GDPR regulations

AmigoJack
Registered User
Posts: 6108
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: GDPR regulations

Post by AmigoJack »

John connor wrote: Sat Jan 27, 2018 4:16 am That would be met with so much backlash it wouldn't be funny.
I guess history would repeat with "Freedom Fries".
thecoalman
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: GDPR regulations

Post by thecoalman »

John connor wrote: Sat Jan 27, 2018 4:15 am Well, let's see. COPPA stands for The Children's Online Privacy Protection Act and is for children under 13. That makes more sense to me than an asinine bunch of crap about IP addresses and cookies.
To protect their privacy the law requires you to collect all kinds of data on them... just saying... In any event it's a stupid law that accomplishes nothing, and unless your site is intended for minors you can pretty much ignore it.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
LaxSlash1993
Registered User
Posts: 182
Joined: Sat Sep 22, 2012 2:20 am

Re: GDPR regulations

Post by LaxSlash1993 »

warmweer wrote: Fri Jan 26, 2018 9:36 pm When all sites registered with a European reseller or hosted by a European host are forced to comply.
If a US based domain registrar or host tried that against an American website/company for not complying with a bs EU law, they'd be hit with a lawsuit faster than roadrunner evading a coyote trap.
I'm thinking about sending a notice to all my members that I'm not going to comply with the GDPR and if that's a problem their account can be inactivated (without deleting any data connected to that account).
Contemplating this as well.
Mick
Support Team Member
Posts: 26502
Joined: Fri Aug 29, 2008 9:49 am

Re: GDPR regulations

Post by Mick »

LaxSlash1993 wrote: Mon Jan 29, 2018 10:41 pm Contemplating this as well.
Do you need to tell anyone, I doubt your users even know what GDPR is?
  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination. The bad news is, whatever humans can imagine, they can usually create." - Harmony Cobel
HiFiKabin
Community Team Member
Posts: 6671
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: GDPR regulations

Post by HiFiKabin »

After driving myself even more insane from reading the Three Volume Novel (i.e. the regulations), my PERSONAL opinion of the GDPR in relation to the phpBB software is:

1) A person needs to be delegated as being responsible for the security of the data entered by the user (that's you as the admin)

2) Should there be a breach of that data, the person above needs to report the breach and/or inform the users (that's you as the admin again)

3) Delete the user's details should s/he request it (this can be ignored for people who constantly sign up/request deletion)

4) You do not need to delete the user's posts as they are considered archive and/or public information, as they have been indexed and are therefore available elsewhere. IP information is also considered archive in this instance.

5) Should the user information (i.e. email address) be used for ANYTHING other than forum functionality, you MUST get explicit permission from the user (a pre-ticked "yes" box is not acceptable)

I am no lawyer (obviously); this is only my opinion.
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: GDPR regulations

Post by david63 »

HiFiKabin wrote: Tue Jan 30, 2018 5:19 pm A person needs to be delegated as being responsible for the security of the data entered by the user (that's you as the admin)
There is an argument that that is the responsibility of your host. There is only so much that you can do, as there is no way that you can secure a host's server.
HiFiKabin wrote: Tue Jan 30, 2018 5:19 pm Delete the user's details should s/he request it (this can be ignored for people who constantly sign up/request deletion)
There is one major problem with phpBB in this respect, and that is where a member whose details are to be deleted has been quoted in posts - possibly where they have been mentioned in posts.

My view about this, and I am not being complacent, is that there will be bigger fish to catch than the "hobby" boards - certainly in the short term. How many cases have there been under the "old" acts against hobby boards? Very few, if any, I would guess.
LaxSlash1993
Registered User
Posts: 182
Joined: Sat Sep 22, 2012 2:20 am

Re: GDPR regulations

Post by LaxSlash1993 »

HiFiKabin wrote: Tue Jan 30, 2018 5:19 pm After driving myself even more insane from reading the Three Volume Novel (i.e. the regulations), my PERSONAL opinion of the GDPR in relation to the phpBB software is:

1) A person needs to be delegated as being responsible for the security of the data entered by the user (that's you as the admin)

