Updated GDPR policy and new Terms of Use

Franz Von Peppercorn · 05-12-2018 1:51pm

Jay Gigantic Plantation wrote: »

I acknowledge that it makes it more difficult to identify a user, but I disagree that it makes it impossible.

In some long-running chat threads on Boards, some contributors have posted hundreds if not thousands of times within the same thread. Even if the poster's ID is changed for each thread, hundreds or even thousands of posts could remain grouped together -- which, in aggregate, can contain more than enough information to render a specific individual identifiable.

These cosmetic protections fall far short of what is provided for in the right-to-erasure provisions of the GDPR. I appreciate that you're acting under orders from your higher-ups here, but I'd caution against claiming that these provisions make it impossible for someone to be identified. They don't. They just make it less likely.

Can you find any legal case against any forum that actually proves your point?

Franz Von Peppercorn · 05-12-2018 1:53pm

Jay Gigantic Plantation wrote: »

Personal data under the GDPR extends far beyond a person's name, address, phone number, email address, and PPSN. It is defined as "any information relating to an identified or identifiable natural person," including "factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

That’s an awful lot of information. A person's gender, hair colour, job, purchases, social and political views, favourite books, hobbies, health issues, etc., could all be considered personal data under the GDPR.

Saying that you will remove personal data on request sounds good in theory -- but if a person has thousands of posts, is she supposed to comb through them all for factors specific to her physical, physiological, genetic, mental, economic, cultural or social identity?

Apparently some other user is expected to do that, work out who the alias in every thread is referring to, and find the identifiable natural person.

Franz Von Peppercorn · 05-12-2018 2:02pm

Jay Gigantic Plantation wrote: »

It's interesting that pointing out issues with this new policy draws an accusation of trying to start an "argument."

Boards is entitled to put in place any policy it likes. But refusing to remove a user's posting history in its entirety, which, in the view of many legal experts as well as "laymen," is the only meaningful way to respect the right to erasure to which data subjects are entitled under law, is likely to be tested in the courts at some point.

Boards sought legal advice back in May, and was told to put in place a mechanism by which users could delete all their posts. But the implementation was only ever partial, because numerous quoted posts were left untouched. People were eventually informed of a glitch under which the deletion script did not remove posts that had been quoted using the Touch site -- but, even months later, there was no fix for that issue. Some affected posters followed up with Boards.ie: GDPR but received no reply, despite sending repeated messages over the course of months.

Now there is another policy under which Boards will not erase posting histories, but endeavor to prevent posts from being tied together under a single identifier. That certainly makes it more difficult to attribute posts to an identifiable individual, but it by no means makes it impossible, as staff are claiming. It is yet another partial fix to the problem.

There’s nobody making this argument but you. Seriously. The data commissioner is in place. There are data commissioners all over Europe. There are probably hundreds of forums. Most are annoymizing user data on close. And that is the software that WordPress added.

5starpool · 05-12-2018 2:55pm

I'm guessing that this anonymizing doesn't extend to changing the mentioning of a username in a post? If someone replies to a post and says something like "Well 5starpool, as you well know....." I assume this will remain in tact as it is part of a post body rather than data connected with a post?

Impossible to do properly without possibly replacing loads of actually meaningful words (not in my usernames case obviously), but just wondering out of curiousity if anything around this was considered?

nim1bdeh38l2cw · 05-12-2018 4:55pm

5starpool wrote: »

I'm guessing that this anonymizing doesn't extend to changing the mentioning of a username in a post? If someone replies to a post and says something like "Well 5starpool, as you well know....." I assume this will remain in tact as it is part of a post body rather than data connected with a post?

Impossible to do properly without possibly replacing loads of actually meaningful words (not in my usernames case obviously), but just wondering out of curiousity if anything around this was considered?

Well 5starpool, I would suggest that if you were to exercise your Article 17 right, and this post remained unedited, then that would be a breach of the regulation.

vargoo · 05-12-2018 7:21pm

What is the penalty for someone breaching this law?

Franz Von Peppercorn · 05-12-2018 7:34pm

Seth Spicy Miser wrote: »

Well 5starpool, I would suggest that if you were to exercise your Article 17 right, and this post remained unedited, then that would be a breach of the regulation.

Probably not. There’s a concept of best effort in the legislation. Boards has over reacted to Gdpr already. Is now in compliance with its software.

Beasty · 05-12-2018 7:35pm

vargoo wrote: »

What is the penalty for someone breaching this law?

Up to €20m (which is a lot) or 4% of global turnover ( which is diddley squat around here).The higher penalty could apply....

