GDPR and Boards.ie post removal policy **update linked in OP 24/5/18**

seamus

Bob24 wrote: »

I don’t have any legal right to use boards, but boards has a legal requirement to ensure that the option of accessing their service is not bundled with any condition/consent which prevents users from enjoying their full rights under GDPR.

Forcing a full account closure when someone makes a partial deletion request is borderline doing that, and possible crossing the line (essentially it is like saying: “as soon is you invoke GDPR, you’re banned” whereas GDPR clearly grants a right to request partial data deletion or correction).

Banning someone after complying with a GDPR request is not the same as making you waive your GDPR rights as a condition of your registration.

I can see how the argument can be made, but at no point is the individual's GDPR rights being removed or restricted.

Also, I wouldn't see a ban after a partial GDPR deletion request as necessary, as over time people may inadvertently and innocently reveal information about themselves.

But any request to delete everything should be regarded as an intention to terminate use of the service, closing the account in the process.

Bobeagleburger

Permabear wrote: »

This post had been deleted.

Report them is probably the best advice there.

Bob24

seamus wrote: »

Banning someone after complying with a GDPR request is not the same as making you waive your GDPR rights as a condition of your registration.

I can see how the argument can be made, but at no point is the individual's GDPR rights being removed or restricted.

If you are making it clear that as soon as someone invokes GDPR they will be banned, you are not very far from making them waive their rights. Essentially you are saying that GDPR is a once off right and you don’t allow partial use of people’s rights under GDPR. As I said it is probably a grey area, but I definitely see a legal argument here to be made saying that forcing someone to leave the service anytime they invoke GDPR is effectively restricting GDPR protections.

Franz Von Peppercorn

Bob24 wrote: »

I’d say if you do indeed have copies of PMs from boards mods linking your current account to previous accounts, you have a very strong legal case to demonstrate that the content of these account is potential your identifiable personal data.

Even if there is no logical link between those accounts on the boards database, the simple fact that a mod has it stored anywhere that those accounts are related is data managed by boards which links that old account to you.

yes I agree with that. If boards is going to handle deletion of posts then it should be for closed accounts. And indeed if a mod has sent a PM about your previous accounts then that should be enough.

Franz Von Peppercorn

Bob24 wrote: »

If you are making it clear that as soon as someone invokes GDPR they will be banned, you are not very far from making them waive their rights. Essentially you are saying that GDPR is a once off right and you don’t allow partial use of people’s rights under GDPR. As I said it is probably a grey area, but I definitely see a legal arguments here to be made saying that forcing someone to leave the service anytime they invoke GDPR is effectively is restricting GDPR protections.

People make things up as they go along. Getting kicked out of boards because you requested a deletion of all your posts, is exactly the same as getting kicked out of a website because you don't accept cookies.

I don't think there should be a universal delete option anyway, but saying that people have to close their account to delete isn't in contravention of the GDPR but in accordance with it.

In fact most of the GDPR is about data that a company has kept after you close your account. Theres all kinds of caveats to necessary data for business use while the account is open. Which is why my email is still associated here. And yours.

Permabear

This post has been deleted.

seamus

The record, I disagree that it's petty and vindictive. The user has clearly illustrated their wish to remove their content from a content-sharing platform and there's a non-negligible cost to the platform to comply with this request.

So they're perfectly within their rights to view it as a cost/value transaction and refuse to allow that user to continue using their platform.

That they choose to allow the account to remain open is benevolent generosity, rather than the correct thing to do, or upholding the rights of the individual.

My 2c.

Bob24

Franz Von Peppercorn wrote: »

People make things up as they go along. Getting kicked out of boards because you requested a deletion of all your posts, is exactly the same as getting kicked out of a website because you don't accept cookies.

And for the record, preventing someone from accessing a website because they refuse non-essential cookies is illegal under GDPR.

For exemple boards (or any website) doesn’t need consent to use cookies to maintain our login session as it is core functionality. But if they want to use advertisement-related cookies they need our consent, and it is illegal not to let us access the website because we don’t provide consent.

