New GDPR (General Data Protection Regulation) and phpBB

HiFiKabin
Community Team Member
Posts: 6670
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by HiFiKabin »

tojag wrote: Wed May 16, 2018 4:47 pm However, it does not look good. There is a great risk that retaining posts may reveal the identity of a person who does not want to.
If a person decides to post 'personal information' on your forum, that is his decision, which he has made knowing it will be seen by everyone. It has nothing to do with the personal data YOU have collected about him. You didn't collect it, did you?
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

Yes, I collect data in posts. You do it on your own forum too. GDPR is not limited to private data but applies to all personal data, even data disclosed to the public. This is what the GDPR is for: anyone who has previously agreed to the publication can later withdraw that agreement and delete the data. I thought that by deleting user contact details I would anonymize posts, but now I am thinking about these attachments, photos and links.
All big players allow you to delete user content. I do not think it will bypass the forums.
I would like to be wrong.
GanstaZ
Registered User
Posts: 1187
Joined: Wed Oct 11, 2017 10:29 pm
Location: GZOverse

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by GanstaZ »

You overthink too much. Stop comparing your site with other platforms. Forget about fb and other sites! If you think that some data is personal & may be problematic just remove it.
Usus est magister optimus! phpBB pre-Triton & latest php environment.
When answer lies in the question, question becomes redundant!
CHItA
Development Team Member
Posts: 166
Joined: Sat Dec 06, 2008 10:27 pm
Location: London, UK

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by CHItA »

tojag wrote: Wed May 16, 2018 6:10 pm Yes, I collect data in posts. You do it on your own forum too. GDPR is not limited to private data but applies to all personal data, even data disclosed to the public. This is what the GDPR is for: anyone who has previously agreed to the publication can later withdraw that agreement and delete the data. I thought that by deleting user contact details I would anonymize posts, but now I am thinking about these attachments, photos and links.
All big players allow you to delete user content. I do not think it will bypass the forums.
I would like to be wrong.
Consent can only be revoked if you collected data based on consent. If you collect posts, attachments etc. based on your (or someone else's) legitimate interest (e.g. the integrity of discussion, your users' interest in being able to discuss a topic or access some information), then they have no right to be forgotten. Legitimate means "reasonable" or "not unjustified", not "according to law". So I would keep usernames, posts and attachments, and give the user the option to delete their account with all their profile fields, IPs etc. The only thing that GDPR requires is that you describe in your privacy policy (or whatever) which data you collect based on consent and which data on another basis.

This would be GDPR compliant, although your local laws may be stricter; I would guess this could work for most people.
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

I mentioned that I have almost 700k posts, so there are a lot of deleted ones. Approx. 30k posts come from deleted accounts. It is impossible to review all of them and assess whether the data contained there can indicate a specific physical person. GDPR does not make exceptions for me or for you. GDPR is not only for giants like FB, but also for us. All entities, regardless of whether they are a large company or a hobby site, are subject to this regulation.
You try to interpret this law so that it would be convenient for us. I also do it. I also keep posts. I have it in the rules. However, there is such a thing as illegal entries, abusive records. You cannot write something in the regulations that is incompatible with a higher law. If someone saves this way, he can be punished and get a restitution order. This implies further consequences such as deleting accounts, posts, etc.
So I want to do everything possible and in accordance with the law in order to be able to continue my forum in the current way. I know, there are no lawyers here. Our interpretations may be wrong. We want the best but it can be bad. We will see after 25 May.
Thank you for every opinion you wrote here.
Best regards.
CHItA
Development Team Member
Posts: 166
Joined: Sat Dec 06, 2008 10:27 pm
Location: London, UK

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by CHItA »

It is in GDPR, so you can keep all personal data in posts if you haven't collected them based on consent but on other means that are in GDPR. GDPR allows you to collect data on bases other than consent. Legitimate interest is one of them. It seems to me that you want to collect data based on consent, in which case you do have to delete posts; however, it is not because of GDPR, it is either because you chose to collect them based on consent or because of some other law specific to your country.
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

On the forum you always collect data in posts based on consent, which the user expressed by accepting the rules of the forum. Forum regulations are a contract. However, each contract can be canceled. In the same way, you delete profile and PM data because the user terminated the contract. Thinking like you, I could also keep this data. This is nonsense, of course.
At present, I can see that in Google services I can delete my PUBLIC comments which I could not do before. What changed? Only GDPR comes to mind.

