this post was submitted on 16 Jun 2023

83 points (98.8% liked)

Reddit Migration

293 readers

1 users here now

### About Community Tracking and helping #redditmigration to Kbin and the Fediverse. Say hello to the decentralized and open future. To see latest reeddit blackout info, see here: https://reddark.untone.uk/

founded 2 years ago

Flood Reddit with GDPR / CCPA delete requests (kbin.social)

submitted 2 years ago by [email protected] to c/[email protected]

17 comments fedilink hide all child comments

Reddit can restore your deleted posts. However, if people flood them with GDPR / CCPA delete requests, they may become liable for lawsuits if they don't comply.

It sounds like their current policy is to not delete your posts even when deleting your account, but there may be grounds for legal action here.

all 20 comments

sorted by: hot top controversial new old

[–] [email protected] 4 points 2 years ago (2 children)

Strongly suggest overriding all comments and posts (using something like PowerDeleteSuite) before submitting a GDPR request though. Replace it with “use kbin/lemmy” or similar.

Not sure whether it will work out but I am planning to do that before API is gone (assume ~28th of June or something).

[–] [email protected] 3 points 2 years ago

I did this and my comments are back.

[–] [email protected] 2 points 2 years ago

They'd probably recover the original content, even though it is illegal for them to do so.
Don't worry, their IPO will surely be a success after part of the community leaves + possible GDPR fines.

[–] [email protected] 4 points 2 years ago (3 children)

If you can prove that the data you're asking to have deleted is or contains PII, I'm sure they'll comply to the letter of the law. Outside of that, all content submitted to Reddit belongs to Reddit, Conde Nast, Advance Media, and all subsidiaries.

[–] [email protected] 6 points 2 years ago (1 children)

Surely this is wrong? If the content I posted is not deleted and it still shows as being made from my account, it traces back to me, so it should be deleted if I requested so. In addition to this, would you apply the same logic to private messages? With or without your name or username, if you send a message to someone and cancel or delete it, no one should be able to recover it unless you consent to it.

Let's go more in depth now. According to the UK's Data Protection Act 2018 (GDPR) and EU's Regulation (EU) 2016/679 (General Data Protection Regulation):

Examples of Personal Data (excluding the most obvious ones): (here and here)

race

ethnic background

political opinions

religious beliefs

trade union membership

genetics

biometrics (where used for identification)

health

sex life or orientation

Processing Meaning: (here)

Processing covers a wide range of operations performed on personal data, including by manual or automated means. It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

Examples of processing include:

posting/putting a photo of a person on a website;

With this in mind, you can no longer only be identified by your username (in case it says "Deleted"), you could potentially be identified by your post's content (and post history). If consent is withdrawn and you wish that the company stops processing your data, the company must comply (here).

With the heat Reddit is taking, and probably the wave of complaints that's about to happen, I'm eager to see what's going to be the regulator's response.

[+] Steeve 2 points 2 years ago* (last edited 1 year ago) (1 children)

[deleted]

[–] [email protected] 1 points 2 years ago (1 children)

I’m sorry but that’s not what the User’s agreement and Privacy Policy says. It’s pretty obvious who’s the content’s owner and what rights we have over it. The only way reddit can keep that content is by making a derivate of the content, like stated above. As I can see some of my original posts being recovered after deletion, these are obviously not derivative of anything, they’re the original content.

As of right now, I haven’t deleted my account, so this includes my username. That’s definitely personal data, and as such, they’re not allowed to recover the post without my consent. Maybe the solution to the problem at the moment is to keep an account in order to have more control over our content and make sure stays deleted. In case they change their UA or PP regarding this matter, then we should request the account’s deletion.

[+] Steeve 2 points 2 years ago* (last edited 1 year ago) (1 children)

[deleted]

[–] [email protected] 0 points 2 years ago (1 children)

Personal data only matters from a GDPR point of view. Regarding Reddit's UA and PP, that doesn't have any relevance. They also specifically cover our current problem as an example:

Please note, however, that the posts, comments, and messages you submitted prior to deleting your account will still be visible to others unless you first delete the specific content.

