New GDPR (General Data Protection Regulation) and phpBB

tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

But everyone says that the problem doesn't exist :)
So, thanks for the topic, especially for me :)
LaxSlash1993
Registered User
Posts: 182
Joined: Sat Sep 22, 2012 2:20 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by LaxSlash1993 »

@tojag - I've read the GDPR too, which is why I'm so vehemently against it. ;)

This law's getting dangerous. I'm starting to see threads of people broadcasting that they've disabled webserver and database server logging on their systems, and broadcasting it as a bonus of using their services/sites. Do we want to take bets on how long it will be before hackers just nail the Hell out of these sites and services?
tlem
Registered User
Posts: 166
Joined: Sun Jan 24, 2016 4:47 pm
Location: Bordeaux (France)
Name: Thierry

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tlem »

CHItA wrote: Sun May 20, 2018 2:44 pm Also, please try to keep this a civilized discussion.
It doesn't matter, I expected that kind of response. ;)

I will just complete what you said because this will be useful for those who consider my arguments valid because they are issued by an authority:
CHItA wrote: Sun May 20, 2018 2:44 pm This was also already answered. Don't process them based on consent and then you don't have to (except on a case by case basis if the author requests it and the request is reasonable). If you process them based on consent then you probably have to remove the personal data from the posts and probably from quotes, replies, whatever else.
If you live in the European Union, I invite you to consult the equivalent of the French CNIL, which is the data protection authority of your country (European DPA).

Put yourself in the place of an Internet user who wants to delete personal data on a site and look at what your rights are and how to exercise them. You will discover that you must make the request to delete your personal data in writing and have a valid reason for making this request. ^^

On the site of the CNIL, there is a section "Courrier" which allows you to retrieve the template for this letter.

Here is the translated document issued by the French data protection authority:
Dear,

Information about me is currently posted on your website on the following pages:

[ Url ]

Also, in accordance with article 38 of the law "Informatique et Libertés" of January 6, 1978 as amended, please remove the following information:

[ info_to_remove ].

I wish this information to be deleted because:

[ reason_of_deletion ]

I would ask you to do what is necessary to ensure that these pages are no longer referenced by search engines.

I remind you that you have a maximum of two months following receipt of this letter to respond to my request (Article 94 of the Decree of 20 October 2005 for the application of the law of 6 January 1978 as amended).

Please accept, Madam, Sir, the expression of my best regards.
So you can see that it is up to the user to specify the pages from which he wishes to delete his personal data. Moreover, you will find that he must also indicate a valid reason for his request.
If, despite requests to the site, the user does not obtain satisfaction, then he will have to make a complaint to his local data protection authority.

I put myself in the place of a user wishing to fill in the form and I carried out the process on this link.
And surprise ...
Blog, forum

You want to delete or anonymize personal data or contributions

Address your request to the blog / forum where the information is posted. Its answer may be the anonymisation of your contributions.

Note: if you use a pseudonym you will be able to exercise your "Informatique et Libertés" rights only if you can demonstrate that it identifies you indirectly.
It doesn't matter, I go on to say that "The response of the blog/forum is not satisfactory".
If the blog/forum has anonymized your contributions, the CNIL considers this answer sufficient for the protection of your data.

In other cases, send a complaint to the CNIL.

Documents to provide in support of your approach: a copy of your initial request and, if it has answered, a copy of its answer.

These elements are essential to the investigation of your complaint.
Whoa, it's Christmas come early. ^^

After that, if you persist, you must fill out a very nice form. :geek:
https://goopics.net/i/RPNqm
There, I'd say, it really takes time and a very good reason to want to delete personal data.


To conclude this long message, here is "another point of view" :roll: regarding the GDPR:
The original text can be found here.
In this text you can find 4 points:
European Data Protection Regulation: what do you need to know?

1. Where to find the text?
2. When will the European Regulation be applicable?
3. What are the changes made by the European Regulation for professionals?
4. What are the changes made by the European Regulation for citizens?
In the second point, you can read:
It applies to all companies (including their works councils), administrations and associations that process personal data.
So if you have a community, non-commercial forum or you are not part of an association, you are not concerned.
But having said that, you're still responsible for data security, which is a part of the GDPR. :mrgreen:

Some interesting links that you can read in your native language (you can change it with the link to the left of the Search box):
https://ec.europa.eu/info/law/law-topic ... /reform_en (main link)
https://ec.europa.eu/info/law/law-topic ... al-data_en (note that it speaks only of business and not private use).
https://ec.europa.eu/info/law/law-topic ... w-apply_en (note that it speaks only of business or entity and not private use).
https://ec.europa.eu/info/law/law-topic ... ly-smes_en (same as above).

After all this, I maintain that the administrator of a non-commercial phpBB forum can sleep soundly.
Now, nothing prevents you from doing the minimum by adding a security policy where you explain, as most large companies do, that if the user continues to use your service, he agrees to the collection of the personal information necessary for the functioning of the forum as well as to the use of operating cookies.

