Updated GDPR policy and new Terms of Use

threetrees · 05-12-2018 12:55am

The changes are great but please, how many time do you want me to agree? The constant banner and request to agree is ridiculous.

nim1bdeh38l2cw · 05-12-2018 12:57am

Franz Von Peppercorn wrote: »

What? She posts here?

No, but some bloke called Robert Galbraith does. I personally don't believe that this new policy is compliant, people have a posting style - it's how re-regs are spotted so quickly.

Franz Von Peppercorn · 05-12-2018 3:28am

Seth Spicy Miser wrote: »

No, but some bloke called Robert Galbraith does. I personally don't believe that this new policy is compliant, people have a posting style - it's how re-regs are spotted so quickly.

reregs are not identifiable natural personsif they are posting under a pseudonym.

pleas advice · 05-12-2018 3:41am

Franz Von Peppercorn wrote: »

reregs are not identifiable natural persons if they are posting under a pseudonym.

you could say that about any account

Franz Von Peppercorn · 05-12-2018 8:53am

pleas advice wrote: »

you could say that about any account

I would say that about most accounts.

xi5yvm0owc1s2b · 05-12-2018 10:41am

Kirby wrote: »

Does this actually comply with GDPR though? Just deleting/randomizing the posters name?

Probably not.

Article 17 of the GDPR states that: "The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay..."

Assuming that erasure means actual erasure, and not "we have taken additional steps to make it more difficult to identify the person behind the posts," then this new process would not seem to be GDRP-compliant, at least not to the letter of Article 17.

The OP states that "Boards, as a service, needs content in order to be useful." This is simply Boards putting its business interests ahead of posters' interests in insisting that Boards should retain all of its users' posted content, whether they like it or not.

Or, since users are asked to email privacy@thejournal.ie if they have issues with the use of their data, it is worth asking who is now pulling the strings.

Boards.ie: Mark · 05-12-2018 11:21am

We have sought further legal advice on this and ensured that we were compliant. We wouldn't have been allowed change anything otherwise.

As said above, we delete all Personal Data that is known to us; we delete all fields in a user profile, including their e-mail address and sign-up IP, and will anonymise their username per thread while deleting the "Find All Posts By..." history. These steps ensure that it is not possible to identify a user. The content of every post is not Personal Data and while Personal Data may remain in posts users can highlight this by contacting us at datarequests@boards.ie so that we can delete the data in question.

xi5yvm0owc1s2b · 05-12-2018 11:47am

Boards.ie: Mark wrote: »

These steps ensure that it is not possible to identify a user.

I acknowledge that it makes it more difficult to identify a user, but I disagree that it makes it impossible.

In some long-running chat threads on Boards, some contributors have posted hundreds if not thousands of times within the same thread. Even if the poster's ID is changed for each thread, hundreds or even thousands of posts could remain grouped together -- which, in aggregate, can contain more than enough information to render a specific individual identifiable.

These cosmetic protections fall far short of what is provided for in the right-to-erasure provisions of the GDPR. I appreciate that you're acting under orders from your higher-ups here, but I'd caution against claiming that these provisions make it impossible for someone to be identified. They don't. They just make it less likely.

Boards.ie: Mark · 05-12-2018 11:55am

We are acting based on legal advice received.

With regards to chat threads or any other thread

Boards.ie: Mark wrote: »

While Personal Data may remain in posts users can highlight this by contacting us at datarequests@boards.ie so that we can delete the data in question.

xi5yvm0owc1s2b · 05-12-2018 12:09pm

Personal data under the GDPR extends far beyond a person's name, address, phone number, email address, and PPSN. It is defined as "any information relating to an identified or identifiable natural person," including "factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

That’s an awful lot of information. A person's gender, hair colour, job, purchases, social and political views, favourite books, hobbies, health issues, etc., could all be considered personal data under the GDPR.

