New GDPR (General Data Protection Regulation) and phpBB

[LaxSlash1993]

This is not an obligation, because no one forces you to use phpBB. This is an element of competitiveness on the market. Which software should I choose - lawful or having a legal problem?
Extensions are ok, but as I and others wrote, the extension is today, and tomorrow there is no because the author has abandoned it. That is why key elements should be in the core.

Why others can do it?
https://volunteers.joomla.org/teams/com ... ary-20-21-

I don't know Maybe phpBB is to small for achieve this? Why don't organize crowdfunding for GDPR goal?

Because not everyone wishes to have a GDPR compliant forum.

I may be wrong in my interpretation of what you're saying, so please by all means correct me if I am, but it sounds like you want GDPR functionallity to be built-in to the core, and it be forced upon us (encrypted IPs, e-mails, etc)... not all of us want this, or any of this. A lot of existing extensions would have to be written, and doing any kind of direct database work could potentially be made much harder.

Such as yesterday's high court ruling in http://www.bbc.co.uk/news/technology-43752344 which now prevents Google from returning legitimately published official details of a court ruling from 10 years ago. Not that the information was inaccurate (which might have been cause for concern, or even deletion) but simply that it should no longer be possible for anyone to search for it as it is "obsolete", even though it is a matter of public record. All of which is rather like a Library being allowed to store old books and newspapers, but having to destroy any index-cards telling researchers where to find them.

Wow.

See, what amazes me is that Google and other big companies haven't read the writing on the wall, closed their Ireland branches and EU datacenters, and just moved completely to running everything and hosting everything in/from the US. Running anything in the EU is corporate masochism, if there even is such a thing.

Don't get me wrong, I do understand that there is some merit in the ideals behind the GDPR, but like everything else that the EU does, the actual implementation appears to be wordy (54,000+ so far), officious, over-bureaucratic, over-reaching nonsense once you see it in the real world.

Andre

I do too, for *some* of the things in it. But not all things that have merit should be written into regulation/law.

[Mick]

the actual implementation appears to be wordy

Much like this topic.

[stevemaury]

So we should say that we might be disinterested in implementing writing from right to left?
It is easy to fall into the limit of discrimination

Pretty sure writing right to left is not mandated by any law, nor does failure to do so come with legal penalties.

[tojag]

I may be wrong in my interpretation of what you're saying, so please by all means correct me if I am, but it sounds like you want GDPR functionallity to be built-in to the core, and it be forced upon us (encrypted IPs, e-mails, etc)... not all of us want this, or any of this. A lot of existing extensions would have to be written, and doing any kind of direct database work could potentially be made much harder.

Of course, I prefer to have it in the core, but the official extension supported by the Team would also be good. It is a matter of continuous supervision over the lawfulness of the software. Yes I know it is time + people + money. Hence my proposal for intentional financing.

See, what amazes me is that Google and other big companies haven't read the writing on the wall, closed their Ireland branches and EU datacenters, and just moved completely to running everything and hosting everything in/from the US. Running anything in the EU is corporate masochism, if there even is such a thing.

Maybe data centers are in the US, but each of these large companies has its official representative in the EU, which can be addressed by the EU authorities in terms of compliance with law or others and with which Europeans conclude agreements. Personally, I have an AdSense deal with Google Ireland Ltd. and not with Google USA. This has changed many years ago although at the beginning I had a contract with Google USA.

In the EU for a few years, the right to be forgotten works (with which I do not necessarily agree) and in the search results Google displays:
"Some results may have been removed under European data protection law. More information"

You can send a form to Google and ask for to be forgotten.
That means that great players respect the law even if they don't agree with it.
I renew my request. Let's not write about whether the GDPR is good or bad, but about what to do and how would phpBB comply with this law.

[Lumpy Burgertushie]

most likely phpbb does not need to comply with the law or at least with every possible situation as you seem to think.
If the law as it stands remains very long at all, I would assume that many many parts of it will be struck down in courts all over the world.

but there is absolutely no reason to put something this bloated and crazy into the code. If someone wants to try and create a extension for each country that tries to help board owners to comply that of course is up to them.
the whole idea of trying to include something this convoluted into the code of any piece of software seems like total insanity to me.

especially if the law goes away or gets changed by the time the code was figured out etc.


robert

[CHItA]

This topic is getting way too long, and it seems to me that basically we just going around in circles. I probably already wrote these points before, but let's do it again so it might help out with creating a set of features that might be implemented in the core.

