Jump to content

AVEN GDPR Upgrade & Policy Update


Coleslaw

Recommended Posts

1 minute ago, sea-lemon said:

(assuming of course that you meant that last post lightheartedly)

 

I did indeed.

Link to post
Share on other sites
Skycaptain

I've linked the GDPR text from the EU into the related thread in site comments. It runs to 85 pages 

Link to post
Share on other sites

@Tercy





IP logs are covered by the GDPR. The log (or indeed any other data) would need to be relevant to some ongoing legal/criminal/other proceeding for you to have any grounds to keep it after the user has requested erasure.


I'm not sure which paragraph you refer to but legitimate interests are at least not dependant on ongoing legal proceedings.

Article 6(1)
...
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

also see:
http://www.privacy-regulation.eu/en/recital-49-GDPR.htm

so if e.g. a spammer has created multiple accounts in the past it is very likely covered by the legitimate interest of the site owner to keep the IP-address in a blacklist indefinitely even if he requests erasure.

Concerning deletion of posts one should also keep in mind that it might be in the legitimate interest of other users that the posts are not deleted. Removing quotes from some other user's posts just because the quoted user has requested so clearly results in a conflict of interests. And what about private messages? Should they be deleted from other users' inboxes on request?
Link to post
Share on other sites

@Maz Article 6(1) concerns the "lawfulness of processing" - not the right to erasure. If someone starts spamming your server, it's lawful for you to capture their IP (e.g. in a blacklist) because you have a legitimate reason to do so. The point being that you don't need consent or another reason to hold that data and it be lawful. However, if a user then requests erasure, you're still obligated to delete it.

 

This might be easier to digest if you consider things like: the unsolicited traffic (spam, DDoS, whatever) may have been caused by malware installed on the user's computer - and maybe they've since cleared out the malware and they're no longer a threat; or maybe someone used their WiFi and it has since been secured; or maybe they were just going through their script kiddie phase a few years prior and now they want to leave it all behind them (note that they're still lawfully "innocent" if they've never been sentenced - and there's no basis for you to overrule their rights and impose vigilante e-justice on them regardless of what evidence you may have).

 

I imagine the proper approach would be to remove the IP from the blacklist upon request - and then if it starts causing trouble again, add it back. Article 12(5) becomes relevant here.

 

The above also covers your statement about the "legitimate interest of other users."

 

45 minutes ago, Maz said:

Removing quotes from some other user's posts just because the quoted user has requested so clearly results in a conflict of interests.

 

This one is even more complicated to my mind and I think there would at least be some legitimacy to the idea of keeping quotes in posts - especially if they're not attributed in a way that they could be connected to other posts by the quoted user. You could argue that quoting is an extension of the quoting user's freedom of expression, but you could also argue that the forum software's quoting mechanism complicates matters because someone saying "x said y" is very different to software "proving" that x must have said y (for it to be quotable in the first place) i.e. it's no longer an opinion or a claim being made by a user, but a confirmation by the forum that the user did in fact say it. Or something.

 

53 minutes ago, Maz said:

And what about private messages? Should they be deleted from other users' inboxes on request?

 

This same question has been asked (and answered) about emails. Intuitively it may feel like email is a separate issue, but ultimately emails are still just (potentially personal) data being handled by a controller/processor. Personal copies (e.g. saved in a file or a mail client's cache or something) would obviously be excluded, but technically the GDPR would still apply to emails you've sent and the service providers who store those emails. Again, the potential for abuse of this is covered by Article 12(5). (It'll be interesting to see if this ever gets put to the test - and what the outcome will be.)

Link to post
Share on other sites
Quote


note that they're still lawfully "innocent" if they've never been sentenced - and there's no basis for you to overrule their rights and impose vigilante e-justice on them regardless of what evidence you may have).

It's not like banning someone from a site is a legal sentence or anything. It's more like removing someone from your private property and of course you have the right to do so even without reason. The main difference is that it's much harder on the internet and you can't just say "x is no longer allowed to use this site".

 

Quote


I imagine the proper approach would be to remove the IP from the blacklist upon request - and then if it starts causing trouble again, add it back. Article 12(5) becomes relevant here.

I don't think it is technically possible to recognize an Ip is causing trouble without storing it somehow before it causes trouble.

But in the end potentially personal is the term it all comes down to. Let's say someone uses a tor proxy to access a site (sadly enough spammers quite frequently do that). It is practically impossible to identify the real person behind that ip so it would be really weird to call this ip address potentially personal data from the viewpoint of linking the ip to a real person. On the other hand it's much easier to recognize the same user is accessing the site again e.g. after he has been banned than it would be if a regular dynamic dialup ip had been used because most people just don't use tor proxies. So a tor Ip  would be "very personal data" from that viewpoint.

 

Quote


This same question has been asked (and answered) about emails. Intuitively it may feel like email is a separate issue, but ultimately emails are still just (potentially personal) data being handled by a controller/processor.

That's where it gets totally weird. So if someone writes an email requesting the removal of personal data it will contain personal data again (at least the email address). If this it not enough to identify the user the site owner will have to ask for even more personal data to check whether the request for erasure is legitimate. By doing so a lot of personal data is transferred (probably more than was ever stored before) and if the site owner wants that to be removed on the user's side after the case is closed he will have to request that it'll be deleted by sending another mail containing personal data and so forth ;)

 

Quote


Personal copies (e.g. saved in a file or a mail client's cache or something) would obviously be excluded

As far as I remember GPDR applies to all ways of storing data and it doesn't matter where this data is stored. Database, text file, mail client or even a printout in a ring binder. So love letters would have to be destroyed on request by the former partner ;)

Link to post
Share on other sites

I'm content to leave it to legal experts and those who are responsible for the site. Everything else is pointless, in my (non-legal) opinion. :P 

Link to post
Share on other sites
28 minutes ago, Maz said:

It's not like banning someone from a site is a legal sentence or anything. It's more like removing someone from your private property and of course you have the right to do so even without reason.