Saying that you will remove personal data on request sounds good in theory -- but if a person has thousands of posts, is she supposed to comb through them all for factors specific to her physical, physiological, genetic, mental, economic, cultural or social identity?

nim1bdeh38l2cw · 05-12-2018 12:12pm

Boards.ie: Mark wrote: »

The content of every post is not Personal Data and while Personal Data may remain in posts users can highlight this by contacting us at datarequests@boards.ie so that we can delete the data in question.

Why should the data subject have to tell the data controller where the data is held?

Boards.ie: Mark · 05-12-2018 12:15pm

Necronomicon wrote: »

It's still happening to me, and I've been using the site pretty consistently today. The notice is still appearing in a thread I've visited 6-7 times during the day. Using touch.boards.ie.

threetrees wrote: »

The changes are great but please, how many time do you want me to agree? The constant banner and request to agree is ridiculous.

Can I ask what device, browser, and OS you're using? And are you logged in or out, are you using incognito mode, and do you have any addons such as Privacy Badger or Ad Blockers running? Thanks.

Boards.ie: Niamh · 05-12-2018 12:25pm

Jay Gigantic Plantation wrote: »

Personal data under the GDPR extends far beyond a person's name, address, phone number, email address, and PPSN. It is defined as "any information relating to an identified or identifiable natural person," including "factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

That’s an awful lot of information. A person's gender, hair colour, job, purchases, social and political views, favourite books, hobbies, health issues, etc., could all be considered personal data under the GDPR.

Saying that you will remove personal data on request sounds good in theory -- but if a person has thousands of posts, is she supposed to comb through them all for factors specific to her physical, physiological, genetic, mental, economic, cultural or social identity?

With respect Jay Gigantic Plantation, your opinion on the meaning of GDPR and it's terms is based on your layman's interpretation (for want of a better term).

We have referred to and conferred with a legal team who are experts in this field and they have given their advice and approval of our new policy change to the letter.

There is no argument to be had here, the policy will remain as it is now until, perhaps, some point in the future when something new or some new aspect might come to light.

Boards.ie: Niamh · 05-12-2018 12:29pm

Seth Spicy Miser wrote: »

Why should the data subject have to tell the data controller where the data is held?

If a user doesn't notify us that there is personal data in their posts, then we do not know that there is personal data in their posts, to put it simply.

We do not and cannot (due to sheer volume) read through all posts on the site or even all posts of some individual users where they have thousands of posts over a period of years so we need to be notified of such content before we can find it and remove it.

nim1bdeh38l2cw · 05-12-2018 12:31pm

Boards.ie: Niamh wrote: »

If a user doesn't notify us that there is personal data in their posts, then we do not know that there is personal data in their posts, to put it simply.

We do not and cannot (due to sheer volume) read through all posts on the site or even all posts of some individual users where they have thousands of posts over a period of years so we need to be notified of such content before we can find it and remove it.

You don't need to read anything, you need a proper data classification system. Your data is structured, there is software available to specifically find PII in structured data

Boards.ie: Niamh · 05-12-2018 12:39pm

Seth Spicy Miser wrote: »

You don't need to read anything, you need a proper data classification system. Your data is structured, there is software available to specifically find PII in structured data

If we ever update to such a system, the policy will be amended at that time I'm sure but we have to deal with how we work right now, today, and right now it is as posted in Mark's OP.

Will I Am Not · 05-12-2018 12:46pm

Would this interfere with mod tools for recognising re reg accounts? If someone was banned from a particular forum, requested the removal of their details and had their account closed, would they then be able to register a new account and fly under the radar a lot easier?

xi5yvm0owc1s2b · 05-12-2018 12:52pm

Boards.ie: Niamh wrote: »

There is no argument to be had here, the policy will remain as it is now until, perhaps, some point in the future when something new or some new aspect might come to light.

It's interesting that pointing out issues with this new policy draws an accusation of trying to start an "argument."

Boards is entitled to put in place any policy it likes. But refusing to remove a user's posting history in its entirety, which, in the view of many legal experts as well as "laymen," is the only meaningful way to respect the right to erasure to which data subjects are entitled under law, is likely to be tested in the courts at some point.