Franz Von Peppercorn

Bob24 wrote: »

And for the record, preventing someone from accessing a website because they refuse non-essential cookies is illegal under GDPR.

For exemple boards (or any website) doesn’t need consent to use cookies to maintain our login session as it is core functionality. But if they want to use advertisement-related cookies they need our consent, and it is illegal not to let us access the website because we don’t provide consent.

Thats specifically for advertising cookies. What we are dealing with here is people who want to delete something that should be essential to the business ( i.e. posts) while also continuing to use the service.

Its like me asking my ISP to delete all records they have of me while I continue to use the service. Just delete my address, emails and direct debit info, Ill continue to use the service.

When the op requested his posts be deleted, did he also delete the profile information?
No, because he can still log in.

Yet it is profile information that is definitely covered under the GDPR, other forums don't delete all posts but definitely delete profiles for a GDPR data deletion request.

Boards could easily say " We can delete all posts but we are also deleting your email and login information when we do this"

Which is an automatic closure.

Boards.ie: Niamh

Permabear wrote: »

This post had been deleted.

I think it's only fair that the same rules that apply to a new or re-registered account should also apply to an account that has essentially been reset to zero. You are welcome to post back in Feedback when you have 100 posts, you've already fulfilled the criteria to be registered for three months.

Access to private or access-by-request forums with a minimum post count criteria are not automatically revoked when a post count decreases. I think it's fair to leave it up to the local mods to decide if they want a user to remain or not after they've had their posts deleted.

pleas advice

the posts haven't been deleted, the postcount has just been reset to zero, it could just as easily be set to 50 or 100

Franz Von Peppercorn wrote: »

Boards could easily say " We can delete all posts but we are also deleting your email and login information when we do this"

Which is an automatic closure.

But should it automatically mean a siteban as well? the serial 'close account and re-register' is bad enough, people should be able to keep their username / account after deleting their posts if they want, IMHO

Bob24

Franz Von Peppercorn wrote: »

Its like me asking my ISP to delete all records they have of me while I continue to use the service. Just delete my address, emails and direct debit info, Ill continue to use the service.

No it is not the same.

Your direct debit info is essential to delivering the service (which requires to take payment, so if it is deleted the service needs to stop). Unless you decide to start paying by credit card or another payment method, in which case there will be no problem asking to delete direct debit info under GDPR.

Your whole whole post history is not essential to you using the service, so the service can keep being provided it is deleted (as illustrated by the fact that boards chose to do just that while your ISP would never chose to keep your service active if you don’t have an active payment method).

Franz Von Peppercorn

Bob24 wrote: »

No it is not the same.

Your direct debit info is essential to delivering the service (which requires to take payment, so if it is deleted the service needs to stop). Unless you decide to start paying by credit card or another payment method, in which case there will be no problem asking to delete direct debit info under GDPR.

Your whole whole post history is not essential to you using the service, so the service can keep being provided it is deleted (as illustrated by the fact that boards chose to do just that while your ISP would never chose to keep your service active if you don’t have an active payment method).

The whole post history of everybody is essential to the business case of this service.

You were implying that it would be illegal to kick someone out for asking for a deletion of posts. I don’t think that deletion of non identifiable posts is essential under GDPR anyway but if it were it could easily apply to closed accounts only or cause a close account on request. Why? Because a GDPR request should be about the most pertinent identifying data - emails and ip addresses not posts. So a request to data deletion should be everything.

Look at the knots the forum has gotten into over deleted emails and old accounts. On the one hand we hear that they will allow existing members to delete all old posts for reasons of anonymity. On the other they don’t delete the post history of older accounts.

If posts were identifying this clearly wouldn’t be an issue. They aren’t, so it is.

salonfire

How did a request for full data delete avoid deleting the username and password as well? Surely if this information was removed as well, users could have been able to log in again.

.......

This post has been deleted.

