GDPR compliance is going to be left optional, right?

david63
Jr. Extension Validator
Posts: 13145
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: GDPR compliance is going to be left optional, right?

Post by david63 » Sat Dec 02, 2017 9:25 pm

Having briefly read these "new" regulations, they are based very much on the current Data Protection Act (at least in the UK). Having been heavily involved with the DPA in the past, the way that I am reading these new regulations is that with a vanilla phpBB board there would be no issues.

The key element in these regulations, and the DPA, is "personal data" and phpBB does not have any identifiable personal data - unless there have been changes made to the board to collect such data. An IP address is certainly not identifiable personal data, a username is not identifiable user data and it is questionable as to whether an email address on its own is identifiable personal data.

The crux of all of this is whether somebody can be identified by the data that is held in a phpBB database and as I said at the start that does not happen with a vanilla installation.

If somebody chooses to post data that would identify them and they do that voluntarily then that is their problem, but if you have a policy on your board that they have to post personal details then you would, possibly, fall within these regulations - although you would not necessarily know the validity of any such data.

If you have made changes to your board, as phpBB has done with the option of adding your "real name" and "location" then you may start being in a position of having to comply, if your policy for usernames is to be "real names" then again you may fall within the scope of these regulations - but these can easily be dealt with by a few changes to your board.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

Mick
Support Team Member
Posts: 18119
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: GDPR compliance is going to be left optional, right?

Post by Mick » Sat Dec 02, 2017 9:56 pm

Being a bit thick here, if someone is requested a “real name” or email address or whatever to register, what can be gleaned from that information? It’s the same with the “are you over 18?” sites, we’re all going to be over 18 if there’s something tasty to see. The same with COPPA, you only have the word of the person tapping in the info. The only assumption you can make is all the info is bogus and go from there.
"The more connected we get the more alone we become" - Kyle Broflovski

There are no ‘threads’ in phpBB, they are topics.
Forza Garibaldi

sakm
Registered User
Posts: 461
Joined: Sun Jan 21, 2007 8:14 pm
Location: Hull, uk
Name: Stu
Contact:

Re: GDPR compliance is going to be left optional, right?

Post by sakm » Sat Dec 02, 2017 10:06 pm


Mick
Support Team Member
Posts: 18119
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: GDPR compliance is going to be left optional, right?

Post by Mick » Sat Dec 02, 2017 10:30 pm

Mick wrote:
Sat Dec 02, 2017 9:56 pm
The only assumption you can make is all the info is bogus and go from there.
Unless you believe everyone is telling the truth?

AmigoJack
Registered User
Posts: 4999
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: GDPR compliance is going to be left optional, right?

Post by AmigoJack » Mon Dec 04, 2017 10:01 am

WelshPaul wrote:
Fri Dec 01, 2017 10:14 pm
if someone makes a post on your forum you need to maintain some info such as an IP address?
Those are in your HTTP access logs already. After that you have your database backups. I'm surprised nobody is talking about those.

WelshPaul wrote:
Fri Dec 01, 2017 10:14 pm
What if someone signs up to my forum and posts child porn pics and then deletes their account? If all their info is deleted where does that leave me as the site admin?
When "all their info is deleted" also their posts are gone - you don't need to provide an option of deleting the account but preserving posts.

LaxSlash1993 wrote:there's actually a lot more hate of this law over there than what we see online. The internet is saturated with nothing but good comments on the GDPR because (ironically) it's a huge marketing advantage, and you have all these marketing companies selling their "get compliant" seminars, toolkits, etc. A lot of smaller businesses across the pond are planning on being non-compliant as well, sharing the stance of this being over-regulation and a band-aid fix to a larger problem.
The tears are tripping me, because I have yet to find a business that is not selling my data. The whole GDPR would probably not exist if the majority of businesses would deal with customer data responsibly - most aren't even able to protect my data against leakage, and I hope that will result in high fines as well in the future.
The worst thing about censorship is ███████████

warmweer
Registered User
Posts: 497
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Belt ... well actually Belgium

Re: GDPR compliance is going to be left optional, right?

