GDPR - What does it mean for the forum owner?

Maddox

Habitué
Joined
Jul 29, 2016
Messages
1,243
feldon30 I'd appreciate it if you did not quote me out of context to prove a point that another member stated. Yes, the GDPR is open to interpretation depending on what points are being referred to; not ALL of it is open to interpretation. There are many, many parts that explain explicitly what is required, and some parts will be open to interpretation, but it is not our job to do the interpreting; that job is down to the courts, and until a case is brought under the GDPR we will not know for sure whose interpretation is the one that will have to be adhered to.

It would be beneficial if everyone commenting on the GDPR actually read the document in its entirety and if there are any points that are unclear or lead you to making an interpretation that you are unsure about, consult the enforcing body in your own country within the EU. If you are outside of the EU then you would be better placed to wait and see what transpires rather than making uninformed statements based on your opinion, which may or may not be accurate.

I also understand the anger from some who do not live in the EU and are having to come to terms with this new regulation, but if the ball was on the other foot and that law was coming from your own countries, you would no doubt be attempting to lean the other way. Some laws are regional, some laws are country specific and some laws are international. What laws can cross borders depends on the agreements between countries. So until or unless your respective governments say otherwise, it would be in everyone's interests to do whatever you can to comply. After all, we are discussing something that can affect all of us in some pretty unpleasant ways and, quite possibly, already has to many.

Attempting to point score over one another degrades the discussion and adds nothing useful that can be gleaned and applied once this regulation comes into effect on 25th May 2018.

;)
 

sport_billy

Neophyte
Joined
Feb 26, 2016
Messages
2
Just wondering what people are doing with their forum spam services namely -

Stopforumspam
Projecthoneypot
Askimet

We use XF and upon registration XF checks new registrations against the StopForumSpam database, presuming IP, email and username get checked.

I am at pains to stop using these services, but I can't see if they are GDPR compliant, and therefore by sending user data that way we'll be breaking the GDPR.
 

Nev_Dull

Anachronism
Joined
Apr 27, 2010
Messages
2,766
I have never once said I'm opposed to the idea of a law like this. I am just not happy about the EU assuming they can just force a law on the rest of the world.
Thanks for the reply. I understand that initial reaction -- I had it myself. I was one of the ones early on who was thinking about closing off my forum to EU visitors rather than be subjected to what seemed like a vague, overarching legislation. Given some time to reflect, and to read over the law and what it was trying to do, I've come around to agreeing with the idea, and I've been working to make my own forum compliant, even though I don't believe I need to.

I expected the same sort of response from American forum owners. And while many, like you, have come to say you aren't against the idea of GDPR, I haven't heard many say they were going to support that idea by making their own sites compliant, whether they legally needed to or not. It just seems like the kind of individual rights idea that Americans (and we Canucks) would embrace and run with, just because it is the right direction to go. So I'm guessing the primary reason for not doing it is because of where it comes from, either because it's from the EU specifically, or just externally in general.

Again, this isn't intended as a criticism or dig, just an observation.
 

pierce

Habitué
Joined
Apr 10, 2016
Messages
1,165
Actually Google AdSense does not "sneakly collect" user data. There is a button at the top right for "Ad Choices".

[screenshot: upload_2018-5-18_17-57-37.png]


It will lead you to this.

You can then choose to control your ad settings.

[screenshot: upload_2018-5-18_17-58-9.png]


Which gives you that and you can globally turn it off there.

Pierce
 

mysiteguy

Fanatic
Joined
Feb 20, 2007
Messages
3,619
Received this today:

Dear iubenda user,

With May 25th right around the corner, the GDPR is on a lot of people's minds, with many also wondering how the use of cookies will be affected by it. Because of this, we wanted to take the opportunity to clarify some of the more common misconceptions related to cookies and the GDPR that we have received from our users over the last weeks and months.

Furthermore, unfortunately there is a lot of false information circulating online in regards to this topic, so we felt it was a good time to clarify this topic.

So, how does the GDPR govern cookies?
Well, the short answer is that it doesn't — cookie usage and its related requirements are not governed by the GDPR; they are instead governed by the ePrivacy Directive (or Cookie Law).

You can think of the ePrivacy Directive as currently “working alongside” the GDPR in a sense, rather than being replaced by it. With that said, the ePrivacy Directive is, in fact, going to be repealed soon by the ePrivacy Regulation which is still expected to work alongside the GDPR to regulate the requirements for the use of cookies. The regulation is expected to maintain values similar to the directive with much of the same guidelines applying.

Do I need to list the name of each cookie (including third-party cookies) used on our website or app?
No, the cookie law does not require that you list and name individual cookies. However, you are required to clearly state their categories and purpose. This decision by the legislative authority is likely deliberate, as requiring this would mean that individual website/app owners would have to constantly monitor every single third-party cookie, looking for changes that are outside of their control. This would be both unreasonable and likely unhelpful to the average user.

Must I provide the mechanism for users to manage their cookies preferences (including withdrawal of consent) directly on my website or app?
No, the cookie law does not require that you provide users with the means to toggle cookie preferences directly on your site/app, only that you visibly provide the option for obtaining informed, active consent, provide a means for the withdrawal of consent and guarantee via prior blocking that no tracking is performed before consent is obtained. This means the opt-out mechanism does not have to be hosted directly by you. In most cases under member state law, browser settings are considered to be an acceptable means of managing and withdrawing consent.

Do I need to keep records of consent to cookies for each user?
The Cookie Law does not require that records of consent be kept but instead indicates that you should be able to prove that consent occurred — even if that consent has been withdrawn. The simple way to do this would be to use a cookie solution that employs a prior blocking mechanism, as under such circumstances cookie-installing scripts will only be run after consent is attained. In this way, the very fact that scripts were run may be used as sufficient proof of consent.

This should make creating a cookie solution and designing the cookie banner even easier for everyone.
 
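The "prior blocking" mechanism the iubenda mail describes, as an added example in JavaScript that is not code from the original post or from iubenda: third-party tags are queued under a cookie category and executed only once the visitor actively consents to that category, and the activation log is what records that consent occurred. The category names, the tag descriptor shape and the activate() callback are assumptions of this example.

```javascript
const CATEGORIES = ["necessary", "analytics", "advertising"];

class ConsentGate {
  constructor(activate) {
    this.activate = activate;           // runs one tag (in a browser: inserts the <script>)
    this.consent = { necessary: true }; // strictly necessary tags need no consent
    this.blocked = [];                  // tags held back until consent is given
    this.activated = [];                // tags that ran: the proof that consent occurred
  }
  check(c) { if (!CATEGORIES.includes(c)) throw new Error("unknown cookie category: " + c); }

  // Prior blocking: a registered tag is only queued, never run at this point.
  register(tag) { this.check(tag.category); this.blocked.push(tag); this.flush(); }

  // Active consent for named categories; anything not granted stays blocked.
  grant(categories) { for (const c of categories) { this.check(c); this.consent[c] = true; } this.flush(); }

  // Withdrawal stops tags that have not run yet; tags that already ran cannot
  // be un-run, which is why the activation log is kept.
  withdraw(categories) { for (const c of categories) if (c !== "necessary") this.consent[c] = false; }

  flush() {
    const stillBlocked = [];
    for (const tag of this.blocked) {
      if (this.consent[tag.category] === true) {
        this.activate(tag);
        this.activated.push({ id: tag.id, category: tag.category });
      } else stillBlocked.push(tag);
    }
    this.blocked = stillBlocked;
  }
}

// Browser-side activator (assumed markup: inert <script type="text/plain" data-category=...>
// placeholders): swap the placeholder for a real <script> so it executes now.
function domActivate(tag) {
  const s = document.createElement("script");
  s.src = tag.src;
  document.head.appendChild(s);
}

// Constructed walk-through using a recording activator instead of the DOM.
function walkthrough() {
  const ran = [];
  const gate = new ConsentGate((tag) => ran.push(tag.id));
  gate.register({ id: "session", category: "necessary", src: "/session.js" });
  gate.register({ id: "analytics", category: "analytics", src: "https://example.invalid/a.js" });
  gate.register({ id: "ads", category: "advertising", src: "https://example.invalid/ads.js" });
  const beforeConsent = ran.slice();           // only the necessary tag has run
  gate.grant(["analytics"]);                   // the analytics tag runs now
  gate.withdraw(["analytics"]);                // later analytics tags stay blocked
  gate.register({ id: "analytics2", category: "analytics", src: "https://example.invalid/b.js" });
  return { beforeConsent, afterConsent: ran.slice(), stillBlocked: gate.blocked.map((t) => t.id) };
}
```

In a real page, `domActivate` would be passed to the gate and the banner's buttons would call `grant` and `withdraw`; `gate.activated` is the record that scripts only ran after consent.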
Joined
Jan 6, 2004
Messages
5,948
So I'm guessing the primary reason for not doing it is because of where it comes from, either because it's from the EU specifically, or just externally in general.

My primary reasons for not doing it are:
  • It will not solve the underlying problem and most normal people will just ignore any warnings like they have for decades
  • It is no one's business how I run my own web server and who accesses it
  • It is not my responsibility to be a nanny for children and retarded adults that don't know how to use the internet without constantly leaking their personal information
  • Laws attempting to regulate the internet/web are all useless as history has proven
  • Facebook/Google/other large tech companies will not be harmed in any way by this nor will they change their ways nor will their users smarten up and change their ways
In short, I'm not wasting my time making modifications to working code because some idiot half a world away says I should. They won't be able to fine me for not doing this, they won't be able to arrest me, they aren't going to block my web server, and even if they did most of the users of my site from the EU already access it via proxy/VPN/tor. I have absolutely no reason to follow this law. In fact, if I did follow it I'd probably lose half the user base because they hate the EU with such enthusiasm that they'll think I'm compromised and will flee to some place else.
 

feldon30

Fan
Joined
Jun 7, 2013
Messages
526
Meanwhile...

Most GDPR emails unnecessary and some illegal, say experts
Many firms have the required consent already; others don’t have consent to send a request

The vast majority of emails flooding inboxes across Europe from companies asking for consent to keep recipients on their mailing list are unnecessary and some may be illegal, privacy experts have said, as new rules over data privacy come into force at the end of this week.

Many companies, acting based on poor legal advice, a fear of fines of up to €20m (£17.5m) and a lack of good examples to follow, have taken what they see as the safest option for hewing to the General Data Protection Regulation (GDPR): asking customers to renew their consent for marketing communications and data processing.

https://www.theguardian.com/technol...cessary-and-in-some-cases-illegal-say-experts
 

cheat_master30

Fanatic
Joined
Jan 16, 2010
Messages
3,874
Honestly, at the end of the day, I feel a large part of the responsibility here rests with the forum software developers rather than the forum owners. I mean, most people can't code that well, and certainly not enough to make a full user data retrieval add-on or whatnot for whatever script they're using. So if people want to see forums 'obeying' this law, it's gonna be up to the XenForo, IPB, vBulletin, etc. teams to code it in themselves.
 

Nev_Dull

Anachronism
Joined
Apr 27, 2010
Messages
2,766

No surprise there. Smaller companies especially will tend to err on the side of caution. And, naturally, some are just reacting without taking the time to read and understand the law. We saw the very same thing happen in my country when the CASL legislation came in. Companies were sending out huge volumes of consent request emails even though much of it was unneeded.

To be fair to those companies though, they may have no other proof those customers were with them prior to GDPR. No one wants to get caught in a he said/she said argument.
 

feldon30

Fan
Joined
Jun 7, 2013
Messages
526
it's gonna be up to the XenForo, IPB, vBulletin, etc teams to code it in themselves.
If you are running a version of vBulletin that is not a steaming pile, then it is up to the forum owner to figure out and add custom code to gain GDPR compliance. Or switch to XenForo at a cost of $250 a board. I have 3 vB3.x boards.
 

zappaDPJ

Moderator
Joined
Aug 26, 2010
Messages
8,450
Something I've just found out which surprised me a little is the regulation (specifically Recital 27) does not apply to the personal data of deceased persons although it does go on to say Member States may provide for rules regarding the processing of personal data of deceased persons. It seems none have as yet.

Some of my forums have deceased members with literally hundreds of thousands of posts on their accounts, 203,018 posts in one case. Not having to wade through that lot, something I fully expected to have to do, is a bit of a relief.
 

TheChiro

Devotee
Joined
Jun 26, 2006
Messages
2,532
Just wondering what people are doing with their forum spam services namely -

Stopforumspam
Projecthoneypot
Askimet

We use XF and upon registration XF checks new registrations against the StopForumSpam database, presuming IP, email and username get checked.

I am at pains to stop using these services, but I can't see if they are GDPR compliant, and therefore by sending user data that way we'll be breaking the GDPR.
I'm going to keep using them. I think Recitals 47 and 49, and "legitimate interest", have us covered.

https://gdpr-info.eu/recitals/no-47/
The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

https://gdpr-info.eu/recitals/no-49/
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.


Now, IANAL and my interpretation of "lawyer speak" may be off, so if someone with a lawyer mind and an understanding of run-around wording says that I'm interpreting this incorrectly and explains how/why I am wrong, I'm going to keep processing the data to protect the public's rights and freedoms, and that includes checking against spam databases.

I also believe the above will cover you with troublesome users, i.e. banned, and now they are threatening you to remove all their forum posts. 1) Forum posts are not personal data... unless they actually contain things like name, address, etc. 2) You do not have to delete their email and IPs thanks to "legitimate interests" such as protecting your users from this bad user and making sure they can't just come back, without you knowing, and then scam/harm another member's rights and freedoms.
 

Nev_Dull

Anachronism
Joined
Apr 27, 2010
Messages
2,766
I agree with all of that. It's pretty much how I read it and intend to proceed.

When it comes to posts, my policy is that we will remove or anonymize any personally identifying information in posts only if the member sends us a list of posts and the information he/she wants edited. We won't go looking for it on our own. That gets covered in GDPR too, which exempts processors from responsibility for personal information which has been publicly disclosed by the data subject (Article 9, paragraph 2e).
 

zappaDPJ

Moderator
Joined
Aug 26, 2010
Messages
8,450
Does anyone know if you have to reference the data controller in any way (not the data processor) in your privacy policy? This has legal implications and I can't get a definitive answer.
 

Maddox

Habitué
Joined
Jul 29, 2016
Messages
1,243
This was to be expected as very few took this seriously and have been caught on the hop - I suppose in a way it legitimises the regulation when large companies go to such measures to protect themselves; which means that they believe that the reach of the EU does extend much farther than some believed it would.

I imagine a lot of these companies will comply and reopen their doors - the EU is a pretty big place with a lot of potential customers waiting to be plucked.

;)
 

Pete

Flavours of Forums Forever
Joined
Sep 9, 2013
Messages
2,792
Does anyone know if you have to reference the data controller in any way (not the data processor) in your privacy policy? This has legal implications and I can't get a definitive answer.

Every privacy policy I've seen lists who the controller is, even if it's just "Here at [name] we care about your privacy." Also, said privacy policies generally also outline who the DPO is and how to contact them. Some of them don't do it directly in the document but link to it so that the policy doesn't end up being super super long.

https://ico.org.uk/for-organisation...at-should-you-include-in-your-privacy-notice/ may be of help.
 

mysiteguy

Fanatic
Joined
Feb 20, 2007
Messages
3,619
This was to be expected as very few took this seriously and have been caught on the hop - I suppose in a way it legitimises the regulation when large companies go to such measures to protect themselves; which means that they believe that the reach of the EU does extend much farther than some believed it would.

Yes, it certainly does legitimize that this is a legal overreach.
 