2) Should there be a breach of that data, the person above needs to report the breach and/or inform the users (that's you as the admin again)
I have mostly no issue with either of these two. I do take a slight issue with requiring the second one to be done within 72 hours, as that's not always enough time to fully determine the scope of a breach accurately, and may lead to either a false alarm or a false sense of security.
HiFiKabin wrote: Tue Jan 30, 2018 5:19 pm 3) Delete the user's details should s/he request it (this can be ignored for people who constantly sign up/request deletion)
Not every forum (i.e. ours) wishes to offer this option. We keep and retain as many details as possible about an account to, for example, identify multi-accounters. Plus, with the amount of modifications and integrated systems we have, deleting accounts and data would be a nightmare. The entire right to erasure is (one of) the huge reasons that we are not going to comply with this reg.
HiFiKabin wrote: Tue Jan 30, 2018 5:19 pm 4) You do not need to delete the user's posts as they are considered archive and/or public information, as they have been indexed and are therefore available elsewhere. IP information is also considered archive in this instance.

5) Should the user information (i.e. email address) be used for ANYTHING other than forum functionality, you MUST get explicit permission from the user (a pre-ticked "yes" box is not acceptable)

I am no lawyer (obviously); this is only my opinion.
All I'm gonna say when considering things such as archiving and legitimate purposes - displaying registrant info is not considered a valid purpose of the WHOIS system, and thus the WHOIS system as we know it today will have to cease to exist in order to comply with the GDPR.
HiFiKabin
Community Team Member
Posts: 6671
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: GDPR regulations

Post by HiFiKabin »

david63 wrote: Tue Jan 30, 2018 7:16 pm
HiFiKabin wrote: Tue Jan 30, 2018 5:19 pm A person needs to be delegated as being responsible for the security of the data entered by the user (that's you as the admin)
There is an argument that that is the responsibility of your host. There is only so much that you can do, as there is no way that you can secure a host's server.
True, but the basic idea still stands, as the breach may just be on your own database (including any local copy).
david63 wrote: Tue Jan 30, 2018 7:16 pm
HiFiKabin wrote: Tue Jan 30, 2018 5:19 pm Delete the user's details should s/he request it (this can be ignored for people who constantly sign up/request deletion)
There is one major problem with phpBB in this respect, and that is where a member whose details are to be deleted has been quoted in posts - possibly where they have been mentioned in posts.
I feel that falls within the realms of being 'publicly available'. YOU (as the user) have put the information in the public domain.
david63 wrote: Tue Jan 30, 2018 7:16 pm My view about this, and I am not being complacent, is that there will be bigger fish to catch than the "hobby" boards - certainly in the short term. How many cases have there been under the "old" acts against hobby boards? Very few, if any, I would guess.
Agreed

LaxSlash1993 wrote: Tue Jan 30, 2018 8:29 pm
HiFiKabin wrote: Tue Jan 30, 2018 5:19 pm After driving myself even more insane from reading the Three Volume Novel (i.e. the regulations), my PERSONAL opinion of the GDPR in relation to the phpBB software is:

1) A person needs to be delegated as being responsible for the security of the data entered by the user (that's you as the admin)

2) Should there be a breach of that data, the person above needs to report the breach and/or inform the users (that's you as the admin again)
I have mostly no issue with either of these two. I do take a slight issue with requiring the second one to be done within 72 hours, as that's not always enough time to fully determine the scope of a breach accurately, and may lead to either a false alarm or a false sense of security.
HiFiKabin wrote: Tue Jan 30, 2018 5:19 pm 3) Delete the user's details should s/he request it (this can be ignored for people who constantly sign up/request deletion)
Not every forum (i.e. ours) wishes to offer this option. We keep and retain as many details as possible about an account to, for example, identify multi-accounters. Plus, with the amount of modifications and integrated systems we have, deleting accounts and data would be a nightmare. The entire right to erasure is (one of) the huge reasons that we are not going to comply with this reg.
I feel that falls within the 'right to archive'; otherwise you would be unable to keep a list of banned email addresses.
LaxSlash1993 wrote: Tue Jan 30, 2018 8:29 pm
HiFiKabin wrote: Tue Jan 30, 2018 5:19 pm 4) You do not need to delete the user's posts as they are considered archive and/or public information, as they have been indexed and are therefore available elsewhere. IP information is also considered archive in this instance.

5) Should the user information (i.e. email address) be used for ANYTHING other than forum functionality, you MUST get explicit permission from the user (a pre-ticked "yes" box is not acceptable)

I am no lawyer (obviously); this is only my opinion.
All I'm gonna say when considering things such as archiving and legitimate purposes - displaying registrant info is not considered a valid purpose of the WHOIS system, and thus the WHOIS system as we know it today will have to cease to exist in order to comply with the GDPR.
It's a set of regulations written by lawyers for lawyers to make money for lawyers (so what's new? :roll: )

I have made the choice to post this message with my opinions under my phpBB.com username and as soon as I have hit the submit button it has become public knowledge. (ie it can be Googled etc) I have therefore explicitly waived my right to any claim to privacy of this post.

