14.09.2020, 09:54
Chuff
Public forums and GDPR... right to be forgotten and requesting account deletions etc

I decided to make a separate thread for this as I have seen it come up a lot lately after members have clearly requested account deletion to Editor Bob. These deletions result in the account essentially being nuked and all data and posts deleted. So, I thought it would be good to have an open discussion about it.

****PLEASE NOTE THIS IS NOT SOME DEFINITIVE LEGAL ADVICE THREAD AND I AM NOT A LAWYER, EVERYTHING HERE IS MY OPINION.****

--------------------------------------

GDPR has been mentioned, along with people saying why it does or does not apply to public forums. Well, in my view it is safe to say that GDPR certainly does apply to public community forums, especially ones like this. I want to respond to a nice post from Sean Connery in the forum upgrade thread and give my view:

Quote:
I still don't actually understand why people think GDPR is applicable in the context of an Internet forum

Quote:
Controllers and processors of personal data must put in place appropriate technical and organizational measures to implement the data protection principles. Business processes that handle personal data must be designed and built with consideration of the principles and provide safeguards to protect data. (Wikipedia)

It's about personal data. There may be edge cases where someone actually uses their real name on the forum and there might be a requirement to remove an email address from the account record in the DB - but it really does not extend much more.

I would dare to say that the second clause in the quote above, namely safeguarding the data, is not in place here anyway.

I think it is fair to say that the GDPR regulations (like many regulations) do not give examples for each and every scenario in which GDPR rules may be breached, they provide general principles and some interpretation and common sense needs to be applied. I have done a fair bit of research on this myself and have concluded that it does indeed apply to public forums, because any information you give that may lead to you being identified is considered personal data.

General:

It is important to note that:
  1. EF is run by a registered company, The Local, who are based in Sweden.
  2. Sweden is within the EU and subject to the full force of GDPR regulations and consequences.
  3. EF holds email addresses and I.P. addresses which are considered personal data.
  4. EF contains many, many hundreds of thousands of forum posts, many of these contain data that could be considered personally identifiable (see below).

What can constitute personal data?:

During the lifetime of most posters, some making many thousands of posts, it is very possible that they have wittingly or unwittingly posted things that could be considered to be personally identifiable. Not only do some users put personally identifiable data in their usernames and/or profiles when they register, but this forum deals with many sensitive topics. These can be employment, tax advice, medical advice, sexual advice, sexual orientation, religious stances, political views and discussions just to name a few of the heavy hitters. There are so many instances where people post things like: "I am x and have x and live in x" etc etc. People also sell things and give portions of their home address, and all of this rich variety of potentially sensitive data, in combination with many other things that are posted from the things I listed earlier, could certainly (and quite easily in many cases) lead to a personally identifiable situation.

Right to be forgotten:

Right to be forgotten: https://gdpr.eu/right-to-be-forgotten/

The above principles can then be combined with a user's "right to be forgotten", which means that a user can request deletion of all information that can be considered personal. When you factor in the above and the potential ways data can lead to identifiable situations, this then also makes things very tricky.

Practical application of this for forum owners:

Now, can you imagine Editor Bob going through all of these posts to find and identify that data? Of course not, it is completely impractical unless there are only a very small number of posts for a user requesting deletion. So, the account and posts are deleted and this then avoids any potential GDPR-related issues, fines and/or lawsuits.

This view is supported by many forum admins and users worldwide asking and answering the same questions (often consulting lawyers) and the admins often just deleting the accounts and posts.

Quote:
Ok, I've finally got my definitive answer and it's not what I wanted to hear: as I suspected, the GDPR does apply to an individual who's running a forum in a non-profit manner, even with no ads. This means that all the onerous conditions and sanctions will apply.

As I'm just one guy with shallow pockets who wants to run a hobby forum, that dream is now gonna have to die as I don't want to be liable for potentially getting sued with possible heavy sanctions applied to me. You can just imagine a disgruntled member who's just been banned wanting to get their own back at me through the GDPR for the kind of trouble that this can cause.

The answer is definitive, because today I asked a couple of people at work who manage the GDPR for the organisation (a fairly large one) who are experts in this. This saved me the expense and inconvenience of going to a lawyer.

What are the consequences of non-compliance?

This document lists a good summary: https://www.gdpr.associates/data-breach-penalties/

Can I get my forum account deleted?

If you are in the situation where you feel this is appropriate then you need to send a PM to Editor Bob as he is the admin and only he can decide that.

--------------------------------------

So yeah, that's why I believe that GDPR certainly does apply to this forum and why the admins have already been deleting accounts when faced with such specific requests.

Hopefully this can generate some relevant discussion and who knows, maybe Editor Bob can clarify his stance on this if he gets chance.