Post by warmweer » Mon Dec 04, 2017 10:37 am

AmigoJack wrote:
Mon Dec 04, 2017 10:01 am
The tears are tripping me, because I have yet to find a business that is not selling my data. The whole GDPR would probably not exist if the majority of businesses would deal with customer data responsibly - most aren't even able to protect my data against leakage, and I hope that will result in high fines as well in the future.
Seconded!!
But it's not just leakage. Try unsubscribing to almost any mailing list you've been put on (unconsulted). Yes, you'll be unsubscribed from that list ... but added to another (or more).
A bug is a feature that didn't make it to the manual (yet)

WelshPaul
Registered User
Posts: 201
Joined: Tue Aug 19, 2014 2:09 pm

Re: GDPR compliance is going to be left optional, right?

Post by WelshPaul » Mon Dec 04, 2017 11:54 am

AmigoJack wrote:
Mon Dec 04, 2017 10:01 am
WelshPaul wrote:
Fri Dec 01, 2017 10:14 pm
if someone makes a post on your forum you need to maintain some info such as an IP address?
Those are in your HTTP access logs already. After that you have your database backups. I'm surprised nobody is talking about those.
If we can retain some of their information (such as IP addresses) in the form of logs and database backups then I'm guessing we can also retain this information within the phpBB software too?
AmigoJack wrote:
Mon Dec 04, 2017 10:01 am
WelshPaul wrote:
Fri Dec 01, 2017 10:14 pm
What if someone signs up to my forum and posts child porn pics and then deletes their account? If all their info is deleted where does that leave me as the site admin?
When "all their info is deleted" also their posts are gone - you don't need to provide an option of deleting the account but preserving posts.
Not always the case. Screenshots, cache or websites such as waybackmachine could still provide access to the original posts.
AmigoJack wrote:
Mon Dec 04, 2017 10:01 am
LaxSlash1993 wrote:there's actually a lot more hate of this law over there than what we see online. The internet is saturated with nothing but good comments on the GDPR because (ironically) it's a huge marketing advantage, and you have all these marketing companies selling their "get compliant" seminars, toolkits, etc. A lot of smaller businesses across the pond are planning on being non-compliant as well, sharing the stance of this being over-regulation and a band-aid fix to a larger problem.
The tears are tripping me, because I have yet to find a business that is not selling my data. The whole GDPR would probably not exist if the majority of businesses would deal with customer data responsibly - most aren't even able to protect my data against leakage, and I hope that will result in high fines as well in the future.
I hear you, I'm not saying it's a bad thing but with these things comes confusion. It's knowing what information needs to be deleted and what needs to be retained to protect yourself and others. Allowing users to delete all their posts isn't really a good idea for community boards as a whole...

AmigoJack
Registered User
Posts: 4999
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: GDPR compliance is going to be left optional, right?

Post by AmigoJack » Mon Dec 04, 2017 12:02 pm

WelshPaul wrote:
Mon Dec 04, 2017 11:54 am
If we can retain some of their information (such as IP addresses)
Like others pointed out already: GDPR is about personal data, not any data. That's a difference.

WelshPaul wrote:
Mon Dec 04, 2017 11:54 am
Screenshots, cache or websites such as waybackmachine could
...be manipulated. Whoever wants to prove something by screenshot: I'm your man.

WelshPaul wrote:
Mon Dec 04, 2017 11:54 am
with these things comes confusion
One step at a time. If people can't tell personal data apart from pseudonymic, I'm sure they're confused - but that also means they have to learn even more.

LaxSlash1993
Registered User
Posts: 129
Joined: Sat Sep 22, 2012 2:20 am

Re: GDPR compliance is going to be left optional, right?

