
GDPR and Boards.ie post removal policy **update linked in OP 24/5/18**


Comments

  • Registered Users Posts: 286 ✭✭dollylama


    Amalgam wrote: »
    I don't agree with what boards are trying to convey to users, it is not a take it or leave it situation, it is a progressive one, very much balanced in favour of the user, not the forum. The GDPR isn't here to accommodate boards in any way, it is here to accommodate users.

    My guess is boards is going to push back/obscure options, until a legal precedent is set (a good or bad one..), in an Irish court.

    I run a PHPBB board and it is very much head in the sand on their support forum, the software is currently not compliant. Everything has to be erased. The problem is, for the sake of log reporting, the nature of tables, PHPBB and similar forum fronts hold onto traces of information like hairs on a toffee apple..

    My board will probably be left like a swiss cheese because of the GDPR, but I understand why it exists and am perfectly happy to be compliant.

    Surely we won't end with a situation where a user can request posts be deleted but quotes of those posts remain? That just defeats the purpose entirely


  • Registered Users Posts: 6,026 ✭✭✭Amalgam


    dollylama wrote: »
    Surely we won't end with a situation where a user can request posts be deleted but quotes of those posts remain? That just defeats the purpose entirely

    PHPBB may implement a quote delete solution in a future release, so, the issue is certainly being discussed online. The problem is a geographical one, if you depend on software written in the US, they may care less about your GDPR needs, whereas in Germany, most likely, GDPR will be keeping the courts busy, at some point..


  • Registered Users Posts: 136 ✭✭Batzoo


    Therefore, the process for requesting your personal data is as follows:
    • For identity verification purposes the data access request must be sent via a Private Message (PM) to the following recipient Boards.ie: GDPR (if for any reason you are unable to access or send a PM please email datarequests@boards.ie and we will get back to you with further instructions).
    • Data access requests will only be processed for the user account from which the PM was sent. We will not process data access requests for personal data related to 3rd party accounts

    You may need to get some more legal advice in regards to this as the above although advisable and a good place to start, it is not entirely accurate!

    A subject can use a designated third party to request information on their behalf, you cannot or have no right to prohibit this.

    While you can and should specify a means of verification such as the PM, the method of the data request cannot be imposed or be exclusive. Technically if I was to request my information in this post (which I am not at this time), it is a valid subject access request and you would have 30 days to respond. All mods should be made aware of this possibility and be able to pass access requests to the designated data controller without haste. The request does not even have to state it is a request, so long as it is obvious to a casual reader of the intent. To me this seems crazy, but hey I did not make it up.

    While there also appears to be confusion over user names and IP addresses, I can assure you that if you use your user name on any other site, or your user name @gmail.com etc., a huge amount of information can be mined from it. This information can then be used to build a bigger profile and so on. Likewise with IP addresses. While they may be dynamic, the pool of addresses will not be too great that a profile cannot also be gathered and cross referenced with other info, all without any privileged or elevated access. Basically a username or IP address can be used to identify a data subject.

    While I legally can't state with certainty if posts (or quoted posts) have to be deleted under GDPR when requested, I can sure as hell tell you that I can use posts from specific users (not every user) here and tell you where they live to the house number. What colour car they drive, where they work, what they eat for breakfast, what colour their wife's hair is, how many children they have and so on. I can extract this data manually in a few hours. I am sure I could script it even quicker. So yes posts, even just a user name are part of a bigger picture that is a subject's ID and if I can do it without elevated access, boards can do it with admin access. So IMHO posts, user names and even IP addresses are identifiable and should be deleted if requested.

    Again, run the first bit of this post past your legal team, and if they think I am wrong on this point, you should get a new legal team as they are giving bad advice. Designated 3rd parties are allowed, and although you should (and correctly have) specified a method for requests, you cannot exclusively specify the method of the access request. All written requests by paper, email, pm or even an in forum post are equally valid (but you can specify a verification method in response to this request).


  • Registered Users Posts: 33,519 ✭✭✭✭dudara


    I think you might have mixed up the different meanings/uses of the term “third parties”. Yes, requests from authorised third parties (e.g. agents) are permitted under GDPR, and have to be verified that they are indeed authorised to act on your behalf.

    However, what Sean is saying is that you cannot request data for someone else’s account (e.g. a third party). You can only request access for your own data (either directly or via an agent).