Boards sought legal advice back in May, and was told to put in place a mechanism by which users could delete all their posts. But the implementation was only ever partial, because numerous quoted posts were left untouched. People were eventually informed of a glitch under which the deletion script did not remove posts that had been quoted using the Touch site -- but, even months later, there was no fix for that issue. Some affected posters followed up with Boards.ie: GDPR but received no reply, despite sending repeated messages over the course of months.

Now there is another policy under which Boards will not erase posting histories, but endeavor to prevent posts from being tied together under a single identifier. That certainly makes it more difficult to attribute posts to an identifiable individual, but it by no means makes it impossible, as staff are claiming. It is yet another partial fix to the problem.

Boards.ie: Mark · 05-12-2018 12:54pm

Will I Am Not wrote: »

Would this interfere with mod tools for recognising re reg accounts? If someone was banned from a particular forum, requested the removal of their details and had their account closed, would they then be able to register a new account and fly under the radar a lot easier?

We don't have the Men In Black tool that allows for memory erasing...and troublemakers tend not to be very good at changing their behaviour.

hullaballoo · 05-12-2018 1:00pm

Jay Gigantic Plantation wrote: »

It's interesting that pointing out issues with this new policy draws an accusation of trying to start an "argument."

Boards is entitled to put in place any policy it likes. But refusing to remove a user's posting history in its entirety, which, in the view of many legal experts as well as "laymen," is the only meaningful way to respect the right to erasure to which data subjects are entitled under law, is likely to be tested in the courts at some point.

Boards sought legal advice back in May, and was told to put in place a mechanism by which users could delete all their posts. But the implementation was only ever partial, because numerous quoted posts were left untouched. People were eventually informed of a glitch under which the deletion script did not remove posts that had been quoted using the Touch site -- but, even months later, there was no fix for that issue. Some affected posters followed up with Boards.ie: GDPR but received no reply, despite sending repeated messages over the course of months.

Now there is another policy under which Boards will not erase posting histories, but endeavor to prevent posts from being tied together under a single identifier. That certainly makes it more difficult to attribute posts to an identifiable individual, but it by no means makes it impossible, as staff are claiming. It is yet another partial fix to the problem.

Not any of the legal "experts" being paid to advise the site. Legal "experts" who carry the risk if their advice is incorrect.

As a legal "expert" myself, and one who specialises in data privacy, I fully endorse the advice given to the site in relation to the GDPR.

Your interpretation (and seemingly that of "many legal experts" unknown) is not one which would be accepted by anyone who has any expertise whatsoever in data privacy laws.

Franz Von Peppercorn · 05-12-2018 1:51pm

Jay Gigantic Plantation wrote: »

I acknowledge that it makes it more difficult to identify a user, but I disagree that it makes it impossible.

In some long-running chat threads on Boards, some contributors have posted hundreds if not thousands of times within the same thread. Even if the poster's ID is changed for each thread, hundreds or even thousands of posts could remain grouped together -- which, in aggregate, can contain more than enough information to render a specific individual identifiable.

These cosmetic protections fall far short of what is provided for in the right-to-erasure provisions of the GDPR. I appreciate that you're acting under orders from your higher-ups here, but I'd caution against claiming that these provisions make it impossible for someone to be identified. They don't. They just make it less likely.

Can you find any legal case against any forum that actually proves your point?

Franz Von Peppercorn · 05-12-2018 1:53pm

Jay Gigantic Plantation wrote: »

Personal data under the GDPR extends far beyond a person's name, address, phone number, email address, and PPSN. It is defined as "any information relating to an identified or identifiable natural person," including "factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

That’s an awful lot of information. A person's gender, hair colour, job, purchases, social and political views, favourite books, hobbies, health issues, etc., could all be considered personal data under the GDPR.