Next case. As an administrator, you certainly do not want to be responsible for user content. It is known, sometimes they may violate the law. By law, you are not responsible for such content until you know that they are breaking the law because it is not your content. But if you find out, you should block them. You are treated the same way as the hosting service. You provide a place on your platform for posting content by users. The content is theirs, they are responsible for it and they have the right to remove it.
By removing the account and user traces, do you take over his posts? Do you take responsibility for the content? Who will you point to if the police ask? Maybe you have not had such a case; I have, and I know what they ask. They even asked whether the moderation is live or after the fact, or whether I could have had any knowledge about the content of the post.
CHItA
Development Team Member
Posts: 166
Joined: Sat Dec 06, 2008 10:27 pm
Location: London, UK

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by CHItA »

tojag wrote: Thu May 17, 2018 11:11 am On the forum you always collect data in posts based on consent, which the user expressed by accepting the rules of the forum.
Or you specify on what other bases you collect the data. There is nothing in GDPR that would require you to collect posts based on consent and not on any other bases that are specified in GDPR. You can choose whatever basis for collecting data; you just have to be able to back it up.

Regardless, I don't mind if you want to remove posts or usernames, my only point is that you don't have to.
thecoalman
Community Team Member
Posts: 5850
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by thecoalman »

I will remove information that is in posts, but it needs to be for good reason. If they posted their email address, full name or whatever, I have no legal reason to remove it.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

If someone requests you to delete their account and personal information, then you have no choice. This person does not have to indicate posts containing personal data. All he has to do is make a request. According to GDPR, someone can ask you what personal data belonging to him you hold as administrator. If you give him only private data from the profile while there is still public personal data in the posts, which you also keep on your server, you must also provide this data. Therefore, it is safe to provide a link to posts as possible places where personal data is available. But then you also have to delete these posts when the account is deleted. It is simple and logical.
The only possibility is the anonymisation of posts: the username and all data in posts that can point to a specific physical person, including photos and links (because they can lead to profiles on other websites). But that means a lot of work on a deleted account if there are a lot of posts.
However, I see no other way to keep posts.
HiFiKabin
Community Team Member
Posts: 6670
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by HiFiKabin »

https://ico.org.uk/for-organisations/gu ... finitions/
Personal data
  • The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
  • This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
Read the last 5 words. Now read them again.

Did phpBB collect the information I just placed in this post? No. I placed it there of my own free will. I decided to 'publish' this information.

If you WANT to delete all posts (or selected information within posts) that is your decision, but the GDPR does NOT require it.

If I want to tell everyone my telephone number is Whitehall 1212, it has nothing to do with you (unless such a post is against your forum's rules).
sr55
Registered User
Posts: 15
Joined: Mon Aug 27, 2007 5:57 pm

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by sr55 »

https://ico.org.uk/for-organisations/gu ... interests/
It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
So, in theory this can be utilised for post content, and thus:

https://ico.org.uk/for-organisations/gu ... o-erasure/
you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
In the case of the forum, there are legitimate interests to continue in many cases. My read of this is forum owners have to use best judgement on a case by case basis.

There is still a lot of ambiguity and frankly, I suspect we'll have to wait and see this tested in court before we know for sure how the courts will land on this.

Just my opinion!
CHItA
Development Team Member
Posts: 166
Joined: Sat Dec 06, 2008 10:27 pm
Location: London, UK

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by CHItA »

tojag wrote: Fri May 18, 2018 12:21 pm If someone requests you to delete their account and personal information, then you have no choice. This person does not have to indicate posts containing personal data. All he has to do is make a request. According to GDPR, someone can ask you what personal data belonging to him you hold as administrator. If you give him only private data from the profile while there is still public personal data in the posts, which you also keep on your server, you must also provide this data. Therefore, it is safe to provide a link to posts as possible places where personal data is available. But then you also have to delete these posts when the account is deleted. It is simple and logical.
The only possibility is the anonymisation of posts: the username and all data in posts that can point to a specific physical person, including photos and links (because they can lead to profiles on other websites). But that means a lot of work on a deleted account if there are a lot of posts.
However, I see no other way to keep posts.
There are exceptions to the right to be forgotten. If a post contains personal data, and you collect posts based on legitimate interest, you have the right to refuse to remove that personal data. In this case the only thing that GDPR actually says is that you evaluated that your legitimate reason (e.g. the integrity of your content, your users' right to be informed etc.) is more important than the person's interest in having that data removed. That is what the regulation says.