  • Registered Users Posts: 136 ✭✭Batzoo


    dudara wrote: »
    I think you might have mixed up the different meanings/uses of the term “third parties”. Yes, requests from authorised third parties (e.g. agents) are permitted under GDPR, and have to be verified that they are indeed authorised to act on your behalf.

    However, what Sean is saying is that you cannot request data for someone else’s account (e.g. a third party). You can only request access for your own data (either directly or via an agent).


    Again, not looking for an argument, but why say I mixed it up and not "Sean" or Boards? The original statement says:
    Data access requests will only be processed for the user account from which the PM was sent. We will not process data access requests for personal data related to 3rd party accounts
    There is no ambiguity here. The statement is false and wrong. You are obliged to process access requests regardless of which account they were sent from. And again, you cannot dictate the method or format in which these requests are sent. And you are obliged to process third party requests for third party accounts so long as you can verify the owner of the requested account has authorized the third party as an agent. The only thing that is crucial is that you can verify that the data owner/subject has authorized this, regardless of which 3rd party account requested the information.

    I realize this may be confusing times for admins who are lumbered with this task and they receive different advice from many parties but I can assure you there is no confusion or misunderstanding on my behalf. I will also remind you that terms and conditions cannot and should not be written in confusing or easy to misinterpret ways. They are required to be clear and unambiguous.


  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 75,598 Admin ✭✭✭✭✭Beasty


    Just to be clear all requests are dealt with by the office. Admins and Mods have nothing to do with that

    Whatever views we express here are our own, and we are really not in a position to argue the legalities. Again that's an office responsibility


  • Registered Users Posts: 33,519 ✭✭✭✭dudara


    Batzoo wrote: »
    Again, not looking for an argument, but why say I mixed it up and not "Sean" or Boards? The original statement says: There is no ambiguity here. The statement is false and wrong. You are obliged to process access requests regardless of which account they were sent from. And again, you cannot dictate the method or format in which these requests are sent. And you are obliged to process third party requests for third party accounts so long as you can verify the owner of the requested account has authorized the third party as an agent. The only thing that is crucial is that you can verify that the data owner/subject has authorized this, regardless of which 3rd party account requested the information.
    I think we're saying similar things but in different ways. Verifying the identity of the requestor is crucial, as an organisation does not want to disclose the personal data of an unrelated party. I believe that this is what Sean was referring to when he referenced third parties. I do not believe he was referring to authorised third party agents.
    I realize this may be confusing times for admins who are lumbered with this task and they receive different advice from many parties but I can assure you there is no confusion or misunderstanding on my behalf. I will also remind you that terms and conditions cannot and should not be written in confusing or easy to misinterpret ways. They are required to be clear and unambiguous.

    I'm quite well versed in the GDPR as an individual, but I am not responsible for GDPR compliance at Boards. That is a matter for HQ, not for the Admins and Mods. I am discussing it here as an individual, the same as all of us.


  • Registered Users Posts: 136 ✭✭Batzoo


    Beasty wrote: »
    Just to be clear all requests are dealt with by the office. Admins and Mods have nothing to do with that

    Whatever views we express here are our own, and we are really not in a position to argue the legalities. Again that's an office responsibility

    Even though you feel you have nothing to do with it, you are part of Boards. Boards have authorized you to administer forums and as such, all admins should be made aware of what an access request is and how to recognize them and who to forward them on to.


    So to break it down.
    If I PM a Subject Access Request to any admin or mod on any forum on Boards.ie, they are responsible for it. This is stipulated. They should forward it on to the Data Controller without haste as it is a valid request. The 30 days start from when I make contact with any representative of Boards, not from when the Data Controller gets wind of it. As a Boards Admin you should have been made aware of this from the office or HQ. Again, not looking to make requests or cause headaches, just trying to clear some confusion.


  • Registered Users Posts: 136 ✭✭Batzoo


    dudara wrote: »
    I believe that this is what Sean was referring to when he referenced third parties. I do not believe he was referring to authorised third party agents.
    As I said, ambiguity is frowned upon. What you believe was the meaning is not what I read. These things should be clear and not open to opinion or belief as such.
    dudara wrote: »
    I'm quite well versed in the GDPR as an individual, but I am not responsible for GDPR compliance at Boards. That is a matter for HQ, not for the Admins and Mods. I am discussing it here as an individual, the same as all of us.
    Again I realize that Admins and mods are individuals and in many cases volunteers, but you are authorized entities of Boards and as such you are Boards. You are responsible whether you like it or not and cannot wash your hands of this responsibility.