Sorry for the length of this message.
Sorry to have delayed writing it, but as the weather was nice, I went gardening. :ugeek:

Edit: link update for Courrier
Last edited by tlem on Tue May 22, 2018 7:30 pm, edited 1 time in total.
CHItA
Development Team Member
Posts: 166
Joined: Sat Dec 06, 2008 10:27 pm
Location: London, UK

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by CHItA »

LaxSlash1993 wrote: Sun May 20, 2018 6:35 pm This law's getting dangerous. I'm starting to see threads of people broadcasting that they've disabled webserver and database server logging on their systems, and broadcasting it as a bonus of using their services/sites. Do we want to take bets on how long it will be before hackers just nail the Hell out of these sites and services?
Well, then they have misinterpreted what is actually written in GDPR horribly. It is a misunderstanding of the regulation at least as much as claiming that the only basis for processing is consent. The ICO has a pretty good explanation of the regulation along with some checklists, and as this is an EU regulation the application of it should be fairly similar all over the EU, thus if the ICO says something is fine then your local authority will also see it that way.

Actually, GDPR doesn't really change much for most; what it does is actually pretty simple, and IMO even useful. Basically, relating to phpBB (or any other discussion board), the only changes are that you have to a) document your internal privacy practices; and b) have your privacy information published (what data you collect and on what basis). So for example compared to the cookie law it is way more sensible, as those of your users who are concerned about their data can read about what data you use and how you use it. All your other users who cannot be bothered to read that will not get an annoying pop-up in their face; they just have to keep doing what they did since forever, and click the "I agree with the privacy policy" checkbox (also this is only if you collect data based on consent, which again, you don't have to).

So to sum it up, some features that came up in this topic could improve general UX (e.g. if someone wants to remove their account, why not let them delete their e-mail, IP whatever else if your forum content stays intact?), and there is nothing in GDPR that would force you to remove valuable content from your boards unless it is for good reasons (in which case the decent thing would be to remove that data anyway).

It might be inconvenient for a lot of you, as you are required to produce a bunch of documentation and probably some legal text (which to be sound would probably require a lawyer). However, you only really have to do that once, and realistically it is unlikely that anyone will check whether or not you comply with the regulation. So for you as an individual admin it probably sucks. However, most of us could probably agree that due to this regulation at least many of us thought a bit about how we could improve privacy for our/your users. And that to me seems positive. I'm not sure why it is necessary that everybody with a blog has to pay a lawyer for this, and in that regard it is stupid. However, it seems to me that the reaction of many site owners is way dumber than the regulation itself.
sr55
Registered User
Posts: 15
Joined: Mon Aug 27, 2007 5:57 pm

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by sr55 »

I think the only thing I'd add to your comment, CHItA, is:
Per https://ico.org.uk/for-organisations/gu ... interests/

Legitimate interest is a valid reason to store information.
There is a reasonable expectation from users that a website is secured and has good security practices.
Part of good security is keeping logs. (Including IP addresses).

The last part might not be 100% clear to users, so as you say, as long as you document this in your privacy policy you can gather and retain this information for a reasonable period, and I don't believe users can request you remove it until it goes beyond a reasonable period (i.e. security is no longer a valid reason for keeping that data).

As for account / profile information, I see removal requests as perfectly reasonable (before or after this law). Better UX here is welcome.

Public forum posts are a little bit more grey, but I think you could still argue legitimate interest on this, i.e. "Record of / Integrity of the public discussion".
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

It should also be remembered that wherever lawyers write about legitimate interests, they also write that it cannot violate the fundamental rights of the data subject.
How come FB, Twitter, Google, etc. did not invoke legitimate interests and delete posts together with the account? There are also discussions, threads, also public ones. After all, it's content, and content is advertising, and advertising is money. Would they give it up if they could?
:)
hugomez
Registered User
Posts: 197
Joined: Wed Jul 08, 2009 7:56 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by hugomez »

Hi,

Lately I am receiving new "Privacy Statements" from almost every website where I am subscribed, I guess because of the recent problem with Facebook & Cambridge Analytica.

I do not really know what forum administrators should do regarding this. I administer a very small forum with slightly more than 500 members.

Should I also send a message to all the members of my forum about a new privacy statement? Any recommendation of what to do? And the last thing: is there any template that we all (phpBB forum administrators) can use?

Thank you very much in advance.
Hugo
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by david63 »

hugomez wrote: Fri May 25, 2018 10:12 am I guess caused because of the recent problem with Facebook & Cambridge Analytica.
Nothing to do with that - it is about GDPR
hugomez wrote: Fri May 25, 2018 10:12 am Should I also send an message to all the members of my forum about New Privacy statement?
Do you have a "new" privacy statement?

Do you live/operate your board in the EU?

As from today, if you are in the EU then sending an email to all of your members may be considered a breach of the regulations unless all of your members have agreed to being emailed.

If you are not in the EU then you have nothing to worry about.
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
hugomez
Registered User
Posts: 197
Joined: Wed Jul 08, 2009 7:56 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by hugomez »

david63 wrote: Fri May 25, 2018 10:20 am Do you live/operate your board in the EU?
Hi David, thanks for your reply.

