EU Privacy Law Compliance

david63
Jr. Extension Validator
Posts: 14645
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood

Re: EU Privacy Law Compliance

Post by david63 » Tue Mar 06, 2018 3:47 pm

CHItA wrote:
Tue Mar 06, 2018 3:30 pm
I think if you are worried about private messages, just add a policy that no personal information can be shared in them (so you comply with GDPR).
Even easier - disable the PM system
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

canonknipser
Registered User
Posts: 1598
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs

Re: EU Privacy Law Compliance

Post by canonknipser » Tue Mar 06, 2018 3:56 pm

CHItA wrote:
Tue Mar 06, 2018 3:30 pm

tojag wrote:
Tue Mar 06, 2018 2:46 pm
Can e-mail communication reveal the address of the user sending the message? At the moment there is not even a warning that this will happen when we send an email.
Not sure what you are talking about here.
Maybe about this misunderstanding of how phpBB's mail system is designed, esp. the meaning of "hide email addresses"? viewtopic.php?f=556&t=2462606
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB

LaxSlash1993
Registered User
Posts: 178
Joined: Sat Sep 22, 2012 2:20 am

Re: EU Privacy Law Compliance

Post by LaxSlash1993 » Wed Mar 28, 2018 6:33 pm

CHItA wrote:
Fri Mar 02, 2018 1:20 pm
thus a better option would be to just allow to not collect them in some contexts (e.g. for post validation/moderation purposes).
This could create a huge security risk, and could create a very unsafe situation when anyone is free to go on a forum completely untracked. Would be a very dangerous option (then again, this entire reg is, but that's a different story).
See the discussions in:
viewtopic.php?f=461&t=2385946
viewtopic.php?f=46&t=2138194
viewtopic.php?f=72&t=1105275
Simply trying to do our best to keep phpBB secure against attacks seems to me as sufficient protection for this kind of data. If you really want to store sensitive information about your users in custom profile fields, then you should take care of the extra security required yourself (this should never happen realistically).
Just FYI, from research of the reg, both are technically required. It classifies simple name and e-mail data as sensitive data now for some stupid reason. :roll:
And finally to your last point: terms of service is a legal document, and as such, we cannot write one which complies with any actual laws, as we do not know nor the law, nor how one of our users handles data. Just by providing some template (which has zero actual value, as which law should we base it on?), some users might think that they have a valid "terms of service page" just by copy-pasting it.
And this is gonna be where a lot of Europeans that own forums get caught off-guard, unfortunately. Not having an EU compliant TOS and Privacy Policy puts them in the cross-hairs.
CHItA wrote:
Tue Mar 06, 2018 3:30 pm
tojag wrote:
Tue Mar 06, 2018 2:46 pm
In my opinion, a good solution would be a user's log that would be available to him. It would contain:
- IP and registration time,
- IP and change time of password / login / email,
- IP and login time, including unsuccessful login.
GDPR requires reporting incidents related to data protection. With such a log, the user can report to the admin, e.g. attempts to log into his account.
You could suggest a log like that in the ideas forum. Also, it is rather funny that this idea comes to someone by worrying about GDPR.
As long as the ability to turn off display to that user/other users of this log exists (Can view own log/Can view any log), that would be a cool option to have.
tojag wrote:
Tue Mar 06, 2018 2:46 pm
GDPR requires an analysis of the risk of unauthorized access to personal data. What I suggest in this forum is to make better protection for accounts by introducing two factor authentication (2FA), e.g. using Google Authenticator.
There is an extension for 2FA. Not really sure whether or not you mean phpBB by "this forum" or actually the forum on .com. I think this topic is in general about phpBB's GDPR compliance.
^. This is a good idea for an extension, but not for stock behavior as 2FA can be a pain to set up, and in that case, you're pretty much ensuring that you're storing what the GDPR considers to be "private data."
tojag wrote:
Tue Mar 06, 2018 2:46 pm
Another issue is whether private messages should be encrypted in the database? There are opinions that yes.
No way they will be by default in the near future, however, someone might create an extension one day to do so. I think if you are worried about private messages, just add a policy that no personal information can be shared in them (so you comply with GDPR).
I would support this as an option of phpBB, as long as it was an option that was turned off by default.
tojag wrote:
Tue Mar 06, 2018 2:46 pm
Can e-mail communication reveal the address of the user sending the message? At the moment there is not even a warning that this will happen when we send an email.
Not sure what you are talking about here.
If the board has it enabled, yes. But this should be up to the site owner to reflect in the policies if need be.

Off-topic personal opinion on this all: Personally, I think that as much of this law should be left to site owners to comply with as possible. There's so many site owners in support of this reg, because they don't have to do anything and most web development stuff today is just handed to those that wish to run a website - I think it's great in the sense that it shows people how much of a headache and a burden over-regulation can be. Maybe we'd have more people that don't blindly support regulations just because they falsely and unrealistically promise something good.
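As an added illustration (not code from phpBB or from anyone in this thread) of the per-user account log tojag proposed above, with the "Can view own log" / "Can view any log" permissions LaxSlash1993 asked for: the permission names, event kinds, IPs and sample entries are assumptions made up for this example.

```python
from dataclasses import dataclass
from datetime import datetime

# Event kinds taken from the log proposed in the thread (names are assumed).
EVENT_KINDS = {"register", "password_change", "login_change", "email_change",
               "login_ok", "login_failed"}

@dataclass(frozen=True)
class Event:
    user_id: int
    kind: str
    ip: str
    when: datetime

class AccountLog:
    """Per-user log of account events; a user can inspect their own entries."""

    def __init__(self) -> None:
        self._events: list[Event] = []

    def record(self, user_id: int, kind: str, ip: str, when: datetime) -> None:
        if kind not in EVENT_KINDS:
            raise ValueError(f"unknown event kind: {kind}")
        self._events.append(Event(user_id, kind, ip, when))

    def view(self, viewer_id: int, target_id: int, perms: set[str]) -> list[Event]:
        """Return target's log, enforcing the two permissions named in the thread."""
        own = viewer_id == target_id and "view_own_log" in perms
        if not (own or "view_any_log" in perms):
            raise PermissionError("not allowed to view this log")
        return [e for e in self._events if e.user_id == target_id]

    def unfamiliar_failed_logins(self, user_id: int) -> list[Event]:
        """Failed logins from IPs that never registered or logged in successfully
        for this user: the entries a user would report to the admin."""
        mine = [e for e in self._events if e.user_id == user_id]
        known = {e.ip for e in mine if e.kind in ("register", "login_ok")}
        return [e for e in mine if e.kind == "login_failed" and e.ip not in known]

def sample_log() -> AccountLog:
    """Constructed sample data (documentation IP ranges), not from any real board."""
    log = AccountLog()
    t = datetime(2018, 3, 6, 14, 46)
    log.record(7, "register", "203.0.113.10", t)
    log.record(7, "login_ok", "203.0.113.10", t.replace(day=7))
    log.record(7, "login_failed", "203.0.113.10", t.replace(day=8))   # user's own typo
    log.record(7, "login_failed", "198.51.100.23", t.replace(day=9))  # unknown address
    log.record(8, "register", "192.0.2.5", t)
    return log
```

Note that the log itself holds IP addresses, so a board adopting it would also need a retention period for these entries.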

Lumpy Burgertushie
Registered User
Posts: 64862
Joined: Mon May 02, 2005 3:11 am

Re: EU Privacy Law Compliance

Post by Lumpy Burgertushie » Wed Mar 28, 2018 6:41 pm

And in reality, most normal hobbyist boards would never come under scrutiny for this nor have a problem if they did.
Remember, I am not a lawyer here or anywhere else. (Of course one wonders about the ones that claim to be when giving advice about such a stupid set of regulations.)

oh well, it does not apply to me at all so I am out.

robert
I am available for custom work on a donation basis. Please send me a PM with your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

OK, so what's the speed of dark?

tojag
Registered User
Posts: 336
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: EU Privacy Law Compliance

Post by tojag » Wed Mar 28, 2018 8:10 pm

LaxSlash1993 wrote:
Wed Mar 28, 2018 6:33 pm
This is a good idea for an extension, but not for stock behavior as 2FA can be a pain to setup, and in that case, you're pretty much ensuring that your storing what the GDPR considers to be "private data."
GDPR talks about the protection of personal data and not private data. Personal data may be private or public. For example, everything that is publicly visible in the user's profile is his personal data but made public (even if only for other users).
2FA only has to increase the security of access to the user's account, so that someone unauthorized cannot change, for example, your nickname or avatar, and cannot write posts as you or delete accounts etc. And most importantly, he would not be able to do administrator's work. 2FA is not mandatory but it perfectly increases the access security, which is why it is widely used today.

I was happy when there were no stupid requirements. I kept my website calmly. Every day I work in the field of legal metrology (devices for billing, such as water meters, heat meters, etc.) and I have a lot of legal requirements there, so that someone who uses such a meter is not wronged. I have checks, audits, etc. Lawyers work in every industry, maybe that's why I'm so sensitive.

As I wrote in another topic... Unfortunately, I think differently than most people here. It seems to me that big players will manage. They have lawyers and money. Small businesses and hobbies will be at risk. It is always the case that the big one becomes even larger as they introduce new legal requirements.

3Di
Registered User
Posts: 12893
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: EU Privacy Law Compliance

Post by 3Di » Wed Mar 28, 2018 8:26 pm

tojag wrote:
Wed Mar 28, 2018 8:10 pm
poke
May I ask the link to your board?
A PM will do, you can send it to me this time... if you are ok.

I would like to investigate it, I am really curious now, after reading all of your posts about this stuff. :)
Want to compensate me for my interest? Donate
Please PM me only to request paid works. Thx.
Extensions, Scripts, MOD porting, Update/Upgrades
My development's activity º PhpStorm's proud user

LaxSlash1993
Registered User
Posts: 178
Joined: Sat Sep 22, 2012 2:20 am

Re: EU Privacy Law Compliance

Post by LaxSlash1993 » Wed Mar 28, 2018 10:22 pm

tojag wrote:
Wed Mar 28, 2018 8:10 pm
I was happy when there were no stupid requirements. I kept my website calmly. Every day I work in the field of legal metrology (devices for billing, such as water meters, heat meters, etc.) and I have a lot of legal requirements there, so that someone who uses such a meter is not wronged. I have checks, audits, etc. Lawyers work in every industry, maybe that's why I'm so sensitive.

As I wrote in another topic... Unfortunately, I think differently than most people here. It seems to me that big players will manage. They have lawyers and money. Small businesses and hobbies will be at risk. It is always the case that the big one becomes even larger as they introduce new legal requirements.
Well, it's like I said elsewhere. I don't picture this law lasting, at least not for foreign owned websites. I'd love to watch the US enact a law that Americans have a right to a taxi to be called and paid for by a bar when they're drunk, even when visiting a foreign bar - and then try enforcing that law on Canadian or Mexican bars.

It's a good thing I'm not in the EU - it has to be miserable to provide any sort of good or service over there.

Mick
Support Team Member
Posts: 19976
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: EU Privacy Law Compliance

Post by Mick » Wed Apr 04, 2018 1:05 pm

Like you, I doubt it will work especially in the UK and personally I’m not getting worked up about it. In fact, I intend to do exactly nothing about it until such time as the stuff hits the fan if it ever does.
"The more connected we get the more alone we become" - Kyle Broflovski

There are no ‘threads’ in phpBB, they are topics.

tojag
Registered User
Posts: 336
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: EU Privacy Law Compliance

Post by tojag » Wed Apr 04, 2018 2:46 pm

There are international agreements. If the EU wants to punish someone for breaking the law in the EU (a site from the US for users in the EU), the US may agree. Just as extradition agreements now work - someone commits a crime in the US and flees to the EU - if there is a deal, the EU will send the offender to the US.
GDPR requires representation in the EU if the company is from outside the EU and the main activity is data processing. Every big player like FB or G or MS has his representation in the EU. The EU may demand action from them and may punish them. These are huge penalties.
Of course, the EU will not pursue small businesses, but ... it can be done by John X. or a cunning law firm.

stevemaury
Support Team Member
Posts: 49457
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Re: EU Privacy Law Compliance

Post by stevemaury » Mon Apr 09, 2018 3:39 pm

Can anyone refer me to any part of the EU law that imposes any obligation on providers of software, as opposed to site owner/operators?
For REALLY good and VERY inexpensive hosting CLICK HERE

I can stop all your spam. PM or email me.

All unsolicited PMs will be ignored.

HiFiKabin
Community Team Member
Posts: 3148
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: EU Privacy Law Compliance

Post by HiFiKabin » Mon Apr 09, 2018 3:46 pm

stevemaury wrote:
Mon Apr 09, 2018 3:39 pm
Can anyone refer me to any part of the EU law that imposes any obligation on providers of software, as opposed to site owner/operators?
There is none, Steve. The GDPR applies to owners/operators and varies from EU country to country (as it's a Regulation, not a Directive).

In other words, it's a mess: if I have an EU-wide board based in the country with the laxest rules, do I have to apply the strictest rules because I have a member from that country?

stevemaury
Support Team Member
Posts: 49457
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Re: EU Privacy Law Compliance

Post by stevemaury » Mon Apr 09, 2018 4:01 pm

That being the case, and speaking for myself and not the project, I would think that the correct thing for phpBB to do, as far as the distributed hardware goes, is nothing.

First, there is no way we can know or pay lawyers to find out every member country's laws and attempt to make tools to allow the site owner to be compliant.

To make the attempt and fail, in even the smallest regard, would be worse than not making the attempt at all. And the amount of time and work involved would detract from the progress of the project.

I would imagine, capitalism being what it is, that some enterprising entity will market add-ons for various software types to provide tools for compliance.

I also think that if the EU really wants to vigorously enforce this against every site on the web, it will bankrupt itself just in the investigation phase. People will probably make the identity of operators less, not more, transparent, for one thing. To hire people to visit every site in the world, determine its compliance, determine whether there is jurisdiction, identify and contact owners, etc., etc. will not be done for free.

GanstaZ
Registered User
Posts: 404
Joined: Wed Oct 11, 2017 10:29 pm
Location: Zverse

Re: EU Privacy Law Compliance

Post by GanstaZ » Mon Apr 09, 2018 4:28 pm

The law itself does not apply only to owners, but to members/customers as well. And I fully agree with what you said above: every site owner is responsible for their own environment.
"When answer lies in the question,.. question becomes redundant!"

tojag
Registered User
Posts: 336
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: EU Privacy Law Compliance

Post by tojag » Mon Apr 09, 2018 10:03 pm

1. But if you do not have the right tools in built-in or external phpBB, then website owners can go to competitive systems that offer such support.
2. phpBB offers services all over the world also for EU users. Anyone can register in this forum. The GDPR requirements must therefore be met by this site so that there will be no problems in the future.

Mick
Support Team Member
Posts: 19976
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: EU Privacy Law Compliance

Post by Mick » Tue Apr 10, 2018 9:15 am

This should be an extension (or an idea) even if it’s in the interim. Expecting it to be added to the core any time soon will ruin expectations. You could collude with a prospective author to have exactly what you want.
