[solved] Does the GDPR apply to a forum?

[DeathtoGnomes]

I hate to admit it but this is a great quote. Where did you find it ?

Freedom isn't free. My right to privacy supersedes your right to expose my private information while I maintain my status as a private citizen. And for sure, you should not be able to profit from my personal information I did not give you permission to have or use.

-----------

Did you know that even a username is considered to be personal data under the GDPR? An IP address, too. This wasn't the case before.

Sure, storing a minimum amount of data will help to shield against liability and the due diligence, but the risk is still there and the other things I've mentioned are still an issue. As I said, I'll look at this again when the new system has settled down.

Oh and why do you think my real name isn't qubit?! I'm a quantum animal.

From my understanding they decided to protect IP and usernames to keep them from being associated with each other, so the witch hunts could stop.

 

[Vayra86]

@Vayra86 Sure, GDPR is great if you're the user who's organisation has data on you, but not so when you're a small operator. Of course it's not rocket science, but the fact that a user can demand all data held on them and in particular this right to be forgotten are problematic. Imagine a user with 5000 posts who's been banned or had some other infraction imposed on them demanding that all their posts be deleted. They now have that right and could compel the forum in law, which would put big holes in the forum threads. It could well happen to TPU at some point, so what do they do then?

Thanks @FordGT90Concept, I hope this becomes more practical at some point for me without worrying about liability too much.

What I'll do is let the situation stabilize and then take stock, whenever that will be. It could well be that there will be services that are willing to take on this responsibility and liability for a monthly fee and it's likely that forum software itself will be hardened and tuned to be GDPR compliant. All this put together might mitigate the risk and liability sufficiently that I'll be satisfied with the level it's at and would consider doing this again. I reckon it's gonna be longer than shorter though before this happens, if it does.

@Bill_Bright Sure, it's great for protecting us against the likes of Facebook and Cambridge Analytica and it's those kinds of abuses which have rightly helped shaped this regulation. It's just unfortunate that it places a big burden of liability on someone wanting to start up a small hobby forum such as me, as I've explained above. Can't be helped, I guess.

What they do is put a similar thing to 'low quality post' in place that becomes a placeholder with a message on it that says 'Comment removed under GDPR' or something along those lines. Done. So there are holes in threads? Who cares? This person wanted to be forgotten. How does that damage the rest of the world or the forum and its readers? If that person was a valuable asset to the community, he is not forgotten anyway, only in a digital sense. The only bit that is annoying is that you need to actually build and implement such a feature, along with an easy way to effectively remove a user entirely from your database. Which is why its much easier for a startup to implement this from the start than it is for existing databases.

The biggest issue with GDPR and business is not the fact that it needs to be implemented (in a good way), it is the good old data hunger that companies have that they can no longer satisfy. And I think that also affects people like you, who start to realize what a tremendous amount of value is represented in all that data of all those users. Its no longer a free for all with anyone's data now. That takes some getting used to. And that is a very healthy learning process in my view. Not just for companies but for the users.

 

[FordGT90Concept]

Entities can't collect what they aren't given. What GDPR does that's frankly weird is mandate that websites allow the complete deletion of a user. In other words, a retraction of everything the user did and said online. What if that data is criminal in nature? GDPR compels a website to destroy evidence which is, in turn, a criminal act.

There's also the issue of websites that share data with third parties be it advertisers, payment processors, or research firms. GDPR can't possibly be expected to reach every single party the data was shared with, especially when the data is anonymized.

GDPR strikes me as a "feel good" policy that punishes the lawful (through regulation and litigation) and has no impact on the lawless (would require search warrants on servers to prove any wrong doing which isn't going to happen).

EU seems to forget that maintaining data has financial costs: websites that have no vested interest in keeping the data will delete it simply to reduce costs regardless of GDPR.


For those saying GDPR is fantastic, enjoy your $322 billion tax.

 

[btabke]

> What GDPR does that's frankly weird is mandate
> that websites allow the complete deletion of a user.

