As someone who has first-hand experience of such matters (I was part of the EU taskforce working on the GDPR from 2012 to 2014), I often see many people who misunderstand some articles of the GDPR, most often article 17.
Another important thing to note is that many people think the GDPR only applies to EU citizens, or companies, or websites registered in the EU. It's actually much broader than that. As far as companies are concerned, as long as the service you offer is available in the EU, then you have to comply with the GDPR.
Simply put, the only way for a website to not have to comply with GDPR is to geoblock access from any EU and/or EEA (European Economic Area) member country.
Before I dive any deeper though, here's a link to the official text of law, directly from the website of the EU: GDPR
Now, one thing about GDPR is that wording is VERY important (as with most texts of law tbh).
Article 17 touches on "personal data" and personal data only. Not content, just personal data.
So what IS personal data? It's not a literal translation, as in, it's not data that belongs to you, or data that you make available on the web (i.e. content). Far from it.
It's any and all things that can be used in one way or another to identify you as a person with your real name.
Common examples often put forward would be your first name, surname, address, phone number...
Pertaining to online use, personal data is a little more detailed thanks to Recital 30 of the GDPR. That tells us that IP addresses, session cookies, RFID tags, are considered personal data.
So the bottom line is, as far as OCN is concerned, to be GDPR compliant, here's what they need to do if someone contacts them to invoke article 17:
- Delete everything in the "Account details" page of the user profile
- Erase the user's password from their databases, even if encrypted
- Reset the user's timezone to GMT
- Erase the user's signature
- Remove any link to outside accounts (Facebook and Google links)
- Remove everybody from "Following" and "Ignoring" in the user profile
- Remove join date
- Remove any media from the user profile that might include information that could be used to identify them
- Remove any metadata from all media from the user profile
Now the last 2 points are most often where problems arise.
When you signed up, you agreed to all the content you submit now being owned by OCN.
gonX is absolutely right. The ToS do state this. However it only covers content and not personal data. If the content you upload does contain personal data (even if you don't see it as such, or are not aware it is personal data at the time of upload) in any form, then when you invoke Article 17, VS has to delete said media from your profile.
As an example, here's a link to a screengrab I uploaded 5 years ago to OCN. As it contains my first name as well as the approximate date at which I purchased a specific product on a specific website the name of which can clearly be seen, any decent investigator could use it to try and track me by obtaining more info from said website. As such, it falls under the personal data category and would have to be removed by VS, even though I did upload it of my own free will back then, even though GDPR wasn't even a law back then.
The same thing goes for metadata of uploaded pics (which is why most websites implement a scrubber that removes all metadata as part of the upload process).
So I know this is a huge wall of text, but I hope it at least helped clear things up.