Post by LaxSlash1993 » Tue Dec 05, 2017 3:19 am

Mick wrote:
Sat Dec 02, 2017 9:56 pm
Being a bit thick here, if someone is requested a “real name” or email address or whatever to register, what can be gleaned from that information? It’s the same with the “are you over 18?” sites, we’re all going to be over 18 if there’s something tasty to see. The same with COPPA, you only have the word of the person tapping in the info. The only assumption you can make is all the info is bogus and go from there.
Which is another great point in this all, especially with names. I never used my real name on sites that ask for it, outside of Facebook or GMail. Forums though, I always come up with some form of a bs name. Having said that, my name's not exactly common. If I had a name like "John Smith," I'd probably be far less concerned with the whole anonymity thing.

As I stated before, my whole issue is the scope of what the GDPR wants to protect. Things like credit card numbers... yeah. I totally agree with a law like this for things on that sort of a level. (I'm actually a little bit more towards the opinion that it shouldn't be legal to even store a CC# unless you're a bank or CC company... but that's a story for a different time.) But names/birthdays/things like that? It's overkill.
warmweer wrote:
Mon Dec 04, 2017 10:37 am
AmigoJack wrote:
Mon Dec 04, 2017 10:01 am
The tears are tripping me, because I have yet to find a business that is not selling my data. The whole GDPR would probably not exist if the majority of businesses would deal with customer data responsibly - most aren't even able to protect my data against leakage, and I hope that will result in high fines as well in the future.
Seconded!!
But it's not just leakage. Try unsubscribing to almost any mailing list you've been put on (unconsulted). Yes, you'll be unsubscribed from that list ... but added to another (or more).
WelshPaul wrote: I hear you, I'm not saying it's a bad thing but with these things comes confusion. It's knowing what information needs to be deleted and what needs to be retained to protect yourself and others. Allowing users to delete all their posts isn't really a good idea for community boards as a whole...
Again, it's an overkill band-aid fix to the problem. The laws need to specifically target this practice, and need to be specifically in the form of requiring disclosure with the sale of information. But anything else... ie, data retention policies, "right to erasure," downloading a copy of all data handled, etc... that should be left to a subscribable standard that can earn a company a "badge of trust" of varying degrees if they support those rights. Make it a voluntary program. Companies that subscribe will have a huge marketing advantage, and the standard will have much more meaning than a regulation. But things like banks, financial institutions, and anyone else that uses mainframes (even those with not as much money as a bank) are going to have a huge cost impact when it comes to people that wish to exercise those rights. Not all information held by banks has legal retention requirements. MIPS aren't free...

Sanborn
Registered User
Posts: 53
Joined: Mon Mar 16, 2015 7:01 pm

Re: GDPR compliance is going to be left optional, right?

Post by Sanborn » Fri Dec 08, 2017 6:13 pm

IPs can be considered as personal data, because you can link an IP to an actual person (albeit through the ISP)
Usernames can be considered as personal data, because a lot of people just use their real name for this.
Posts can be considered as personal data, because I can write "Hello I'm John Doe, etc"

Just because a user uses his own name as username or adds personal data in a forum post doesn't make it his problem.
It is your problem if it's on your website. Same goes for pictures, videos, all of that can contain information to identify a person.

Out of the box phpBB has a "location" field in a user profile. There you go, personal data.

There is a difference between personal data and sensitive data. Personal data is your name, your address etc. Sensitive data is your religion, sexual preference etc. GDPR targets personal data, not just sensitive data. If data on your website can contain personal data, then it should be considered as personal data. So eg a username is personal data.

And GDPR enforces you to clean up this info, when a user requests it, or if a user doesn't interact with your website for a period of time.

david63
Jr. Extension Validator
Posts: 13145
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: GDPR compliance is going to be left optional, right?

Post by david63 » Fri Dec 08, 2017 7:18 pm

Sanborn wrote:
Fri Dec 08, 2017 6:13 pm
IPs can be considered as personal data, because you can link an IP to an actual person (albeit through the ISP)
How does that work then with dynamic IP addresses where several people can, and do, have the same IP address at some point? I would tend to go along with that when IPv6 becomes a reality.
Sanborn wrote:
Fri Dec 08, 2017 6:13 pm
Out of the box phpBB has a "location" field in a user profile. There you go, personal data.
Doesn't have to be filled in though - and if it is an issue then disable it.