What we could do:

• The data export, account deletion etc.
• Displaying your privacy policy or whatever on registration
• We could add a checkbox to the contact form (however it seems strange to me, as you don't store any data there just send an email, so by the same logic, shouldn't email clients have a button where you consent to sending an email?)
• Maintain a list of potential personal (by type) data stored.

And this is it off the top of my head.

We will not:

• encrypt IPs and emails. It is not required as far as I know, and it also makes zero sense in this case.
• write your privacy policy.
• work out your data handling processes (which is to be honest the most important thing to comply).

This is enough to comply for most people, if you handle more sensitive data and you need more features, then it is your responsibility to implement them. In general, it is your responsibility to comply with any laws that you're a subject of, and in case of GDPR we are not able to solve everything for every one, see the "We will not" list.

If you feel that something is missing from the list, or disagree or whatever, feel free to say so.

And no, it cannot be enforced anywhere outside the EU. If you are not a company, who would want to process data given to you by someone in the EU (and you are not in the EU yourself), GDPR cannot be enforced, so you can just ignore it. With that said, I suggest we stop debating why or why not ppl from outside the EU should care about GDPR.

[zorni]

While there has been talk here, the german forum is already working on a solution.

Thread: https://www.phpbb.de/community/viewtopi ... 9&t=241354
Author: https://tas2580.net/downloads/phpbb-privacyprotection/
Git: https://github.com/tas2580/privacyprotection

There's a first version of the engl translation of this ext included as well.
If you need help with the translations at the german forum just use: https://www.deepl.com

Features so far:
User must agree with the registration that admins may send him mails
User must accept the privacy policy upon registration
Users can download their profile data as CSV file in the profile
Users can download all their posts as CSV files
Link to privacy policy can be replaced by any URL
Inserts a link to the privacy policy in the footer
In the ACP you can force all users to accept the privacy policy
Anonymize IP adresses (all IPs are set to 127.0.0.1 and the IP info part is removed from MCP)

Todos/Bugs
Block the forum until the user has accepted the new privacy policy

[LaxSlash1993]

This topic is getting way too long, and it seems to me that basically we just going around in circles. I probably already wrote these points before, but let's do it again so it might help out with creating a set of features that might be implemented in the core.

What we could do:

• The data export, account deletion etc.
• Displaying your privacy policy or whatever on registration
• We could add a checkbox to the contact form (however it seems strange to me, as you don't store any data there just send an email, so by the same logic, shouldn't email clients have a button where you consent to sending an email?)
• Maintain a list of potential personal (by type) data stored.

And this is it off the top of my head.

We will not:

• encrypt IPs and emails. It is not required as far as I know, and it also makes zero sense in this case.
• write your privacy policy.
• work out your data handling processes (which is to be honest the most important thing to comply).

As long as the new features can all be turned off (not fond of data export especially) and disabled, looks good.

[andrewilley]

As long as the new features can all be turned off (not fond of data export especially) and disabled, looks good.

The problem seems to be (as far as I can tell anyway) that the Eurocrat legislators believe that their new law should extend anywhere in the world, to wherever EU citizens' data happens to be stored (which would appear to include their IP addresses, along with any posts voluntarily made to social media/forums/etc).

But the EU legislators are working on the basis that the website owner is providing a 'service' to the local EU citizen, and as such any of their personal information should be covered by the law of the country where the user is based. I don't quite see how they think they can enforce that though, especially when site owners, the webserver, and any data storage are all based in a non-EU country. Surely it's the same as ordering something by mail-order from another country - you have to apply the legal framework of the seller's location, not the customer's, as that is where the transaction took place.

My running of a small phpBB forum is a bit convoluted though. The server and data storage are both in the USA, and the site's subject-matter is a USA resort hotel so the vast majority of traffic is US-based but with a small but significant minority in the UK, and a tiny number of visits from the rest of Europe. However I, as site owner and administrator, happen to live in the UK. So now I have no idea where I stand - well not until the UK gets itself the hell out of the whole European behemoth in about 12 months.

Andre

[tojag]

What we could do:

• The data export, account deletion etc.
• Displaying your privacy policy or whatever on registration
• We could add a checkbox to the contact form (however it seems strange to me, as you don't store any data there just send an email, so by the same logic, shouldn't email clients have a button where you consent to sending an email?)
• Maintain a list of potential personal (by type) data stored.

This is it what we need. It can be realized as one or a few separately extension or as a functionalities built in the core.

While there has been talk here, the german forum is already working on a solution.

