New GDPR (General Data Protection Regulation) and phpBB

LaxSlash1993
Registered User
Posts: 152
Joined: Sat Sep 22, 2012 2:20 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by LaxSlash1993 » Sun Apr 15, 2018 4:12 am

tojag wrote:
Sat Apr 14, 2018 9:31 pm
tojag wrote:
Sat Apr 14, 2018 9:46 am
This is not an obligation, because no one forces you to use phpBB. This is an element of competitiveness on the market. Which software should I choose - lawful or having a legal problem?
Extensions are ok, but as I and others wrote, the extension is here today, and tomorrow it is gone because the author has abandoned it. That is why key elements should be in the core.
Why can others do it?
https://volunteers.joomla.org/teams/com ... ary-20-21-

I don't know :( Maybe phpBB is too small to achieve this? Why not organize crowdfunding for the GDPR goal?
Because not everyone wishes to have a GDPR compliant forum.

I may be wrong in my interpretation of what you're saying, so please by all means correct me if I am, but it sounds like you want GDPR functionality to be built into the core, and it be forced upon us (encrypted IPs, e-mails, etc)... not all of us want this, or any of this. A lot of existing extensions would have to be written, and doing any kind of direct database work could potentially be made much harder.
andrewilley wrote:
Sat Apr 14, 2018 5:39 pm
Such as yesterday's high court ruling in http://www.bbc.co.uk/news/technology-43752344 which now prevents Google from returning legitimately published official details of a court ruling from 10 years ago. Not that the information was inaccurate (which might have been cause for concern, or even deletion) but simply that it should no longer be possible for anyone to search for it as it is "obsolete", even though it is a matter of public record. All of which is rather like a Library being allowed to store old books and newspapers, but having to destroy any index-cards telling researchers where to find them.
Wow.

See, what amazes me is that Google and other big companies haven't read the writing on the wall, closed their Ireland branches and EU datacenters, and just moved completely to running everything and hosting everything in/from the US. Running anything in the EU is corporate masochism, if there even is such a thing.
Don't get me wrong, I do understand that there is some merit in the ideals behind the GDPR, but like everything else that the EU does, the actual implementation appears to be wordy (54,000+ so far), officious, over-bureaucratic, over-reaching nonsense once you see it in the real world.

Andre
I do too, for *some* of the things in it. But not all things that have merit should be written into regulation/law.

Mick
Support Team Member
Posts: 18872
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Mick » Sun Apr 15, 2018 8:25 am

the actual implementation appears to be wordy
Much like this topic.
"The more connected we get the more alone we become" - Kyle Broflovski

There are no ‘threads’ in phpBB, they are topics.
Forza Garibaldi

stevemaury
Support Team Member
Posts: 48891
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by stevemaury » Sun Apr 15, 2018 3:12 pm

3Di wrote:
Sat Apr 14, 2018 8:57 pm

So we should say that we might be disinterested in implementing writing from right to left?
It is easy to fall into the limit of discrimination ;)
Pretty sure writing right to left is not mandated by any law, nor does failure to do so come with legal penalties.
For REALLY good and VERY inexpensive hosting CLICK HERE

I can stop all your spam. PM or email me.

All unsolicited PMs will be ignored.

tojag
Registered User
Posts: 240
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag » Sun Apr 15, 2018 9:09 pm

LaxSlash1993 wrote:
Sun Apr 15, 2018 4:12 am
I may be wrong in my interpretation of what you're saying, so please by all means correct me if I am, but it sounds like you want GDPR functionality to be built into the core, and it be forced upon us (encrypted IPs, e-mails, etc)... not all of us want this, or any of this. A lot of existing extensions would have to be written, and doing any kind of direct database work could potentially be made much harder.
Of course, I prefer to have it in the core, but the official extension supported by the Team would also be good. It is a matter of continuous supervision over the lawfulness of the software. Yes I know it is time + people + money. Hence my proposal for intentional financing.
LaxSlash1993 wrote:
Sun Apr 15, 2018 4:12 am
See, what amazes me is that Google and other big companies haven't read the writing on the wall, closed their Ireland branches and EU datacenters, and just moved completely to running everything and hosting everything in/from the US. Running anything in the EU is corporate masochism, if there even is such a thing.
Maybe data centers are in the US, but each of these large companies has its official representative in the EU, which can be addressed by the EU authorities in terms of compliance with law or others and with which Europeans conclude agreements. Personally, I have an AdSense deal with Google Ireland Ltd. and not with Google USA. This changed many years ago, although at the beginning I had a contract with Google USA.

In the EU, the right to be forgotten has been working for a few years (with which I do not necessarily agree) and in the search results Google displays:
"Some results may have been removed under European data protection law. More information"

You can send a form to Google and ask to be forgotten.
That means that great players respect the law even if they don't agree with it.
I renew my request. Let's not write about whether the GDPR is good or bad, but about what to do and how phpBB would comply with this law.

Lumpy Burgertushie
Registered User
Posts: 64083
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Lumpy Burgertushie » Sun Apr 15, 2018 11:53 pm

Most likely phpBB does not need to comply with the law, or at least with every possible situation as you seem to think.
If the law as it stands remains very long at all, I would assume that many, many parts of it will be struck down in courts all over the world.

But there is absolutely no reason to put something this bloated and crazy into the code. If someone wants to try and create an extension for each country that tries to help board owners to comply, that of course is up to them.
The whole idea of trying to include something this convoluted into the code of any piece of software seems like total insanity to me.

Especially if the law goes away or gets changed by the time the code was figured out etc.


robert
I am available for custom work on a donation basis. Please send me a PM with your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

CHItA
Development Team Member
Posts: 109
Joined: Sat Dec 06, 2008 10:27 pm
Location: Budapest, Hungary

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by CHItA » Mon Apr 16, 2018 6:53 am

This topic is getting way too long, and it seems to me that basically we are just going around in circles. I probably already wrote these points before, but let's do it again so it might help out with creating a set of features that might be implemented in the core.

What we could do:
  • The data export, account deletion etc.
  • Displaying your privacy policy or whatever on registration
  • We could add a checkbox to the contact form (however it seems strange to me, as you don't store any data there just send an email, so by the same logic, shouldn't email clients have a button where you consent to sending an email?)
  • Maintain a list of potential personal (by type) data stored.
And this is it off the top of my head.

We will not:
  • encrypt IPs and emails. It is not required as far as I know, and it also makes zero sense in this case.
  • write your privacy policy.
  • work out your data handling processes (which is to be honest the most important thing to comply).
This is enough to comply for most people. If you handle more sensitive data and you need more features, then it is your responsibility to implement them. In general, it is your responsibility to comply with any laws that you're subject to, and in the case of GDPR we are not able to solve everything for everyone, see the "We will not" list.

If you feel that something is missing from the list, or disagree or whatever, feel free to say so.

And no, it cannot be enforced anywhere outside the EU. If you are not a company, who would want to process data given to you by someone in the EU (and you are not in the EU yourself), GDPR cannot be enforced, so you can just ignore it. With that said, I suggest we stop debating why or why not ppl from outside the EU should care about GDPR.

zorni
Registered User
Posts: 111
Joined: Mon Mar 23, 2009 10:29 pm
Contact:

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by zorni » Mon Apr 16, 2018 7:10 am

While there has been talk here, the German forum is already working on a solution.

Thread: https://www.phpbb.de/community/viewtopi ... 9&t=241354
Author: https://tas2580.net/downloads/phpbb-privacyprotection/
Git: https://github.com/tas2580/privacyprotection

There's a first version of the English translation of this ext included as well.
If you need help with the translations at the German forum just use: https://www.deepl.com

Features so far:
  • User must agree on registration that admins may send him mails
  • User must accept the privacy policy upon registration
  • Users can download their profile data as CSV file in the profile
  • Users can download all their posts as CSV files
  • Link to privacy policy can be replaced by any URL
  • Inserts a link to the privacy policy in the footer
  • In the ACP you can force all users to accept the privacy policy
  • Anonymize IP addresses (all IPs are set to 127.0.0.1 and the IP info part is removed from MCP)

Todos/Bugs:
  • Block the forum until the user has accepted the new privacy policy

LaxSlash1993
Registered User
Posts: 152
Joined: Sat Sep 22, 2012 2:20 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by LaxSlash1993 » Mon Apr 16, 2018 3:37 pm

CHItA wrote:
Mon Apr 16, 2018 6:53 am
This topic is getting way too long, and it seems to me that basically we are just going around in circles. I probably already wrote these points before, but let's do it again so it might help out with creating a set of features that might be implemented in the core.

What we could do:
  • The data export, account deletion etc.
  • Displaying your privacy policy or whatever on registration
  • We could add a checkbox to the contact form (however it seems strange to me, as you don't store any data there just send an email, so by the same logic, shouldn't email clients have a button where you consent to sending an email?)
  • Maintain a list of potential personal (by type) data stored.
And this is it off the top of my head.

We will not:
  • encrypt IPs and emails. It is not required as far as I know, and it also makes zero sense in this case.
  • write your privacy policy.
  • work out your data handling processes (which is to be honest the most important thing to comply).
As long as the new features can all be turned off (not fond of data export especially) and disabled, looks good.

andrewilley
Registered User
Posts: 87
Joined: Fri Sep 12, 2008 7:28 pm
Location: Birmingham UK
Contact:

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by andrewilley » Mon Apr 16, 2018 4:02 pm

LaxSlash1993 wrote:
Mon Apr 16, 2018 3:37 pm
As long as the new features can all be turned off (not fond of data export especially) and disabled, looks good.
The problem seems to be (as far as I can tell anyway) that the Eurocrat legislators believe that their new law should extend anywhere in the world, to wherever EU citizens' data happens to be stored (which would appear to include their IP addresses, along with any posts voluntarily made to social media/forums/etc).

But the EU legislators are working on the basis that the website owner is providing a 'service' to the local EU citizen, and as such any of their personal information should be covered by the law of the country where the user is based. I don't quite see how they think they can enforce that though, especially when site owners, the webserver, and any data storage are all based in a non-EU country. Surely it's the same as ordering something by mail-order from another country - you have to apply the legal framework of the seller's location, not the customer's, as that is where the transaction took place.

My running of a small phpBB forum is a bit convoluted though. The server and data storage are both in the USA, and the site's subject-matter is a USA resort hotel so the vast majority of traffic is US-based but with a small but significant minority in the UK, and a tiny number of visits from the rest of Europe. However I, as site owner and administrator, happen to live in the UK. So now I have no idea where I stand - well not until the UK gets itself the hell out of the whole European behemoth in about 12 months.

Andre
--- Admin of www.portorleans.org

tojag
Registered User
Posts: 240
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag » Mon Apr 16, 2018 8:57 pm

CHItA wrote:
Mon Apr 16, 2018 6:53 am
What we could do:
  • The data export, account deletion etc.
  • Displaying your privacy policy or whatever on registration
  • We could add a checkbox to the contact form (however it seems strange to me, as you don't store any data there just send an email, so by the same logic, shouldn't email clients have a button where you consent to sending an email?)
  • Maintain a list of potential personal (by type) data stored.
This is what we need. It can be realized as one or a few separate extensions or as functionality built into the core.
zorni wrote:
Mon Apr 16, 2018 7:10 am
While there has been talk here, the German forum is already working on a solution.

Thread: https://www.phpbb.de/community/viewtopi ... 9&t=241354
Author: https://tas2580.net/downloads/phpbb-privacyprotection/
Git: https://github.com/tas2580/privacyprotection

There's a first version of the English translation of this ext included as well.
If you need help with the translations at the German forum just use: https://www.deepl.com

Features so far:
  • User must agree on registration that admins may send him mails
  • User must accept the privacy policy upon registration
  • Users can download their profile data as CSV file in the profile
  • Users can download all their posts as CSV files
  • Link to privacy policy can be replaced by any URL
  • Inserts a link to the privacy policy in the footer
  • In the ACP you can force all users to accept the privacy policy
  • Anonymize IP addresses (all IPs are set to 127.0.0.1 and the IP info part is removed from MCP)

Todos/Bugs:
  • Block the forum until the user has accepted the new privacy policy
Very interesting. I will test it soon! Thanks.
Zorni, do you allow users to delete their posts when deleting their account? Public posts may contain personal information but do not have to. Do you have your own policy for this?

zorni
Registered User
Posts: 111
Joined: Mon Mar 23, 2009 10:29 pm
Contact:

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by zorni » Tue Apr 17, 2018 5:55 am

No, I don't allow users to delete posts while they're terminating their account. They all gave us the right to use their posts, whether the account was deleted or not.

The GDPR gives users the right to inform us if there are personal data left to be anonymized, changed or corrected. And of course we'll do that, as we did the last ~16 years. At the moment we're composing a letter with questions for a state data protection officer, and this is one of the questions. (How to handle exactly this situation with usernames / posts / quotes)

tojag
Registered User
Posts: 240
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag » Tue Apr 17, 2018 7:04 am

Zorni, I see that you understand what is going on in GDPR. You have a similar approach to GDPR as me.
I also keep posts after deleting a user account, after first anonymizing the name of the author. The problem may be personal data in posts belonging to the account being deleted. Despite the provisions in the forum regulations, users do not submit any such post to moderation. It is difficult to assess by yourself whether a post can contain data that allows you to identify a particular person.
Most forums work so that the owners want to have the content of posts, and at the same time do not want to bear legal responsibility for this content. There can also be a problem here, because after IP anonymisation you cannot indicate the person who violated the law, such as copyright law. I do not have a way to solve it yet. I believe that the IP can be left without anonymisation. Although, as I know a national data protection office, they will say that someone can have a fixed IP that uniquely identifies him, and that's enough to need IP anonymisation. Currently, you can buy fixed IPs even for a mobile network.
There is still a lot of work and little time. I hope you can solve the problems and share it in the forum.

zorni
Registered User
Posts: 111
Joined: Mon Mar 23, 2009 10:29 pm
Contact:

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by zorni » Tue Apr 17, 2018 7:26 am

From my understanding the "nickname" and "personal data" thing is only a problem if there are real personal data linked. IPs are personal data, and that makes a nickname personal data, because ip <-> nickname are linked in the database. We avoid this problem by making the IP addresses anonymous (all IPs are 127.0.0.1). In the end, the nickname is not "personal data" anymore.
tojag wrote:
Tue Apr 17, 2018 7:04 am
There can also be a problem here, because after IP anonymisation you cannot indicate the person who violated the law, such as copyright law.
It's not my job to identify anyone. It's the job of the judicial authorities. If we don't store the IPs, we would be able to help them out with the registered E-Mail address, and from that point on, we don't care anymore.

tojag
Registered User
Posts: 240
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag » Tue Apr 17, 2018 8:48 am

zorni wrote:
Tue Apr 17, 2018 7:26 am
From my understanding the "nickname" and "personal data" thing is only a problem if there are real personal data linked. IPs are personal data, and that makes a nickname personal data, because ip <-> nickname are linked in the database. We avoid this problem by making the IP addresses anonymous (all IPs are 127.0.0.1). In the end, the nickname is not "personal data" anymore.
My national DPO wrote to me that a nickname and email address are personal data because they can contain a real name, surname, localization.
zorni wrote:
Tue Apr 17, 2018 7:26 am
It's not my job to identify anyone. It's the job of the judicial authorities. If we don't store the IPs, we would be able to help them out with the registered E-Mail address, and from that point on, we don't care anymore.
I don't understand... an email address is personal data, do you keep it after account deletion?? If not, how can you help them to identify the author of posts?
I had a situation where a user posted a photo on the forum using the [img] tag, and the photo breaks copyright. The author demanded compensation from me, and I had to write that I do not moderate the forum live and I do not know if the picture breaks copyright. I was summoned to the police to give personal data of the author of the post - nick, ip and email. When I leave posts and do not have an IP, who should I indicate as the author? This is a big problem.
It's safe to delete posts but I want to have content :(

zorni
Registered User
Posts: 111
Joined: Mon Mar 23, 2009 10:29 pm
Contact:

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by zorni » Tue Apr 17, 2018 9:15 am

I referred to the status of the usernames that remain visible after the account is deleted (if no Exts are used). In addition, the IP address is still available for posts of those deleted users.

There is no law that requires me to deliver data to law enforcement agencies that I do not store or even collect. The GDPR urges thrift in the collection of personal data. We save ourselves storing this data and that's fine for us, because I don't see any need to know which IP User r0xx0r1337 used 12 years ago :)
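
Added example, not part of any post above and not code from phpBB or the privacyprotection extension: a sketch of the IP anonymisation discussed in the last few posts, run against a small constructed SQLite database. The table and column names, the sample rows and the retention-window variant (which goes beyond the blanket 127.0.0.1 replacement described in the thread) are assumptions made for illustration.

```python
import sqlite3

PLACEHOLDER_IP = "127.0.0.1"  # value the thread says the extension writes
DAY = 86400
NOW = 1523944800  # constructed "current time" (17 Apr 2018, UTC)


def build_sample_db():
    """In-memory forum with constructed rows; the schema is hypothetical."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT,
                            user_ip TEXT);
        CREATE TABLE posts (post_id INTEGER PRIMARY KEY, poster_id INTEGER,
                            poster_ip TEXT, post_time INTEGER);
    """)
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "192.0.2.10"),
        (2, "bob", "2001:db8::42"),
    ])
    db.executemany("INSERT INTO posts VALUES (?, ?, ?, ?)", [
        (1, 1, "192.0.2.10", NOW - 4000 * DAY),   # very old post
        (2, 1, "198.51.100.7", NOW - 3 * DAY),    # recent post
        (3, 2, "2001:db8::42", NOW - 400 * DAY),  # old post
    ])
    return db


def anonymize_all(db):
    """Blanket approach from the thread: every stored IP becomes 127.0.0.1."""
    args = (PLACEHOLDER_IP, PLACEHOLDER_IP)
    n = db.execute(
        "UPDATE posts SET poster_ip = ? WHERE poster_ip <> ?", args).rowcount
    n += db.execute(
        "UPDATE users SET user_ip = ? WHERE user_ip <> ?", args).rowcount
    db.commit()
    return n


def anonymize_older_than(db, now, retention_days):
    """Assumed variant: keep IPs inside a retention window, blank older ones."""
    cutoff = now - retention_days * DAY
    n = db.execute(
        "UPDATE posts SET poster_ip = ? WHERE poster_ip <> ? AND post_time < ?",
        (PLACEHOLDER_IP, PLACEHOLDER_IP, cutoff)).rowcount
    # Registration IP goes too, unless the user posted inside the window.
    n += db.execute(
        "UPDATE users SET user_ip = ? WHERE user_ip <> ? AND user_id NOT IN "
        "(SELECT poster_id FROM posts WHERE post_time >= ?)",
        (PLACEHOLDER_IP, PLACEHOLDER_IP, cutoff)).rowcount
    db.commit()
    return n


def linkable_usernames(db):
    """Usernames that a join can still tie to a real IP address."""
    rows = db.execute(
        "SELECT DISTINCT u.username FROM users u "
        "LEFT JOIN posts p ON p.poster_id = u.user_id "
        "WHERE u.user_ip <> ? OR p.poster_ip <> ? ORDER BY u.username",
        (PLACEHOLDER_IP, PLACEHOLDER_IP)).fetchall()
    return [r[0] for r in rows]
```

With a 90-day window, only the user who posted recently can still be joined to an address; after the blanket update the nickname-to-IP link is gone for every row.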
