New GDPR (General Data Protection Regulation) and phpBB

Ger
Registered User
Posts: 2108
Joined: Wed Jan 02, 2008 7:35 pm
Location: 192.168.1.100

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Ger »

stevemaury wrote: Wed Mar 07, 2018 6:15 pm When you post on a public forum accessible to Google, that is NOT "personal data".
It's not private, but it is personal.

When I post your name, address, email, etc. on phpBB, it's your personal data.
My extensions:
Simple CMS, Feed post bot, Avatar Resize, Modbreak, Magic OGP, Live topic update, Modern Quote, Quoted Where (GDPR) and Autoresponder.
Newest: FAQ manager for 3.2

Like my work? Buy me a coffee to keep it coming. :ugeek:

-Don't PM me for support-
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

Mick wrote: Thu Mar 08, 2018 10:03 am I think you (not us) need to decide exactly what you want to suit your country’s laws then either request an extension or add it as an idea. At the moment this is just going round in circles.
Mick, I read GDPR. Some basic issues do not require additional explanation. User consent must be mandatory, not implicit and expressed separately for each purpose. It must be collected by the administrator. This will be mandatory in every EU country.
GDPR wrote: (32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
CHItA wrote: Thu Mar 08, 2018 10:07 am There is already an extension for 2FA. I'm not sure about the contact form, as the data is not stored. I don't think that the default settings make that much of a difference either as far as GDPR goes.
Yes, but this extension is still not validated and users reported bugs. I am thinking about this: viewtopic.php?f=456&t=2341856
So I created the idea for 2FA: viewtopic.php?f=436&t=2438306

The default settings can not presume the user's consent.
I know that GDPR is a long and complicated document, I do not require you to read it but trust me, that I read it constantly and some elements I know by heart.
Paul
Infrastructure Team Leader
Posts: 28619
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Paul »

tojag wrote: Thu Mar 08, 2018 11:29 am

Yes, but this extension is still not validated and users reported bugs. I am thinking about this: viewtopic.php?f=456&t=2341856
So I created the idea for 2FA: viewtopic.php?f=436&t=2438306
You keep telling that there are bugs in that extension, but you didn't actually tell the extension author what those bugs are. The only thing reported is that "something" isn't working, but that is no help for anyone.
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

Forgive me Paul, I did not mean to offend you, but it was not me who said there were mistakes.
scriptman wrote: Fri Sep 01, 2017 9:09 pm Did not work on 3.2
Crashed it.
Paul wrote: Sat Sep 02, 2017 9:11 am Without any error it will be hard to fix it.
I support you! I keep looking into your thread topic and I am waiting for the work to be completed and the extension validated. It's really good work!
Sajaki
Registered User
Posts: 1390
Joined: Mon Mar 02, 2009 1:41 pm
Location: Amsterdam

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Sajaki »

I run a gamer forum. We use gamer nicks. Why should I care about GDPR, a bureaucratic nightmare?
AmigoJack
Registered User
Posts: 6108
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by AmigoJack »

Sajaki wrote: Thu Mar 08, 2018 10:22 pm I run a gamer forum. We use gamer nicks. Why should I care about GDPR, a bureaucratic nightmare?
  • I shoot, doing that on a closed field only. Why should I care about gun registration?
  • I sell honey, which never goes bad. Why should I care about food control and printing a best-before date on it?
  • I live, don't hurt myself and am not ill on purpose. Why should I care about paying into health funds, which only costs me money?
  • I run a German website, which is for fun only. Why should I care about following the rule to provide an imprint?
Because there are good reasons against ignoring it. The best reason is: one day you may be in the opposite position, and suddenly you understand the benefits of everything you previously denied.
  • "The problem is probably not my English but you do not want to understand correctly. ... We will not come anybody anyway, nevertheless, it's best to shit this." Affin, 2018-11-20
  • "But this shit is not here for you. You can follow with your. Maybe the question, instead, was for you, who know, so you shoved us how you are." axe70, 2020-10-10
  • "My reaction is not to everyone, especially to you." Raptiye, 2021-02-28
LaxSlash1993
Registered User
Posts: 182
Joined: Sat Sep 22, 2012 2:20 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by LaxSlash1993 »

CHItA wrote: Wed Mar 07, 2018 7:25 pm Sir, how dare you underestimate the stupidity of the regulatory bodies of the EU?
There's probably a regulation against doing that somewhere... :lol:
Sajaki wrote: Thu Mar 08, 2018 10:22 pm I run a gamer forum. We use gamer nicks. Why should I care about GDPR, a bureaucratic nightmare?
We're in the same situation. We're ignoring it completely. Being based in the US, we added this to our Privacy Policy, but this is the absolute extent to us budging anywhere on the GDPR:
Section I: Scope and who this policy covers
This policy shall be interpreted to apply to all users that use any service, online or otherwise, of [Community name]. Such services shall include services directly owned by [Community name], as well as the interaction of third-party services that [Community name] interfaces with through the usage of interfaces and facilities such as, but not limited to, APIs and data sharing. By connecting to any service owned by [Community name], or by interfacing with [Community name] through such a third party service, you express your agreement to this policy.

Section II: Legal Jurisdiction
[Community name] is based in the United States of America, and as such, it and all of its users, both domestic and foreign, are subject to United States jurisdiction. [Community name] does not comply with, respect, nor recognize, foreign data privacy laws, and is not under any obligation to be in compliance with them. This includes the laws of such countries and governing bodies that claim to have extra-territorial scope in such laws, such as the European Union. Through your use of [Community name] services, you recognize that your information will be submitted to and stored on servers within the United States of America. In certain cases, servers in other countries may be used to provide services that may store data in a temporary manner... however, all data will be ultimately stored on US servers.
There are also other small things in it, like saying that if we were breached and we ever had sensitive data (which we don't collect anyway, but just to cover us or w/e), we would report it, but would not cooperate in any investigation by agencies outside of the US.

Also, this may be relevant from a quote on Reddit if you are based in the EU:
Recitation 18: Individuals don't count.

If you can plausibly claim that an individual owns the data, and that the others running the site are friends helping the site, then the data-controller is an individual.
Outside of that, I wouldn't worry about it. I don't think that this reg will last for more than a year, if that. It's just the next EU Cookie Law, and the ePrivacy Act will be the same way.
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

Ger wrote: Thu Mar 08, 2018 11:13 am
stevemaury wrote: Wed Mar 07, 2018 6:15 pm When you post on a public forum accessible to Google, that is NOT "personal data".
It's not private, but it is personal.

When I post your name, address, email, etc. on phpBB, it's your personal data.
This is true!

Yesterday I had a 6-hour paid meeting with lawyers about GDPR.
They basically confirmed 100% what I wrote about here. In addition, they took it even harder than me. Much, and perhaps most, of the law is imprecise, so that lawyers can reach everyone if the need arises.
In principle, the meeting was on somewhat different topics, regarding GDPR in the organization, which is the company. HR, marketing and PR issues, etc. were discussed, but online activities as well. I did not have time to discuss only the issues of the online forum in detail. However, I asked about consents and their scope, data archiving, activity records, and contracts with the hosting company for maintenance, storage and processing of my database.

Generally, I have to have the consent of the person whose data we collect for everything.
The consents should be stored in order to prove that we hold the data legally. If we change the content of the consent, the previous wording should be kept, so that data obtained at some earlier time can be shown to refer in detail to something other than what we are entering now.
Each goal is a separate agreement - eg newsletter, forum service, self-marketing, partner marketing, user profiling, etc.
It should be written who and where the data is stored. If there are subcontractors, e.g. a hosting company, it must be described. You should have a data processing agreement with such a company (personally I have it).
The user must be able to withdraw consent.
The user must be able to change, update or delete data.
The user must know to which body he may file a complaint about me regarding personal data (eg the national authority where I run my business).
This is described in the GDPR as an information obligation.

In the case of deleting posts together with the account: it depends. If the posts contain personal information, they should be deleted. It is not important that these data were made public. Everyone has the right to put an address card on the wall and then take it off. GDPR even orders that other administrators who might have the just-deleted data be notified.
Those of you who live in the EU have certainly noticed that Google is already removing data from the search engine at the request of people from the EU. This is the right to be forgotten, respected by Google for a few years now (https://www.google.com/policies/faq/ , http://curia.europa.eu/juris/document/d ... cid=276332)

The 2FA I asked for is another aspect. This is one of the technical solutions that can help us achieve better security in collecting and processing data. Of course, we should add SSL, collaborate with trusted hosting companies, and more, according to the needs resulting from the safety analysis.

And, of course, the procedure. It is necessary to create documentation compliant with GDPR which describes everything we do: what data we collect, from whom, for what, for how long, a description of the IT system, security, areas of action, data entry procedures, securing, deleting, reporting violations, etc. It is necessary to prove that we act in accordance with the law when an inspection comes to us. As a lawyer said, GDPR assumes in advance that the administrator is doing something illegal, and the administrator must prove that everything is in accordance with the law.
I would recommend to ask people who work in hosting companies what procedures are to keep the security of stored data.

These are not my fantasies. I do not need it! That's only what the lawyers told me yesterday: two legal advisors, one data officer, and one data protection specialist with a doctoral degree.

I have to put everything in my head. There is not much time left, and the lawyers are happy and they count the money :(
AmigoJack
Registered User
Posts: 6108
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by AmigoJack »

tojag wrote: Wed Mar 28, 2018 11:25 am I have to have the consent of the person whose data we collect for
Unless your wording is imprecise: next time ask the lawyer what distinguishes a person from a user. If I need consent of a person, and a user can withdraw that then this only raises more questions. It is one issue to follow all GDPR principles, but it is another issue to identify a person (internet wise). Accounts (read: effectively what then appears as the user) can be used by multiple persons - one could give consent, another could revoke it - is this really intended?

tojag wrote: Wed Mar 28, 2018 11:25 am GDPR assumes in advance that the administrator is doing something illegal, and the administrator must prove that everything is in accordance with the law.
That would not comply with the basic principle of several legal systems, in dubio pro reo: it may be difficult to prove you guilty, but it may be impossible to prove your innocence.
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

AmigoJack wrote: Wed Mar 28, 2018 3:18 pm Unless your wording is imprecise: next time ask the lawyer what distinguishes a person from a user.
When I wrote this, I used interchangeably: person and user. I'm not a lawyer.
AmigoJack wrote: Wed Mar 28, 2018 3:18 pm That would not comply with the basic principle of several legal systems, in dubio pro reo: it may be difficult to prove you guilty, but it may be impossible to prove your innocence.
Same as with taxes. If you have money, you must be able to explain where you got it and whether you paid tax.
GDPR requires accountability in relation to the possessed data and its processing. You must show the controller where you got it from, what you did with it, or who else was doing it. The proof is the storage of consents and the registration of operations (who, what, when). You have evidence that someone agreed to the collection of data, you have registered who entered the data (we have a user log in phpBB), you have evidence of what operations were done on the data (we have logs of users, moderators, admins). In this matter, it is not bad, except for consents.

I think David63 is creating a good extension for this purpose. It shows the user the data collected from the profile and more. In my opinion, it should be under the patronage of the phpBB team. It would be best to include it in phpBB, as COPPA is.

Today I read that FB introduced the possibility for users to download all their data, in other words implementing the GDPR requirement. I have to ask my daughter to show me how it works. FB treats all data as personal (personal can be private or public), including posts. I think it also allows you to delete everything. At least officially ;)
https://newsroom.fb.com/news/2018/03/privacy-shortcuts/

Unfortunately, I think differently than most people here. It seems to me that big players will manage. They have lawyers and money. Small businesses and hobbies will be at risk. It is always the case that the big one becomes even larger as they introduce new legal requirements.
LaxSlash1993
Registered User
Posts: 182
Joined: Sat Sep 22, 2012 2:20 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by LaxSlash1993 »

AmigoJack wrote: Wed Mar 28, 2018 3:18 pm Unless your wording is imprecise: next time ask the lawyer what distinguishes a person from a user. If I need consent of a person, and a user can withdraw that then this only raises more questions. It is one issue to follow all GDPR principles, but it is another issue to identify a person (internet wise). Accounts (read: effectively what then appears as the user) can be used by multiple persons - one could give consent, another could revoke it - is this really intended?
You are responsible for differentiating personal info posted by shared accounts in the event of a request.
AmigoJack
Registered User
Posts: 6108
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by AmigoJack »

LaxSlash1993 wrote: Wed Mar 28, 2018 10:17 pm You are responsible for differentiating personal info posted by shared accounts in the event of a request.
That's the very point: and how should I be able to? No matter with what you come up - I can neither verify that (not even when I personally allow the log in just in time), nor can I tell people apart. IP addresses and usernames may be personal data, but technically an IP address is just a network node without any hint if it's an end or just a gate to countless others. Likewise accounts can be used by zero to many persons (and one person can use zero to many accounts). This is all unsound and, as usual, as vague as possible. As much as I like this new regulation from the point of a customer, as much do I ask myself "how does the opposite know I am demanding this and that, and not just an imposter?"

That being said: how could inspectors verify my compliance? I can fake everything - after all it's just bytes. The user's consent was given at his registration time - I can easily create such data at any time. How on earth does that prove anything? Do you even know a software that uses cryptographically chained entries to render a log unmodifiable? And can you imagine that even then I can easily create just a new one with all the entries I want?

Why does nobody ask these questions?
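A worked illustration of the "cryptographically chained entries" AmigoJack mentions, as an added example that is not from the thread or from phpBB: a hash-chained consent and operation log in which each record commits to the hash of the one before it, so an in-place edit breaks verification; it also demonstrates his caveat that the operator can simply rebuild the whole chain, which only a head hash anchored outside the operator's control (a published or third-party-timestamped value) can catch. User ids, purposes and timestamps are constructed.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # stands in for "no previous entry"

def entry_hash(prev_hash, entry):
    """Hash of one record, bound to the hash of the record before it."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def append(chain, entry):
    """Append a consent/operation record and return the new chain head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "entry": entry, "hash": entry_hash(prev, entry)})
    return chain[-1]["hash"]

def verify(chain, anchored_head=None):
    """True if every link is intact and, when given, the head equals the
    value that was published outside the operator's control."""
    prev = GENESIS
    for rec in chain:
        if rec["prev"] != prev or rec["hash"] != entry_hash(prev, rec["entry"]):
            return False
        prev = rec["hash"]
    return anchored_head is None or prev == anchored_head

# Constructed sample records; user ids, purposes and timestamps are made up.
SAMPLE_EVENTS = [
    {"who": "user:42", "what": "consent_given", "purpose": "newsletter",
     "text_version": "v1", "when": "2018-05-25T10:00:00Z"},
    {"who": "user:42", "what": "consent_given", "purpose": "forum_service",
     "text_version": "v1", "when": "2018-05-25T10:00:05Z"},
    {"who": "admin:1", "what": "profile_edit", "target": "user:42",
     "when": "2018-06-01T08:30:00Z"},
    {"who": "user:42", "what": "consent_withdrawn", "purpose": "newsletter",
     "when": "2018-07-14T19:45:00Z"},
]

def build_sample_chain():
    chain = []
    for event in SAMPLE_EVENTS:
        append(chain, event)
    return chain

def demo():
    """Which checks pass in the scenarios raised in the thread."""
    chain = build_sample_chain()
    published_head = chain[-1]["hash"]  # e.g. printed in a dated notice or timestamped

    # Scenario 1: quietly change the purpose in an old record, in place.
    edited = copy.deepcopy(chain)
    edited[0]["entry"]["purpose"] = "partner_marketing"

    # Scenario 2: the operator rebuilds the whole chain around the altered record.
    rebuilt = []
    for rec in edited:
        append(rebuilt, rec["entry"])

    return {
        "original_ok": verify(chain, published_head),              # True
        "edited_in_place_ok": verify(edited),                      # False
        "rebuilt_ok_without_anchor": verify(rebuilt),              # True
        "rebuilt_ok_with_anchor": verify(rebuilt, published_head), # False
    }
```

The chain by itself only proves internal consistency; the external anchor is what turns "I can regenerate it" into something an inspector can detect.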
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

I agree. It is difficult to prove. Controllers usually check if there is a document, if it is OK, and if it is not very bad.
But... If the controllers have suspicions as to the accuracy of your data, they will probably start a serious criminal investigation, because it is a crime against data that has been established for a long time in other laws.
But now I would not be afraid of it. In phpBB we have logs of users, moderators, admins. Why prepare them if everything works truthfully?
In my opinion, we have to focus on what is not yet in phpBB. And again, I refer to David63's extension. I think it will be what we need now.
Acorn
Registered User
Posts: 402
Joined: Tue Sep 26, 2006 8:11 am
Location: UK

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Acorn »

It might be a good idea to add something to the registration agreement that says that an account may only be held and used by one person. (Assuming there isn't already something there that covers it.)

I'm not sure what the situation would be if an account breached the terms and conditions of the forum, but if such things were covered in the registration agreement there should at least be a recognition of good practice from anyone checking the system or investigating a complaint.
Getting braver all the time. :D
Scanialady
Registered User
Posts: 421
Joined: Thu Jan 17, 2013 7:09 pm
Location: Germany
Name: Annette

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Scanialady »

IMHO it's irrelevant whether you can identify how many persons use this account or not. It's irrelevant whether your users are persons or persons are users, in your case or in my case. These points the lawyers will explain to you in case you give them a reason.

In fact we have to live with these regulations. Thanks to david63, the only one who tries to help us with it instead of discussing. Maybe the UK and USA people do not need it, but I do.
My 2 cents: Whether an extension is in the CDB says nothing about its quality. It is more important to read the support topics for it. Better to avoid authors who do not answer support questions themselves, who do not update their stuff, and who do not fix bugs for years.