Go Back   English Forum Switzerland > Support > Support > Forum support  
Reply
 
Thread Tools Display Modes
  #1  
Old 14.09.2020, 09:54
Forum Legend
 
Join Date: Mar 2009
Location: Zurich
Posts: 12,401
Groaned at 921 Times in 654 Posts
Thanked 17,117 Times in 6,721 Posts
Chuff has a reputation beyond reputeChuff has a reputation beyond reputeChuff has a reputation beyond reputeChuff has a reputation beyond reputeChuff has a reputation beyond reputeChuff has a reputation beyond repute
Public forums and GDPR... right to be forgotten and requesting account deletions etc

I decided to make a separate thread for this as I have seen it come up a lot lately after members have clearly requested account deletion to Editor Bob. These deletions result in the account essentially being nuked and all data and posts deleted. So, I thought it would be good to have an open discussion about it.

****PLEASE NOTE THIS IS NOT SOME DEFINITIVE LEGAL ADVICE THREAD AND I AM NOT A LAWYER, EVERYTHING HERE IS MY OPINION.****

--------------------------------------

GDPR has been mentioned, along with people saying why it does or does not apply to public forums. Well, in my view it is safe to say that GDPR certainly does apply to public community forums, especially ones like this. I want to respond to a nice post from Sean Connery in the forum upgrade thread and give my view:

Quote:
View Post
I still don't actually understand why people think GDPR is applicable in the context of an Internet forum

Quote:
Controllers and processors of personal data must put in place appropriate technical and organizational measures to implement the data protection principles. Business processes that handle personal data must be designed and built with consideration of the principles and provide safeguards to protect data[/wikipedia]

It's about personal data. There may be edge cases where someone actually uses their real name on the forum and there might be a requirement to remove an email address from the account record in the DB - but it really does not extend much more.

I would dare to say that the second clause in the quote above, namely safeguarding the data, are not in place here anyway.
I think it is fair to say that the GDPR regulations (like many regulations) do not give examples for each and every scenario in which GDPR rules may be breached, they provide general principles and some interpretation and commonsense needs to be applied. I have done a fair of research on this myself and have concluded that it does indeed apply to public forums, because any information you give that may lead to you being identified is considered personal data.

General:

It is important to note that:
  1. EF is run by a registered company, The Local, who are based in Sweden.
  2. Sweden is within the EU and subject to the full force of GDPR regulations and consequences.
  3. EF holds email addresses and I.P. addresses which are considered personal data.
  4. EF contains many, many hundreds of thousands of forum posts, many of this contain data that could be considered personally identifiable (see below).

What can constitute personal data?:

During the lifetime of most posters, some making many thousands of posts, it is very possible that they have wittingly or unwittingly posted things that could be considered to be personally identifiable. Not only do some users put personally identifiable data in their usernames and/or profiles when they register, but this forum deals with many sensitive topics. These can be employment, tax advice, medical advice, sexual advice, sexual orientation, religious stances, political views and discussions just to name a few of the heavy hitters. There are so many instances where people post things like: "I am x and have x and live i x" etc etc. People also sell things and give portions of their home address, and al of this rich variety of potentially sensitive data, in combination with many other things that are posted from the things I listed earlier, could certainly (and quite easily in many cases) lead to a personally identifiable situation.

Right to be forgotten:

Right to be forgotten: https://gdpr.eu/right-to-be-forgotten/

The above principles can then be combined with a users "right to be forgotten", which means that a user can request deletion of all information that can be considered personal. When you factor in the above and the potential ways data can lead to identifiable situations, this then also makes things very tricky.

Practical application of this for forum owners:

Now, can you imagine Editor Bob going through all of these posts to find and identify that data? Of course not, it is completely impractical unless there are only a very small number of posts for a user requesting deletion. So, the account and posts are deleted and this then avoids any potential GDPR-related issues, fines and/or lawsuits.

This view is supported by many forum admins and users worldwide asking and answering the same questions (often consulting lawyers) and the admins often just deleting the accounts and posts.

Quote:
Ok, I've finally got my definitive answer and it's not what I wanted to hear: as I suspected, the GDPR does apply to an individual who's running a forum in a non-profit manner, even with no ads. This means that all the onerous conditions and sanctions will apply.

As I'm just one guy with shallow pockets who wants to run a hobby forum, that dream is now gonna have to die as I don't want to be liable for potentially getting sued with possible heavy sanctions applied to me. You can just imagine a disgruntled member who's just been banned wanting to get their own back at me through the GDPR for the kind of trouble that this can cause.