    Basically what I am getting at is, if I was to make a request by PM to you, here and now, would you know who to forward this request onto in the Boards empire as such? You technically can't spread it willy nilly to all and sundry in the admin circle. You have to send it directly to a specific individual assigned or hired for the role.

    Just to throw another log on the flames, but I am sure it is already accounted for. An access request would also include PM's sent between admins that mention the user that makes the request. So if an infraction occurred and the admins were discussing this through PM, the subject is entitled to these PM's. These should also not be redacted to any major degree unless they specifically reveal information about another uninvolved 3rd party as such.


  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 75,598 Admin ✭✭✭✭✭Beasty


    The site has taken legal advice and I am sure someone from the office will be considering the points you raise


  • Registered Users Posts: 6,026 ✭✭✭Amalgam


    Beasty wrote: »
    The site has taken legal advice and I am sure someone from the office will be considering the points you raise

    :rolleyes:


  • Moderators, Category Moderators, Entertainment Moderators, Sports Moderators Posts: 22,584 CMod ✭✭✭✭Steve


    Batzoo wrote: »
    Just to throw another log on the flames, but I am sure it is already accounted for. An access request would also include PM's sent between admins that mention the user that makes the request. So if an infraction occurred and the admins were discussing this through PM, the subject is entitled to these PM's. These should also not be redacted to any major degree unless they specifically reveal information about another uninvolved 3rd party as such.
    Not sure if there is truth to that, besides, you are assuming such discussions take place on the boards platform. They may not.


  • Registered Users Posts: 286 ✭✭dollylama


    Boards really need to clarify how they will handle quoted posts when a user requests their posts be deleted.

    I've done a quick spot check of some posters in this thread and most have somewhere in the region of 25 - 50% of their posts quoted. So even if you request your posts be deleted, up to half of them will be left behind as quoted posts are not removed!

    If a user is to have the right to have their posts deleted, surely quotes of their post can't be left behind. If they are left behind, it just makes a mockery of the right to deletion and will deter users from requesting a deletion at all as it is only 50% effective!

    It can't be too difficult to look for quoted posts against the current and past usernames and strip them from the post that quoted them


  • Moderators, Category Moderators, Entertainment Moderators, Sports Moderators Posts: 22,584 CMod ✭✭✭✭Steve


    dollylama wrote: »
    Boards really need to clarify how they will handle quoted posts when a user requests their posts be deleted.
    As of now, from what I have read, their position is to not delete them except where there is personally identifiable information. This has been the case for many years previous to GDPR.
    If a user is to have the right to have their posts deleted, surely quotes of their post can't be left behind. If they are left behind, it just makes a mockery of the right to deletion and will deter users from requesting a deletion at all as it is only 50% effective!
    'Surely' 'Probably' 'It should be thus' 'It's an outrage' is not relevant when applying a legal directive and determining the appropriate action.

    As I said previously, the 'appropriate action' may not be known for some time to come until the directive / law is tested in a court of law.


  • Administrators, Entertainment Moderators, Social & Fun Moderators, Society & Culture Moderators Posts: 18,714 Admin ✭✭✭✭✭hullaballoo


    Batzoo, where does the GDPR say that a data subject can request access via a non-party?


  • Registered Users Posts: 6,026 ✭✭✭Amalgam


    I have received a warning from hullaballoo for a rolleyes.

    To clarify:

    boards.ie is trying to put the cart before the horse, it is not for boards.ie to decide to accommodate users.

    Banned or not, 'active' or not, users have a right to manage data. Banning or stonewalling does not remove the forum's obligation to act on the new legislation.

    The dry statement by Beasty above, says quite a lot by saying nothing, or help to alleviate fears that boards.ie will indeed be 'combative' towards the GDPR.


  • Administrators, Entertainment Moderators, Social & Fun Moderators, Society & Culture Moderators Posts: 18,714 Admin ✭✭✭✭✭hullaballoo


    As I have been pointing out since the beginning of this thread, many people are misunderstanding the purpose and scope of the GDPR.

    It quite clearly does not make data subjects the supreme arbiters of everything like many are suggesting. It gives data subjects rights over their personal data and the treatment of it as against data controllers, yes. It certainly does that.

