New GDPR (General Data Protection Regulation) and phpBB

tlem
Registered User
Posts: 166
Joined: Sun Jan 24, 2016 4:47 pm
Location: Bordeaux (France)
Name: Thierry

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tlem »

Hi,
LaxSlash1993 wrote: Sat May 19, 2018 6:01 am There are hundreds of thousands upon hundreds of thousands upon hundreds of thousands of websites out there collecting millions upon millions of EU citizens' personal data. Please, tell me, which one of the governing agencies for this law has the man-power and resources to oversee all of this?
The subject being GDPR and phpBB, let's limit ourselves to that.
There are probably many millions of phpBB forums around the world, so yes, a European government agency does not have the power and resources to oversee them all. But you forget that on these millions of forums there are millions of European users, and each one of them can potentially appeal to the GDPR! Also remember that a government agency can use automated tools to check the GDPR compliance of certain elements of a website (I'm not talking about personal data). ^^

After that, you have to be aware that even though the GDPR applies to phpBB forums, it was initially set up to protect the users of sites that collect much more information than phpBB does. It does not help to close your eyes; just take into consideration some basic elements to simply avoid the potential risk of being bothered by a disgruntled user, because I very much doubt that the European state comes to rap you on the knuckles because, by its operating principle, your phpBB forum has collected the IP addresses of a user. ^^
I sincerely think that for phpBB forums, the problem is not a government agency, but the user!

LaxSlash1993 wrote: Sat May 19, 2018 6:01 am If you want to comply, comply. If you don't want to comply, either geoblock or just ignore it all.
You forget that forums hosted in the European Union cannot geoblock or ignore it ...
If you geoblock, it means that you exclude a few million users, and then you may be subject to other laws concerning discrimination.
Remember that laws change. The Internet is not an area where users have no rights.

LaxSlash1993 wrote: Sat May 19, 2018 6:01 am The only question is if phpBB wants to pull a WordPress and make GDPR features mandatory in its core code. The answer is, as it looks to be, no.
We agree. An extension such as Privacy Policy, developed by david63, will certainly make the case for phpBB admins.
CHItA
Development Team Member
Posts: 166
Joined: Sat Dec 06, 2008 10:27 pm
Location: London, UK

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by CHItA »

LaxSlash1993 wrote: Sat May 19, 2018 6:01 am If you want to comply, comply. If you don't want to comply, either geoblock or just ignore it all. The only question is if phpBB wants to pull a WordPress and make GDPR features mandatory in its core code. The answer is, as it looks to be, no.
I wouldn't say that there is no chance of getting some functionality into core at some point; however, it seems to me, based on this thread, that many people who want to comply with GDPR want to comply with it in different ways. So I very much doubt that everything will ever be covered by the core, since there is GDPR and there are a bunch of points in it where an EU member state could make the regulations stricter or in some cases less strict. This is just something that is not possible to handle in the core. So basically we are not against supporting extensions by making some basic frameworks, but it is just simply not worthwhile to implement all of your use cases in the core.

Also most of what GDPR requires is not technical solutions, but documentation of your processes and having your privacy policy (or whatever it is called now) published.

I also do think that some features brought up in this topic could be considered for core functionality, such as "closing your account", so whoever wants to allow their users a one-click option to remove their email address, profile fields, and possibly IP data could do that easily. It might be a nice-to-have, and in regards to GDPR this would also solve some of the problems that are described in this topic. Some other GDPR-related features were also mentioned in this topic 50 pages back, and I think those could make it into the core someday as well, as optional features.

On another note, I don't really think it makes sense to argue about who should and shouldn't comply with GDPR. If you are in the EU, you must. If you are not and there's no way for the EU to fine you (e.g. not selling products here etc) then you don't have to. And here I would note, that if you are not in the EU, you could still allow your users to e.g. close their accounts if you don't really need their data (which is probably most forums).

Lastly, in my opinion, you can keep the posts (with all the personal data in it) and still comply with GDPR.
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tojag »

I see that you mostly rely on explanations and interpretations from various third parties. Probably each of them points out that they are not responsible for their interpretation. I know, we are not lawyers either.
HiFiKabin wrote: Fri May 18, 2018 12:30 pm https://ico.org.uk/for-organisations/gu ... finitions/
Personal data
  • The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
  • This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
Read the last 5 words. Now read them again.
[...]
HiFiKabin, it is just an interpretation. You have to read the original document. Article 4 Definitions:
(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Now read this one sentence; in particular, notice that it is not only about identifiers but about various other data that can indirectly indicate a particular person. It can all be in posts, e.g. photos or links, about which I wrote earlier.
tlem wrote: Fri May 18, 2018 11:15 pm
  • All data collected in an automated way or through a form concerning the activity of the user is part of the data that will have to be processed by the administrator (deletion/anonymisation/modification/transmission).
  • Any "public" data that can be modified/deleted/anonymized by the user is not part of the data to be processed by the administrator in case of request.
  • Any data that cannot be modified by the user but not collected automatically by the forum must be the subject of a specific detailed request for deletion/anonymisation/modification.
Regarding the data collected automatically, the deletion of the user account is sufficient. If you use "Delete My Account" (without deletion of posts), a user can do it himself; for personal data in posts, the user will have to make a specific request.
But once you delete a user account, the user no longer has access to his posts and cannot edit or delete them. Besides, on many forums this possibility is blocked a short time after sending the post. Then the user cannot delete his data by himself. And he does not have to remember them.
tlem wrote: Fri May 18, 2018 11:15 pm The bad news is that a user is entitled to request the export of all data collected about him and subject to treatment. This includes all the data in his account as well as his navigation data.
- Profile
- Subscription
- Forum preference
- etc ...
- posts? (if contain personal data)
CHItA wrote: Sat May 19, 2018 9:47 am Also most of what GDPR requires is not technical solutions, but documentation of your processes and having your privacy policy (or whatever it is called now) published.
I agree. Admin can always delete posts. It's not a technical problem. From the beginning I asked how to be consistent with the GDPR law, including the right to forget, and at the same time be able to keep posts.
CHItA wrote: Sat May 19, 2018 9:47 am Lastly, in my opinion, you can keep the posts (with all the personal data in it) and still comply with GDPR.
I don't agree. I still think that anonymisation is the only possibility but in the case of a large number of posts it is virtually impossible.

Indeed, it is only in the courts that it will turn out how it will be enforced.
Regards
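As an added illustration of the two mechanisms argued over above (CHItA's "closing your account" option that strips email, profile fields and possibly IP data while keeping the posts, and tojag's list of what an export request would have to return: profile, subscriptions, forum preferences, posts), here is a self-contained Python script. It is example code written for this page, not phpBB's own code or any extension; it assumes a constructed, simplified SQLite copy of a few phpBB 3.x tables (users, profile_fields_data, posts, sessions, topics_watch) using phpBB's column names, filled with constructed sample rows and documentation IP addresses.

```python
import sqlite3

# Constructed, simplified subset of phpBB 3.x tables (assumption: the column
# names below match phpBB's; only the columns needed for the example are kept).
SCHEMA = """
CREATE TABLE phpbb_users (
    user_id INTEGER PRIMARY KEY, user_type INTEGER, username TEXT,
    user_email TEXT, user_ip TEXT, user_lastvisit INTEGER,
    user_lang TEXT, user_timezone TEXT);
CREATE TABLE phpbb_profile_fields_data (user_id INTEGER PRIMARY KEY, pf_phpbb_location TEXT);
CREATE TABLE phpbb_posts (post_id INTEGER PRIMARY KEY, poster_id INTEGER, poster_ip TEXT, post_text TEXT);
CREATE TABLE phpbb_sessions (session_id TEXT PRIMARY KEY, session_user_id INTEGER, session_ip TEXT);
CREATE TABLE phpbb_topics_watch (topic_id INTEGER, user_id INTEGER);
"""

USER_NORMAL, USER_INACTIVE = 0, 1   # phpBB's user_type constant values


def build_sample_db() -> sqlite3.Connection:
    """In-memory board with constructed sample rows (documentation IPs, not real users)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO phpbb_users VALUES (?,?,?,?,?,?,?,?)", [
        (2, USER_NORMAL, "alice", "alice@example.org", "198.51.100.7", 1526700000, "en", "Europe/Paris"),
        (3, USER_NORMAL, "bob", "bob@example.org", "203.0.113.9", 1526600000, "en", "Europe/London"),
    ])
    conn.executemany("INSERT INTO phpbb_profile_fields_data VALUES (?,?)",
                     [(2, "Bordeaux"), (3, "Warsaw")])
    conn.executemany("INSERT INTO phpbb_posts VALUES (?,?,?,?)", [
        (100, 2, "198.51.100.7", "First post, still useful to the thread."),
        (101, 2, "198.51.100.8", "Follow-up post."),
        (102, 3, "203.0.113.9", "Reply from bob."),
    ])
    conn.executemany("INSERT INTO phpbb_sessions VALUES (?,?,?)",
                     [("sess-a", 2, "198.51.100.8"), ("sess-b", 3, "203.0.113.9")])
    conn.executemany("INSERT INTO phpbb_topics_watch VALUES (?,?)", [(10, 2), (11, 2), (10, 3)])
    conn.commit()
    return conn


def export_user_data(conn: sqlite3.Connection, user_id: int) -> dict:
    """Right-of-access style export: everything the board holds that is keyed to this
    account (account record, preferences, profile fields, subscriptions, own posts)."""
    user = conn.execute("SELECT * FROM phpbb_users WHERE user_id = ?", (user_id,)).fetchone()
    if user is None:
        raise KeyError(f"no user {user_id}")
    profile = conn.execute("SELECT * FROM phpbb_profile_fields_data WHERE user_id = ?",
                           (user_id,)).fetchone()
    return {
        "account": {"username": user["username"], "email": user["user_email"],
                    "last_ip": user["user_ip"], "last_visit": user["user_lastvisit"]},
        "preferences": {"language": user["user_lang"], "timezone": user["user_timezone"]},
        "profile": {k: profile[k] for k in profile.keys() if k != "user_id"} if profile else {},
        "subscriptions": [r["topic_id"] for r in conn.execute(
            "SELECT topic_id FROM phpbb_topics_watch WHERE user_id = ? ORDER BY topic_id", (user_id,))],
        "posts": [{"post_id": r["post_id"], "ip": r["poster_ip"], "text": r["post_text"]}
                  for r in conn.execute(
                      "SELECT post_id, poster_ip, post_text FROM phpbb_posts "
                      "WHERE poster_id = ? ORDER BY post_id", (user_id,))],
    }


def close_account(conn: sqlite3.Connection, user_id: int) -> dict:
    """'Close account' as discussed in the thread: remove the identifying data the board
    collected itself (email, profile fields, IPs, sessions, subscriptions) and disable
    login, but keep the posts so threads stay readable. Runs as one transaction."""
    with conn:
        conn.execute("UPDATE phpbb_users SET user_type = ?, user_email = '', user_ip = '', "
                     "user_lastvisit = 0 WHERE user_id = ?", (USER_INACTIVE, user_id))
        conn.execute("UPDATE phpbb_profile_fields_data SET pf_phpbb_location = '' "
                     "WHERE user_id = ?", (user_id,))
        post_ips = conn.execute("UPDATE phpbb_posts SET poster_ip = '' "
                                "WHERE poster_id = ? AND poster_ip <> ''", (user_id,)).rowcount
        sessions = conn.execute("DELETE FROM phpbb_sessions WHERE session_user_id = ?",
                                (user_id,)).rowcount
        watches = conn.execute("DELETE FROM phpbb_topics_watch WHERE user_id = ?",
                               (user_id,)).rowcount
    return {"post_ips_cleared": post_ips, "sessions_deleted": sessions,
            "subscriptions_deleted": watches}


if __name__ == "__main__":
    db = build_sample_db()
    print("before:", export_user_data(db, 2)["account"])
    print("closed:", close_account(db, 2))
    print("after: ", export_user_data(db, 2)["account"])
```

Note what the script deliberately leaves alone: the post text. That matches the split the thread keeps returning to, between data the forum collected (handled here in one step) and personal data the user wrote into posts (which still needs the user to edit, or a specific request to the admin). Whichever split a board chooses, its privacy policy should describe exactly this behaviour, since the policy wording is what a reader of the thread is told matters most.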
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by david63 »

Let's just get a couple of points in perspective.

1. There is no way that on the 25th of May the GDPR "police" will be visiting every board and/or site that there is to check on compliance. I would bet my last pound that the GDPR police will never visit 99.9% of sites.

2. 99.9% of board members neither know, nor care, about what rights they have under GDPR.
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
GanstaZ
Registered User
Posts: 1187
Joined: Wed Oct 11, 2017 10:29 pm
Location: GZOverse

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by GanstaZ »

@tojag - All questions have been answered many times. You need to re-read everything again, again & again.
The best answer about GDPR is:
CHItA wrote: Sat May 19, 2018 9:47 am Also most of what GDPR requires is not technical solutions, but documentation of your processes and having your privacy policy (or whatever it is called now) published.
As admin you can move all posts to any account with one click, no need to anonymize anything. Moderators can move posts from one account to another as well.
Usus est magister optimus! phpBB pre-Triton & latest php environment.
When answer lies in the question, question becomes redundant!
CHItA
Development Team Member
Posts: 166
Joined: Sat Dec 06, 2008 10:27 pm
Location: London, UK

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by CHItA »

tojag wrote: Sat May 19, 2018 12:59 pm HiFiKabin, it is just interpretation. You have to read original document. Article 4 Definitions:
You seem to assume that nobody else has read the GDPR, which is not true at all. Also, the ICO is the UK's agency for enforcing GDPR, so their interpretation of the regulation is as good as it gets.
Acorn
Registered User
Posts: 402
Joined: Tue Sep 26, 2006 8:11 am
Location: UK

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by Acorn »

I think the organisations that are responsible for policing the GDPR (the ICO in the UK) will only ever visit a forum if a complaint has been made. They're vanishingly unlikely to ever go out looking for infringements from forum owners who are not big businesses.

If you can demonstrate that you have thought about and work towards the principles of the GDPR - largely, that you are only collecting data that is necessary for the forum, and are looking after it - you will be fine. The very worst that would happen would be being asked to do something specific (but reasonable), and it would then be down to you to do what was asked, to fight it, or to give up.

We are caught in the net of the GDPR, but we are not the people/organisations that it is aimed at.
Getting braver all the time. :D
LaxSlash1993
Registered User
Posts: 182
Joined: Sat Sep 22, 2012 2:20 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by LaxSlash1993 »

CHItA wrote: Sat May 19, 2018 9:47 am
LaxSlash1993 wrote: Sat May 19, 2018 6:01 am If you want to comply, comply. If you don't want to comply, either geoblock or just ignore it all. The only question is if phpBB wants to pull a WordPress and make GDPR features mandatory in its core code. The answer is, as it looks to be, no.
I wouldn't say that there is no chance of getting some functionality into core at some point; however, it seems to me, based on this thread, that many people who want to comply with GDPR want to comply with it in different ways. So I very much doubt that everything will ever be covered by the core, since there is GDPR and there are a bunch of points in it where an EU member state could make the regulations stricter or in some cases less strict. This is just something that is not possible to handle in the core. So basically we are not against supporting extensions by making some basic frameworks, but it is just simply not worthwhile to implement all of your use cases in the core.

--

I also do think that some features brought up in this topic could be considered for core functionality, such as "closing your account", so whoever wants to allow their users a one-click option to remove their email address, profile fields, and possibly IP data could do that easily. It might be a nice-to-have, and in regards to GDPR this would also solve some of the problems that are described in this topic. Some other GDPR-related features were also mentioned in this topic 50 pages back, and I think those could make it into the core someday as well, as optional features.
You missed my dig at WordPress making the features mandatory. I think core functionality would be alright, provided three things:

- It's all optional and off by default, even the smallest aspect of it
- It doesn't remove default functionality (i.e., close account doesn't remove delete account, and disabling close account won't turn off delete account/vice versa)
- Compliance does not become required for extensions.
GanstaZ
Registered User
Posts: 1187
Joined: Wed Oct 11, 2017 10:29 pm
Location: GZOverse

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by GanstaZ »

Well, at the moment users can ask to be deactivated or deleted. They can't do those actions on their own (without an extension), but it is possible by request. So with the right wording in the policy, it meets the requirements.
Usus est magister optimus! phpBB pre-Triton & latest php environment.
When answer lies in the question, question becomes redundant!
tlem
Registered User
Posts: 166
Joined: Sun Jan 24, 2016 4:47 pm
Location: Bordeaux (France)
Name: Thierry

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tlem »

tojag wrote: Sat May 19, 2018 12:59 pm But once you delete a user account, the user no longer has access to his posts and cannot edit or delete them. Besides, on many forums this possibility is blocked a short time after sending the post. Then the user cannot delete his data by himself. And he does not have to remember them.
Do you use your car before refueling with gasoline?
Are you leaving home without opening the door?
It is obvious that a user must take the necessary measures to delete or modify his personal data before deleting his account.
In case you consider your users to be stupid, you can stipulate it in the Privacy Policy!

And then how are you going to delete messages indexed by Google, Bing, or any search engine or archived by an online archive site?
This is definitely not possible as it is.

tojag wrote: Sat May 19, 2018 12:59 pm - posts? (if contain personal data)
Not for the moment. A "public message" cannot be considered as personal data (in any case not in the current state of the GDPR). If it contains personal data, then only this personal data can be taken into account for the right to be forgotten, and not the whole message.

tojag wrote: Sat May 19, 2018 12:59 pm I don't agree. I still think that anonymisation is the only possibility but in the case of a large number of posts it is virtually impossible.
You confuse "Personal Data" communicated to the "controller" for the purpose of automated processing or collected by the forum, and "Personal Data" written by the user. If a user wants to use his right to be forgotten, he can edit all his posts with personal data, and for those he cannot change, he only has to make the request as provided by the regulation. ^^

To conclude (definitively, I hope) this discussion on the question "Can a message on the forum be considered as personal data", I refer you to the official text of the GDPR in section (18).
extracted from official GDPR wrote: This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
Regarding a phpBB forum, the last part of the text obviously concerns only the personal data used for the registration and navigation of the user (login, mail, password, IP addresses, cookie data).

I hope this information will reassure you when the GDPR will be implemented in 6 days (maybe :D).
LaxSlash1993
Registered User
Posts: 182
Joined: Sat Sep 22, 2012 2:20 am

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by LaxSlash1993 »

tlem wrote: Sat May 19, 2018 2:27 pm And then how are you going to delete messages indexed by Google, Bing, or any search engine or archived by an online archive site?
This is definitely not possible as it is.
The EU mandates that search engines have a Right to be Forgotten feature. A user can request this for themselves, and can also request that you complete it.

https://www.google.com/webmasters/tools ... rd=1&pli=1
https://www.bing.com/webmaster/tools/eu-privacy-request
Yahoo works through e-mails to customer service, I believe.
extracted from official GDPR wrote: This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
Regarding a phpBB forum, the last part of the text obviously concerns only the personal data used for the registration and navigation of the user (login, mail, password, IP addresses, cookie data).
I found a new interpretation from the ICO on this a few days ago. This only applies to the users (i.e., taking screenshots) of the software. The users of your forum are partaking in an activity due to a hobby. You running the forum is not a hobby.
tlem
Registered User
Posts: 166
Joined: Sun Jan 24, 2016 4:47 pm
Location: Bordeaux (France)
Name: Thierry

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by tlem »

Again, you confuse the personal data collected and the personal data shared.

It's up to you.
As you have been advised, you should read carefully the various messages of this topic. On it, I leave you with your uncertainties.
Last edited by tlem on Sat May 19, 2018 3:00 pm, edited 1 time in total.
GanstaZ
Registered User
Posts: 1187
Joined: Wed Oct 11, 2017 10:29 pm
Location: GZOverse

Re: New GDPR (General Data Protection Regulation) and phpBB

Post by GanstaZ »

Hobby or not, but as mentioned before, both sides are responsible for their actions (GDPR can bite the left & right side).
Usus est magister optimus! phpBB pre-Triton & latest php environment.
When answer lies in the question, question becomes redundant!
Angoid
Registered User
Posts: 63
Joined: Tue Nov 22, 2005 8:28 pm
Location: East Midlands, UK

GDPR - non-profit club website

Post by Angoid »

I help with the website of a local model flying club, and the Committee members are currently discussing the ramifications of the GDPR, due to take effect on 25th May this year (2018). Although we charge for club membership, we are not a profit-making organisation.

We are based in the UK, and as such are affected by this regulation (Brexit does not excuse the UK from compliance, although it is an EU regulation).

Is there anything I ought to be aware of that could affect the running of a site that utilises the phpBB forum software? Obviously we collect PII (Personally Identifiable Information), and the forum software records such things as IP address, but is there anything I should be adding in / removing / switching on / switching off etc.?

Sorry for such a generalised question, but I'd like to be as clear as I can on this so I can feed back to the Committee.

If you're in the US, then please don't respond by saying that you're in the US and that this does not affect you - I've seen that sort of thing posted here and in other places online and it doesn't help.
GanstaZ
Registered User
Posts: 1187
Joined: Wed Oct 11, 2017 10:29 pm
Location: GZOverse

Re: GDPR - non-profit club website

Post by GanstaZ »

There is a topic about GDPR => New GDPR (General Data Protection Regulation) and phpBB + google GDPR.
Last edited by Mick on Sun May 20, 2018 7:48 am, edited 1 time in total.
Reason: Edited URL