Thread: https://www.phpbb.de/community/viewtopi ... 9&t=241354
Author: https://tas2580.net/downloads/phpbb-privacyprotection/
Git: https://github.com/tas2580/privacyprotection

There's a first version of the engl translation of this ext included as well.
If you need help with the translations at the german forum just use: https://www.deepl.com

Features so far:
User must agree with the registration that admins may send him mails
User must accept the privacy policy upon registration
Users can download their profile data as CSV file in the profile
Users can download all their posts as CSV files
Link to privacy policy can be replaced by any URL
Inserts a link to the privacy policy in the footer
In the ACP you can force all users to accept the privacy policy
Anonymize IP adresses (all IPs are set to 127.0.0.1 and the IP info part is removed from MCP)

Todos/Bugs
Block the forum until the user has accepted the new privacy policy

Very interesting. I will test it soon! Thanks.
Zorni, are You allow to delete posts by user during delete his account? Public posts may contain personal information but do not have to. Do you have your own policy for this?

[zorni]

No, I'll don't allow users to delete posts while they're terminating their account. They all gave us the right to use their posts, even if the account was deleted or not.

The GDPR gives users the right, that they can inform us, if there are personal data left to be anonymized or changed or corrected. And of course we'll do that, as we did the last ~16 years). At the moment we're composing a letter with questions for a state data protection officer, and this is one of the questions. (How to handle exactly this situation with usernames / posts / quotes)

[tojag]

Zorni, I see that you understand what is going on in GDPR. You have a similar approach to GDPR like me.
I also keep posts after deleting user account, previously anonymize the name of the author. The problem may be personal data in posts belonging to the account being deleted. Despite the provisions in the forum regulations, users do not submit any such post to moderation. It is difficult for yourself to assess whether a post can contain data that allows you to identify a particular person.
Most forums work so that the owners want to have the content of posts, and at the same time do not want to bear legal responsibility for this content. Here can also be a problem, because after IP anonymisation, you can not indicate the person who violated the law, such as copyright law. I do not have a way to solve it yet. I believe that IP can be left without anonymisation. Although, as I know a national data protection office, they will say that someone can have a fixed IP that uniquely identifies him, and that's enough to need IP anonymisation. Currently, you can buy fixed IPs even for a mobile network.
There is still a lot of work and little time. I hope you can solve the problems and share it in the forum.

[zorni]

From my understanding the "nickname" and "personal data" thing only is a problem, if there are real personal data linked. IPs are personal data, that makes a nickname to a personal data, cause ip <-> nickname are linked in the database. We avoid this problem by making the IP addresses anonymous (All IPs are 127.0.0.1). In the end, the nickname is not a "personal data" anymore.

Here can also be a problem, because after IP anonymisation, you can not indicate the person who violated the law, such as copyright law.

It's not my job to identify anyone. It's the job of the judicial authorities. If we don't store the IPs, we would be able to help them out with the registered E-Mail address, and from that point on, we don't care anymore.

[tojag]

From my understanding the "nickname" and "personal data" thing only is a problem, if there are real personal data linked. IPs are personal data, that makes a nickname to a personal data, cause ip <-> nickname are linked in the database. We avoid this problem by making the IP addresses anonymous (All IPs are 127.0.0.1). In the end, the nickname is not a "personal data" anymore.

My national DPO write me that nickname and email address is a personal data because it can contains real name, surname, localization.

It's not my job to identify anyone. It's the job of the judicial authorities. If we don't store the IPs, we would be able to help them out with the registered E-Mail address, and from that point on, we don't care anymore.

I don't understand... email address is personal data, do You keep it aftera account deletion?? If not, how can You help them to identify author of posts?
I had a situation that the user posted a photo on the forum using the [img] tag, and the photo breaks the copyright. The author demanded compensation from me, I had to write that I do not moderate the forum live and I do not know if the picture breaks copyright. I was summoned to the police to give personal data of the author of the post - nick, ip and email. When I leave posts and I will not have an IP, who should I indicate as an author? This is a big problem.
It's safe to delete posts but I want to have content

[zorni]

I referred to the status of the usernames that remain visible after the account is deleted (If no Exts are used) In addition, the ip address is still available for posts of those deleted users.

There is no law that requires me to deliver data to law enforcement agencies that I do not store or even collect. The GDPR urges thrift in the collection of personal data. We save ourselves storing this data and that's fine for us, cause I don't see any need to know which IP User r0xx0r1337 used 12 years ago