GDPR compliance is going to be left optional, right?

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Ideas Centre
LaxSlash1993
Registered User
Posts: 130
Joined: Sat Sep 22, 2012 2:20 am

GDPR compliance is going to be left optional, right?

Post by LaxSlash1993 » Wed Nov 22, 2017 11:53 pm

I just want to make sure. phpBB is going to leave GDPR compliance completely optional, correct? As in we won't be forced by the board to allow account deletions, data scrubs, encrypted PMs, etc? We have programmers that can remove the enforcement/make it optional again, but if we can save the time and effort of doing so, we'd much prefer that. Having a website hosted in the US, I have no interest in complying with EU data laws.

User avatar
stevemaury
Support Team Member
Support Team Member
Posts: 47986
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: GDPR compliance is going to be left optional, right?

Post by stevemaury » Sat Nov 25, 2017 3:52 pm

If the initiation of features to comply with legal requirements limited in their geographic application became necessary, they would be able to be optionally activated or deactivated. The current COPPA settings are an example.
For REALLY good and VERY inexpensive hosting CLICK HERE

All unsolicited PMs will be ignored.

User avatar
HiFiKabin
Community Team Member
Community Team Member
Posts: 2303
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James
Contact:

Re: GDPR compliance is going to be left optional, right?

Post by HiFiKabin » Sat Nov 25, 2017 4:33 pm

Having tried to read through the legislation (all legislation is written BY lawyers FOR lawyers) I think it makes no difference where your site is hosted. If it is aimed at an EU audience, the legislation applies.

BUT I "think" it does not apply to hobby sites. If the purpose of your site is NOT commercial the new rules will probably not apply to you.

I have written to the Information Commissioner’s Office asking for clarification and will post their reply here once I get it.

sakm
Registered User
Posts: 461
Joined: Sun Jan 21, 2007 8:14 pm
Location: Hull, uk
Name: Stu
Contact:

Re: GDPR compliance is going to be left optional, right?

Post by sakm » Sat Nov 25, 2017 6:38 pm

HiFiKabin wrote:
Sat Nov 25, 2017 4:33 pm
Having tried to read through the legislation (all legislation is written BY lawyers FOR lawyers) I think it makes no difference where your site is hosted. If it is aimed at an EU audience, the legislation applies.

BUT I "think" it does not apply to hobby sites. If the purpose of your site is NOT commercial the new rules will probably not apply to you.

I have written to the Information Commissioner’s Office asking for clarification and will post their reply here once I get it.
This is the take I have on it too! It would be good to read their reply :)

LaxSlash1993
Registered User
Posts: 130
Joined: Sat Sep 22, 2012 2:20 am

Re: GDPR compliance is going to be left optional, right?

Post by LaxSlash1993 » Sun Nov 26, 2017 7:27 am

Looking forward to this reply as well.

I've done quite a bit of research on this since I made this topic (hours worth), and am left even more lost than I was beforehand. I'm finding about 500 different interpretations online, including ones that say even if an EU citizen inadvertantly touches your site, you must be GDPR compliant. To be honest, at this point it almost makes more sense for American communities to firewall off/geoblock EU access just to prevent the headaches of it all.

Having said that, sparing the details of why (pretty sure there's a character limit here), I'm making a prediction that this entire thing is repealed (within?) 6 months into it. There's no way that a law this strict will:
A) Be upheld universally
B) Have 100% compliance, even in the EU
C) Be completely enforceable, given the extremely large fines set forth as well as the amount of the law left to broad interpretations

I get the for lawyers by lawyers thing, but to be honest, that's why they're lawyers and not judges.

As long as the tools are optional - including encryption of e-mails and the like (to save the headache of having to convert extensions and other related things) - I'm a-ok with whatever's done. I definitely think tools and options to comply should be available to use, but left optional. Your response puts my mind completely at ease about it.

User avatar
AmigoJack
Registered User
Posts: 4999
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: GDPR compliance is going to be left optional, right?

Post by AmigoJack » Mon Nov 27, 2017 10:10 am

LaxSlash1993 wrote:
Sun Nov 26, 2017 7:27 am
extremely large fines
The intention is to make site owners finally treat data responsibly, because in capitalism loosing money hurts most.

Cross linking New GPDR (General Data Protection Regulation) and phpBB.
The worst thing about censorship is ███████████

LaxSlash1993
Registered User
Posts: 130
Joined: Sat Sep 22, 2012 2:20 am

Re: GDPR compliance is going to be left optional, right?

Post by LaxSlash1993 » Thu Nov 30, 2017 2:46 pm

Consulted with a lawyer, and got some more information.

Unless a website has a server or a company has an office that's actually inside of the European Union, the GDPR is completely unenforceable against a company in the United States, even if they have customers/users that are in the European Union. At least for websites operating in the United States.

From what I understand, the US wouldn't allow enforcement of it against a business or website operating in the United States, because it goes against the minimum regulation statements of CDA 230, and in general, laws don't follow the consumer to the provider. It'd be the same as saying an American website is bound by Chinese speech laws if it attracts Chinese visitors, and that the website is liable to punishment from the Chinese government.

