11

A city in Finland asked me to delete all data for everyone whose login uses a certain domain. The domain contains "edu" in it and "oppilas" (which translates to "student"), and my website doesn't have data that anyone is going to mind losing, so I have already deleted that data. However, I have some concerns about what to do in the future if the decision is less easy:

  • I'm a little worried that I shouldn't allow certain domains to be used as logins in the first place, especially ones that might be school related
  • I'd like to have some idea for future reference if there's any case where the GDPR would require me to comply with such a request
  • I want to figure out the right way to reply to emails like this one
  • Is deleting the data actually more of a legal liability than not deleting it in some cases? (People shouldn't be able to delete other people's accounts.)

I searched quite a bit but couldn't find anyone discussing the possibility of any of these things:

  • an organization asking for the deletion of personal data
  • requests to delete data for more than one person
  • the GDPR saying anything about school-related domain names

What makes this request seem wrong is probably pretty obvious, judging from the very straightforward wording of the GDPR:

  • an individual can ask for deletion of their own data, and a guardian acting on a specific child's behalf can ask for data deletion, but there is no mention of any other situation
  • you can (should?) ask for a reasonable amount of identification for the individuals, but in a case like this, it would require the city to identify all logins and prove that they are acting on behalf of all these people, which would itself seem like a breach of privacy (unless they have a specific list for the ones visiting my website)

This seems like a pretty blatant misuse of the GDPR even if it is well-intentioned, and I'm wondering if I should notify some authority about it. I wouldn't bother if it were a teacher or some other small group, but it's the government of a city with a population of tens of thousands of people, and it seems like they're just blasting this request out to every website that has been visited by their users, without even providing a way for anyone to verify that they are, in fact, government officials.

I should note that I'm a US citizen living in the US and I'm the sole proprietor of the website, and the website doesn't pertain to the EU specifically in any way, which, as far as I understand it, means the GDPR doesn't require me to do anything about deleting private data, even by their own standards. However, I'd still prefer to comply with it even if I don't really have to.

nvoigt
cesoid
  • On the last paragraph: my understanding of the GDPR is that if EU citizens use your website then the GDPR protections do apply to them, so if they request a deletion you are still required to do it. – quarague Jun 30 '23 at 07:30
  • How old are the students? Are they minors, in which case there will be stricter rules. – Stuart F Jun 30 '23 at 12:29
  • I am not a lawyer and not really qualified to give a full answer, but remember that destroying someone's data is itself considered a data breach, hence technically you just committed one, because a third-party entity required you to delete personal data without having any authority over it. If you were a company in the EU, you would be forced by law to report it to the relevant Data Protection Authority. – Andrea Lazzarotto Jun 30 '23 at 13:10
  • What is the relationship between the city and the school whose domain is involved? – Barmar Jun 30 '23 at 14:56
  • Strongly consider ignoring any such requests in the future: https://law.stackexchange.com/questions/81602/why-does-the-gdpr-matter-to-me-a-us-citizen-with-no-property-in-europe/81624#81624 – JonathanReez Jul 01 '23 at 04:41
  • Not sure if it will make any difference to the legal position, but: to the best of your understanding, did the relevant users register for your service individually, or did some agent of this city government register them en masse (perhaps without the individual users' knowledge or consent)? – Daniel Hatton Jul 03 '23 at 11:52

5 Answers

16

Can a city request deletion of all personal data that uses a certain domain for logins?

Well, they can, but they have no legal backing to make it happen. Their chances of succeeding are about as good as me requesting a Ferrari, a yacht and a mansion. I can make that request. People will laugh. I will not get it.

I'm a little worried that I shouldn't allow certain domains to be used as logins in the first place, especially ones that might be school related

You have no way to know who owns what email address. And it's none of your business. Your only interest should be in whether the address is owned by the person that is creating the account. You probably already do that by sending a confirmation link to the email address when people sign up.

I'd like to have some idea for future reference if there's any case where the GDPR would require me to comply with such a request

The only way you have to comply with such a request is if the owner can prove their identity. As far as I understood, the "Finnish city" was three degrees away from that. They could not provide any proof they are who they said they are, they could not provide a finite list of accounts they claimed to own and they could not even provide proof they own those accounts. They literally just wrote an email with zero legal meaning.

I want to figure out the right way to reply to emails like this one

The correct way to handle this is have a feature on your website where the account owner can delete their own account. GDPR compliant. Then you make a text template explaining how to use that feature and reply with that template to every request, no matter how stupid (like this case) they are.

If they cannot identify themselves to you by proving they have access to their "own" email, they have no business wasting your time. Legally, they could provide you with a different method of identification. In the case of a Finnish school, that would probably need to be power of attorney from all the children's legal guardians and a specific way to identify the accounts that is consistent with the data given (for example if they entered their full name and address on your website). You would probably be within your rights to demand a certified translation if it's all in Finnish. Apart from the fact that you as a private US citizen have no real means to check the validity of all that paperwork, personally, if I saw hundreds of pages of certified translated paperwork, I would probably just comply. Not sure if it were actually enough, but it certainly gets an A+ for effort to delete data from a private website. But a real lawyer might give better advice with a real case on their hands.

Is deleting the data actually more of a legal liability than not deleting it in some cases? (People shouldn't be able to delete other people's accounts.)

Indeed. You should not delete people's data because a random punk on the internet sent you an email. You need to identify who the request is from and if they are allowed to make such a request.

Whether you have a legal duty to actually keep data is up to you or your lawyer to find out. It depends on your data and laws. It is perfectly legal to make a website with a text field that deletes any data you enter after a second. Destruction of data you own is only a problem if you break other laws with it. For example the IRS might not be amused if you destroyed invoices and other proof of taxable income. "Some dude claimed I must in an email" is not going to fly with them.

That said, again, please, identify who you deal with, find out if their claim is valid. Don't do stuff because random internet punks write you an email. Because the next mail you get will be from a Nigerian Prince. Please wise up before opening that one. People on the internet, through stupidity or malice, might not have your best interests at heart. Don't believe random emails.

nvoigt
  • It is actually embarrassing how long it took me to consider that the sender might not be who they say, but generally it's easiest to check what data exists first because a lot of the data on my site is something like a login method or a tiny bit of content someone abandoned. Or, if someone is complaining about something, I'll discover that the thing violates a policy, so it doesn't really matter who emailed me. Anyway, I've told them that if they want me to do anything more they should at least point me to a contact on the city's website, which is enough verification for the current issue. – cesoid Jun 29 '23 at 20:12
  • In terms of a legal obligation to keep the data: I could delete the entire site and all its data whenever I want, but I feel like it's a different story if somebody else is asking me to delete something. Like, you can sell a stock for no reason without getting into trouble, but if somebody working for the company tells you to sell it for some reason that hasn't been disclosed to the public then you might be in trouble. This would obviously not be as risky but it illustrates the point. – cesoid Jun 29 '23 at 20:24
  • By the way, I keep seeing the spiel about "well you can do it, but it might not be legal" in the answers on law.stackexchange.com, and I always chuckle a little bit, but it's kind of like when you ask the teacher if you "can" go to the bathroom and they ask you if your bladder works. Seems like it would make sense to assume that "can" means "allowed to" (or "what are my legal obligations in the event of", etc.). Just a thought. – cesoid Jun 29 '23 at 20:32
  • @cesoid Lawyers, getting hung up on finicky semantics? Say it ain't so! – mbrig Jun 30 '23 at 03:46
  • @cesoid The point is, it is legal. No crime was committed by just sending you an email. They didn't do anything wrong. The same way that "hey, can you turn down that stereo a little, I would like to sleep" is a request with no legal backing. But it certainly isn't illegal to make it. You can make it. – nvoigt Jun 30 '23 at 04:49
  • "address is owned by the person that is creating the account." -- that only makes sense for vanity domains. Most domains are owned by organizations, not the users whose emails are in the domain. – Barmar Jun 30 '23 at 14:48
  • @cesoid What bugs me are the responses to "can I sue someone over ..." and they say "you can sue for anything, but you probably won't win". Duh, but what they obviously mean is "do I have a legitimate case, or would I be laughed out of court?". – Barmar Jun 30 '23 at 14:51
  • @Barmar I think it's reasonable to consider ownership of an address synonymous with controlling that address, distinct from owning the infrastructure of the mailbox it points to, or controlling the domain it is a part of. I've never heard anyone distinguish between "my e-mail address" and "the e-mail address owned by GMail that I have control of". In a pedantic legal sense, "ownership" is probably not the right term at all, regardless of the type of domain, because the address isn't generally treated as subject to property rights. – IMSoP Jul 01 '23 at 15:54
  • @IMSoP I misinterpreted it as "domain is owned by". The answer goes back and forth between talking about domains and addresses, so it's somewhat confusing. And the question is about a request to block all addresses in a domain. This would be like them asking to block all gmail.com accounts. – Barmar Jul 01 '23 at 19:20
  • @Barmar I see where you're coming from, but outside of quotes from the question, the answer never uses the word "domain"; it talks about "accounts" and "addresses", mostly in the plural. I don't see it as "going back and forth" at all, although perhaps it could more explicitly say what it's not talking about. – IMSoP Jul 01 '23 at 20:29
  • @IMSoP What's confusing is that the answer quotes a line about domains (e.g. "I shouldn't allow certain domains"), then replies about accounts or addresses ("You have no way to know who owns what email address."). What address are they talking about, the email that sent the request or the email that they're asking to be deleted? – Barmar Jul 01 '23 at 21:11
  • @Barmar Again, I can see how you might misunderstand it, and how it could be spelled out more clearly, but I don't see any actual ambiguity. – IMSoP Jul 01 '23 at 22:37
4

A school may be a legal guardian

At common law (so not necessarily Finnish law), a school stands in loco parentis, "in the place of the parent". That gives them the legal authority, in some circumstances, to act as a legal guardian of their students. Probably including deciding what is done with a school-issued email. I don't know of any case law on this point.

However, this just moves the goalposts because it is likely that staff emails are indistinguishable from student emails and the school’s authority to act as guardian only extends to the students, not the staff.

As others have said, the GDPR only requires you to honour data deletion requests in certain circumstances, including that you have identified that the person requesting the deletion is who they say they are and has the authority to make the request. While you have identified an issue with this specific request, it appears that you have not addressed this for any request - you need to fix that.

When you can delete data without such a request will depend on the terms of service you have with your customers. The GDPR requires that you only keep data as long as necessary so you should have a data retention policy and procedures to purge no longer needed data anyway.

The GDPR almost surely applies to you. It only doesn't if you are conducting a hobby (which doesn't seem to be the case), or your operations do not include Europe. "[T]he website doesn't pertain to the EU specifically in any way" is not enough; it needs to be specifically targeted at somewhere not in the EU. A worldwide operation is covered by the GDPR if part of it is available in the EU. For example, Amazon has an EU-based subsidiary, partly for tax reasons but also so Amazon US is not operating in the EU; Amazon Europe has to comply with the GDPR, while Amazon US does not keep PII of people in Europe nor sell into Europe, so it doesn't have to comply.

Dale M
  • Comments have been moved to chat; please do not continue the discussion here. – Dale M Jul 01 '23 at 22:20
2

Probably a complicated situation, which may also depend on where in Europe that school is.

First assumption, all the email accounts in question are actually administered by the school and belong to students. Assuming the city "owns" the domain, that's probably the case.

When a school or a teacher instructs a student to go to your site, they should probably have a data processing agreement with you before they do, which would spell out that the school does own the data (and that the school admin can order the deletion). Since you were surprised, I'll assume that no such agreement exists.

So now you are holding PII which is associated with a number of data subjects (the students) who used their school accounts to log in, but who may or may not have been using them for educational purposes only. If the data subjects are minors, you would have to deal with their legal representatives, which could (for these purposes) either be the parents or the school officials.

So you probably need a specialist lawyer to find out. (I also agree with nvoigt that you need to authenticate who asks what, but I'm less dismissive of the possibility that you do have to do as they ask. After you ascertain that the mail accounts are administered by the school, and what Finland has to say about students' rights to their own data.)

o.m.
  • In my mind it now breaks down like this: As far as the GDPR goes, they should be specifying which accounts they're referring to, but if they control the email addresses it's kind of a moot point. They can log in with those accounts and delete almost all the data that way if they can figure out which accounts were used. Which would probably take too long, but it means that I'm just wasting time making them jump through hoops by asking them to be specific, when really I should just ask them to prove that they own the domain. I'm really just annoyed because – cesoid Jun 29 '23 at 21:03
  • ...because basically they're probably sending an automated email to 50,000 websites and asking them to spend time deleting accounts when they don't even know if there is anything worth deleting. And in the process they are reinforcing bad practices by not providing any obvious means to verify who they are, and they're spreading disinformation about how the GDPR works. They're basically doing whatever they can to save themselves time without regard to how it affects other people. – cesoid Jun 29 '23 at 21:12
  • @cesoid why would it "take too long"? I'm not a great programmer and I could write a script to do it in about an hour. Whether that would work depends on the sophistication of your site's bot detection. – Dale M Jun 29 '23 at 21:25
  • @DaleM It's possible that you're just really creative but I think you're overlooking some details. It's not always easy to get a list of all accounts of any organization, especially if they might get deleted. The next issue is that many logins use Google sign-in, in which case the login will succeed regardless of whether it had ever been used, and there would be no indication that it didn't exist yet. I'm not sure where you would go from there, because there are a few options. Most sites don't have a simple way to delete your account, or a simple way to find and delete all content, so if... – cesoid Jun 29 '23 at 21:53
  • ...if you wanted to automate that you'd have to poke around the site trying to find them all. Deleting content often requires confirming the deletion in all sorts of ways that are annoying to try to script, but if you're used to making bots or automated testing that might be not that bad...but I doubt this part of the automation would take less than two hours by itself. Maybe I'm just misunderstanding. – cesoid Jun 29 '23 at 21:56
  • @DaleM, some sites use anti-bot countermeasures which are really annoying for automated testing, and probably this use case, too. – o.m. Jun 30 '23 at 04:05
  • "when really I should just ask them to prove that they own the domain" no. no, no, no. no! Domain ownership means nothing. It certainly does not give them any right to speak for their customers in legal questions. Do you think Google should have the power to delete your Amazon or Apple account, because you signed up with a gmail account there? Do you think Google should be able to file your taxes as they see fit? No. Anyone who wants to represent you in legal matters better have power of attorney. Either explicitly written down, or implicit as a legal guardian like a parent. – nvoigt Jun 30 '23 at 04:32
  • @nvoigt, depends how that domain is administered. For a .com, I would agree. For an .edu or .gov, things can look different. A school is not a normal company, or even a normal non-profit. There are special legal frameworks. – o.m. Jun 30 '23 at 04:46
  • Yes, but no. Owning an .edu domain gives you no special legal powers over things that aren't school matters. Do you think it would be legal if Harvard decided that the student Joe.Random0815@harvard.edu should have their Amazon account deleted and filed a request for that? Or cancelled their doctor's appointment under that email, because they saw it was at a time when they should be in class? – nvoigt Jun 30 '23 at 04:54
2

That could be a false flag - the writer may not even be from that city, and may have gotten everyone's data deleted as a prank. So this could be a social hack by malicious actors.

I would give the email writer the following instructions:

  1. Lock the account holder out of their email address.
  2. When that is done, let me know and I will send a message to each email address with an authorization code. (just basically rand().)
  3. Open those emails with your administrative powers, and send me back the authorization codes I emailed to those addresses.

If they quarrel with it, say "Sorry, due to GDPR I can't help you."

That would prove they own the email address. It's hardly a perfect solution; really, you should provide a "GDPR Delete" function for the end user... and make the city log into each student email, take control of the account using "Forgot Password" and then do the delete.

Harper - Reinstate Monica
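The challenge-code flow Harper describes above, and nvoigt's point that you must first establish who is asking and which accounts they actually control, can be expressed as a small piece of server-side logic. The following is an added example written for this page; it is not code from any of the answerers or from the asker's site. It assumes a 24-hour token lifetime, uses constructed sample addresses, and replaces the "send an email" step with an in-memory outbox so it runs offline. It also shows the rule both answers point at: a request naming a bare domain or a wildcard is never accepted as a deletion request, only a finite list of concrete addresses is, and each one is deleted only after the exact random token mailed to it is presented back.

```python
"""Challenge-based verification of account-deletion requests (added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 24 * 3600   # assumption: a challenge is valid for one day


def split_request(items):
    """Split a requester's list into concrete addresses and rejected entries.

    Only 'local@domain' entries are accepted. Bare domains, wildcards and
    anything else are rejected, so "delete everyone at <domain>" never
    reaches the deletion path as a single request.
    """
    accepted, rejected = [], []
    for item in items:
        item = item.strip().lower()
        local, sep, domain = item.partition("@")
        if sep and local and domain and "*" not in item and " " not in item:
            accepted.append(item)
        else:
            rejected.append(item)
    return accepted, rejected


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Challenge:
    token_hash: str    # SHA-256 of the token; the plaintext is only ever mailed out
    issued_at: float
    used: bool = False


class DeletionVerifier:
    def __init__(self, accounts, clock=time.time):
        self.accounts = {a.lower() for a in accounts}   # addresses with an account
        self.clock = clock                                # injectable for testing expiry
        self.pending = {}                                 # address -> Challenge
        self.verified = set()
        self.outbox = []                                  # (address, token) handed to the mailer

    def issue(self, addresses):
        """Mail one fresh random token to each listed address that has an account.

        Addresses with no account are skipped without telling the requester, so
        this step cannot be used to enumerate who is registered. Returns the
        number of tokens sent by this call.
        """
        sent = 0
        for addr in addresses:
            addr = addr.lower()
            if addr not in self.accounts:
                continue
            token = secrets.token_urlsafe(32)
            self.pending[addr] = Challenge(_digest(token), self.clock())
            self.outbox.append((addr, token))
            sent += 1
        return sent

    def verify(self, addr, token):
        """Accept a token only if it is the unexpired, unused one sent to addr."""
        addr = addr.lower()
        ch = self.pending.get(addr)
        if ch is None or ch.used:
            return False
        if self.clock() - ch.issued_at > TOKEN_TTL_SECONDS:
            del self.pending[addr]
            return False
        if not hmac.compare_digest(_digest(token), ch.token_hash):
            return False
        ch.used = True
        self.verified.add(addr)
        return True

    def delete_verified(self):
        """Delete only accounts whose challenge was answered; returns them sorted."""
        deleted = sorted(self.verified)
        for addr in deleted:
            self.accounts.discard(addr)
            self.pending.pop(addr, None)
        self.verified.clear()
        return deleted


if __name__ == "__main__":
    # Constructed sample data, not taken from the question.
    v = DeletionVerifier(["anna@oppilas.example", "ben@oppilas.example", "staff@city.example"])
    ok, bad = split_request(["*@oppilas.example", "oppilas.example", "anna@oppilas.example"])
    print("rejected:", bad)                     # domain-wide entries never reach issue()
    v.issue(ok)
    addr, token = v.outbox[-1]                  # what the requester must read from the mailbox
    print(v.verify(addr, "guess"), v.verify(addr, token), v.verify(addr, token))
    print(v.delete_verified())
```

Two design points: the server stores only a hash of each token, so a leaked database cannot be used to answer outstanding challenges, and `hmac.compare_digest` avoids leaking the token through comparison timing. Because the challenge step answers nothing about addresses that are not registered, a requester who does control the mailboxes learns only what they could already see by logging in, and one who does not control them gets nothing.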
-2

I should note that I'm a US citizen living in the US and I'm the sole proprietor of the website,

I am French living in France and if I had a case like yours coming from the US I would not even read it till the end(*). GDPR is a local rule invented by the locals for the locals.

GDPR can claim whatever it wants (including that it pertains to non-EU) but its jurisdiction ends at its borders.

Now: if you find yourself, someday, somehow, within this jurisdiction then you could be in trouble.

(*)I want to be able to travel to the US so in reality I would read that document till the end and see how the request impacts me (personally, workload, legally, ...)

WoJ
  • Your footnote undermines your entire line of reasoning: the reason laws like the GDPR can be applied internationally is precisely that there can be consequences for breaking foreign laws. In fact, when GDPR came into force, some US companies took the opposite extreme and simply blocked European users from accessing their websites, so scared were they that their data handling wasn't compliant. – IMSoP Jul 02 '23 at 14:02
  • @IMSoP: no it does not. If my company is not doing business over there then this law simply does not apply to me. Any country can request whatever they wish. My footnote added the specific case where my business would have a foothold and I would be worried that this foothold could be taken hostage. Countries routinely bully others that way, the US being the prime example (the EU is too weak to do that except in the most egregious cases such as with Apple or Microsoft). – WoJ Jul 02 '23 at 14:31