New GDPR (General Data Protection Regulation) and phpBB

david63
Jr. Extension Validator
Posts: 13894
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by david63 » Tue Mar 06, 2018 11:26 am

Let's try and keep a sense of perspective about this and not overreact.

In a vanilla install of phpBB there are three possible pieces of data that may fall within the GDPR:
  • Username - unless your board specifically requires "real" names then this cannot be directly referenced to a person.
  • IP address - as the vast majority of IP addresses are dynamic then this again cannot be referenced to a person, only a location. Should IPv6 ever get implemented then this may be a different issue.
  • Email address - again, on its own it cannot identify an individual.
I am not saying that these regulations should be ignored but as far as a "hobby" board is concerned I would argue that there is not a lot to worry about - there are far bigger fish in the sea for the authorities to get their teeth into.
tojag wrote:
Tue Mar 06, 2018 11:08 am
If someone wants to use phpbb then he must know if he will meet the requirements of GDPR.
If somebody wants to use phpBB then they should be aware of all legal requirements that relate to using any software in their own country.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

HiFiKabin
Community Team Member
Posts: 2688
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by HiFiKabin » Tue Mar 06, 2018 11:29 am

The thing to remember when talking about a forum is the GDPR has a 'right to archive'

Otherwise it would be impossible to keep a 'banned' list

As long as the archive is justifiable then I can not see any real problem implementing the GDPR. I have adapted David63's Cookie Policy Extension to include a Privacy Policy which the user has to agree to before they are allowed to log in or join the forum.

The main points of my privacy policy are:
Your personal details you give us when you sign up will be used solely for the purposes of Forum Functionality. They will not be used for anything else and neither will they be passed on to a third party without your explicit consent.

The only other information about you is that you decide to post on the forum, whereupon it is considered to be 'publicly available' as it will have been indexed by Google (and other search engines) as well as On Line Archive sites.

tojag
Registered User
Posts: 240
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag » Tue Mar 06, 2018 11:40 am

HiFiKabin wrote:The main points of my privacy policy are............
HiFiKabin, but it is only a privacy policy.
GDPR says:
"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided."

These are really difficult issues.

The USA has COPPA and the EU has the GDPR.

HiFiKabin
Community Team Member
Posts: 2688
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by HiFiKabin » Tue Mar 06, 2018 11:43 am

tojag wrote:
Tue Mar 06, 2018 11:40 am
HiFiKabin wrote:The main points of my privacy policy are............
<snip>Silence, pre-ticked boxes or inactivity should not therefore constitute consent. </snip>
Using the extension I referenced, the user MUST accept before being allowed to log on/register. If they do not accept, then they cannot join or post.

tojag
Registered User
Posts: 240
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag » Tue Mar 06, 2018 1:41 pm

The GDPR is not only the cookies policy.
E.g. the contact form should probably have a checkbox to indicate consent to the processing of the data sent by the form, as there may be the name and email of the person sending the form.
I am using Joomla for the home page and phpBB for the forum. E.g. this is an example of a GDPR-compatible Joomla form https://www.rsjoomla.com/blog/view/433- ... rmpro.html
Joomla has a special GDPR Compliance Team. The team deals with various aspects of compliance with the GDPR. E.g.
https://volunteers.joomla.org/teams/com ... ary-20-21-
https://magazine.joomla.org/item/3306-g ... -in-series
https://volunteers.joomla.org/teams/com ... er-20-2017
I miss this in phpBB, and the case is quite serious. I know it certainly costs and requires commitment, but I would not want phpBB to be eliminated in any way because of a lack of adaptation to the law.

Interestingly, Joomla uses phpBB to run its own forum :)

silenus
Registered User
Posts: 7
Joined: Tue Aug 15, 2017 4:56 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by silenus » Tue Mar 06, 2018 5:31 pm

Hi

Sorry for my error quote during editing.
AmigoJack wrote:
Tue Mar 06, 2018 11:08 am
Resolving an IP address to a name only means you have the internet access owner, not necessarily the person having used said address. Several lawsuits found out about this obviousness.
In France, since 2016, an IP address is personal data (Court of Cassation)
(French language) https://www.courdecassation.fr/jurispru ... 35424.html

The European Commission has the same assertion:
"Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer's IP address. "
( English language http://europa.eu/rapid/press-release_IP ... ?locale=en )

( some open source projects are now labelled "GDPR compliant" http://opensourceforu.com/2018/03/open- ... %e2%80%8b/ )

kinerity
Community Team Member
Posts: 1499
Joined: Mon Sep 01, 2014 1:00 am
Name: Kailey Truscott

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by kinerity » Tue Mar 06, 2018 5:45 pm

silenus wrote:
Tue Mar 06, 2018 5:31 pm
( some open source projects are now labelled "GDPR compliant" http://opensourceforu.com/2018/03/open- ... %E2%80%8B/ )
Not sure where you're going with this. The link points to an open source solution for financial institutions, which phpBB is not. I also don't see a list of open source projects that are "GDPR compliant". Can you provide a reference?

As for the law itself, I would love to see the EU come after someone in the US with US-based servers that run their board as a hobby. Just because the EU makes a law doesn't mean other countries have to abide by it.
Kailey Truscott - Community Team

silenus
Registered User
Posts: 7
Joined: Tue Aug 15, 2017 4:56 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by silenus » Tue Mar 06, 2018 6:43 pm

kinerity wrote:
Tue Mar 06, 2018 5:45 pm
Not sure where you're going with this. The link points to an open source solution for financial institutions, which phpBB is not.
It is important not to confuse the software editor (phpBB team) and the end-user (webmaster) who uses the phpBB software.
When I use phpBB, it is not the phpBB team which collects personal data, but me using the phpBB software.
The phpBB team will not be involved if I collect personal data unlawfully using phpBB, of course.
My major concern is: if I am a webmaster concerned by the GDPR, is the phpBB software GDPR compliant (because of its functionality)?
As a webmaster who doesn't want to become reprehensible, I must consider whether my software is compliant (there are software aspects and organizational aspects to consider in GDPR compliance).

Each company, administration (and private individual if there are trackers, ads or commercial use... [1]) that collects European citizens' personal data is concerned by the GDPR. That's a lot of phpBB users.

[1] "(18) This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities."
http://eur-lex.europa.eu/legal-content/ ... 79&from=FR
kinerity wrote:
Tue Mar 06, 2018 5:45 pm
I also don't see a list of open source projects that are "GDPR compliant". Can you provide a reference?
I don't know of a list either.
I want to say that, looking at the GDPR and open source, a late consideration seems to be rising on several open source projects.

Another open source GDPR-compliant software add-on example: Drupal CMS extension: https://www.drupal.org/project/gdpr

( Facebook goes GDPR compliant: https://www.facebook.com/business/gdpr )

HiFiKabin
Community Team Member
Posts: 2688
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by HiFiKabin » Tue Mar 06, 2018 6:57 pm

As I have said previously, the GDPR has a 'right to archive'

The way I read that (as a non-lawyer) is that as long as you use the information the user provides for the purpose(s) they provided it for, you are complying with the GDPR (which is a Regulation, NOT a Directive, which means that each country within the EU can interpret the GDPR as they see fit). You (as the forum owner) therefore have the right to keep usernames, email and IP addresses for banning purposes.

Tell the users what information you 'collect' and what it is used for. Sorted.

Also (again IMHO) by posting information on a publicly readable forum, the user has decided to make that information publicly available to any and all who care to read it. Therefore the 'right to be forgotten' does not apply, as the post (even if deleted) will still be available on Google, other search engines and archive sites.

tojag
Registered User
Posts: 240
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag » Tue Mar 06, 2018 7:09 pm

Thanks Silenus!

Joomla and Wordpress too.

So few people here understand the necessity of compliance with the GDPR. It will not be a joke now, because all serious companies have taken care of it and have ready-made solutions - Google, MS, IBM, Oracle, Facebook....
Anyone who wants to operate on the European market must implement it. Even if it's a private hobby site, if you can register on it by submitting your data like email and IP, then it must follow the GDPR!
IP and email are defined explicitly as personal data and it is not subject to discussion here.

silenus
Registered User
Posts: 7
Joined: Tue Aug 15, 2017 4:56 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by silenus » Tue Mar 06, 2018 7:49 pm

HiFiKabin wrote:
Tue Mar 06, 2018 6:57 pm
Tell the users what information you 'collect' and what it is used for. Sorted.
Not only.
Look at the 4th post of this topic for a phpBB admin function not actually available (AmigoJack proposes an SQL query... no moderator user interface to do that..).

What if a forum user requests a file with all his personal data?
"(68) To further strengthen the control over his or her own data, where the processing of personal data is carried out by automated means, the data subject should also be allowed to receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller."
=> The actual technical interpretation in Europe is to provide an XML, JSON or CSV file with the personal data.

An experienced admin will develop SQL requests to export (all database data with IP addresses attached, ...). OK. But what about webmasters who are not able to develop these scripts themselves: can phpBB (or a GDPR add-on with a few new functions: "export user personal data as XML", "anonymise user account", ...) easily execute the GDPR imperatives? "Right to archive" or "right to sentence"?...

These are well intentioned debates.

posey
Registered User
Posts: 702
Joined: Tue Oct 06, 2009 7:34 pm
Location: The Netherlands
Name: Gijs

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by posey » Tue Mar 06, 2018 7:54 pm

silenus wrote:
Tue Mar 06, 2018 7:49 pm
Don't you think that some webmasters will not migrate to another GDPR-compliant forum software?
If I may ask, which forum software is this and what have they specifically done?

And, what is the short version of what you want to have / be able to do?
For example, completely encrypting data etc. will take a lot of work and code changes.
However, if you only need a spreadsheet per user with some specific data, that's easily creatable via an extension.

I think there are quite a few users on here (including myself) able to write such an extension, if it's clear what exactly needs to be available and where. Without changing the entire code, providing an 'interface' for what AmigoJack described is not that hard. But people need to know what exactly it is you want.
''I'm pretty sure there's a lot more to life than being really, really, ridiculously good looking. And I plan on finding out what that is.''

tojag
Registered User
Posts: 240
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag » Tue Mar 06, 2018 9:49 pm

Small article "How Invision Community's tools can help with GDPR compliance".
https://invisioncommunity.com/news/prod ... nce-r1052/

Many things are similar to phpBB, but there are small but significant differences, such as collecting information about the consent of data survival.

This is a very short guide that does not discuss all issues.
I do not know yet what to do about data anonymization. Of course, having access to the database I can do it using SQL or an extension.
When it comes to cookies, in some countries the website cannot save them until the user agrees. So unless you click OK on the cookie message, they should not sign up.
Can posts be treated as personal data, and do I have to delete them together with the user's account, or are they not personal data and I do not have to do this? It would be safer to delete posts, but it is known that it deprives the site of content and site owners would prefer not to delete them. But can they not delete them?
posey wrote:
Tue Mar 06, 2018 7:54 pm
But people need to know what exactly it is you want.
This is the problem and hence my initiating question. Has anyone from the phpBB team taken the problem of the GDPR seriously? Maybe the team should use a lawyer's advice to analyze and evaluate what and how to comply with the GDPR?
This is a really hard subject but very important for further use of phpBB in accordance with the law. Administrators / owners need to know if they can violate the GDPR laws using phpBB.

CHItA
Development Team Member
Posts: 109
Joined: Sat Dec 06, 2008 10:27 pm
Location: Budapest, Hungary

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by CHItA » Tue Mar 06, 2018 10:08 pm

Well, my two cents is that what needs to be discussed is what features we can provide to help our users comply with the GDPR. Although I strongly believe that we will never be able to ship phpBB "GDPR compliant", whatever that might mean, as you, as the admin, need to disclose what data you collect and get consent for that. And as the data protection/privacy laws are different in every EU state, even after the GDPR there could be some differences. Thus we simply cannot do that for anyone. We also cannot do it, as non-EU sites would probably still use custom profile fields and whatever functionality they want.

I guess posts could qualify technically as personal data, however you cannot delete them. Or you would have to delete the post under it, which says "username123: No, the Earth is not flat". Now, as you see, you have his username and a brief summary of what his post was about, so if you would feel obligated to remove posts because of the "Right to be Forgotten", then just don't start a board at all.

Export tools are fine; import tools are not really needed in our case. The "right to be forgotten" tool could remove everything but the username and posts (and inactivate the account). These seem fine.

Encryption is a no from me. It doesn't make sense. We cannot use symmetric keys, because in this case they are worthless, and asymmetric encryption is very expensive. I think no one in their right mind could possibly fine you for not encrypting e-mail addresses or IPs. Those are not sensitive data at all.

Also just a last note, GDPR states that everyone has to comply who handles EU citizens data, but we kinda all know that this just bullshit. No one outside the EU will. If they do, then it is because they want to be data processors for some company, which cannot give them their data unless they comply with GDPR. This is obviously unrealistic for phpBB.

posey
Registered User
Posts: 702
Joined: Tue Oct 06, 2009 7:34 pm
Location: The Netherlands
Name: Gijs

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by posey » Tue Mar 06, 2018 10:25 pm

tojag wrote:
Tue Mar 06, 2018 9:49 pm
Has anyone from the phpbb team taken the problem of GDPR seriously?
Can I just say that I find this very rude.
There are multiple phpBB team members, including developers, in this topic discussing the situation and what could be done.
If you've looked further down this board, you will see that that barely happens. So yeah, they're taking it seriously.

Moreover, I think - and yes, this is my opinion - it is also a large responsibility for the forum owner itself to comply with these rules, as they (can) differ per country and state, and therefore it's rather hard for phpBB itself to provide an 'all-including' solution for it. And that's the only way they could provide it, because if they provide a not all-including solution, administrators will think they are automatically complying but in fact might not be.

However, after reading your above linked post from Invision Community, to summarise what they posted:
  • Individual Rights
    1. Privacy policy
      1. On change, send out a new notice
      2. What could be in a Privacy Policy
    2. Right to erasure
      1. Users can be deleted already from the ACP.
      2. Remaining posts left by this user: change author details
  • Lawful bases for processing
    1. Consent
      1. On mass e-mails from the board on registration (defaulted to NO)
    2. Consent regulation
      1. Part of the consent regulation is to record when consent was given. The consent to opt-in for administrator emails such as bulk emails sent via the Admin CP is recorded at registration, and each time they change the setting
    3. Cookies
      1. Provided by david63: Cookie Policy
I'll summarise what has to be added, and once again I think - my opinion - that it should be an extension, for general compliance.

Privacy Policy
- Clearly accessible from the index
- On change send out a notice requiring a consent (log the consent)

Cookie Policy
- Clearly accessible from the index
- On change send out a notice requiring a consent (log the consent)

Mass e-mail consent
- On registration (log the consent)
- When changed in the UCP (log the consent/dissent)

Right to erasure
- Provide a request form to be deleted
- Option to delete the user (Already provided by default) (avatar, signature, posts, attachments, empty pm outbox)
- Would still leave the username in quotes, which could be searched and replaced, but will be rather heavy SQL; it is possible though.

Transparency
- Provide a request form to view data
- Provide user log with actions performed on this user and their personal action log

---

Is this something that would entail plenty?
''I'm pretty sure there's a lot more to life than being really, really, ridiculously good looking. And I plan on finding out what that is.''
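The two tools silenus asks for above (a machine-readable export of one user's personal data) and posey lists (erasure that re-attributes remaining posts and quotes), as an added example that is not phpBB code and not from any poster. It runs in Python over an in-memory SQLite copy of a minimal subset of phpBB's users/posts tables with constructed sample rows; the `[quote=name]` form is a simplification, since phpBB stores parsed post text differently.

```python
import sqlite3

# Minimal subset of phpBB's users/posts tables; column names follow phpBB's
# schema, the rows are constructed sample data (RFC 5737 documentation IPs).
SCHEMA = """
CREATE TABLE phpbb_users (user_id INTEGER PRIMARY KEY, username TEXT,
    username_clean TEXT, user_email TEXT, user_ip TEXT, user_regdate INTEGER);
CREATE TABLE phpbb_posts (post_id INTEGER PRIMARY KEY, poster_id INTEGER,
    poster_ip TEXT, post_time INTEGER, post_subject TEXT, post_text TEXT);
"""
SAMPLE_USERS = [
    (2, "username123", "username123", "u123@example.org", "203.0.113.7", 1520000000),
    (3, "other", "other", "other@example.org", "198.51.100.9", 1520001000),
]
SAMPLE_POSTS = [
    (10, 2, "203.0.113.7", 1520002000, "Flat?", "No, the Earth is not flat"),
    (11, 3, "198.51.100.9", 1520003000, "Re: Flat?",
     "[quote=username123]No, the Earth is not flat[/quote] Agreed."),
]

def open_sample_db():
    """Build the in-memory sample board."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO phpbb_users VALUES (?,?,?,?,?,?)", SAMPLE_USERS)
    db.executemany("INSERT INTO phpbb_posts VALUES (?,?,?,?,?,?)", SAMPLE_POSTS)
    return db

def export_user_data(db, user_id):
    """Access/portability export (Recital 68): all data held on one account as a
    JSON-serialisable dict; post IPs are per post in phpBB. None if no such user."""
    user = db.execute(
        "SELECT user_id, username, user_email, user_ip, user_regdate "
        "FROM phpbb_users WHERE user_id = ?", (user_id,)).fetchone()
    if user is None:
        return None
    posts = db.execute(
        "SELECT post_id, poster_ip, post_time, post_subject, post_text "
        "FROM phpbb_posts WHERE poster_id = ?", (user_id,)).fetchall()
    return {"account": dict(user), "posts": [dict(p) for p in posts]}

def anonymise_user(db, user_id):
    """Erasure that keeps the thread readable: identifying fields blanked, per-post
    IPs cleared, account and any [quote=...] of it re-attributed to a placeholder.
    Returns (posts with IP cleared, posts whose quotes were rewritten)."""
    row = db.execute("SELECT username FROM phpbb_users WHERE user_id = ?",
                     (user_id,)).fetchone()
    if row is None:
        return (0, 0)
    old, new = row["username"], f"deleted_user_{user_id}"
    db.execute("UPDATE phpbb_users SET username = ?, username_clean = ?, "
               "user_email = '', user_ip = '' WHERE user_id = ?", (new, new, user_id))
    ips = db.execute("UPDATE phpbb_posts SET poster_ip = '' WHERE poster_id = ?",
                     (user_id,)).rowcount
    quotes = db.execute(
        "UPDATE phpbb_posts SET post_text = replace(post_text, ?, ?) "
        "WHERE post_text LIKE ?",
        (f"[quote={old}]", f"[quote={new}]", f"%[quote={old}]%")).rowcount
    db.commit()
    return (ips, quotes)
```

`json.dumps(export_user_data(open_sample_db(), 2), indent=2)` produces the file a user would receive; running `anonymise_user` afterwards on the same connection shows the export with the identifying fields gone while the posts stay readable.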
