 months ago

          With cloud or tape backups, it’s nearly impossible to fully delete all data.

          By design, you would want to protect it from accidental or intentional deletion.

          I don’t know how any company can fully comply with GDPR to be honest.

  • gmtom@lemmy.world
    7 months ago

    They sent one to my deleted account that was literally called GDPR_Violation lol