The answer is definitive, because today I asked a couple of people at work who manage the GDPR for the organisation (a fairly large one) who are experts in this. This saved me the expense and inconvenience of going to a lawyer.
What are the consequences of non-compliance?

This document lists a good summary: https://www.gdpr.associates/data-breach-penalties/

Can I get my forum account deleted?

If you are in the situation where you feel this is appropriate then you need to send a PM to Editor Bob as he is the admin and only he can decide that.

--------------------------------------

So yeah, that's why I believe that GDPR certainly does apply to this forum and why the admins have already been deleting accounts when faced with such specific requests.

Hopefully this can generate some relevant discussion and who knows, maybe Editor Bob can clarify his stance on this if he gets chance.
Reply With Quote
The following 5 users would like to thank Chuff for this useful post:
This user groans at Chuff for this post:
  #2  
Old 15.09.2020, 21:28
Forum Legend
 
Join Date: Sep 2006
Location: Albisrieden
Posts: 4,846
Groaned at 107 Times in 75 Posts
Thanked 7,191 Times in 2,658 Posts
nickatbasel has a reputation beyond reputenickatbasel has a reputation beyond reputenickatbasel has a reputation beyond reputenickatbasel has a reputation beyond reputenickatbasel has a reputation beyond reputenickatbasel has a reputation beyond repute
Re: Public forums and GDPR... right to be forgotten and requesting account deletions

Gosh Chuff, you should be head moderator of this forum. We need more people like you to rescue the place!
Reply With Quote
The following 4 users would like to thank nickatbasel for this useful post:
  #3  
Old 15.09.2020, 22:34
baboon's Avatar
Forum Legend
 
Join Date: Apr 2007
Location: Rheintal
Posts: 3,768
Groaned at 143 Times in 126 Posts
Thanked 6,410 Times in 2,997 Posts
baboon has a reputation beyond reputebaboon has a reputation beyond reputebaboon has a reputation beyond reputebaboon has a reputation beyond reputebaboon has a reputation beyond reputebaboon has a reputation beyond repute
Re: Public forums and GDPR... right to be forgotten and requesting account deletions

Quote:
View Post
I decided to make a separate thread for this as I have seen it come up a lot lately after members have clearly requested account deletion to Editor Bob. These deletions result in the account essentially being nuked and all data and posts deleted
Actually the posts are not deleted. They just have the poster's name deleted and show up as posted by "guest"
Reply With Quote
  #4  
Old 16.09.2020, 00:15
Forum Legend
 
Join Date: Mar 2008
Location: ZH
Posts: 6,888
Groaned at 62 Times in 51 Posts
Thanked 9,976 Times in 4,086 Posts
doropfiz has a reputation beyond reputedoropfiz has a reputation beyond reputedoropfiz has a reputation beyond reputedoropfiz has a reputation beyond reputedoropfiz has a reputation beyond reputedoropfiz has a reputation beyond repute
Re: Public forums and GDPR... right to be forgotten and requesting account deletions

Quote:
View Post
Actually the posts are not deleted. They just have the poster's name deleted and show up as posted by "guest"
Yes, that is a big, central difference.
Is it possible for a user to have all of his/her posts deleted? I think it should be available as an option.
Reply With Quote
The following 2 users would like to thank doropfiz for this useful post:
This user groans at doropfiz for this post:
  #5  
Old 16.09.2020, 06:06
Forum Legend
 
Join Date: Mar 2009
Location: Zurich
Posts: 12,401
Groaned at 921 Times in 654 Posts
Thanked 17,117 Times in 6,721 Posts
Chuff has a reputation beyond reputeChuff has a reputation beyond reputeChuff has a reputation beyond reputeChuff has a reputation beyond reputeChuff has a reputation beyond reputeChuff has a reputation beyond repute
Re: Public forums and GDPR... right to be forgotten and requesting account deletions

Quote:
View Post
Actually the posts are not deleted. They just have the poster's name deleted and show up as posted by "guest"
Hmm, I had it in my head a couple had their deleted. I think though that under GPDR regulations that they should be able to have this done if requested with good grounds.
Reply With Quote
  #6  
Old 16.09.2020, 07:33
Forum Legend
 
Join Date: Jun 2008
Location: Zurich
Posts: 7,759
Groaned at 281 Times in 210 Posts
Thanked 17,258 Times in 6,060 Posts
k_and_e has a reputation beyond reputek_and_e has a reputation beyond reputek_and_e has a reputation beyond reputek_and_e has a reputation beyond reputek_and_e has a reputation beyond reputek_and_e has a reputation beyond repute
Re: Public forums and GDPR... right to be forgotten and requesting account deletions

Quote:
View Post
Yes, that is a big, central difference.
Is it possible for a user to have all of his/her posts deleted? I think it should be available as an option.