User avatar
AmigoJack
Registered User
Posts: 4999
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: GDPR compliance is going to be left optional, right?

Post by AmigoJack » Thu Nov 30, 2017 4:30 pm

LaxSlash1993 wrote:
Thu Nov 30, 2017 2:46 pm
Consulted with a lawyer
From the USA? From Europe? I mean: how experienced is he with multiple nation's laws, not just one?

LaxSlash1993 wrote:
Thu Nov 30, 2017 2:46 pm
completely unenforceable
At least for
This is mutually exclusive, but I wouldn't be surprised if nobody can give a bullitproof answer. Maybe the question should be about user input, not only website visitors - if I'm European and forced to use ESTA online then I'm not "attracted" to it.
The worst thing about censorship is ███████████

LaxSlash1993
Registered User
Posts: 130
Joined: Sat Sep 22, 2012 2:20 am

Re: GDPR compliance is going to be left optional, right?

Post by LaxSlash1993 » Thu Nov 30, 2017 4:44 pm

AmigoJack wrote:
Thu Nov 30, 2017 4:30 pm
LaxSlash1993 wrote:
Thu Nov 30, 2017 2:46 pm
Consulted with a lawyer
From the USA? From Europe? I mean: how experienced is he with multiple nation's laws, not just one?
USA. Since there is no treaty associated with the enforcement of the GDPR, the EU can not enforce this law against an American company. Privacy shield, which is voluntary, is the only one that can be enforced... and even then, the US has to enforce it. The EU can't enforce it directly. The EU can not single-handedly override/change a treaty or agreement. Chances are unlikely to "won't happen" that the US would ever agree to a nation wide GDPR agreement, due to the extensive amount of regulation of the GDPR. If anything was agreed to, chances are high that it would be a voluntary program like the Privacy Shield. As to your experience question... experienced with US law. EU law is irrelevant to US entities.
LaxSlash1993 wrote:
Thu Nov 30, 2017 2:46 pm
completely unenforceable
At least for
This is mutually exclusive, but I wouldn't be surprised if nobody can give a bullitproof answer. Maybe the question should be about user input, not only website visitors - if I'm European and forced to use ESTA online then I'm not "attracted" to it.
Based on my understanding of this all and what I was told, even that falls under the privacy shield. However, since ESTA is a travel organization that falls under the DOT, it's considered mandatory (DOC is optional, DOT is mandatory). (My personal theory is that the DOT would only agree to enforcing certain parts, given the level of regulation in the GDPR. Don't quote me on this specific one.) User input is still regulated by US law if it's entered into a US based system/server.

US based forums/communities that are not commercial/donations based only have absolutely nothing to worry about (unless they handle financial transactions for donations directly, instead of through something like PayPal... in which case, normal US consumer would apply), even if attracting a global audience. Commercial entities are only subject to EU laws and regulations when they have a building or location established within the EU.

E: To clarify with ESTA, it's a government organization but also deals with the DOT. I can ask the lawyer I talked to for further clarification as to how it would apply, but my personal theory still applies.

User avatar
thecoalman
Former Team Member
Posts: 2333
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: GDPR compliance is going to be left optional, right?

Post by thecoalman » Thu Nov 30, 2017 8:25 pm

LaxSlash1993 wrote:
Sun Nov 26, 2017 7:27 am
including ones that say even if an EU citizen inadvertantly touches your site, you must be GDPR compliant.
They will be able to enforce this on large US companies that have a physical presence in other countries but not going to happen if you are based entirely in the US.

User avatar
WelshPaul
Registered User
Posts: 202
Joined: Tue Aug 19, 2014 2:09 pm

Re: GDPR compliance is going to be left optional, right?

Post by WelshPaul » Fri Dec 01, 2017 10:14 pm

All very well and good having the ability to delete an account but what about logs? Surely if someone makes a post on your forum you need to maintain some info such as an IP address? What if someone signs up to my forum and posts child porn pics and then deletes their account? If all their info is deleted where does that leave me as the site admin?

LaxSlash1993
Registered User
Posts: 130
Joined: Sat Sep 22, 2012 2:20 am

Re: GDPR compliance is going to be left optional, right?

Post by LaxSlash1993 » Sat Dec 02, 2017 4:23 am

WelshPaul wrote:
Fri Dec 01, 2017 10:14 pm
All very well and good having the ability to delete an account but what about logs? Surely if someone makes a post on your forum you need to maintain some info such as an IP address? What if someone signs up to my forum and posts child porn pics and then deletes their account? If all their info is deleted where does that leave me as the site admin?
Exactly.

100% of my concern with the GDPR is that it has the potential to become a huge cybersecurity nightmare, and has the potential to turn the EU into Russia 2.0 in terms of the malicious activities that come out of it.