Yes, I am in Amsterdam (The Netherlands). My forum is in English and the members are from all over the world (even if it is a very small community).
david63 wrote: Fri May 25, 2018 10:20 am Do you have a "new" privacy statement?
I do not have any "New Privacy Statement". I am actually happy, as everything has been working so far, but I am concerned about the fact that all the websites I am registered on are sending emails about similar subjects, so I do not know if there is something that I should also do in my forum so as not to break any law.
tlem
Registered User
Posts: 166
Joined: Sun Jan 24, 2016 4:47 pm
Location: Bordeaux (France)
Name: Thierry

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tlem »

- Do you collect more information than phpBB needs for its operation?
- Is your forum commercial?
- Do you sell the information collected?
- Have you installed extensions that collect data from your users for an external company?
- Are your database backups on the cloud?

If the answer is no for each question, for me you have nothing special to do.

If you are afraid of being disturbed by an unscrupulous user, you can simply indicate in your forum's policy basic elements such as those that you can read in the various mails you receive concerning the GDPR update.

However, you remain responsible for the User's Personal Data, so you must be clear about your Protection Policy.
hugomez
Registered User
Posts: 197
Joined: Wed Jul 08, 2009 7:56 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by hugomez »

tlem wrote: Fri May 25, 2018 5:21 pm - Do you collect more information than phpBB needs for its operation?
- Is your forum commercial?
- Do you sell the information collected?
- Have you installed extensions that collect data from your users for an external company?
- Are your database backups on the cloud?

If the answer is no for each question, for me you have nothing special to do.

If you are afraid of being disturbed by an unscrupulous user, you can simply indicate in your forum's policy basic elements such as those that you can read in the various mails you receive concerning the GDPR update.

However, you remain responsible for the User's Personal Data, so you must be clear about your Protection Policy.
The answer is NO to all the questions. Thank you veeeery much, now I am much more relaxed about all this matter. ;)
tlem
Registered User
Posts: 166
Joined: Sun Jan 24, 2016 4:47 pm
Location: Bordeaux (France)
Name: Thierry

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tlem »

I would add:
Are your database backups in the cloud or somewhere accessible by a hacker?

On a simple community phpBB forum, the only personal data collected and in your possession are the pseudonym, the password (encrypted), the email address and IP addresses, and the cookies used are simple functional cookies.
So in comparison to big companies that collect, through cookies or profiling, everything up to the color of your pants, you can sleep peacefully.

For your peace of mind and that of your users, just put a word to reassure them and explain what you collect, that you do not communicate anything to a third party and that your cookies are just functional cookies.

If someone absolutely wants to be able to retrieve the personal information collected by your forum, two solutions:
1 - Use the extension created by David63.
2 - Refer the user to the text of the GDPR and say that you are neither a company, nor an administration, nor an association.
You can even point him to his local DPA. ^^
Acorn
Registered User
Posts: 402
Joined: Tue Sep 26, 2006 8:11 am
Location: UK

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Acorn »

There's some sound advice from a lawyer on the BBC News website.
She said small organisations should relax and apply a simple test: would a person expect to get a message from you?

She gives as an example a swimming club. You would expect to get a newsletter about opening times at the pool or meetings. You would not expect your details to be passed without your consent to a company selling swimming costumes.
She also said that 90% of the emails asking people to resubscribe to lists were unnecessary. If people are on lists because they chose to be there, there is no problem unless the nature of the emails has changed.
Getting braver all the time. :D
Affin
I've Been Banned!
Posts: 254
Joined: Fri May 25, 2018 9:52 pm

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Affin »

david63 wrote: Fri May 25, 2018 10:20 am
hugomez wrote: Fri May 25, 2018 10:12 am I guess caused because of the recent problem with Facebook & Cambridge Analytica.
Nothing to do with that - it is about GDPR
hugomez wrote: Fri May 25, 2018 10:12 am Should I also send an message to all the members of my forum about New Privacy statement?
Do you have a "new" privacy statement?

Do you live/operate your board in the EU?

As from today, if you are in the EU then sending an email to all of your members may be considered a breach of the regulations unless all of your members have agreed to being emailed.

If you are not in the EU then you have nothing to worry about.
Facebook does not operate in the EU but needs to send out enlightenment
Mick
Support Team Member
Posts: 26546
Joined: Fri Aug 29, 2008 9:49 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Mick »

Acorn wrote: Fri May 25, 2018 5:58 pm She also said that 90% of the emails asking people to resubscribe to lists were unnecessary
That's been my thinking all along; people do love a good panic, it makes them feel alive. I have to say I've been going the route of the author. I've been unsubscribing from lots of places I never knew (remembered?) I had, one was from 2008, how did I forget that one? Yesterday I had one from Google that started "Dear Partner"; what? Unsubscribed and gone! Life is much quieter.
  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination. The bad news is, whatever humans can imagine, they can usually create." - Harmony Cobel