reddit is telling it's future investors with recent news and more info on their IPO, that they're currently selling and looking to sell their user's data to companies wanting to train their LLMs, including Google....
As long as the link between data and user is severed, they are compliant with GDPR. […] As long as it’s not personally identifiable, it’s OK.
Wrong.
In the US, data protection refers to “personally identifiable” data, so severing the link is enough. Under the GDPR, all “personal” data is protected, doesn’t matter if it has a link or not to identify the person.
The test under the GDPR, will be whether a comment has any personal data in it. If it’s a generic “LMAO”, then leaving it anonymous might be enough; if it is a “look at me [photo attached]” or an “AITA [personal story]”, then the person can ask for it to be removed, not just anonymized.
places an undue burden onto the user to determine and explain why data might be personal
The other way around: all data originating from a person, is by default “personal data”, and the burden of explaining which one is not, lies with whoever is keeping it.
you can’t look at any messages in any rooms you’ve been kicked out of
If they’re keeping them, then you can request a GDPR export of ALL your data. Doesn’t matter whether some interface or application allows you access to the data or not, or even if you’ve been banned from the whole platform; as long as they keep the data, they have an obligation to honor your rights of:
Access
Correction/Modification
Removal
Even during obligatory data retention periods, when they can’t remove the data and only make it inaccessible, you still have the right to get a copy of your own personal data.
I’ve had to deal with this on the data collection end, and it’s a PITA to build in the mechanisms to fully follow the law. If you’re an EU resident, and especially if the server is in the EU or has to follow EU agreements, then they’d risk some quite high penalties if they didn’t follow it.
Wrong.
In the US, data protection refers to “personally identifiable” data, so severing the link is enough. Under the GDPR, all “personal” data is protected, doesn’t matter if it has a link or not to identify the person.
The test under the GDPR, will be whether a comment has any personal data in it. If it’s a generic “LMAO”, then leaving it anonymous might be enough; if it is a “look at me [photo attached]” or an “AITA [personal story]”, then the person can ask for it to be removed, not just anonymized.
deleted by creator
The other way around: all data originating from a person, is by default “personal data”, and the burden of explaining which one is not, lies with whoever is keeping it.
If they’re keeping them, then you can request a GDPR export of ALL your data. Doesn’t matter whether some interface or application allows you access to the data or not, or even if you’ve been banned from the whole platform; as long as they keep the data, they have an obligation to honor your rights of:
Even during obligatory data retention periods, when they can’t remove the data and only make it inaccessible, you still have the right to get a copy of your own personal data.
deleted by creator
I’ve had to deal with this on the data collection end, and it’s a PITA to build in the mechanisms to fully follow the law. If you’re an EU resident, and especially if the server is in the EU or has to follow EU agreements, then they’d risk some quite high penalties if they didn’t follow it.