Now, in your case, you'd have the right to retain (a user should *never ever* have the rights to delete their own account - even under the GDPR, idc if the GDPR forces you to allow it. You need to cover yourself in the event of something like this) the data. However, there are some concerns where data archived as far back as multiple years ago can come in handy for both investigating a current situation, as well as for enforcing an administrative decision against a user account.

I think that too many companies and commercial entities are afraid to voice out against the GDPR for fear of being labeled as an eneemy to user privacy, despite the fact that things in it like the right to erasure and the right to know what information's retained have, and bring up, some extremely valid cybersecurity concerns. Cybersecurity policies are not a one-size fits all solution (which the GDPR makes it out to be), nor should they ever be. Too many people judgement at the surface of something. "More privacy and rights always equals good and no bad" is not always the case, and I think that within a few months of the GDPR being fully enforced, this is going to start coming to light. The EU will realize that the regulation is a huge mistake. Now, whether or not they'll actually repeal it is a different story. We'll see.

If I stop a previously known toxic user from re-registering on our forums, because he submitted a right to erasure request that I ignored and I still had their information retained years later which allowed us to detect an attempted re-registration... am I liable to be (attempted to be) fined by the EU for protecting the interests of my community? The whole GDPR is a mess. Marketing companies playing this up as only a good thing is ten times worse than marketing companies watching every single site I go on (barring incognito mode sites, of course :lol:) I go on, as far as I'm concerned.

User avatar
WelshPaul
Registered User
Posts: 202
Joined: Tue Aug 19, 2014 2:09 pm

Re: GDPR compliance is going to be left optional, right?

Post by WelshPaul » Sat Dec 02, 2017 10:36 am

Most businesses must retain information for a period of time, 6 years or so for HRMC. If someone comes along and posts anything malicious, breaches someones copyright etc and as I pointed out above deletes their account, then what? What if I get a court order or a request from the police to reveal the IP address? What do I say? Sorry but as per GDPR compliance the offender deleted their information and I have none?

I'm all for users having the ability to delete an account but some information must be retained surely? Anything they post could still possibly be found in cache or sites such as waybackmachine?

Very worrying this!

LaxSlash1993
Registered User
Posts: 130
Joined: Sat Sep 22, 2012 2:20 am

Re: GDPR compliance is going to be left optional, right?

Post by LaxSlash1993 » Sat Dec 02, 2017 4:39 pm

WelshPaul wrote:
Sat Dec 02, 2017 10:36 am
Most businesses must retain information for a period of time, 6 years or so for HRMC. If someone comes along and posts anything malicious, breaches someones copyright etc and as I pointed out above deletes their account, then what? What if I get a court order or a request from the police to reveal the IP address? What do I say? Sorry but as per GDPR compliance the offender deleted their information and I have none?

I'm all for users having the ability to delete an account but some information must be retained surely? Anything they post could still possibly be found in cache or sites such as waybackmachine?

Very worrying this!
The only exception to retention requirements is a "legal" reason, like the HRMC you mentioned above. Past that... as far as I understand it, anything not required to be maintained for a legal reason must be deleted/overrides your policies and rules as a forum owner.

Regarding account deletions, I don't allow users to delete accounts... I instead allow them to request deactivation with a username change beforehand. This is just a preference in regards to how our community's run - I'm not too fond of a law trying to limit what I can and can't decide on my own forum. Hence, our teetering between non-compliance and a geoblock.

Found out something interesting on Reddit the other day as well from someone running a business based in the EU... there's actually a lot more hate of this law over there than what we see online. The internet is saturated with nothing but good comments on the GDPR because (ironically) it's a huge marketing advantage, and you have all these marketing companies selling their "get compliant" seminars, toolkits, etc. A lot of smaller businesses across the pond are planning on being non-compliant as well, sharing the stance of this being over-regulation and a band-aid fix to a larger problem.

User avatar
WelshPaul
Registered User
Posts: 202
Joined: Tue Aug 19, 2014 2:09 pm

Re: GDPR compliance is going to be left optional, right?

Post by WelshPaul » Sat Dec 02, 2017 6:59 pm

LaxSlash1993 wrote:
Sat Dec 02, 2017 4:39 pm
as far as I understand it, anything not required to be maintained for a legal reason must be deleted/overrides your policies and rules as a forum owner.
So retaining an IP address would fall under "legal reasons" yes?

I want to use this extension: https://www.phpbb.com/customise/db/exte ... _account_2

This extension will allow me to retain posts but change the username to something that will not identify the original poster, all other account information will be deleted and their account "closed/deleted". I want to alter this extension to retain the IP address of each post for a period of time. I understand that people use VPN's and stuff and that the IP address won't necessarily lead to their doorstep but should any solicitor, court officer or the police contact us regarding a post, I have something to give them.

Obviously any posts that breaches the sites terms would be removed/deleted anyway. I don't want posts or topics that break the law or someones copyright but with such posts i'd retain screenshots and identifiable information such as username, email address and IP addresses and pass those on as and when required.

Post Reply

Return to “phpBB Discussion”

Who is online

Users browsing this forum: No registered users and 13 guests