Yes, it is a mess.

a) If you delete a user name (with out blocking reuse) a username can be recycled and thus someone can imposter someone else (already happened on another forum yesterday)
b) Almost all modern software allows people to quote one another - there is no way to delete that sub-quoting really
c) Most forums are strictly anonymous. Anon signup - general anon email (gmail/hotmal/yahoo ...etal)
d) Most forums are spidered and cached by third parties including public caching systems, search engines, and even foreign governments.
e) Most of us in the US are required by law to retain data that may be used in legal actions. (say someone slanders someone else in a forum and then asks to have their data deleted - that could be illegal in the US to delete)
f) IP addresses are not Personally identifiable. Tor networks... vpns... private vpns... proxy caches. etal - all mean that you don't know who is a user and who is not. How many Yahoo emails can you sign up?
g) Email addresses are not Personally identifiable. How many Yahoo emails can you signup in one hour? There are hundreds of free email providers - including some that expire in 10mins.


>GDPR strikes me as a "feel good" policy

I totally agree. However; getting websites and software makers to rethink privacy is a net plus for everyone. I do like that the focus is on the end user for a change.

The problem I see is that it is just another thing to drive small websites out of business by raising the bar that only big corporate sites can match.

 

[FordGT90Concept]

d) Most forums are spidered and cached by third parties including public caching systems, search engines, and even foreign governments.

Even archive.org which has a library-like intent that is completely counter to GDPR.

 

[bonehead123]

I'm no lawyer, but the company I work for is based in the UK, with 20k+ employees worldwide, and they have more lawyers than most people have hairs on their bodies

In April, we all had to attend a mandatory training class on the act, and this morning, everyone got a very seriously-toned email stating the it was now in effect as of TODAY (may 25), and that if we had not taken the class yet, to get with the program by COB.

They made it very clear that ANY and ALL personal data WILL be protected in every way possible, and that ALL possible usage scenarios would be disclosed the person providing the information prior to it's collection. This includes our employees, customers, clients, vendors, 3rd party contractors etc etc...

It was also made clear to everyone that the penalties for leakage, misuse, or other breaches would include the maximum allowable monetary fines as well as immediate termination of employment !

So it would seem to be a very serious issue to ensure compliance with the act...

 

[qubit]

What they do is put a similar thing to 'low quality post' in place that becomes a placeholder with a message on it that says 'Comment removed under GDPR' or something along those lines. Done. So there are holes in threads? Who cares? This person wanted to be forgotten. How does that damage the rest of the world or the forum and its readers? If that person was a valuable asset to the community, he is not forgotten anyway, only in a digital sense. The only bit that is annoying is that you need to actually build and implement such a feature, along with an easy way to effectively remove a user entirely from your database. Which is why its much easier for a startup to implement this from the start than it is for existing databases.

You miss the point. It's not the technicalities of implementing a delete-all feature, which isn't too complicated. It's that the forum content is no longer under my control as an admin. I don't want any holes in my forum due to messed up threads, so I don't want someone with a grudge to compel me to delete data from it.

If you remember, W1z implemented a 24 hour timeout on users editing their posts, after which they're locked. This is specifically, because some user was deleting all their posts which was messing up the forum, so I'm not the only one who cares about this. Now he'll have to comply if they demand it.

Can you see the problem now?

 

[ShannonApple]

You know, I was just reading through this thread. I co-run a small non profit forum community. We've had discussions about this ourselves and I've chatted with other forum owners too.

You know that user with the 5000 posts that wants his account deleted? He doesn't have the right to make you delete all 5,000 of his posts that could potentially wreck your site and in turn remove hundreds of other people's posts if he is the thread starter. Anyone could have posted that same exact thread. What gives him that right to remove someone else's posts? What he does have the right to is the removal of all personally-identifying information.

If you delete an account, generally their posts remain. So you could change the name before deleting the account, but also remove any personal threads/posts that they may have made identifying their business or anything personal about them such as where they live. Then delete it.

Someone gained access and deleted my admin account on an old vBulletin forum. I was able to restore all of my posts (10 years worth) onto a new account using some database commands and only because my posts remained on the site as "deleted user." My user number also remained. At least that's how vBulletin behaves on deletion of an account with 50 or more posts.

Alternatively, you would be complying by changing the username, removing the users email from your database, (can be done in admin panel), change the account pw, remove all information from the profile and signature. Run a check on threads created and remove any thread/post that's specifically about them. All done.