...but there is likely to be a long way to go before anyone gets that sort of fine. I'm sure there will be some test cases probably involving some of the global tech giants. They can afford the best lawyers though and if necessary would defend a the way to the European Court.

If complaints are made I think the local regulator will initially assess compliance and would probably give businesses instructions to comply before going down the penalty route. Equally I suspect any penalties that are sought for now will be towards the lower end of the scale as this legislation beds in.

AndrewJRenko · 06-12-2018 9:20am

Are moderator discussions about the actions of a particular poster included with an access request?

Boards.ie: Mark · 06-12-2018 11:58am

There is no additional personal data within these moderator discussions that we don't already include in a subject access request, so no.

Esel · 06-12-2018 4:20pm

Boards.ie: Mark wrote: »

There is no additional personal data within these moderator discussions that we don't already include in a subject access request, so no.

Will any occurrence of the username in these discussions be anonymised if the user makes a deletion request under GDPR?

AndrewJRenko · 06-12-2018 9:15pm

Boards.ie: Mark wrote: »

There is no additional personal data within these moderator discussions that we don't already include in a subject access request, so no.

Thanks for getting back to me. How can you be sure that there is no additional personal data unless you check each discussion? If, for example, a moderator were to say that "I think that poster A is a rereg of poster B, that is personal data of both poster A and poster B".

Boards.ie: Mark · 07-12-2018 1:38pm

Esel wrote: »

Will any occurrence of the username in these discussions be anonymised if the user makes a deletion request under GDPR?

No, this will not be anonymised.

AndrewJRenko wrote: »

Thanks for getting back to me. How can you be sure that there is no additional personal data unless you check each discussion? If, for example, a moderator were to say that "I think that poster A is a rereg of poster B, that is personal data of both poster A and poster B".

Poster B is entitled to submit a Subject Access Request themselves through the various channels (PM to Boards.ie: GDPR or e-mailing datarequests@boards.ie), in which case they will be provided with the data that we hold on them. Poster A is not entitled to any Personal Data that we process with regard to another user.

LuckyLloyd · 07-12-2018 10:01pm

I used the facility to delete posts in specific forums from a long time ago. I’m glad I got in on it while it was there. It was clear that it was already being abused and - like the close account feature - was proving detrimental for the flow of the site.

dudara · 08-12-2018 10:39am

Esel wrote: »

Will any occurrence of the username in these discussions be anonymised if the user makes a deletion request under GDPR?

Usernames will be deleted where they are part of post metadata (e.g. structured data which is easily searchable etc). But if a username appears within the text string of a post, then my understanding is that it will not be automatically deleted. The script does not, nor cannot, distinguish it from a regular word.

In this case, the data subject should contact Boards and ask for it to be manually removed.

IMPO, while I am not a lawyer or qualified in data privacy but I did gain a lot of in-depth experience in past year through work, this is a good solution. It’s practical and represents a commitment from Boards to address personal data concerns. It works for the site in that posts and discussion flow will be largely maintained while still giving data subjects the ability to request the exercise of their rights.

Necronomicon · 08-12-2018 1:05pm

Boards.ie: Mark wrote: »

Can I ask what device, browser, and OS you're using? And are you logged in or out, are you using incognito mode, and do you have any addons such as Privacy Badger or Ad Blockers running? Thanks.

Sorry I forgot about my previous post, just opened the mobile site again and the banner popped up, reminding me.

Device: iPhone 8
Browser: Chrome
OS: iOS12

AndrewJRenko · 08-12-2018 1:13pm

Boards.ie: Mark wrote: »

No, this will not be anonymised.

Poster B is entitled to submit a Subject Access Request themselves through the various channels (PM to Boards.ie: GDPR or e-mailing datarequests@boards.ie), in which case they will be provided with the data that we hold on them. Poster A is not entitled to any Personal Data that we process with regard to another user.

A statement that links Person A to Person B is personal data of both Person A AND Person B equally. How can you possibly say that such a statement refers to one and not the other?

blackwhite · 10-12-2018 10:35am

AndrewJRenko wrote: »

A statement that links Person A to Person B is personal data of both Person A AND Person B equally. How can you possibly say that such a statement refers to one and not the other?

It's only personal data if it's identifiable.

If all means of identifying Person A has been scrubbed from the site - then one-off references to their username are highly unlikely to qualify as identifiable.

AndrewJRenko · 10-12-2018 3:36pm

blackwhite wrote: »

It's only personal data if it's identifiable.

If all means of identifying Person A has been scrubbed from the site - then one-off references to their username are highly unlikely to qualify as identifiable.