It's not a GDPR requirement as the posts are anonymized.
Reply With Quote
The following 2 users would like to thank k_and_e for this useful post:
  #7  
Old 16.09.2020, 07:37
Forum Legend
 
Join Date: Mar 2009
Location: Zurich
Posts: 12,401
Groaned at 921 Times in 654 Posts
Thanked 17,117 Times in 6,721 Posts
Chuff has a reputation beyond reputeChuff has a reputation beyond reputeChuff has a reputation beyond reputeChuff has a reputation beyond reputeChuff has a reputation beyond reputeChuff has a reputation beyond repute
Re: Public forums and GDPR... right to be forgotten and requesting account deletions

Quote:
View Post
It's not a GDPR requirement as the posts are anonymized.
The post content, if visible, also has to be anonymized, not just the usernames. Otherwise, the post content could still be used to identify someone.

Making the posts invisible would be the only way to ensure this was not possible, but then the personal data, if existing, would still be retained on the servers and still potentially in breach of GDPR.
Reply With Quote
This user groans at Chuff for this post:
  #8  
Old 16.09.2020, 07:46
Forum Legend
 
Join Date: Jun 2008
Location: Zurich
Posts: 7,759
Groaned at 281 Times in 210 Posts
Thanked 17,258 Times in 6,060 Posts
k_and_e has a reputation beyond reputek_and_e has a reputation beyond reputek_and_e has a reputation beyond reputek_and_e has a reputation beyond reputek_and_e has a reputation beyond reputek_and_e has a reputation beyond repute
Re: Public forums and GDPR... right to be forgotten and requesting account deletions

Quote:
View Post
The post content, if visible, also has to be anonymized, not just the usernames. Otherwise, the post content could still be used to identify someone.

Making the posts invisible would be the only way to ensure this was not possible, but then the personal data, if existing, would still be retained on the servers and still potentially in breach of GDPR.

Posting private details and contact details are not allowed as per the forum rules. Would one be able to force the forum to remove such posts after breaking the rules themselves?
Reply With Quote
This user would like to thank k_and_e for this useful post:
  #9  
Old 16.09.2020, 07:58
Forum Legend
 
Join Date: Mar 2009
Location: Zurich
Posts: 12,401
Groaned at 921 Times in 654 Posts
Thanked 17,117 Times in 6,721 Posts
Chuff has a reputation beyond reputeChuff has a reputation beyond reputeChuff has a reputation beyond reputeChuff has a reputation beyond reputeChuff has a reputation beyond reputeChuff has a reputation beyond repute
Re: Public forums and GDPR... right to be forgotten and requesting account deletions

Quote:
View Post
Posting private details and contact details are not allowed as per the forum rules. Would one be able to force the forum to remove such posts after breaking the rules themselves?
The forum rules obviously do not override the fundamental principles of GDPR that must be adhered to.

Plus, the forum rules also do NOT forbid posting identifiable details about your life, which can be what I summarised in the OP as information about medical history, sexual orientation etc etc:

Quote:
What can constitute personal data?:

During the lifetime of most posters, some making many thousands of posts, it is very possible that they have wittingly or unwittingly posted things that could be considered to be personally identifiable. Not only do some users put personally identifiable data in their usernames and/or profiles when they register, but this forum deals with many sensitive topics. These can be employment, tax advice, medical advice, sexual advice, sexual orientation, religious stances, political views and discussions just to name a few of the heavy hitters. There are so many instances where people post things like: "I am x and have x and live i x" etc etc. People also sell things and give portions of their home address, and al of this rich variety of potentially sensitive data, in combination with many other things that are posted from the things I listed earlier, could certainly (and quite easily in many cases) lead to a personally identifiable situation.
Reply With Quote
  #10  
Old 16.09.2020, 08:11
Forum Legend
 
Join Date: Jun 2008
Location: Zurich
Posts: 7,759
Groaned at 281 Times in 210 Posts
Thanked 17,258 Times in 6,060 Posts
k_and_e has a reputation beyond reputek_and_e has a reputation beyond reputek_and_e has a reputation beyond reputek_and_e has a reputation beyond reputek_and_e has a reputation beyond reputek_and_e has a reputation beyond repute
Re: Public forums and GDPR... right to be forgotten and requesting account deletions

Quote:
View Post
The forum rules obviously do not override the fundamental principles of GDPR that must be adhered to.