It is not a question of "personal data" it is "personal identifiers". If I say my name is Albert Johnson, and that is the only information that you have, then you would not be able to identify me.

If people post personal data anywhere on the Internet then they have to accept a degree of responsibility for that data and not relinquish that responsibility to somebody else.
David

Sanborn
Registered User
Posts: 53
Joined: Mon Mar 16, 2015 7:01 pm

Re: GDPR compliance is going to be left optional, right?

Post by Sanborn » Sat Dec 09, 2017 10:57 am

david63 wrote:
Fri Dec 08, 2017 7:18 pm
Sanborn wrote:
Fri Dec 08, 2017 6:13 pm
IPs can be considered as personal data, because you can link an IP to an actual person (albeit through the ISP)
How does that work then with dynamic IP addresses where several people can, and do, have the same IP address at some point? I would tend to go along with that when IPv6 becomes a reality.
An ISP should be able to identify which user was allocated which IP at a given point in time.
david63 wrote:
Fri Dec 08, 2017 7:18 pm
Sanborn wrote:
Fri Dec 08, 2017 6:13 pm
Out of the box phpBB has a "location" field in a user profile. There you go, personal data.
Doesn't have to be filled in though - and if it is an issue then disable it.
It was just an example to show that out of the box, phpBB is subject to GDPR rules.
Ok, so you disable the Location field. I can still upload my picture as avatar, I can still put my real data in some post. If you disable all that, then phpBB has no more value :)
david63 wrote:
Fri Dec 08, 2017 7:18 pm
It is not a question of "personal data" it is "personal identifiers". If I say my name is Albert Johnson, and that is the only information that you have, then you would not be able to identify me.
Unless you are the only person by that name.
david63 wrote:
Fri Dec 08, 2017 7:18 pm
If people post personal data anywhere on the Internet then they have to accept a degree of responsibility for that data and not relinquish that responsibility to somebody else.
True, but GDPR is about providing a solution to people to avoid having their personal data floating around somewhere for eternity.

HiFiKabin
Community Team Member
Posts: 2303
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James
Contact:

Re: GDPR compliance is going to be left optional, right?

Post by HiFiKabin » Mon Dec 11, 2017 9:55 am

I have been thinking about this some more, as well as trying to read/understand the documents. As I understand it, this is about information held and used by YOU the website owner.

Looking at this from a slightly different angle.

You write a letter to the letters page of The Radio Times. The letter is as follows but you sent it to them with your real name and address.
Dear Sir

I want to complain about the BBC, so please get them to broadcast something distasteful.

Yours Faithfully

Disgusted

Tunbridge Wells
That letter is then published in the Radio Times. You then want The Radio Times to delete your details. They remove your real details from their database, but not the letter. The magazine has been printed, millions of people have seen it, it's in the archives, etc etc

You can not go and remove that information as it exists. I think the same applies to the internet.

The information that you give me in order to join my forum (username, password, email address) can be deleted. What you have decided to post on a public forum for anyone to read can be considered to be the same as a published letter. It can (and will) get archived, indexed by Google etc etc.

All IMHO of course as I am still awaiting a reply to my email

Mick
Support Team Member
Posts: 18119
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: GDPR compliance is going to be left optional, right?

Post by Mick » Mon Dec 11, 2017 10:14 am

Like naughty selfies on FB, once it's published, it's published, it's too late.

HiFiKabin
Community Team Member
Posts: 2303
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James
Contact:

Re: GDPR compliance is going to be left optional, right?

Post by HiFiKabin » Mon Dec 11, 2017 10:33 am

Mick wrote:
Mon Dec 11, 2017 10:14 am
Like naughty selfies on FB, once it's published, it's published, it's too late.
So it IS you in those photos :P