That's more or less how I've interpreted it. I guess it's important to put all of that into your ToS though so that they understand what they are agreeing to on sign up.

 

[Tatty_Two]

I would figure, unless posts disclosed personal information then there should be no infringement in any case so absolutely no right to have them removed, a forum username does not identify the human and if that human is happy to use their real name as a forum username it makes no difference in any case as "personal information" requires more than just a name...... well that's the way I read it and I have already had to do 4 days of training on this very subject.... possibly bad training!

 

[qubit]

I so wanna reply properly guys, but I'm at work, so can only make quickie forum posts sneeked in between work tasks...

Proper reply later!

 

[ShannonApple]

I would figure, unless posts disclosed personal information then there should be no infringement in any case so absolutely no right to have them removed, a forum username does not identify the human and if that human is happy to use their real name as a forum username it makes no difference in any case as "personal information" requires more than just a name...... well that's the way I read it and I have already had to do 4 days of training on this very subject.... possibly bad training!

Haha! Regardless, I'd change the name anyway. I've done it for people even before this law came out. A username in itself can be identifying if they use the same one everywhere.

 

[Bill_Bright]

I would figure, unless posts disclosed personal information then there should be no infringement in any case so absolutely no right to have them removed

There is no right to have them removed because every (pretty sure "every") site I have joined, I agreed to the terms of the site and those include the fact anything I post becomes the property of the site. So it is no longer mine to demand they be removed.

Also, in most cases (I am one of the few exceptions), most users do not use their real names as their user names, or include personally identifiable information in their profiles (or signatures) when creating their accounts. So except for appeasing a spoiled brat having a puerile temper tantrum, there is no need pay any attention to such requests.

 

[dorsetknob]

W1zz already solved this

posts remained on the site as "deleted user."

Alternatively, you would be complying by changing the username,

BY Changing the User name to Deleted User
All his Forum Threads and Posts were then Displayed as Deleted user ( when i find *.* ill post link )

 

[sepheronx]

I was looking at the title thinking "GDPR? They haven't existed since 1991".

 

[Tatty_Two]

Haha! Regardless, I'd change the name anyway. I've done it for people even before this law came out. A username in itself can be identifying if they use the same one everywhere.

The legislation however requires 2 linked pieces of personal data, so a name/username on it's own is not covered by the legislation, add an age or date of birth for example to the name and then the "controller" is required to take the measures stipulated by the legislation.

 

[Bill_Bright]

Time then to just ask for the year of birth and not the date of birth.

Not sure name and user name should be lumped together, unless like me, they are one in the same.

 

[FordGT90Concept]

Year isn't enough to determine age unless you get the floor of the value and block all content. People who just turned the minimum age would be barred from the website for just under a year.

 

[Bill_Bright]

Better than forever. That said, except for a very select few government, banking, and insurance websites, I have never had to provide proof of my birth date. And as far as I know, members providing positive proof of their identities and birthdates is not a requirement on sites like TPU.

This is another reason I don't think tech forum admin/owners (where anonymity is common) will be held to such high accountability standards as feared.

 

[FordGT90Concept]

United States has a blanket 13 years of age consent requirement. Younger than that requires parent/guardian approval because the user agreement is not bindable.

No, never have to prove it. It's just a legal escape clause if they saw something they shouldn't have and legal proceedings follow. The website operator can point to the user agreement and the fact that the user had to agree to it to access the website. If they lied in agreeing, the website operator can't be held liable for anything the user saw/did that was age inappropriate.

 

[Bill_Bright]

Right but even 13 is an arbitrary number. A 13 - 17 year old person cannot, on their own, enter into a legally binding agreement.

 

[Tatty_Two]

United States has a blanket 13 years of age consent requirement. Younger than that requires parent/guardian approval because the user agreement is not bindable.

No, never have to prove it. It's just a legal escape clause if they saw something they shouldn't have and legal proceedings follow. The website operator can point to the user agreement and the fact that the user had to agree to it to access the website. If they lied in agreeing, the website operator can't be held liable for anything the user saw/did that was age inappropriate.

Right and GDPR has just brought the EU onto that, previously it was under 12's required parental consent.