New GDPR (General Data Protection Regulation) and phpBB

Affin
I've Been Banned!
Posts: 254
Joined: Fri May 25, 2018 9:52 pm

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Affin »

Is there any extension for this?
Crizzo
Translations & International Support Teams Manager
Posts: 1669
Joined: Thu Apr 23, 2009 1:20 pm
Location: Stuttgart, Germany
Name: Christian

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Crizzo »

Affin wrote: Thu Oct 25, 2018 6:33 pm Is there any extension for this?
viewtopic.php?f=456&t=2464776 ;)
My extensions for phpBB: CDB
German phpBB Support at www.phpbb.de
LaxSlash1993
Registered User
Posts: 182
Joined: Sat Sep 22, 2012 2:20 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by LaxSlash1993 »

Bumping a topic from a bit ago, but this came out recently in case anyone's interested:
https://www.dataprotectionreport.com/20 ... -the-gdpr/
What qualifies as offering goods and services?

The GDPR applies to entities that target data subjects in the EU with goods or services. Here, an entity only needs an “intention” to offer goods and services to EU data subjects – there is no requirement that commerce or economic activity occurs. For example, if a company’s website displays languages or currencies commonly used in the EU, then that company would be targeting EU data subjects even if it never made a sale in the EU. One limited example is provided of where this intention is not manifest and that is when a US citizen uses a US news app while traveling in the EU.

The Guidelines also give a list of nine factors that can be taken into account in determining where an intention to offer goods and services exists, including: whether an EU member state is designated by name, advertising campaigns in the EU, the international nature of the activity, mention of addresses or phone numbers reachable from an EU country, use of a top level EU domain name, description of travel instructions from the EU to the services, mention of international clientele or customers in the EU, use of language or currency commonly used in the EU, and whether goods are delivered in EU countries.

What meets the threshold for monitoring EU Data Subjects?

The GDPR applies when entities monitor the behavior of EU data subjects when that behavior takes place in the EU. Per the EDPB, ‘monitoring’ implies that the Controller has a “specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behavior within the EU.” Examples of monitoring behavior include the use of common online tools such as cookies, geolocation tracking, and behavioral advertising but also offline monitoring such as CCTV.
Bold-italics emphasis is mine. Done to point out things likely relating to forums. Is English considered a common language used in the EU? Also, are moderators considered as "employees" of a forum? Does that mean to fall out of the scope, any EU based moderator or admin would have to be demoted/dropped?

tl;dr for those not interested in reading the article, the EU's throwing a globalist temper tantrum and asserting that it has power that it doesn't have again. :roll: :lol:
Lumpy Burgertushie
Registered User
Posts: 69224
Joined: Mon May 02, 2005 3:11 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Lumpy Burgertushie »

LaxSlash1993 wrote: Wed Dec 12, 2018 2:18 am monitoring’ implies that the Controller has a “specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behavior within the EU.
That says to me that unless you are collecting data (cookies etc.) for a specific purpose (other than just simply because it is needed to be able to use the software), then none of this stupid EU law even applies in the EU, much less anywhere else.


robert
Premium phpBB 3.3 Styles by PlanetStyles.net

I am pleased to announce that I have completed the first item on my bucket list. I have the bucket.
timeforhelp1
Registered User
Posts: 300
Joined: Thu Feb 19, 2009 5:34 pm

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by timeforhelp1 »

This thing is ridiculous, aren't we leaving the EU anyway!

There are sites that I go on in America that cannot be viewed on an EU IP because of this crap (https://www.tribpub.com/gdpr/orlandosentinel.com/) and it's unbelievable that the foreign sites do not have a CMP (https://advertisingconsent.eu/cmp-list/) installed as they are surely losing money!

Anyway I've seen a big decrease in my advertising revenue because I did not have a CMP, so I used a free one from Quantcast, just put it on today.
(https://www.quantcast.com/gdpr/quantcas ... elf-serve/)

It's not that hard and you're all done.
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by david63 »

timeforhelp1 wrote: Fri Aug 02, 2019 4:03 pm This thing is ridiculous, aren't we leaving the EU anyway!
Maybe, possibly - but that is irrelevant because GDPR is in UK law and will stay.
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
heinrich_k
Registered User
Posts: 229
Joined: Fri Jul 17, 2009 11:40 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by heinrich_k »

Question
GDPR as a general best practice states that no unnecessary information shall be stored and information shall be deleted if no longer necessary.

Also, IP addresses of users are somewhat personal information. Regardless of the ability to match the information to a person or internet identity anyone of us has.

So, the IP addresses of users' last login or any post or log entry or wherever the forum stores IP addresses are something that in my experience have no value or at least rapidly decreasing value. I mean, they are kind of useful for debugging but besides that....

So, why store them?
Why not mask them after a period of time set in the ACP, or delete them altogether?

In the end they are kind of forensic circumstantial evidence, if someone claims a post that was made with his username wasn't made by him or so. But I for one wouldn't want anyone to dig up, 10 years from now, that this very post was made from an IP belonging to my employer's ISP, not my cell phone carrier's.
enter a valid email
Registered User
Posts: 324
Joined: Mon May 30, 2016 4:50 pm
Location: VIE

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by enter a valid email »

The problem is that some information must be stored by law for a long period of time, like offers and others which I could not translate well.
Like a bill, which must be stored for 6 years here. They often include multiple personal data. :roll:
heinrich_k
Registered User
Posts: 229
Joined: Fri Jul 17, 2009 11:40 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by heinrich_k »

enter a valid email wrote: Mon Sep 09, 2019 1:55 pm The problem is that some information must be stored by law for a long period of time, like offers and others which I could not translate well.
Like a bill, which must be stored for 6 years here. They often include multiple personal data. :roll:
True, the GDPR explicitly allows itself to be overruled by any other law that requires an entity to store data. Tax and banking laws being the most prominent.

But there is no regulation that requires you to store IP addresses of users when they log in, nor is there any reason to log their activity in phpBB's logs for an indefinite amount of time. In any case, this information has to be machine readable, exportable, and deletable to comply with GDPR, so for full compliance these entries have to be anonymised, at least.
Same goes for web server logs.... if they aren't needed for debugging, there is no legitimate reason to keep them longer than necessary.

I don't know what "necessary" is, nobody does until there are the first court rulings, however my forum tells me that on Thursday 27. Oct 2011, 15:40 user Hamisch from IP 130.83.xxx.xxx added the user "Turm" to group "Kust Lag".
I can see that this information provides some information, but the IP really doesn't give any meaningful aspect any more. And if either Hamisch or Turm were to request deletion of the personal information, phpBB doesn't provide the means to anonymise their entries in the logs, or does it?
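
The time-based masking raised in heinrich_k's two posts above, sketched as an added example; it is not part of the thread and not phpBB code. The row layout, the 90-day retention period and the /16 (IPv4) and /48 (IPv6) masks are assumptions, and the sample rows are constructed with documentation-range addresses.

```python
import ipaddress
from datetime import datetime, timedelta, timezone


def mask_ip(ip, v4_prefix=16, v6_prefix=48):
    """Zero the host bits of an address; unparseable values become ""."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return ""  # never keep a raw value that cannot be interpreted
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def anonymise_old_entries(rows, now, retention_days=90):
    """Return copies of rows, masking the IP of every entry past retention."""
    cutoff = now - timedelta(days=retention_days)
    result = []
    for row in rows:
        row = dict(row)  # leave the caller's data untouched
        if row["time"] < cutoff:
            row["ip"] = mask_ip(row["ip"])
        result.append(row)
    return result


# Constructed sample rows (hypothetical layout, documentation-range addresses).
UTC = timezone.utc
SAMPLE_LOG = [
    {"time": datetime(2011, 10, 27, 15, 40, tzinfo=UTC), "user": "user_a",
     "ip": "198.51.100.23"},
    {"time": datetime(2018, 12, 12, 2, 18, tzinfo=UTC), "user": "user_b",
     "ip": "2001:db8:abcd:12:34:56:78:9a"},
    {"time": datetime(2019, 9, 9, 13, 55, tzinfo=UTC), "user": "user_c",
     "ip": "192.0.2.77"},
    {"time": datetime(2012, 1, 5, 9, 0, tzinfo=UTC), "user": "user_d",
     "ip": "unknown"},
]

if __name__ == "__main__":
    now = datetime(2019, 9, 10, tzinfo=UTC)
    for entry in anonymise_old_entries(SAMPLE_LOG, now):
        print(entry["time"].date(), entry["user"], entry["ip"] or "(removed)")
```

A /16 mask leaves the same amount of the address visible as the "130.83.xxx.xxx" form quoted above; a scheduled job would apply the same function to every stored IP column and to web server logs.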
apollodriver
Registered User
Posts: 134
Joined: Tue Jan 21, 2020 11:35 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by apollodriver »

Hello dear all,

Many, many thanks for this great thread.

I want to run a phpBB in English language and for a global audience.

Can I stick with this - in other words - can I run this extension as well!?
https://tas2580.net/downloads/phpbb-privacyprotection/

See more:
https://github.com/tas2580/privacyprote ... e:settings


Love to hear from you

Yours, apollodriver
for Wordpress-development - i use the Toolset: http://wpgear.org/
enter a valid email
Registered User
Posts: 324
Joined: Mon May 30, 2016 4:50 pm
Location: VIE

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by enter a valid email »

Yes, this should run on 90% of all European boards.
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by david63 »

The bottom line here is that it is the board owner who is responsible for complying with the law that appertains to the country that they are in and/or operate in. How they do it and what they use to do it is entirely down to them.
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

Hello
As the founder of this topic, I want to say that for 2-3 years nothing has changed in the phpBB group's approach to the GDPR directive. It doesn't matter if someone is in the EU or not, it's right when you read it to look coherent and pro consumer, pro human. Currently, even non-EU countries and, as I read, individual US states are implementing similar legal solutions.
Competing CMS or forum software implement solutions enabling compliance with GDPR, but phpBB does not. Why not?
GDPR is a broad concept. It requires looking at the whole concept of managed business.
We know widely described cases of data leaks and high penalties imposed by regulatory authorities, but as you can see, this does not translate into changes in the phpBB approach to these matters. Detriment :(
When will there be a consistent approach to protecting personal data in phpBB?

What is needed in my opinion:
- built-in mechanisms for informing about data processing;
- anonymization of unnecessary data (after a set time), technical ways of securing access (e.g. 2FA);
- initial settings in accordance with GDPR requirements;

Of course, this can be an extension, but it should be distributed with phpBB as an integral part.
All in all, I don't understand why nobody worries about it. These are very important issues, which are completely overlooked by the phpBB group. From what I see, only some programmers think about it. Thanks David, thanks Paul.
Regards all.
Lumpy Burgertushie
Registered User
Posts: 69224
Joined: Mon May 02, 2005 3:11 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Lumpy Burgertushie »

Maybe because others do not agree with your opinion of the GDPR and how it may or may not affect a board that is not based in the EU for one thing.


robert
Premium phpBB 3.3 Styles by PlanetStyles.net

I am pleased to announce that I have completed the first item on my bucket list. I have the bucket.
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

Maybe this is the reason why commercial solutions exist and people pay a lot of money for them, but they can also be sure that everything works in accordance with the law (at least he tries to make everything comply with the law).