Coleslaw

AVEN GDPR Upgrade & Policy Update

Hello,

As many of you will be aware, the European Union has updated the law regarding privacy and consent over use of personal data, and this updated law (GDPR, General Data Protection Regulation) will come into effect on the 25th of May 2018. It's a regulation for all individuals within the European Union. The GDPR aims primarily to give control to citizens and residents over their personal data; it also addresses the export of personal data outside the EU.

 

From Wikipedia (which summarises it well): the GDPR provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties. The GDPR also brings a new set of "digital rights" for EU citizens in an age of an increase of the economic value of personal data in the digital economy. (more info here).

 

There are only a few ways AVEN is concerned, and a couple of changes to our members:

 

1. Our registration form will include more explicit wording around how your data is stored and used on AVEN. Invision Power Board was updated this past weekend to meet GDPR compliance and now prompts for cookies & privacy message adjustments, so everyone can stay up to date with software privacy changes.

 

2. All of our members, regardless of the date they registered, will have more control over their personal data. The only personal information (as defined by GDPR) that AVEN stores is members' email addresses and IPs; we don't send out mass emails, such as newsletters, and don't plan to. If you are receiving emails from AVEN, that is connected to your account's Followed Content choices, which can be changed at any time in your User Settings.


The way in which members will have more control over their data is with regards to how long AVEN stores your data. Should a member desire to have their account removed in order to have their email & IP record deleted from our servers, they now have that option. This is an update to our current rules, which will be reflected soon in the Terms of Service, and will be available from the 25th of May.

 

The above change means that our Admod Team will honour account deletion requests; this does not mean they will need to delete the content posted by that account. As it has been until today, deleting posts will still be down to the individual members, and will have to be done before requesting deletion. Members can ask for help with regards to deleting information in locked/archived posts if the posts include personally identifiable information (unique name, address, phone number, email, IP, etc).

 

As always, we hope our members enjoy their stay on AVEN and will not wish to leave any time soon.


Thanks,
AVEN BoD

Kimmie.

Don't you have to ask every member if they agree with this? And shouldn't the "delete all posts" thingy be made as easy as possible, like one button that deletes all posts ever made, including quotes by other members?

 

Anyway, it is great that you are taking this seriously.

daveb
32 minutes ago, Kimmie. said:

Don't you have to ask every member if they agree with this? And shouldn't the "delete all posts" thingy be made as easy as possible, like one button that deletes all posts ever made, including quotes by other members?

No and no.

 

To expand: I think the first part is just complying with new laws. I think it's mandatory, not something people can opt out of. The second thing can be very destructive, especially if it's so easy to do. I saw a lot of information that was basically community property on another forum get lost forever because one person left and wiped out everything they had ever been a part of. We lost a lot of history and community lore (and fun stuff, too). It was very sad. And there was little if any personal info involved. :(

daveb

That said, I don't know what the new EU law entails or requires.

Kimmie.

Yeah, that sounds fair.

ithaca
On 5/24/2018 at 6:49 AM, Kimmie. said:

Don't you have to ask every member if they agree with this? And shouldn't the "delete all posts" thingy be made as easy as possible, like one button that deletes all posts ever made, including quotes by other members?

 

Anyway, it is great that you are taking this seriously.

Hi! 

 

As anyone who lives in the EU will be able to tell you (if you don't), our email inboxes have been flooded by all sorts of companies and websites informing us of their changes to data privacy rules and the like. The GDPR is more complicated than it looks at first sight, and does not mean that anything someone wants deleted should be deleted. Companies don't even have to ask you if you want to agree to them keeping you on their newsletter (most of them are using something called 'legitimate interest'). You can find more info here and in this article about how many companies are getting it wrong.

 

What must be deleted if someone asks is personally identifiable information, which is a list that has some clear items on it (such as full name, address, emails, IPs, phone number, etc.), and some that are less clear (the Information Commissioner's Office itself says the list is non-exhaustive). This is because what it really boils down to is whether or not that info identifies a specific, unique individual (e.g. could I figure out it's you out of all the people in your country/city/town etc?).

 

So for example, if I wanted to leave AVEN and remove all personal info on me, first I'd have to figure out if anything in my posts includes personally identifiable data, and then sort that out by editing them. Last, I'd ask for my account to be deleted (which deletes email and IPs, all data AVEN stores as a website). If I had posted a post on AVEN that I want deleted, and it's not 'archived'/locked, it's up to me to edit it out/remove it (and I can do that with anything at all, including non-identifiable data, though we hope members don't). If it's locked, I can ask Admods to edit it out/remove it, and they will only HAVE TO (by law) if (see above) it REALLY identifies me.

 

Some examples:

-Welcome Lounge post: "Hi, my name is Mary from London, so excited to be here!" = not really identifiable info, there are hundreds of thousands of Marys in London. Admods would not have to remove this.

-Welcome Lounge post: "Hi, my name is John Smith, from the UK" = not really identifiable info, there are hundreds of thousands of John Smiths in the UK. Admods would not have to remove this.

-Welcome Lounge post: "Hi, my name is Mary Shnoodzly, I live in London, so excited to be here!" = more identifiable, don't imagine many Mary Shnoodzly in London, would have to be deleted if asked.

-Off-A post: "Hi, my name is Jack and I work in the Royal Mail service, anyone else?" = not really identifiable info, loads of Jacks most likely work in the Royal Mail service. Admods would not have to remove this.

-Meetup post: "Hi, my name is Jack and I work in the Royal Mail service at the little office of Stoke Holy Cross in Norfolk, anyone else lives around here?" = there's likely to be only one Jack at the little office of Stoke Holy Cross in Norfolk, so someone could identify him. This would have to be deleted if asked.

 

I hope this helps. As you can see from the way people post on AVEN, most posts are not covered by the 'right to be forgotten', because they don't include personally identifiable data, so would not have to be deleted, and we therefore do not need a 'delete all posts' button.

 

Any questions, shout (though I can't promise I'll be able to answer them all, or not all quickly).

Kimmie.

@ithaca Okay, the funny thing is that I get different info from every place I check. Some "experts" say that everything should be deleted if the user asks for it; it doesn't matter why, it just should.

 

Well, it is enough that one person knows who I am for it to be personally identifiable data.

 

Anyway, it personally doesn't really matter to me. But this is the most important one for me:

Opt-in rather than Opt-out

Under the GDPR, companies have to switch from an opt-out approach to an opt-in approach. That is – rather than giving users an option to opt-out of having their data collected and stored, users must give permission to have their data collected and used. This applies to newsletters and other platforms where their data may be collected.

European users have the legal right to question or appeal how their personal information is presented by algorithms such as those used by search businesses and the likes.

 

And I want to be clear I am not trying to threaten you here at all. I am just worried that someone might use this law to hurt AVEN. There is so much at my work that has been done. We have had to throw away so many paper archives. It is enough to have just a name, no address. It could be okay but we don't want to risk it. And it takes too much time to contact every person and ask if it is okay for us to have that info.

 

 

ithaca
25 minutes ago, Kimmie. said:

@ithaca Okay, the funny thing is that I get different info from every place I check. Some "experts" say that everything should be deleted if the user asks for it; it doesn't matter why, it just should.

 

Well, it is enough that one person knows who I am for it to be personally identifiable data.

 

Anyway, it personally doesn't really matter to me. But this is the most important one for me:

Opt-in rather than Opt-out

Under the GDPR, companies have to switch from an opt-out approach to an opt-in approach. That is – rather than giving users an option to opt-out of having their data collected and stored, users must give permission to have their data collected and used. This applies to newsletters and other platforms where their data may be collected.

European users have the legal right to question or appeal how their personal information is presented by algorithms such as those used by search businesses and the likes.

 

And I want to be clear I am not trying to threaten you here at all. I am just worried that someone might use this law to hurt AVEN.

 

 

That is all fine. Our users never needed to opt out of anything in the first place, so we don't need to swap to opt-in. They all actively choose to register, leaving their email for registration purposes (which will be explained more clearly in the registration form). We do not send out newsletters or emails that people need to actively opt in to rather than opt out of, so that doesn't change anything for us :)

 

A lot of companies used to automatically opt you in to newsletter and discount-deal emails when you were buying something online, without asking for permission, and left you to have to opt out after they had already emailed you. That will not be allowed anymore (but again doesn't apply to us).

 

We are lucky that very little needs to change because of how very little personal data we request, store or use as an organisation.

Tercy

To my knowledge there exists no "clear list" of what is considered "personal data" and the definition remains vague - possibly intentionally so, for at least one good reason: there's an important grey area. I've done what you might call some casual PI work (read: stalking) in the past and often I've been able to identify people using some of the most unsuspecting details. The more you profile a person, the more you can tie together as possibly/probably being linked to them. On the surface it may seem like one post about something very common can't be used to identify you, but someone scouring your entire post history (who has possibly already scoured your history elsewhere on the internet) can figure out a lot about you - and by following the breadcrumbs, find other sites you're on, other usernames you use, other contact details (email, Facebook, whatever) and before you know it, you done been ID'd.

 

Even in the best case scenario, anyone is kidding themselves if they think this is just about email addresses and names. Plenty of (official) sources have included things as simple as hair colour in their definitions - so even a post about someone dying their hair blue needs to be deleted.

 

As a site owner, you would have to ask yourself whether you'd want to take the risk of being sued/whatever because someone was able to track down (and murder? for sake of emphasis) one of your site's users because you didn't delete a post they made 4 years ago about owning a rare tropical fish or some shit. Personally, I'd just play it safe and delete everything.

ithaca
8 minutes ago, Tercy said:

To my knowledge there exists no "clear list" of what is considered "personal data" and the definition remains vague - possibly intentionally so, for at least one good reason: there's an important grey area. I've done what you might call some casual PI work (read: stalking) in the past and often I've been able to identify people using some of the most unsuspecting details. The more you profile a person, the more you can tie together as possibly/probably being linked to them. On the surface it may seem like one post about something very common can't be used to identify you, but someone scouring your entire post history (who has possibly already scoured your history elsewhere on the internet) can figure out a lot about you - and by following the breadcrumbs, find other sites you're on, other usernames you use, other contact details (email, Facebook, whatever) and before you know it, you done been ID'd.

 

Even in the best case scenario, anyone is kidding themselves if they think this is just about email addresses and names. Plenty of (official) sources have included things as simple as hair colour in their definitions - so even a post about someone dying their hair blue needs to be deleted.

 

As a site owner, you would have to ask yourself whether you'd want to take the risk of being sued/whatever because someone was able to track down (and murder? for sake of emphasis) one of your site's users because you didn't delete a post they made 4 years ago about owning a rare tropical fish or some shit. Personally, I'd just play it safe and delete everything.

As discussed in the OP, users can delete/edit out their own posts. Because we offer this option (meaning our website is not one of those where you can't edit your own posts), we don't need to worry about having to do that ourselves.

Tercy
18 minutes ago, ithaca said:

As discussed in the OP, users can delete/edit out their own posts. Because we offer this option (meaning our website is not one of those where you can't edit your own posts), we don't need to worry about having to do that ourselves.

 

Out of interest, do you have any sources for this readily available?

 

Just to throw a few points out there:

 

1) The wording of the regulation does suggest the onus is on the "controller" (e.g. the site staff) to delete the data, not for the user to delete their own data.

 

2) In these matters there's often the question of "fairness" - and I wouldn't fancy your chances in court, expecting your users to go through and vet/delete their own 40,000-strong post history one by one.

 

3) What about posts where you have been quoted? These are out of your control, but still contain your information.

 

Again... why even risk it? :P 

ithaca
2 minutes ago, Tercy said:

 

Out of interest, do you have any sources for this readily available?

 

Just to throw a few points out there:

 

1) The wording of the regulation does suggest the onus is on the "controller" (e.g. the site staff) to delete the data, not for the user to delete their own data.

 

2) In these matters there's often the question of "fairness" - and I wouldn't fancy your chances in court, expecting your users to go through and vet/delete their own 40,000-strong post history one by one.

 

3) What about posts where you have been quoted? These are out of your control, but still contain your information.

 

Again... why even risk it? :P 

We would delete the data we require users to give us (email, IP); what users choose to share in their posts is entirely up to them, if that makes sense? Again, very few people share data that would identify them, so not much of a risk on AVEN. Admods can help where someone was quoted :)

Tercy
12 minutes ago, ithaca said:

what users choose to share in their posts is entirely up to them

 

I'd still be interested to see the source for this. ;)

paperbackreader
4 hours ago, Tercy said:

 

Out of interest, do you have any sources for this readily available?

 

Just to throw a few points out there:

 

1) The wording of the regulation does suggest the onus is on the "controller" (e.g. the site staff) to delete the data, not for the user to delete their own data.

 

2) In these matters there's often the question of "fairness" - and I wouldn't fancy your chances in court, expecting your users to go through and vet/delete their own 40,000-strong post history one by one.

 

3) What about posts where you have been quoted? These are out of your control, but still contain your information.

 

Again... why even risk it? :P 

 

4 hours ago, ithaca said:

We would delete the data we require users to give us (email, IP); what users choose to share in their posts is entirely up to them, if that makes sense? Again, very few people share data that would identify them, so not much of a risk on AVEN. Admods can help where someone was quoted :)

The world is greyer than set out here.

 

If users made a request to the site administration that they wish for all of their posts to be deleted, unless there is another overriding legal basis to retain (e.g. where there's a current police investigation / notice in to bullying / harassment, or where the entire post is intellectual property jointly developed and signed to be the property of the site rather than the user - and there was nothing personally identifiable to the user, then pseudonymisation rather than deletion would be appropriate) - then it is up to the site to delete the data within 30 - 60 days of the user's request.

 

Also ref Opt in vs Opt out - that only applies where the legal basis for processing is consent... I mean, would you expect to consent to receiving a receipt / invoice, or would you expect to opt out of receiving a paper copy...?

Sleighcaptain

The responsibility of the site owner to delete data applies to material that only they can access, in the case of AVEN, people's email addresses. It doesn't apply to forum posts, as the individual concerned can edit or remove these themselves at any time. 

The law is aimed more at businesses, so if, for example, you buy something online, they can't store your name, address, credit card details etc without your consent. 

 

What, from an AVEN perspective, would be interesting to see is how the law stands when a post has been quoted. 

Tercy
3 hours ago, Skycaptain said:

The responsibility of the site owner to delete data applies to material that only they can access, in the case of AVEN, people's email addresses. It doesn't apply to forum posts, as the individual concerned can edit or remove these themselves at any time. 

 

I still... would love to see the source for this.

 

If we go back to the beginning and turn to the GDPR itself, Article 2(1) says:

 

Quote

This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

 

The takeaway here is that the GDPR applies to "processing" and "personal data."

 

Also, Article 2(2) says:

 

Quote

This Regulation does not apply to the processing of personal data:

  1. in the course of an activity which falls outside the scope of Union law;
  2. by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
  3. by a natural person in the course of a purely personal or household activity;
  4. by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

 

1. As will be demonstrated below, AVEN and its activities are within the scope of the GDPR.

2. AVEN is not (to my knowledge) involved in policing immigration.

3. AVEN is not a person storing contact details in a smartphone.

4. AVEN is not (to my knowledge) an authority involved in solving crime.

 

I address this in response to this idea that the GDPR is "aimed at businesses." As further evidence, the ICO has a guide aimed at charities.

 

In Article 4(1), 'personal data' is defined as:

 

Quote

... any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

 

I highlighted the "or indirectly" just to reinforce my point that unassuming data by itself may not necessarily identify a person, but can be used as part of a wider operation (e.g. profiling) to identify a person.

 

You may also note it says above, "in particular ... such as a name" but note that "in particular" does not mean "exclusively."

 

Article 4(2) defines "processing" as:

 

Quote

... any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

 

A few of the terms above could apply to a forum, but "storage" and "otherwise making available" are definitely in the bag.

 

While we're on Article 4, let's just cover "processor" and "controller":

 

Quote

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;


We already established that AVEN meets the definition of "processing" - so AVEN is at the very least a processor.

 

Quote

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

 

You'll note here it says that a controller may have whole or joint control. Really this is aimed at organisations working together and sharing data, but I point it out because it illustrates that there's no basis for this idea that AVEN gets a free pass just because other people (e.g. the users) share some form of control over the data.

 

I included this part just to establish that the GDPR applies to both controllers and processors. In Article 24(1) we see:

 

Quote

... the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.

 

In Article 28(1) we see:

 

Quote

... the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

 

Also, this part about implementing "appropriate technical measures" would become relevant in a case where your defense was (paraphrasing, of course) "we couldn't be bothered to implement the technology to mass-delete people's posts." According to the GDPR, you're responsible for implementing such technology if it's necessary for compliance.

 

On the "right to erasure" Article 17(1) says:

 

Quote

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay 

 

To me, this wording suggests that the obligation is on the controller to erase the data. Maybe I'm just reachin'.

 

So far, nowhere have I seen anything that suggests or supports any of the following:

  • Forum posts are exempt.
  • AVEN is exempt.
  • Giving people the tools to spend hours of their life deleting their own data whilst refusing to do it yourself counts as compliance.
  • The GDPR only applies to businesses.
  • The GDPR only applies to email addresses.
  • The GDPR only applies to data outside of the user's control.

 

If anyone can support the above claims, I'd be interested to see it. ;) I don't have an axe to grind here; I'm just concerned by what seems (to me) to be misinformation being promoted on what is potentially an important issue, given the proposed threat of hefty fines for noncompliance. Also, given that it was my responsibility to research the GDPR, its impact on my employer's (a software company) operations and make the final decision on how we should respond to it, I'd welcome anyone who is able to show me where I may have gone wrong. So that I might grow as a human being and shit.

Maz

On a general note: anyone who believes that personal data can be (fully) protected by such a law is not aware of how the internet works. Especially the total erasure of data is near to impossible. Any member (or guest/bot in public areas) of this board can copy any public information to their personal PC. Files that were deleted can be restored in many cases so the data might still be out there hidden on one or many hard drives even at hosting companies. Also most sites including Aven were served via http not https for a long time which means that also private messages and passwords could have been stored by third parties with access to that traffic, e.g. secret services, providers, hosting companies, ...

 

Quote

Article 17 – Right to erasure (‘right to be forgotten’)


The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

 

Quote

the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;


Seems to me like this is up for interpretation. Personal data that is part of a larger discussion could be considered necessary indefinitely. On the other hand one might argue that e.g. there is no purpose involved anymore as soon as someone leaves the site. So any personal data would have to be deleted by the staff as soon as someone leaves the site.

 

 

Quote

the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;


Could be tricky as well. If someone posts personal data in a forum post the site owner has neither asked for consent nor was consent granted explicitly. What hasn't been granted cannot be withdrawn. Also there are a bunch of legal reasons that might justify keeping e.g. data like ip addresses.

 

 

Quote

Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

for exercising the right of freedom of expression and information;


I'd say a forum thread might serve the right for freedom of expression and information.
...

 

Quote

for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or for the establishment, exercise or defence of legal claims.


Maybe?

By the way, if https://en.wikipedia.org/wiki/EU–US_Privacy_Shield is declared invalid in the same way that Safe Harbor was declared invalid, there might be no legal grounds at all to transfer data of EU citizens to the US and vice versa anymore, so the site would have to be split into at least two separate instances to comply with the law, which is ridiculous obv. 😉

 

Blaiddmelyn

I can tell you now, unless anyone here is a GDPR expert, they won't be able to tell you if AVEN is a processor or a controller because it's not always obvious. My guess would be for stuff like email addresses, personal info and IP addresses, AVEN is the controller and the software company they use for the forum is a processor.


In terms of forum posts, I'd think they're only personal data if you could identify someone through what they write. A lot of forum posts won't qualify (the underlying data, like my IP address for example will, clearly). Otherwise, my guess without thinking about it much is that AVEN isn't the controller in respect of my posts - I decided to write this post so it was me who decided what to do with my data, not AVEN. You can only argue they're a controller on the basis that they tell the software company how to process my post - that is a guess though, without me having done proper research into it.

 

Honestly, though, it's better to speak to a GDPR expert than try to second-guess the legislation if you're concerned. It's hellishly complex and unless you've spent a lot of time getting to grips with it, you're probably not going to get it right.

 

PS. Re: the EU-US privacy shield - you can still comply if you put into place processes that are adequate by EU standards, IIRC - see Article 46. The US just has terrible data protection laws.

FaerieFate

I'd like to remind users that our BOD handles the legal aspects of AVEN. They are fully aware of the laws and how they affect AVEN. They have to be in order for AVEN to maintain its non profit status in the US.

 

So unless someone is a GDPR expert or works for the legal department in the EU, trust our BOD. If you are an expert or work in the legal department in the EU and you think our BOD needs to do something different, then you can PM them. 

FaerieFate

@Tercy you have the tools. You can totally edit all of your posts to remove all of the text at any point, and we've had members do that. Exceptions are archived threads, but even for those you can request edits and it's up to admod discretion. The only time I may hesitate to remove a post is if it's a World Watch thread, because much of those threads show the history of asexuality.

Kimmie.

As a member you can remove the text in a post but not the post altogether, which can be a problem.

Kimmie.
On 5/26/2018 at 10:04 PM, Blaiddmelyn said:

Otherwise, my guess without thinking about it much is that AVEN isn't the controller in respect of my posts - I decided to write this post so it was me who decided what to do with my data, not AVEN.

With that logic the e-mail and IP is not a problem either, because you decide yourself to sign up.

Blaiddmelyn
On 5/28/2018 at 6:48 AM, Kimmie. said:

With that logic the e-mail and IP is not a problem either, because you decide yourself to sign up.

That's a requirement of me using the services, which is how AVEN is caught by the GDPR at all, so arguably different. I have to give that to use the site. I don't have to then post. As I say though, I am guessing - forum posts aren't something I need to know about insofar as I need to know the GDPR.

Kimmie.

Yeah, that makes sense. What I am worried about is that so many "experts" interpret it differently. No one seems to agree what it means.

Homer
31 minutes ago, Kimmie. said:

Yeah, that makes sense. What I am worried about is that so many "experts" interpret it differently. No one seems to agree what it means.

That's quite fitting though :ph34r:

Sally

TLDR all of this, so won't worry about it.

Tercy

@FaerieFate I'm sure the users are very reassured. ;) As always, I'm just here for the discourse; I have no vested interest in whether or not AVEN gets fined into oblivion. And I'm just putting it out there that my perspective is very different to the one being presented here.

 

As I read back over this thread, I feel it would be helpful to just highlight the motives behind the GDPR and the "right to be forgotten." There seems to be this underlying misconception that it's a purely commercial affair - like it's some kind of reaction to big data companies targeting political propaganda on Facebook and shit. It's not. The EU's stance is that having control over digital data that relates to you is a human right. The "right to be forgotten" isn't the right to not have big data companies profile you; it's the right to not have your digital past follow you around. In other words, being able to do things like decide you no longer want to be associated with a particular online forum is exactly the sort of thing that inspired the existence of the GDPR in the first place.

 

To just address some other things:

 

@Maz's post explores Article 17, but the simple fact is that (as highlighted in said post) only one needs to apply - and you've got quite a list there to choose from. 

 

On 5/26/2018 at 5:44 PM, Maz said:

If someone posts personal data in a forum post the site owner has neither asked for consent nor was consent granted explicitly. What hasn't been granted cannot be withdrawn.

 

There exists the concept of "implied consent" in law so this one wouldn't hold any ground by itself anyway. In any case, consent is one of the requirements for the processing to be lawful in the first place (see Article 6) - so if there's no consent and no other lawful basis for keeping the data (I can't see anything else in Article 6 that would apply) then Article 17(1)(d) would apply and the data would have to be erased.

 

Quote

Also there are a bunch of legal reasons that might justify keeping e.g. data like ip addresses.

 

IP logs are covered by the GDPR. The log (or indeed any other data) would need to be relevant to some ongoing legal/criminal/other proceeding for you to have any grounds to keep it after the user has requested erasure. As much as it might intuitively feel right to hold on to such data "just in case" something comes up in the future, lawfully you can't just override people's rights on the grounds that they may one day become a suspect. "Presumption of innocence" and all that.

 

(Does AVEN have a process in place to delete such logs?)

 

On 5/26/2018 at 5:44 PM, Maz said:

I'd say a forum thread might serve the right for freedom of expression and information.

 

This clause is to just reconcile the two rights (freedom of expression and right to erasure) so that you can't for example use the GDPR to censor someone. Deletion of your own data doesn't censor anyone else.

 

On 5/26/2018 at 5:44 PM, Maz said:

"for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or for the establishment, exercise or defence of legal claims."

 

I'm struggling to imagine how posts between normal members of society on a social forum might be of public, academic, historical or scientific interest. ;)

 

On 5/26/2018 at 9:04 PM, Blaiddmelyn said:

I can tell you now, unless anyone here is a GDPR expert, they won't be able to tell you if AVEN is a processor or a controller because it's not always obvious

 

You don't need to be "a GDPR expert" to know if AVEN is a controller or processor; you read the definitions in the regulation and can clearly see that they apply to AVEN one way or another.

 

On 5/26/2018 at 9:04 PM, Blaiddmelyn said:

In terms of forum posts, I'd think they're only personal data if you could identify someone through what they write.

 

We covered this one as well. The definition of "personal data" in the GDPR includes data that may indirectly identify a person. As an example, I might make a post in a thread about programming. In another thread, I comment on how it takes forever for my hair to dry because it's so long. In another, I may make a comment about buying something for £80. I comment in another thread that I draw cartoons. Now someone can tie together that I'm a programmer who draws cartoons, probably lives in England and has long hair. As all this information adds up, there comes a point where the right (or wrong?) person would tie it all together and either know who you are (if they already know you) or be well on their way to figuring out who you are.

 

There's another subtle issue: Things like gender, location and hair colour (for example) are clearly covered by the GDPR, but this information extends beyond just labels like "male" and "brown hair." Again, I don't need to post "I live in England" for someone to figure out that I live in England; they could figure that out (with reasonable accuracy) from my use of British English, whining about English weather, etc. One's gender might be inferred (again, with reasonable accuracy) from a post about hating wearing bras/dresses or never being able to find a comfortable position for your testicles when lying down, etc.

 

-

 

Just to reiterate: My stance is that, with there being so much open to interpretation - and when weighing the potential consequences against the simplicity of just installing a script to delete/nullify posts - why even take that risk in the first place? And this is a purely legal/lawful question. There exists also the moral question of, why try so hard to find loopholes that keep you from having to grant the wishes of users regarding their data?

 

... and to add to that, I do find it very amusing that AVEN - a site renowned for its mountains of red tape, policies and processes, pomp and circumstance, legal bubble wrap and such - has opted to take the riskier approach to this issue. :p If I were an armchair psychologist, it might almost seem as though AVEN just doesn't like the prospect of now being obligated to do something they so deeply detest being asked to do (hence all the "ffs we're not going to delete your posts so stop asking!" threads over the years) - and now they're just digging their heels in. Pure speculation, of course.

 

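Tercy's point above, that individually innocuous details scattered across threads narrow down who a poster is, can be made concrete by counting how many members remain consistent with each added disclosure (the anonymity set). This is an added example, not code from the thread or from AVEN's forum software; the member population and the attribute names are constructed for illustration.

```python
# Constructed sample population (not real AVEN members): each record carries
# attributes of the kind that get mentioned in unrelated threads.
FIELDS = ("id", "occupation", "hair", "country", "hobby")
MEMBERS: list[dict[str, str]] = [dict(zip(FIELDS, row)) for row in [
    ("m01", "programmer", "long", "England", "cartoons"),
    ("m02", "programmer", "long", "England", "music"),
    ("m03", "programmer", "long", "Wales", "cartoons"),
    ("m04", "programmer", "short", "England", "cartoons"),
    ("m05", "programmer", "short", "Scotland", "hiking"),
    ("m06", "teacher", "long", "England", "cartoons"),
    ("m07", "teacher", "short", "England", "music"),
    ("m08", "nurse", "long", "England", "hiking"),
    ("m09", "nurse", "long", "Ireland", "cartoons"),
    ("m10", "programmer", "long", "England", "hiking"),
    ("m11", "artist", "short", "Wales", "cartoons"),
    ("m12", "programmer", "long", "Scotland", "music"),
]]

# The disclosures from the post, in the order they accumulate across threads.
DISCLOSURES: list[tuple[str, str]] = [
    ("occupation", "programmer"), ("hair", "long"),
    ("country", "England"), ("hobby", "cartoons"),
]

def candidates(population: list[dict[str, str]],
               disclosed: dict[str, str]) -> list[str]:
    """Ids of every member consistent with all the disclosed attribute values."""
    return [m["id"] for m in population
            if all(m.get(attr) == value for attr, value in disclosed.items())]

def anonymity_sets(population: list[dict[str, str]],
                   disclosures: list[tuple[str, str]]) -> list[int]:
    """Candidate-set size after each cumulative disclosure (shrinks toward 1)."""
    known: dict[str, str] = {}
    sizes: list[int] = []
    for attr, value in disclosures:
        known[attr] = value          # one more detail tied to the same poster
        sizes.append(len(candidates(population, known)))
    return sizes

def is_k_anonymous(population: list[dict[str, str]],
                   disclosed: dict[str, str], k: int) -> bool:
    """True while at least k members remain indistinguishable on what was disclosed."""
    return len(candidates(population, disclosed)) >= k

if __name__ == "__main__":
    for n, size in enumerate(anonymity_sets(MEMBERS, DISCLOSURES), start=1):
        print(f"after {n} disclosure(s): {size} candidate member(s)")
```

With this population the candidate set goes 7, 5, 3, 1 across the four disclosures, which is the "there comes a point" the post describes; a forum assessing erasure requests could apply the same check to decide whether a member's remaining posts still single them out.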
sea-lemon
5 minutes ago, Tercy said:

and to add to that, I do find it very amusing that AVEN - a site renowned for its mountains of red tape, policies and processes, pomp and circumstance, legal bubble wrap and such - has opted to take the riskier approach to this issue. 😛 If I were an armchair psychologist, it might almost seem as though AVEN just doesn't like the prospect of now being obligated to do something they so deeply detest being asked to do (hence all the "ffs we're not going to delete your posts so stop asking!" threads over the years) - and now they're just digging their heels in. Pure speculation, of course.

You're reading waaaaay too much into this :lol:

Tercy
7 minutes ago, sea-lemon said:

You're reading waaaaay too much into this

 

How dare you make baseless speculations on my psychological processes!

sea-lemon
1 minute ago, Tercy said:

 

How dare you make baseless speculations on my psychological processes!

Just replying in kind :P

 

(assuming of course that you meant that last post lightheartedly)