I'm not talking about a deletion request scenario.

I'm talking about current data, without any scrubbing.

Ken. · 13-12-2018 9:32pm

Something that just came to my mind and might have been answered already. Lets say AJR above gdpr's his posts and ye do what ye do. Can I then after that request a name change to his name?

Beasty · 13-12-2018 9:45pm

Grinchbot wrote: »

Something that just came to my mind and might have been answered already. Lets say AJR above gdpr's his posts and ye do what ye do. Can I then after that request a name change to his name?

I can't see how we could stop a new user signing up with that name, so equally unless we maintain a list of all usernames where such an "anonimisation" request was made, I can't see how we could prevent anyone wanting to use the name

AndrewJRenko · 15-12-2018 12:29am

AndrewJRenko wrote: »

A statement that links Person A to Person B is personal data of both Person A AND Person B equally. How can you possibly say that such a statement refers to one and not the other?

Can I please get a response to this query. This isn't about deletion requests - just a general GDPR access request.

Beasty · 15-12-2018 11:16am

AndrewJRenko wrote: »

Can I please get a response to this query. This isn't about deletion requests - just a general GDPR access request.

Unless there is irrefutable proof the two accounts have been set up and used by the same person, surely the site cannot reveal details of discussion about user B to user A

In that situation is it not necessary for both user A and user B to submit separate requests?

the_pen_turner · 15-12-2018 11:19am

i can see that you cannont say who you thought the poster was but surely you have to tell them you thought they were another poster

Beasty · 15-12-2018 11:28am

the_pen_turner wrote: »

i can see that you cannont say who you thought the poster was but surely you have to tell them you thought they were another poster

I don't know, and I am not a lawyer. Even if I was I suspect we could be in unchartered legal territory

I continue to struggle to understand how discussion about anonymous users can be considered personal data in the first place. However ultimately that's for the site and it's employees to consider - it's certainly above an Admin's paygrade

droidman123 · 15-12-2018 1:29pm

Just to make you all aware,not really related to gdpr,but those admins have access to all your email address,s

hullaballoo · 15-12-2018 2:09pm

I for one sell penis enlargement equipment at a hefty profit with this invaluable resource.

ezra_ · 15-12-2018 2:22pm

droidman123 wrote: »

Just to make you all aware,not really related to gdpr,but those admins have access to all your email address,s

Access to a person's email address (and what is done with that knowledge) pretty much cuts to the heart of principles of GDPR...

oscarBravo · 15-12-2018 5:02pm

ezra_ wrote: »

Access to a person's email address (and what is done with that knowledge) pretty much cuts to the heart of principles of GDPR...

More so the latter. I have access to all sorts of personal data in my day job. It's what I do with that data that primarily concerns GDPR.

As an admin, I could find out what your email address is. I won't, because I don't care and it's none of my business. Even if I did, I couldn't and wouldn't disclose it or do anything nefarious with it, because that would be a GDPR breach.

AndrewJRenko · 15-12-2018 11:12pm

oscarBravo wrote: »

More so the latter. I have access to all sorts of personal data in my day job. It's what I do with that data that primarily concerns GDPR.

As an admin, I could find out what your email address is. I won't, because I don't care and it's none of my business. Even if I did, I couldn't and wouldn't disclose it or do anything nefarious with it, because that would be a GDPR breach.

No, it's not just 'what you do'. GDPR requires 'privacy by design'. So if you don't NEED access to the email address to do your job, you shouldn't have access to it. It shouldn't rely on your professionalism and goodwill, because someday, there will be someone in the role who doesn't have that professionalism and goodwill.

Beasty wrote: »

I continue to struggle to understand how discussion about anonymous users can be considered personal data in the first place. However ultimately that's for the site and it's employees to consider - it's certainly above an Admin's paygrade

They're not anonymous once you link them to real people, using email or other connections.

Beasty wrote: »

Unless there is irrefutable proof the two accounts have been set up and used by the same person, surely the site cannot reveal details of discussion about user B to user A

In that situation is it not necessary for both user A and user B to submit separate requests?

The issue, as you presumably have worked out, is that the standard used by moderators to link two users is not the 'irrefutable proof' standard you mention.

So if moderators are using a different standard to link two users, they can't then turn around later for GDPR purposes and say 'we didn't know it was the same person', shortly after they said 'you're the same person'.

xi5yvm0owc1s2b · 17-12-2018 10:31am

Beasty wrote: »

I continue to struggle to understand how discussion about anonymous users can be considered personal data in the first place.