Think about it. A TV news reporter interviews me, with my consent, and it is broadcast worldwide. Can I then claim privacy and demand that any and all copies of that interview be erased from all media storage, including any private PVR recordings? Of course I cannot.

My feelings are that it's exactly the same with a publicly available forum, albeit on a smaller scale.
bastones
Registered User
Posts: 5
Joined: Wed Apr 16, 2008 2:05 pm

Re: GDPR regulations

Post by bastones »

HiFiKabin wrote: Tue Dec 26, 2017 4:21 pm The GDPR is confusing at best, and it covers more than just cookies.
That is exactly the torture I have been dealing with at work for the past three months.

My god, no one has a clue what the regulations really mean right now. To make matters worse, we get conflicting advice from different lawyers who are apparently the best in their field. :|

If you are based in the USA, you are not subject to EU data protection law unless you have a presence within the European Union and export data to the United States. You need to be subject to the EU-US Privacy Shield in order for you to lawfully export information protected under EU data protection law, because individuals need to be guaranteed the same rights to their personal information in the US as they are within the EU in these circumstances (this is not the same as saying US companies need to comply with EU data protection law simply because an EU national chooses to do business with them). Essentially the question is this: do you do business or other dealings within the European Union? This also includes whether or not you have servers within the EU. If yes to any of these questions, you are subject to EU law.

As everyone is aware by now, the UK is leaving the European Union in April 2019 (unless an extension is agreed between the member states before then) and GDPR comes from the EU. This means that technically, the UK will no longer be required to implement EU data protection law after jurisdiction is returned to Parliament. However, the UK government will be transferring all European laws into UK law with effect from the same time the UK ceases to be a member of the EU, so initially there will be no legal change in terms of the rights people have, and the obligations companies are bound by, under EU data protection law in effect at the time the transition happens. However, this is dependent on a) whether Parliament even does this, even though it is the government's intention, and b) whether Parliament imports the EU legislation in full or if they choose to make amendments to the law when it is imported.

I highly suspect the UK government will reach an agreement with the European Commission in the future (perhaps before the UK withdraws from the EU) in the same way that the US government reached an agreement with the European Commission to form the EU-US Privacy Shield (and this, by the way, is the successor to the Safe Harbour Principles which were ruled unlawful by the European Court of Justice in 2015). Hopefully the UK's agreement with the US carries a better name than something that sounds like an item from Toys R Us. Anyway, if an agreement is reached between the UK and EU, the UK government might also seek to reach a separate agreement with the US, unless this will be covered in some kind of future trade agreement.

Should clarify this is not legal advice and I might be wrong - I'm not a lawyer.
heinrich_k
Registered User
Posts: 229
Joined: Fri Jul 17, 2009 11:40 am

Re: GDPR regulations

Post by heinrich_k »

John connor wrote: Sat Jan 27, 2018 4:15 am Well, let's see. COPPA stands for The Children's Online Privacy Protection Act and is for children under 13. That makes more sense to me than an asinine bunch of crap about IP addresses and cookies. You would have to live in another universe not to know that all, and I mean ALL, websites record your IP address and most if not all use a cookie. Compare that to the protection of children.
Why should I be less protected since I turned 14?

The GDPR is far from perfect. But a fact is, the IPs you use, you use for a whole while. I mean it's not the 1990s anymore, when I had to disconnect from the internet every hour or so, only so that my mum could use the landline. So, you visit a couple of web pages, each and every one of them knows your IP, so what? They don't know of each other, so they don't know much about me... except they all redirect you to Google Analytics, and they sell all your data to online marketers. And suddenly a whole bunch of companies you have never even heard of know your ISP (from the IP), your OS, browser and possibly browser extensions (for the browser told them), the pages you visited and how long you have been there.
And the next time you are back, with a new IP, they still find you, for you visit some of the same pages and the session cookies not storing any personal information kick in and possibly tie your last session to your new one....

So, for you as an individual phpBB board operator it doesn't make so much sense to be forced to adhere to these rules. But it makes sense to globally issue these rules to draw back the influence big companies have over us, and possibly reduce the money they make in selling our information without any cash back for us.