A city in Finland asked me to delete all data for everyone whose login uses a certain domain. The domain contains "edu" and "oppilas" (which translates to "student"), and my website doesn't have data that anyone is going to mind losing, so I have already deleted that data. However, I have some concerns about what to do in the future if the decision is less easy:

  • I'm a little worried that I shouldn't allow certain domains to be used as logins in the first place, especially ones that might be school related
  • I'd like to have some idea for future reference if there's any case where the GDPR would require me to comply with such a request
  • I want to figure out the right way to reply to emails like this one
  • Is deleting the data actually more of a legal liability than not deleting it in some cases? (People shouldn't be able to delete other people's accounts.)

I searched quite a bit but couldn't find anyone discussing the possibility of any of these things:

  • an organization asking for the deletion of personal data
  • requests to delete data for more than one person
  • the GDPR saying anything about school-related domain names

What makes this request seem wrong is probably pretty obvious, judging from the very straightforward wording of the GDPR:

  • an individual can ask for deletion of their own data, and a guardian acting on a specific child's behalf can ask for data deletion, but there is no mention of any other situation
  • you can (should?) ask for a reasonable amount of identification for the individuals, but in a case like this, it would require the city to identify all logins and prove that they are acting on behalf of all these people, which would itself seem like a breach of privacy (unless they have a specific list for the ones visiting my website)

This seems like a pretty blatant misuse of the GDPR even if it is well-intentioned, and I'm wondering if I should notify some authority about it. I wouldn't bother if it were a teacher or some other small group, but it's the government of a city with a population of tens of thousands of people, and it seems like they're just blasting this request out to every website that has been visited by their users, without even providing a way for anyone to verify that they are, in fact, government officials.

I should note that I'm a US citizen living in the US and I'm the sole proprietor of the website, and the website doesn't pertain to the EU specifically in any way, which, as far as I understand it, means the GDPR doesn't require me to do anything about deleting private data, even by their own standards. However, I'd still prefer to comply with it even if I don't really have to.

nvoigt
cesoid

5 Answers

Can a city request deletion of all personal data that uses a certain domain for logins?

Well, they can, but they have no legal backing to make it happen. Their chances of succeeding are about as good as me requesting a Ferrari, a Yacht and a Mansion. I can make that request. People will laugh. I will not get it.

I'm a little worried that I shouldn't allow certain domains to be used as logins in the first place, especially ones that might be school related

You have no way to know who owns what email address. And it's none of your business. Your only interest should be in whether the address is owned by the person that is creating the account. You probably already do that by sending a confirmation link to the email address when people sign up.

I'd like to have some idea for future reference if there's any case where the GDPR would require me to comply with such a request

The only way you have to comply with such a request is if the owner can prove their identity. As far as I understood, the "Finnish city" was three degrees away from that. They could not provide any proof they are who they said they are, they could not provide a finite list of accounts they claimed to own and they could not even provide proof they own those accounts. They literally just wrote an email with zero legal meaning.

I want to figure out the right way to reply to emails like this one

The correct way to handle this is have a feature on your website where the account owner can delete their own account. GDPR compliant. Then you make a text template explaining how to use that feature and reply with that template to every request, no matter how stupid (like this case) they are.

If they cannot identify themselves to you by proving they have access to their "own" email, they have no business wasting your time. Legally, they could provide you with a different method of identification. In case of a Finnish school, that would probably need to be power of attorney from all children's legal guardians and a specific way to identify the accounts that is consistent with the data given (for example if they entered their full name and address on your website). You would probably be within your rights to demand a certified translation if it's all in Finnish. Apart from the fact that you as a private US citizen have no real means to check the validity of all that paperwork, personally, if I saw hundreds of pages of certified translated paperwork, I would probably just comply. Not sure if it were actually enough, but it certainly gets an A+ for effort to delete data from a private website. But a real lawyer might give better advice with a real case on their hands.

Is deleting the data actually more of a legal liability than not deleting it in some cases? (People shouldn't be able to delete other people's accounts.)

Indeed. You should not delete people's data because a random punk on the internet sent you an email. You need to identify who the request is from and if they are allowed to make such a request.

Whether you have a legal duty to actually keep data is up to you or your lawyer to find out. It depends on your data and laws. It is perfectly legal to make a website with a text field that deletes any data you enter after a second. Destruction of data you own is only a problem if you break other laws with it. For example, the IRS might not be amused if you destroyed invoices and other proof of taxable income. "Some dude claimed I must in an email" is not going to fly with them.

That said, again, please, identify who you deal with, find out if their claim is valid. Don't do stuff because random internet punks write you an email. Because the next mail you get will be from a Nigerian Prince. Please wisen up before opening that one. People on the internet, through stupidity or malice, might not have your best interests at heart. Don't believe random emails.

nvoigt

A school may be a legal guardian

At common law (so not necessarily Finnish law), a school stands in loco parentis - "in the place of the parent". That gives them the legal authority, in some circumstances, to act as a legal guardian of their students. Probably including deciding what is done with a school-issued email. I don't know of any case law on this point.

However, this just moves the goalposts because it is likely that staff emails are indistinguishable from student emails and the school’s authority to act as guardian only extends to the students, not the staff.

As others have said, the GDPR only requires you to honour data deletion requests in certain circumstances, including that you have identified that the person requesting the deletion is who they say they are and has the authority to make the request. While you have identified an issue with this specific request, it appears that you have not addressed this for any request - you need to fix that.

When you can delete data without such a request will depend on the terms of service you have with your customers. The GDPR requires that you only keep data as long as necessary so you should have a data retention policy and procedures to purge no longer needed data anyway.

The GDPR almost surely applies to you. It only doesn't if you are conducting a hobby (which doesn't seem to be the case), or your operations do not include Europe. "[T]he website doesn't pertain to the EU specifically in any way" is not enough - it needs to be specifically targeted at somewhere not in the EU. A worldwide operation is covered by the GDPR if part of it is available in the EU. For example, Amazon has an EU-based subsidiary, partly for tax reasons but also so Amazon US is not operating in the EU; Amazon Europe has to comply with the GDPR, Amazon US does not keep PII of people in Europe nor sell into Europe so it doesn't have to comply.

Dale M

That could be a false flag - the writer may not even be from that city, and may have gotten everyone's data deleted as a prank. So this could be a social hack by malicious actors.

I would give the email writer the following instructions:

  1. Lock the account holder out of their email address.
  2. When that is done, let me know and I will send a message to each email address with an authorization code (basically just rand()).
  3. Open those emails with your administrative powers, and send me back the authorization codes I emailed to those addresses.

If they quarrel with it, say "Sorry, due to GDPR I can't help you."

That would prove they own the email address. It's hardly a perfect solution - really, you should provide a "GDPR Delete" function for the end user... and make the city log into each student email, take control of the account using "Forgot Password" and then do the delete.

Harper - Reinstate Monica

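The per-address authorization-code check described in the answer above, combined with the owner-verified deletion that nvoigt's answer recommends, as an added example that is not code from any of the answers. It assumes a hypothetical in-memory account store and an injectable clock; in a real deployment each code is mailed to the account's own address and never handed to the requester.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 24 * 3600  # challenge codes expire after a day (assumption)


class DeletionRequestVerifier:
    """Per-account deletion challenges: a random code goes to the account's own
    mailbox; only its hash is stored, it is single-use, and it expires."""

    def __init__(self, accounts, clock=time.time):
        # `accounts` stands in for the site's user store (hypothetical).
        self.accounts = {a.lower() for a in accounts}
        self._pending = {}   # email -> (sha256(code), expiry timestamp)
        self._clock = clock
        self.deleted = set()

    def issue_challenges(self, requested_emails):
        """Return {email: code} for every requested address that is an account.
        A bulk request for a whole domain still yields one code per mailbox."""
        issued = {}
        for raw in requested_emails:
            email = raw.strip().lower()
            if email not in self.accounts:
                continue  # skip silently: do not reveal which addresses exist
            code = secrets.token_urlsafe(24)
            digest = hashlib.sha256(code.encode()).digest()
            self._pending[email] = (digest, self._clock() + CODE_TTL_SECONDS)
            issued[email] = code
        return issued

    def confirm_deletion(self, email, code):
        """Delete the account iff `code` is the unexpired code issued for `email`."""
        email = email.strip().lower()
        entry = self._pending.get(email)
        if entry is None:
            return False
        digest, expiry = entry
        if self._clock() > expiry:
            del self._pending[email]
            return False
        presented = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(digest, presented):
            return False  # wrong code: the challenge stays until it expires
        del self._pending[email]  # single use
        self.accounts.discard(email)
        self.deleted.add(email)
        return True
```
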
Probably a complicated situation, which may also depend on where in Europe that school is.

First assumption, all the email accounts in question are actually administered by the school and belong to students. Assuming the city "owns" the domain, that's probably the case.

When a school or a teacher instructs a student to go to your site, they should probably have a data processing agreement with you before they do, which would spell out that the school does own the data (and that the school admin can order the deletion). Since you were surprised, I'll assume that no such agreement exists.

So now you are holding PII which is associated with a number of data subjects (the students) who used their school accounts to log in, but who may or may not have been using them for educational purposes only. If the data subjects are minors, you would have to deal with their legal representatives, which could (for these purposes) either be the parents or the school officials.

So you probably need a specialist lawyer to find out. (I also agree with nvoigt that you need to authenticate who asks what, but I'm less dismissive of the possibility that you do have to do as they ask. After you ascertain that the mail accounts are administered by the school, and what Finland has to say about students' rights to their own data.)

o.m.

I should note that I'm a US citizen living in the US and I'm the sole proprietor of the website,

I am French living in France and if I had a case like yours coming from the US I would not even read it till the end (*). GDPR is a local rule invented by the locals for the locals.

GDPR can claim whatever it wants (including that it pertains to non-EU) but its jurisdiction ends at its borders.

Now: if you find yourself, someday, somehow, within this jurisdiction then you could be in trouble.

(*) I want to be able to travel to the US so in reality I would read that document till the end and see how the request impacts me (personally, workload, legally, ...)

WoJ