The GDPR defines personal data as "any information relating to an identified or identifiable natural person," while Boards' own privacy policy defines it as "information that identifies you as an individual or is capable of doing so."

Boards users are not anonymous. As the site's own terms of use state: "we cannot guarantee that other users will not be able to determine your identity."

Any information that can help determine a person's identity is personal data. If I know that someone has red hair, drives a Ford Focus, works in IT, is married to an accountant, lives in Galway, has two children, and voted Yes to repeal the 8th Amendment, well, that's all personal data under law, because it all relates to an identifiable natural person.

Mod/admin discussions about a poster may also contain personal data. It's quite easy to imagine how this is the case. For example, Account A might be linked to Account B because they share the same interests, post in the same forums, express a similar social or political viewpoint, and so on. Those interests and viewpoints are expressly defined under the GDPR as personal data.

seamus · 17-12-2018 10:58am

AndrewJRenko wrote: »

The issue, as you presumably have worked out, is that the standard used by moderators to link two users is not the 'irrefutable proof' standard you mention.

So if moderators are using a different standard to link two users, they can't then turn around later for GDPR purposes and say 'we didn't know it was the same person', shortly after they said 'you're the same person'.

Now you're making a bit of a leap Andrew.

Admins / mods don't require "irrefutable proof" that two users are the same. It's a "best guess". For the purposes of banning and sanctioning, this is good enough.

For GDPR purposes, a "best guess" wouldn't be good enough to risk a breach.

At best you could probably be provided with a list of users whom the site thinks are linked to your account, but with the other names anonymised. Numbered, maybe.

ezra_ · 17-12-2018 11:17am

oscarBravo wrote: »

More so the latter. I have access to all sorts of personal data in my day job. It's what I do with that data that primarily concerns GDPR.

As an admin, I could find out what your email address is. I won't, because I don't care and it's none of my business. Even if I did, I couldn't and wouldn't disclose it or do anything nefarious with it, because that would be a GDPR breach.

Yes and no, I think on this one.

Yes - you are 100% spot on from your perspective.

No, in that if Boards.ie Ltd gives access by default to admins and employees then that access, in and of itself, may come under scrutiny, especially given that for such scrutiny to occur, someone has goofed (or is thought to have goofed).

Beasty · 17-12-2018 12:23pm

Jay Gigantic Plantation wrote: »

Boards users are not anonymous. As the site's own terms of use state: "we cannot guarantee that other users will not be able to determine your identity."

Anyone who wishes to be anonymous can be anonymous on all public parts of the site. If people believe they have posted any information that may be Personally Identifiable Information they can ask for it to be removed

What constitutes Personally Identifiable Information is always going to be a matter of conjecture within certain grey areas. It may well be that some court ultimately decides that anything you have ever written in an internet chat-room is considered personally identifiable, but we are no-where near that at this stage.

Regardless of all of this, you cannot wipe another person's mind as easily as you can delete online content, and there is always likely to be some "intelligence" out there that you simply cannot have removed

xi5yvm0owc1s2b · 17-12-2018 12:51pm

Beasty wrote: »

If people believe they have posted any information that may be Personally Identifiable Information they can ask for it to be removed

See, that sounds great in theory. But look at a poster above like seamus, who has been a member of Boards since July 2001 and has 59,515 posts.

What if seamus wanted to remove all potentially identifying information from Boards? He'd have to go through his entire 17.5-year posting history -- which, even at a rate of 1 minute per post, would take him almost a thousand hours, or the equivalent of working 40 hours a week for around six months. He would then submit an enormous list of requested deletions that would give a coronary to whatever poor Boards staffer received it.

It's easy to locate personally identifying information if one has a few hundred posts. It becomes more difficult if one has a few thousand posts. And it becomes impossibly burdensome if one has tens of thousands of posts, as some posters do.

In short, there are some situations where blanket deletion is the only viable strategy for deleting all personally identifying information.

seamus · 17-12-2018 1:07pm

^^^
How would I prove that identifying information has been left behind unless I spend a thousand hours going through my post history?

Beasty · 17-12-2018 1:14pm

I know I have left plenty of PII about myself over the years. The onus is on me to find it if I would like it deleting though - only I posted it, and only I would have the remotest idea of where it may be

Regardless, the site has indicated in the OP a change in approach. I am not a lawyer, but I am one of those "charged" with helping the site run smoothly in line with its ToU and policies. There is nothing I have seen either here or elsewhere that suggests the site's approach is incorrect, other that statements made by certain posters who, it appears, think they know all there is to know about the topic

AndrewJRenko · 17-12-2018 11:13pm

seamus wrote: »

Now you're making a bit of a leap Andrew.