    But what people here seem to be repeatedly missing is that personal data isn't everything you've ever posted on the internet. It's also not your IP address. Your email address is personal data if it can be used to identify you. If your email address is asdflaknasdf@spammail.com then no, that's not personal data.

    Also as I have said before, the GDPR does quite an admirable job at providing scope for proportionality and reason when it comes to the obligations on processors and controllers.

    In this post, I'm not targeting anyone specifically but what seems abundantly clear to me is that many of the self-proclaimed GDPR experts haven't read/understood the document. It is quite a remarkable and beneficial step towards protecting individuals against those who would use their personal information against their will and it is to be commended on that basis. It is not a stick to beat small businesses that don't process data other than for the purposes it was given with.


  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 75,598 Admin ✭✭✭✭✭Beasty


    Amalgam wrote: »
    The dry statement by Beasty above, says quite a lot by saying nothing, or help to alleviate fears that boards.ie will indeed be 'combative' towards the GDPR.
    How the hell can I say anything else? I am not a lawyer. The Office are dealing with this. They are offline.

    You may think I have nothing better to do than read the GDPR legislation, but even if I did, I would expect guidance from those consulting lawyers rather than commenting off the hoof on someone's own legal interpretation


  • Registered Users Posts: 136 ✭✭Batzoo


    Steve wrote: »
    Not sure if there is truth to that, besides, you are assuming such discussions take place on the boards platform. They may not.
    This is fact, if you are discussed in a pm between admins, this is part of your online profile and data and falls under GDPR. But it is true to say that it could be denied that any discussion ever took place and unless the data is audited it would be hard for a data subject to prove otherwise.

    Also I make no assumptions, it is common knowledge and can be seen on these boards in dispute resolution, where people object to an infraction and one admin says they will talk to the admin or mod who issued it to clarify the reasons and get back.

    Basically if it is stored in a db or filing cabinet and mentions you or anything that can identify you, it's your data and covered under GDPR. It does not matter if it was not meant for your eyes originally, you are entitled to see it now should you request. The only exceptions I am sure of are if it is related to an ongoing legal investigation or such.


  • Registered Users Posts: 286 ✭✭dollylama


    I'm gonna be upfront and say I've little to no understanding of what GDPR permits or not and I'm certainly no legal eagle

    I'm just highlighting what is a bizarre situation whereby Boards will allow you to have posts deleted but will not delete those very same posts when in a quote. Ignoring GDPR here... why bother deleting posts at all if they're only gonna do a half effort


  • Registered Users Posts: 136 ✭✭Batzoo


    Batzoo, where does the GDPR say that a data subject can request access via a non-party?
    Who said that, I did not.

    I said the data subject can designate a 3rd party to act on their behalf, but the verification of the data subjects and that consent has to be confirmed. This is bigger than the GDPR. This 3rd party could be representing someone with an impairment, could also be a legal firm authorized to act on behalf of an injured party, could be a son or daughter acting on behalf of an elderly parent or may just be my mate Barry from down the pub who is good at dealing with these things.

    Basically the right of an individual to designate someone as a representative of their interests extends throughout history and is not new or exclusive to the GDPR. But this is not a "non-party", it is a designated 3rd party.


  • Registered Users Posts: 136 ✭✭Batzoo


    As I have been pointing out since the beginning...

    ...But what people here seem to be repeatedly missing is that personal data isn't everything you've ever posted on the internet. It's also not your IP address. Your email address is personal data if it can be used to identify you. If your email address is asdflaknasdf@spammail.com then no, that's not personal data.

    IPs or email addresses in general are considered personally identifiable information. I have used these many times over the years to identify individuals. These pieces of information are among the first things I would use to identify and profile someone. But even with VPNs and anonymous email servers, the information can be used, especially if they reuse it on other sites which they nearly always do. You may be amazed at how little information is required to open the door on someone's life. With that in mind, people tend to re-use usernames across sites. So any post which contains a user's name is personally identifiable information as it can be traced back to an individual.


    It is not a stick to beat small businesses that don't process data other than for the purposes it was given with.

    This I will agree on. Many people will abuse the requests, especially since they are free. It would have been wise to charge a token €5 fee for all requests, just to discourage misuse.