Plus, the forum rules also do NOT forbid posting identifiable details about your life, which can be what I summarised in the OP as information about medical history, sexual orientation etc etc:

I understand your point but would how to do that, given that GUEST does not refer to a single poster.



Anyway, may be a good motivation to update the forum software and simply not migrate the guest posts.
Reply With Quote
This user would like to thank k_and_e for this useful post:
  #11  
Old 16.09.2020, 08:26
Forum Legend
 
Join Date: Mar 2009
Location: Zurich
Posts: 12,401
Groaned at 921 Times in 654 Posts
Thanked 17,117 Times in 6,721 Posts
Chuff has a reputation beyond reputeChuff has a reputation beyond reputeChuff has a reputation beyond reputeChuff has a reputation beyond reputeChuff has a reputation beyond reputeChuff has a reputation beyond repute
Re: Public forums and GDPR... right to be forgotten and requesting account deletions

Quote:
View Post
I understand your point but would how to do that, given that GUEST does not refer to a single poster.
It doesn't matter what the username is or if they are all "guest", it's the information within the posts that could still be used to identify someone.

Quote:
View Post
Anyway, may be a good motivation to update the forum software and simply not migrate the guest posts.
If that was possible then I think that you are right that would indeed resolve the issue up to the migration, but any cases after that would still need to be dealt with.
Reply With Quote
  #12  
Old 16.09.2020, 14:11
EastEnders's Avatar
Forum Veteran
 
Join Date: Nov 2006
Location: former Biennoise, now in Belp
Posts: 2,084
Groaned at 10 Times in 9 Posts
Thanked 3,054 Times in 1,123 Posts
EastEnders has a reputation beyond reputeEastEnders has a reputation beyond reputeEastEnders has a reputation beyond reputeEastEnders has a reputation beyond reputeEastEnders has a reputation beyond reputeEastEnders has a reputation beyond repute
Re: Public forums and GDPR... right to be forgotten and requesting account deletions

Quote:
View Post
Is it possible for a user to have all of his/her posts deleted? I think it should be available as an option.
I would like that option very much, am toying with the thought of leaving here
Reply With Quote
  #13  
Old 16.09.2020, 23:21
Forum Legend
 
Join Date: Sep 2006
Location: Albisrieden
Posts: 4,846
Groaned at 107 Times in 75 Posts
Thanked 7,191 Times in 2,658 Posts
nickatbasel has a reputation beyond reputenickatbasel has a reputation beyond reputenickatbasel has a reputation beyond reputenickatbasel has a reputation beyond reputenickatbasel has a reputation beyond reputenickatbasel has a reputation beyond repute
Re: Public forums and GDPR... right to be forgotten and requesting account deletions

What about where a user goes out of their way to be obnoxious to other users, does drive by groans on a frequent basis then has a name change. Would they want to be identified through their old posts?
Reply With Quote
  #14  
Old 17.09.2020, 20:36
Forum Legend
 
Join Date: Mar 2008
Location: ZH
Posts: 6,888
Groaned at 62 Times in 51 Posts
Thanked 9,976 Times in 4,086 Posts
doropfiz has a reputation beyond reputedoropfiz has a reputation beyond reputedoropfiz has a reputation beyond reputedoropfiz has a reputation beyond reputedoropfiz has a reputation beyond reputedoropfiz has a reputation beyond repute
Re: Public forums and GDPR... right to be forgotten and requesting account deletions

Quote:
View Post
I would like that option very much, am toying with the thought of leaving here
Oh, EastEnders, your leaving would be another serious blow to EF! I would certainly miss your posts.

I am saddened by the ongoing exodus of members who've been around for many years.

Please, would you, EastEnders, and others who may be contemplating leaving, write to Editor Bob to set out your reasons? Perhaps something could be sufficiently improved, for you to want to stay. Thank you.
Reply With Quote
The following 4 users would like to thank doropfiz for this useful post:
Reply




Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
GDPR and EnglishForum higgsboson Forum support 164 06.08.2020 11:31
Freedom of Speech on Public Forums mamasita Other/general 10 03.10.2011 13:08
Policy: Deletions / Edits of messages mark Announcements 142 23.02.2010 19:34


All times are GMT +2. The time now is 06:12.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
LinkBacks Enabled by vBSEO 3.1.0