Admins / mods don't require "irrefutable proof" that two users are the same. It's a "best guess". For the purposes of banning and sanctioning, this is good enough.

For GDPR purposes, a "best guess" wouldn't be good enough to risk a breach.

At best you could probably be provided with a list of users whom the site thinks are linked to your account, but with the other names anonymised. Numbered, maybe.

There is no leap. There is no provision in GDPR for differing standards of proof. If there were, it would undermine the whole principle of GDPR - every data processor in Europe would come up with different standards to ensure that data linked for operational reasons is not linked for GDPR purposes.

If you are linking, for example, me as being the same person as other user(s) for operating purposes, and there is any correspondence that refers to me, including correspondence setting out details of this linkage, that data is my PII, and must be provided to me in an access request. This is NOT about releasing data of those users - it is about releasing data about the linking to those users.

I'd be fairly confident the DPC would confirm this if an access request were referred to them.

seamus · 18-12-2018 9:23am

AndrewJRenko wrote: »

I'd be fairly confident the DPC would confirm this if an access request were referred to them.

Well, until that point, boards is entitled to maintain its GDPR policy.

Boards.ie: Mark · 18-12-2018 10:27am

AndrewJRenko wrote: »

If you are linking, for example, me as being the same person as other user(s) for operating purposes, and there is any correspondence that refers to me, including correspondence setting out details of this linkage, that data is my PII, and must be provided to me in an access request. This is NOT about releasing data of those users - it is about releasing data about the linking to those users.

I'd be fairly confident the DPC would confirm this if an access request were referred to them.

You are not entitled to the personal data of another user. If we were to provide you with another username on the back of an IP address, for example, and you're not that other user, then that would be a breach.

We have set out our legal position, and you have provided feedback, but with all due respect this is not something that is going to be changed as a result of debate.

droidman123 · 18-12-2018 10:48am

I think its important that people signing up for this site are clearly made aware that the admins will have access to their email address,s

18-12-2018 12:25pm

Question: Do non-employees of Boards have any access to personal data, e.g. IP addresses/emails/etc?

Boards.ie: Mark · 18-12-2018 12:49pm

The Terms of Use of the site, which users must agree to upon signup, say:

Moderators and Administrators
In order to allow for the proper administration of boards.ie we make use of third party moderators and administrators. And in order for them to properly carry out their functions as moderators and administrators they require access to personal information concerning you, your boards.ie account and your activity on the site. Such data is only permitted to be used by our third party moderators and administrators for the purposes of administering the site and cannot be used by them for any other purpose.

Only Admins can access e-mail and IP addresses.

18-12-2018 1:12pm

Cheers! I'd worry about the quality of legal advice received if the belief is "we don't need to control access to personal data because we can trust admins to only access data for valid reasons", "allowing third party volunteer access to personal data is a-ok as long as users consent", and they haven't insisted in the strongest possible terms that you pseudonymize personal data such as IP and email addresses.

That said, more power to ye and the likelihood of anything being referred to the DPC is slim-to-none - which is what pretty much every organisation in Ireland is relying upon.

droidman123 · 18-12-2018 1:59pm

I wonder,before now how many people were actually aware that the admins have access to their email address

AndrewJRenko · 18-12-2018 2:04pm

Deleted User wrote: »

That said, more power to ye and the likelihood of anything being referred to the DPC is slim-to-none

Why would you think that?

Under His Eye · 18-12-2018 2:42pm

Deleted User wrote: »

That said, more power to ye and the likelihood of anything being referred to the DPC is slim-to-none - which is what pretty much every organisation in Ireland is relying upon.

Do you realise that anyone can refer something to the DPC?

Simply write to her, send a letter to Portarlington.

xi5yvm0owc1s2b · 18-12-2018 3:10pm

Deleted User wrote: »

Question: Do non-employees of Boards have any access to personal data, e.g. IP addresses/emails/etc?

Yes. Admins are not employees but they have access to your personal data. It's noteworthy that admin access is held not only by those people currently administering the site, but quite a few individuals who seem to hold "honorary admin" status but have not been active on the site for years.

xi5yvm0owc1s2b · 18-12-2018 3:17pm

Under His Eye wrote: »

Do you realise that anyone can refer something to the DPC?

Simply write to her, send a letter to Portarlington.

Or you can just visit the website and click on "Raise a Concern."

Canis Lupus · 20-12-2018 7:56am

droidman123 wrote: »

I wonder,before now how many people were actually aware that the admins have access to their email address

I wonder how many actually care.

Updated GDPR policy and new Terms of Use

Comments