  • Closed Accounts Posts: 280 ✭✭Max Prophet


    As I have been pointing out since the beginning of this thread, many people are misunderstanding the purpose and scope of the GDPR.

    It quite clearly does not make data subjects the supreme arbiters of everything like many are suggesting. It gives data subjects rights over their personal data and the treatment of it as against data controllers, yes. It certainly does that.

    But what people here seem to be repeatedly missing is that personal data isn't everything you've ever posted on the internet. It's also not your IP address. Your email address is personal data if it can be used to identify you. If your email address is asdflaknasdf@spammail.com then no, that's not personal data.

    Also as I have said before, the GDPR does quite an admirable job at providing scope for proportionality and reason when it comes to the obligations on processors and controllers.

    In this post, I'm not targeting anyone specifically but what seems abundantly clear to me is that many of the self-proclaimed GDPR experts haven't read/understood the document. It is quite a remarkable and beneficial step towards protecting individuals against those who would use their personal information against their will and it is to be commended on that basis. It is not a stick to beat small businesses that don't process data other than for the purposes it was given with.

    Your IP address is considered personal data under GDPR - why do you make such sweeping and incorrect statements like they are facts? Perhaps it’s you that is missing the point?


  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 75,598 Admin ✭✭✭✭✭Beasty


    Your IP address is considered personal data under GDPR

    Is, or may be?

    Plenty of us use IPs that are shared, either via wi-fi connections at work, in cafes or other public areas. Equally some access via mobile phone connection - those IP addresses cannot be traced back to individual users, can they?


  • Closed Accounts Posts: 9,057 ✭✭✭.......


    This post has been deleted.


  • Closed Accounts Posts: 280 ✭✭Max Prophet


    Beasty wrote: »
    Is, or may be?

    Plenty of us use IPs that are shared, either via wi-fi connections at work, in cafes or other public areas. Equally some access via mobile phone connection - those IP addresses cannot be traced back to individual users, can they?

    CJEU rules that personal IPs can't be stored, unless to thwart cybernetic attacks or similar. Europe's top court has ruled that dynamic IP addresses can constitute "personal data," just like static IP addresses, affording them some protection under EU law against being collected and stored by websites


  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 75,598 Admin ✭✭✭✭✭Beasty


    CJEU rules that personal IPs can't be stored, unless to thwart cybernetic attacks or similar. Europe's top court has ruled that dynamic IP addresses can constitute "personal data," just like static IP addresses, affording them some protection under EU law against being collected and stored by websites
    The ones I am referring to are not personal, are they?

    There are several thousand people sharing the IP address I am posting from now. I accept an IP address in combination with an e-mail address "can" (not necessarily "will") ID someone. But I'm asking about public/corporate IP addresses not ones that "can" be linked to your home address


  • Moderators, Technology & Internet Moderators Posts: 10,339 Mod ✭✭✭✭LoLth


    CJEU rules that personal IPs can't be stored, unless to thwart cybernetic attacks or similar. Europe's top court has ruled that dynamic IP addresses can constitute "personal data," just like static IP addresses, affording them some protection under EU law against being collected and stored by websites

    pretty sure the CJEU said dynamic IPs were personal data once some additional criteria were met which pretty much set out that you had to be an ISP (capable of tying a dynamic IP allocated to a customer at that time) or an agency capable of gathering that data through legal means (LEA etc).

    Where boards may fall under this is if the user provides additional data that identifies them personally alongside the IP (such as a real-name email address or a site-owner email, or even their real name if it is unique enough to combine with an IP to identify the individual). Scraping OSINT sources does not fall under this category even though it could be argued that this would be "in combination with other data" but then you could argue that anything can be used in combination and I don't think this has been tested, legally, to that extent yet.

    even then, if the user consents to allow their IP address to be stored then that would allow boards to do so as long as they did not use it for any other purpose other than that which the user has agreed to (post attribution, account services etc). already there under closed accounts, nuisance measures and user accounts.


  • Registered Users Posts: 33,519 ✭✭✭✭dudara


    It will be interesting to see how this plays out as case law and practical application develops. The GDPR is a great step forward, but there are areas for interpretation which will be tested. I've personally learned a lot from working with lawyers over the past year and I'll be following this area with interest in the future.


  • Closed Accounts Posts: 39,022 ✭✭✭✭Permabear


    This post has been deleted.


This discussion has been closed.