Bob24

Franz Von Peppercorn wrote: »

The whole post history of everybody is essential to the business case of this service.

This statement is very questionable as you are now equaling an individual right given to users to delete their post history (which is what we were discussing) to the disappearance of the whole post history on boards. And specifically boards’ management doesn’t agree with that statement as they are indeed allowing this type of deletion while obviously still trusting their business case and thinking it has a future: makes it hard to call something “essential” if the management of the company says is rather fine with doing away with it.

(plus in any case GDPR doesn’t care about “essential to the business model”, it cares about “essential to deliver the core service the user is accessing”)

Also just to be clear, I am not saying it would definitly be illegal to ban a user who requests all their posts to be deleted. I’m saying I can see how a legal case could be made to say it is a limitation of GDPR rights, so I think the original poster who said it would possibly be illegal has a valid point.

Boards.ie: Mark

Sorry Permabear, but a decision was made. You are welcome to provide Feedback, as all users who don't meet the criteria are, via Private Message or by e-mailing hello@boards.ie .

.......

This post has been deleted.

.......

This post has been deleted.

Insect Overlord

:rolleyes:

It's hardly a punishment. If someone wants the site to stick to the letter of the rules, then they should know that the rules will be applied to them too.

Pintman Paddy Losty

Pretty petty interpretation of the rules.

.......

This post has been deleted.

seamus

Apply the rules consistently = Petty

Apply the rules reasonably = Inconsistent

¯\_(ツ)_/¯

Batzoo

Just for some clarity as this thread seems to get sidetracked with irrationality.

Boards can delete, remove or ban accounts, users, data etc; They do not need user permission or legal advice to do so. Boards are an independent service and have no obligation as such to any of us!

Where a user requests to have their own posts deleted under GDPR, boards have no real option but comply. Technically it is meant to be personal and identifiable information, but this is a grey area as no legal precedent has been set yet. The only viable option is a blanket delete of the user posts as the alternative would take too many man hours to decipher what may or may not be considered personal and identifiable.

Another option that is valid is for the user to specifically request that a particular thread post be deleted. This is for boards to decide if that is a feasible action or too much trouble. In this case they can manually delete the thread post, or just run the script to remove all posts by the user. The user cannot insist on boards keeping certain posts available, as boards can delete any post, user or account without seeking that users permission.

The grey area is basically what is considered personally identifiable information. In isolation, one detail will not give you much. An IP address by itself is nothing, but combined with logs and history you could pinpoint an individual. Usernames and emails could be used for several accounts across the net and can be used to profile an individual. But these are some of the obvious things. Writing style and phraseology can also be used to identify an individual. Consistent spelling mistakes with certain words can be used to identify an individual. These are all less obvious but commonly used ways to identify somebody. So with that in mind, basically every post can be considered personally identifiable even if it does not reveal how many kids you have or the name of your dog!

Until some legal precedent is set regarding what is personally identifiable information, the only option boards have is to comply with requests to delete posts regardless of the inane content they may contain. Even if a precedent is set, it would take a long time to go through thousands of posts to confirm if it was personal or not so the feasible option may always be just to delete once the request is made.

Ultimately, users requesting to delete posts will have minimal to no effect of boards as most people don't read threads older than a week or so. Anybody who uses boards zombie threads as some sort of wikipedia really needs to learn to use google.

KERSPLAT!

I've hundreds of emails with various posts included in them. For instance I could tell you Permabears life story without even accessing boards but direct from the emails sent from boards as a subscriber of certain threads.

What's the craic there? Obviously there's not much boards can do regarding my emails.

Are boards users free to discuss relevant information previously disclosed by users but which is now deleted? Or is it like when a user reregs, legitimately, in that you cannot disclose their previous username, etc.?

Beasty

KERSPLAT! wrote: »

I've hundreds of emails with various posts included in them. For instance I could tell you Permabears life story without even accessing boards but direct from the emails sent from boards as a subscriber of certain threads.