Which is exactly what I (and many other people) did, and yet they've restored our content without our permission. And once again, at least in my case, I only deleted my posts and not my account as of right now. This means every single one of my restored posts has my handle on it, which is personal data.

An individual’s social media ‘handle’ or username, which may seem anonymous or nonsensical, is still sufficient to identify them as it uniquely identifies that individual. The username is personal data if it distinguishes one individual from another regardless of whether it is possible to link the ‘online’ identity with a ‘real world’ named individual.

It really doesn't get any easier to understand, but please make sure to keep glazing spez.
I'm sure he appreciates any support he can get right now.

[+] Steeve 1 points 2 years ago* (last edited 1 year ago) (2 children)

[deleted]

[–] [email protected] 1 points 2 years ago

Right, but let's suppose the following:

I run some software to remove all my posts and comments (like PowerDeleteSuite), then go to some of these posts/comments and screenshot them, gathering proof the posts were in fact deleted. After a few days, if I go to these same posts/comments and screenshot them proving they were in fact restored by Reddit without my consent, wouldn't this be a ToS/PP infringement by their part, thus opening the door for some legal action?

Note that I'm not talking about GDPR since it only covers EU citizens and only applies when PII is involved (thanks for clarifying btw)

[–] [email protected] 0 points 2 years ago (1 children)

Surely you have loads of experience, yet you lack reading capabilities. I suggest you re-read the information above and draw your own conclusions. I won't be discussing this any longer, as you must be clearly trolling or lacking in the reading department.

[+] Steeve 1 points 2 years ago* (last edited 1 year ago) (1 children)

[deleted]

[–] [email protected] 0 points 2 years ago* (last edited 2 years ago) (2 children)

I was answering a comment regarding Reddit's ownership of our content and if we're allowed to delete it or not.
From OP:

Reddit can restore your deleted posts.
It sounds like their current policy is to not delete your posts even when deleting your account, but there may be grounds for legal action here.

I'm sure my comments are still well within topic here?
Lil bro tried to read a second time and still failed, please don't try again. 😭😭😭😭

[–] [email protected] 1 points 2 years ago* (last edited 2 years ago)

GDPR applies to all data that can be used to identify a living person (you). The Terms of Service are your contract with reddit, and intellectual property right in portions of your comments that are not personal data would apply to that. The privacy policy applies to everything, because it is the company's notice about what they do and don't do, and they must stick by that, or else they violate the FTC's rules on consumer fairness (among other things). Most companies would simply allow users control over their comments to ensure GDPR compliance, although technically reddit is not required by GDPR to delete or afford any rights related to personal data... UNLESS, they have specified so in their privacy notice and/or terms of service. There, that's my second comment ever in kbin. I'm personally very sick with Reddit's conduct. It's definitely enshitification. Either way, EU data protection authorities would take a very dim view of the willy-nillly way in which Reddit reinstated supposedly deleted comments even without considering the specific content. I suspect the FTC would not be real keen on it either.

[–] [email protected] 4 points 2 years ago

I believe it's less straightforward than that. Under GDPR, consent can be withdrawn, you can't give an irrevokable consent.

See https://kbin.social/m/RedditMigration/t/34112/Updated-Reddit-is-quietly-restoring-deleted-AND-overwritten-posts-and#entry-comment-161522 and https://kbin.social/m/RedditMigration/t/34112/Updated-Reddit-is-quietly-restoring-deleted-AND-overwritten-posts-and#entry-comment-149886

[–] [email protected] 1 points 2 years ago

It doesnt' belong to Reddit. You give them a license (transferrable and non-revocable) to use the content. But in the EU that is superceded by the GDPR.

[–] [email protected] 3 points 2 years ago (1 children)

Any hope for Canadians? Not sure if using GDPR or CCPA would work in that case.

[–] [email protected] 9 points 2 years ago

Reddit's Privacy Policy and User Agreement apply to you either way, so I'd assume you'd be able to make a request based on that. Due to the EU's GDPR regulations, most companies make their policies GDPR-compliant, meaning fewer variations, less work, and better consumer protections.