Saying that you will remove personal data on request sounds good in theory -- but if a person has thousands of posts, is she supposed to comb through them all for factors specific to her physical, physiological, genetic, mental, economic, cultural or social identity?

Apparently some other user is expected to do that, work out who the alias in every thread is referring to, and find the identifiable natural person.

Franz Von Peppercorn · 05-12-2018 2:02pm

Jay Gigantic Plantation wrote: »

It's interesting that pointing out issues with this new policy draws an accusation of trying to start an "argument."

Boards is entitled to put in place any policy it likes. But refusing to remove a user's posting history in its entirety, which, in the view of many legal experts as well as "laymen," is the only meaningful way to respect the right to erasure to which data subjects are entitled under law, is likely to be tested in the courts at some point.

Boards sought legal advice back in May, and was told to put in place a mechanism by which users could delete all their posts. But the implementation was only ever partial, because numerous quoted posts were left untouched. People were eventually informed of a glitch under which the deletion script did not remove posts that had been quoted using the Touch site -- but, even months later, there was no fix for that issue. Some affected posters followed up with Boards.ie: GDPR but received no reply, despite sending repeated messages over the course of months.

Now there is another policy under which Boards will not erase posting histories, but endeavor to prevent posts from being tied together under a single identifier. That certainly makes it more difficult to attribute posts to an identifiable individual, but it by no means makes it impossible, as staff are claiming. It is yet another partial fix to the problem.

There’s nobody making this argument but you. Seriously. The data commissioner is in place. There are data commissioners all over Europe. There are probably hundreds of forums. Most are annoymizing user data on close. And that is the software that WordPress added.

5starpool · 05-12-2018 2:55pm

I'm guessing that this anonymizing doesn't extend to changing the mentioning of a username in a post? If someone replies to a post and says something like "Well 5starpool, as you well know....." I assume this will remain in tact as it is part of a post body rather than data connected with a post?

Impossible to do properly without possibly replacing loads of actually meaningful words (not in my usernames case obviously), but just wondering out of curiousity if anything around this was considered?

nim1bdeh38l2cw · 05-12-2018 4:55pm

5starpool wrote: »

I'm guessing that this anonymizing doesn't extend to changing the mentioning of a username in a post? If someone replies to a post and says something like "Well 5starpool, as you well know....." I assume this will remain in tact as it is part of a post body rather than data connected with a post?

Impossible to do properly without possibly replacing loads of actually meaningful words (not in my usernames case obviously), but just wondering out of curiousity if anything around this was considered?

Well 5starpool, I would suggest that if you were to exercise your Article 17 right, and this post remained unedited, then that would be a breach of the regulation.

vargoo · 05-12-2018 7:21pm

What is the penalty for someone breaching this law?

Franz Von Peppercorn · 05-12-2018 7:34pm

Seth Spicy Miser wrote: »

Well 5starpool, I would suggest that if you were to exercise your Article 17 right, and this post remained unedited, then that would be a breach of the regulation.

Probably not. There’s a concept of best effort in the legislation. Boards has over reacted to Gdpr already. Is now in compliance with its software.

Beasty · 05-12-2018 7:35pm

vargoo wrote: »

What is the penalty for someone breaching this law?

Up to €20m (which is a lot) or 4% of global turnover ( which is diddley squat around here).The higher penalty could apply....

...but there is likely to be a long way to go before anyone gets that sort of fine. I'm sure there will be some test cases probably involving some of the global tech giants. They can afford the best lawyers though and if necessary would defend a the way to the European Court.

If complaints are made I think the local regulator will initially assess compliance and would probably give businesses instructions to comply before going down the penalty route. Equally I suspect any penalties that are sought for now will be towards the lower end of the scale as this legislation beds in.

AndrewJRenko · 06-12-2018 9:20am

Are moderator discussions about the actions of a particular poster included with an access request?

Boards.ie: Mark · 06-12-2018 11:58am

There is no additional personal data within these moderator discussions that we don't already include in a subject access request, so no.

Updated GDPR policy and new Terms of Use

Comments