What's the craic there? Obviously there's not much boards can do regarding my emails.

Are boards users free to discuss relevant information previously disclosed by users but which is now deleted? Or is it like when a user reregs, legitimately, in that you cannot disclose their previous username, etc.?

There is nothing that can be done about information you have received via e-mail. Those records remain entirely under your control (subject to any restrictions placed by your email provider)

In terms of discussing items that are mentioned in those posts, I think that information has become "private" in your own possession, and I don't think you should "publish" such private information, in the same way as you are not allowed to publish PM content, without the other user's consent. These are my comments as a user of this site, and I have certainly not discussed this with other Admins of the office, who may have alternative interpretations

Having said all of that, these are exactly the sorts of issues where people and businesses need to consider exactly what they can and cannot do, certainly pending clarification, which may only come when we start seeing some test cases (which could be some time off)

seamus

Beasty wrote: »

In terms of discussing items that are mentioned in those posts, I think that information has become "private" in your own possession, and I don't think you should "publish" such private information, in the same way as you are not allowed to publish PM content, without the other user's consent. These are my comments as a user of this site, and I have certainly not discussed this with other Admins of the office, who may have alternative interpretations.

Just for clarity here, the person cannot reproduce, verbatim, the content of the posts which is now stored in their email.

But they absolutely can paraphrase or otherwise recall the information from memory. Boards can (try to) put a ban on users bringing up the content of deleted posts which they read, but it is not legally obliged to.

This is where the grey area exists. If poster B has deleted all her posts and poster A says, "I remember you said you live in Stoneybatter with your 5 kids and 3 parakeets", then poster A has done nothing wrong, but poster B may be able to request deletion of that data from boards.

Another reason why IMO a complete deletion should be an account closure, because then it removes that potential issue and protects all parties involved.

Why does Permabear keep writing 'This Post has been deleted'? And a lot of people look silly now for thanking "This Post has been deleted".

...

Surely somebody could press a button and delete Permabear and everything he's ever written - invariably variants on "Let them eat cake!" - and that's the end of that? It seems more straightforward than putting "This Post has been deleted" in each of his 8 million posts. It also wouldn't break up the thread as much. Additionally, I notice that when somebody quotes him, his quoted post says "This Post has been deleted", but other times you can still see his original post when it's quoted. What's the reason for this difference?

Most people can just close their accounts after all their personal data is (understandably) removed. Talk about a personal melodrama.

Canis Lupus

seamus wrote: »

Apply the rules consistently = Petty

Apply the rules reasonably = Inconsistent

¯\_(ツ)_/¯

Ah in fairness for someone normally so level headed you've surprised me there a bit. I think it's a bit weird to remove Permabears access to feedback. We all know what the 100 post rules is there for. His access revocation is a bit derpy to say the least. Boards mods/admin have for years in the dispute/prison forum made a distinction regarding 'letter of/spirit of' rules.

Boards.ie: Mark

Deleted User wrote: »

Why does Permabear keep writing 'This Post has been deleted'? And a lot of people look silly now for thanking "This Post has been deleted".

...

Surely somebody could press a button and delete Permabear and everything he's ever written - invariably variants on "Let them eat cake!" - and that's the end of that? It seems more straightforward than putting "This Post has been deleted" in each of his 8 million posts. It also wouldn't break up the thread as much. Additionally, I notice that when somebody quotes him, his quoted post says "This Post has been deleted", but other times you can still see his original post when it's quoted. What's the reason for this difference?

Most people can just close their accounts after all their personal data is (understandably) removed. Talk about a personal melodrama.

I may be misunderstanding. Are you asking why the posts don't just *poof* vanish? There are threads like this that would then disappear because of the technology (that's why threads started by re-reg trolls can disappear), while people responding to a post by someone who has lodged a GDPR request may look even sillier as they make a point, seemingly out of nowhere and in response to nothing.

On the quote side of things, Touch handles quotes differently to the Legacy or Responsive sites so we are looking into that issue.