Now, if a user has a reasonable request to have something removed, I would assume that any administrator would remove it regardless of the regulations and laws. In the kind of community that I believe most of our users would want to create, this would be a no-brainer. What this means is that most of you would just have to continue doing what you do anyway.
tlem
Registered User
Posts: 166
Joined: Sun Jan 24, 2016 4:47 pm
Location: Bordeaux (France)
Name: Thierry

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tlem »

Hi everybody.

I would like to provide some clarification regarding personal data and the GDPR concerning phpBB forums.
I do not pretend to hold the whole truth, but my reading of the official texts and the explanations given by the official organization (CNIL) lead me to understand this:

There are 3 types of personal data:
  1. Data collected by the forum during the user's navigation (non-public data, managed by the admin who acts as controller).
  2. Data sent to the forum through a form, e.g. internal mail (non-public data, managed by the admin who acts as controller).
  3. Data written in the forum ("public" data transmitted voluntarily by the user or another user).
As tojag said:
On the forum you always collect data in posts based on consent, which the user expressed by accepting the rules of the forum. Forum regulations are a contract. However, each contract can be canceled.
This is only partly true: the IP address is personal data that is collected, but the text of a message is not.

  • All data collected in an automated way or through a form concerning the activity of the user is part of the data that will have to be processed by the administrator (deletion/anonymisation/modification/transmission).
  • Any "public" data that can be modified/deleted/anonymized by the user is not part of the data to be processed by the administrator in case of a request.
  • Any data that cannot be modified by the user but was not collected automatically by the forum must be the subject of a specific, detailed request for deletion/anonymisation/modification.

Regarding the data collected automatically, the deletion of the user account is sufficient. A user can do this himself with "Delete My Account" (without deletion of posts); for personal data in posts, the user will have to make a specific request.

The bad news is that a user is entitled to request the export of all data collected about him and subject to processing. This includes all the data in his account as well as his navigation data:
- Profile
- Subscription
- Forum preference
- etc ...

Sources:
http://eur-lex.europa.eu/legal-content/ ... 32016R0679
https://www.cnil.fr/en/rights-and-obligations
https://www.cnil.fr/fr/reglement-europe ... irectrices (most documents are in English).
https://www.cnil.fr/sites/default/files ... v01_fr.pdf (I could not find it in English).
https://www.cnil.fr/sites/default/files ... arency.pdf
LaxSlash1993
Registered User
Posts: 182
Joined: Sat Sep 22, 2012 2:20 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by LaxSlash1993 »

@some of the people in this thread...

I think (and this is saying something) that you are all getting way too worked up about this. The EU has bitten off more than it can chew with this law, and we'll see it spit it all out and not grab another bite sooner or later.

There are hundreds of thousands upon hundreds of thousands upon hundreds of thousands of websites out there collecting millions upon millions of EU citizens' personal data. Please, tell me, which one of the governing agencies for this law has the manpower and resources to oversee all of this? The ICO is withholding compliance on its own services until May 25th. Belgium is refusing to issue any fines within the first year of enforcement (I just recently found this one out). This is telling me they either expect it to get postponed at the last second, and/or they don't expect it to last/be enforced. The internet is too big for regulations like this to be effective.

If you want to comply, comply. If you don't want to comply, either geoblock or just ignore it all. The only question is if phpBB wants to pull a WordPress and make GDPR features mandatory in its core code. The answer is, as it looks to be, no.
CHItA wrote: Fri May 18, 2018 11:06 pm Now, if a user has a reasonable request to have something removed, I would assume that any administrator would remove it regardless of the regulations and laws. In the kind of community that I believe most of our users would want to create, this would be a no-brainer. What this means is that most of you would just have to continue doing what you do anyway.
Pretty much exactly this. There's such a thing as common sense. Am I gonna trash some user's account just because he wants it deleted? No. Will I delete/modify/redact a post where he put a phone number for someone to contact him? Sure. But, again, we don't need laws to tell us that.