An Eve Online corporation has been hit with a GDPR request from an ex-member
As much as I like the idea of "right to be forgotten", it seems to me that an unintended consequence is that non-technical people hosting forums/blogs etc. will be at risk of GDPR requests that they cannot comply with due to lack of technical skills. This will have a silencing effect for people wanting to operate non-profit sites as they won't be able to afford to comply with such requests. They will be forced to either shut down, or be in breach of law.
Perhaps some people will say "good, if you cannot run a site conforming to all laws of the land then you should shut down". If you think that, consider this: as these laws pile up it will get more and more difficult to operate, leaving only the very tech/law savvy, and big business.
This is not the democratization of information that the web promised oh so many years ago.
On a semi-related note: if you are a small SaaS operator wanting to comply with such requests, what are you meant to do about your DB backups that contain data that is meant to be forgotten?
[edits: punctuation/grammar]
I don’t understand where the difficulty is in answering this request. If the person doesn’t have a user account anymore on the site there shouldn’t be much data of him/her left anyway. If there is data left just collect it, send it to the person and delete it afterwards (surely there’s a way to search posts by author in their forum software). I can understand that such requests are difficult to answer for companies that run many different IT services, but this case seems pretty trivial to me.
The subtitle is "[d]isgruntled ex-guildie effectively invents new way to grief in EVE" but it sounds like the request in question was sent to a website outside of EVE. This could happen with other games or, you know, websites unrelated to games at all...
Why don't they want to answer the request? It would still be a nice thing to do even if not required by law.
I wonder if there's business in GDPR trolling websites. Does it count as extortion if you give someone personal data and then say they must delete it or pay you money to not kick up a fuss?
Honestly, it sounds like it should be legal. Like the way ADA or CEQA trolling is. After all, that provides a valuable function.
Guys, think about the ranking lists... You want your data deleted and you kind of also have to delete all data related to that account, like everything. I can imagine already some people hacking top 100 ranking list accounts and deleting them to remove them from the ranking to get elevated themselves.
What's interesting, and pointed out by a Reddit comment: https://www.reddit.com/r/legaladvice/comments/acsdf3/comment...
There's no way to identify that the person making the request is who he/she says he/she is. The irony is that for services like Facebook, Facebook could ask for a scan of your ID/passport to confirm it's you (and would it also have to keep that scan saved somewhere in case it later needs to prove that it "authenticated" the GDPR request correctly?).
But in this case, how to determine it's really the user? Should "Bob" identify himself by disclosing his password, and have the admin test if the login works?!
How would this work if the data was stored on an immutable blockchain?
So the GDPR is only about personal data? What are my responsibilities if I run a chan, i.e., I store no personal data about my posts other than the IP address where they originated? What if I use some tracking technology such as a cookie or localStorage to identify unique browsers regardless of their IP address?
> the corp in question was blindsided by the request just as many real-life businesses were when the law came into effect last year
“blindsided” bullcrap again