> I suspect Hacker News would simply delete the user's information from the site and explain that they control no data on the subject.
No, that would be illegal. Hacker news can set itself up so that it doesn't keep user data longer than 30 days, and then it can just always say it has no data, but, excluding that, you can't respond to an export request by deleting the user's data and then telling them have no data - that violates the user's right to see what data you have on them.
I don't think there's a requirement that HN has to keep delete personal data that they don't need, and FYI the Hacker News privacy policy they publish[1] argue they don't have to do it if they don't want to:
You agree that any termination of your access to the Site under any provision of this Terms of Use may be effected without prior notice, and acknowledge and agree that Y Combinator may (but has obligation to) immediately deactivate or delete your account and all related information and files in your account and/or bar any further access to such files or the Site.
so we're really out on a limb here anyway. But let's assume that HN is GDPR compliant, and say that they delete all personal data after 10 years and on request, etc... Are they then required to keep that data for ten years?
My guess is not. The ICO suggests[2] repeatedly that you not keep data any longer than is necessary, and that you repeatedly review whether it is necessary.
The ICO also says[3]:
However, in many cases, routine use of the data may result in it being amended or even deleted while you are dealing with the request. So it would be reasonable for you to supply information you hold when you send out a response, even if this is different to that held when you received the request
which makes it sound like it's acceptable, except:
it is not acceptable to amend or delete the data if you would not otherwise have done so.
which then suggests that HN only needs to have policy that they delete personal data whenever if it is identified for export. If I were HN, and I actually wanted to do this (however), I would probably call the ICO to confirm.
The text calls out "routine use" - this clause is to permit, e.g. the last access date on the account to be the date of access to the GDPR export request portal (deleting the prior value).
The point of GDPR is to force companies to explain the data they retain and show it to users on request. Setting up a scheme where data is retained but is never available to users for export is a great example of acting in "bad faith" that is likely to increase the possibility that a judge will make an example out of you.
No, that would be illegal. Hacker news can set itself up so that it doesn't keep user data longer than 30 days, and then it can just always say it has no data, but, excluding that, you can't respond to an export request by deleting the user's data and then telling them have no data - that violates the user's right to see what data you have on them.