Hacker News

The GDPR's super complicated, but I'm pretty sure its Right of Erasure, and specifically Article 7(3), which gives data subjects the right to withdraw consent at any time and the clause “it shall be as easy to withdraw consent as to give it” trumps any ridiculous "irrevocable" license to distribute your content in any form forever.

Also importantly, the GDPR requires that a controller not make a service conditional upon consent. Hacker News is likely not in compliance unless they make such data processing optional and require anyone interested to explicitly opt in.

But, then again, I'm not a lawyer, and even if I were, actual lawyers don't seem to know what the hell the GDPR actually requires either.




its Right of Erasure, and specifically Article 7(3), which gives data subjects the right to withdraw consent at any time and the clause “it shall be as easy to withdraw consent as to give it” trumps any ridiculous "irrevocable" license to distribute your content

Correct. You can certainly attempt to assert your right of erasure with YC to erase your PII from their data (i.e. Hacker News).

But..! Because we give YC the right to distribute our content freely, we simultaneously realize that there may be many duplications and reproductions of this data. The consequence of this is that you must contact any/every user of that data yourself on a one-by-one basis to assert your right of erasure - there is no legal obligation for HN to track everyone who might have downloaded a legal archive of their data.


IAANAL, and I don't mean to single you out here, but this seemingly rational argument strikes me as subtle FUD. It's the type of argument that someone with a vested interest in collecting user data for profit might put forth in the hopes of polarizing the tech community and painting GDPR as out of touch with technical common sense.

Again, I'm not accusing you of anything here, I'm just pointing out who benefits from framing the conversation this way. So far there is a lot of precedent for small operators shutting down their sites out of fear of GDPR, but there is actually no precedent for regulators having actually gone after small operators for anything resembling reasonable practices. The day may come where EU regulators try to crack down on forums who are unwilling or unable to redact users' messages post-facto, but we're nowhere close to that today and I don't see strong reason to believe that's where we're headed either.


What about this is out of touch with technical common sense? If you export all your user data and syndicate it, why would it be so unreasonable to have a system in place to be able to syndicate requests to delete data as well?

All of us here are users of this forum, so this concerns the legal rights to our personal information. It’s not FUD for us to discuss how those rights are affected by things like this.


Let's leave syndication aside for a moment; I don't think it's unreasonable for a forum to have terms of use that you are participating in a public forum that needs to maintain integrity. If people just go deleting their posts then it screws up the public discourse. I've actually had the experience of building and running a forum that allowed deleting your content in this way, and we had to remove the capability as trolls used it in a specifically destructive capacity.

Now this position is certainly debatable, but I think it's at least a reasonable argument that you could take to regulators. Contrast that with the bullshit that Facebook, Google and a zillion ad-tech companies are doing with our data every day. You're free to object to the syndication of HN data, but personally I feel that is a distraction from the issues GDPR is meant to address, and I am hoping regulators feel the same way.


That honestly scares me, though. A law that everybody is violating but that is only rarely enforced is a law that will be used to go after whoever the government doesn't like. Imagine a European hate speech forum that gets a lot of press sometime. The government will just step in and say "oops, looks like you're not in GDPR compliance!" and sue them into nonexistence.