 

You have every right to ban people - as long as you follow the law in the process. You don't need a reason to ban people, but you do need a legitimate reason to store data about them and/or to reject their requests for erasure.

 

Imagine the scenario: Someone throws a tantrum, gets themselves banned and then says, "OK, I'll leave the site, just delete everything about me so we can all forget this ever happened." Your reason for keeping them on your ban list is to stop them signing up again, but they've just expressed that they have no interest in trying to sign up again. Arguably, even if they don't explicitly state that they have no intentions to try to sign up again, you don't necessarily have any reason to assume that they will - especially if you've made it clear that they're not welcome anymore. If they do then sign up again, you can ban them (again) and now you have a stronger case for keeping their details on a ban list. Either way, you'd be wise to adhere to the "data minimisation" principle and maybe store their IP/email/whatever as a hash instead (although I can think of a few practical arguments against this).

 

Again... the GDPR is about the human rights of the 'data subject', not the convenience of organisations and website admins. People's human rights trump your desire to have an easy life without needing to follow protocol.

 

58 minutes ago, Maz said:

I don't think it is technically possible to recognize an Ip is causing trouble without storing it somehow before it causes trouble.

 

The IP will surely be logged along with the trouble in question? Whatever it may be.

 

1 hour ago, Maz said:

As far as I remember GPDR applies to all ways of storing data and it doesn't matter where this data is stored. Database, text file, mail client or even a printout in a ring binder. So love letters would have to be destroyed on request by the former partner ;)

 

Nah; we already covered this one from Article 2(2)(c):

 

Quote

This Regulation does not apply to the processing of personal data ... by a natural person in the course of a purely personal or household activity

 

Link to post
Share on other sites

Ok so love letters are no problem but a forum admin is not a natural person in the course of a purely household activity.

and:

"(6) ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;"

 

So filing systems can exist in a non-digital form and a private mail program also clearly has functions to access data based on specific criteria. Maybe Ip blacklists in a text file are not covered by this as they are not structured in such a way.

 

 

Quote


 "OK, I'll leave the site, just delete everything about me so we can all forget this ever happened."

You can't do that in real life either.

 

Quote


Again... the GDPR is about the human rights of the 'data subject' ...

Human rights seems a bit exaggerated to me especially in minor cases like ip addresses or first names (or maybe even hair colour). You can't even remove your telephone number from printed telephone books.

Apart from that it's not like admins of websites tend to break their users' privacy all the time. It's not even the big companies like facebook but it's mainly their users who break other users' privacy. I can totally understand that users who "just want to uses the services" tend to blame the systems they use. But as a matter of fact basically everyone who uses e.g. whatsapp has actively broken privacy laws by uploading telephone numbers of other people without asking for their permission first.

 

edit btw.:

 

Quote

Either way, you'd be wise to adhere to the "data minimisation" principle and maybe store their IP/email/whatever as a hash instead (although I can think of a few practical arguments against this).

Hashing ip addresses seems pretty useless to me. There are only roughly 4 Billion ip4 adresses in use so mapping hashes to ip is very easy at least unless the hash alogoritm is unknown to whoever processes the data.

Link to post
Share on other sites
Blaiddmelyn
12 hours ago, Tercy said:

 

 

You don't need to be "a GDPR expert" to know if AVEN is a controller or processor; you read the definitions in the regulation and can clearly see that they apply to AVEN one way or another.

 

 

We covered this one as well. The definition of "personal data" in the GDPR includes data that may indirectly identify a person. As an example, I might make a post in a thread about programming. In another thread, I comment on how it takes forever for my hair to dry because it's so long. In another, I may make a comment about buying something for £80. I comment in another thread that I draw cartoons. Now someone can tie together that I'm a programmer who draws cartoons, probably lives in England and has long hair. As all this information adds up, there comes a point where the right (or wrong?) person would tie it all together and either know who you are (if they already know you) or be well on their way to figuring out who you are.

 

There's another subtle issue: Things like gender, location and hair colour (for example) are clearly covered by the GDPR, but this information extends beyond just labels like "male" and "brown hair." Again, I don't need to post "I live in England" for someone to figure out that I live in England; they could figure that out (with reasonable accuracy) from my use of British English, whining about English weather, etc. One's gender might be inferred (again, with reasonable accuracy) from a post about hating wearing bras/dresses or never being able to find a comfortable position for your testicles when lying down, etc.

 

-

 

Just to reiterate: My stance is that, with there being so much open to interpretation - and when weighing the potential consequences against the simplicity of just installing a script to delete/nullify posts - why even take that risk in the first place? And this is a purely legal/lawful question. There exists also the moral question of, why try so hard to find loopholes that keep you from having to grant the wishes of users regarding their data?

 

... and to add to that, I do find it very amusing that AVEN - a site renowned for its mountains of red tape, policies and processes, pomp and circumstance, legal bubble wrap and such - has opted to take the riskier approach to this issue. 😛 If I were an armchair psychologist, it might almost seem as though AVEN just doesn't like the prospect of now being obligated to do something they so deeply detest being asked to do (hence all the "ffs we're not going to delete your posts so stop asking!" threads over the years) - and now they're just digging their heels in. Pure speculation, of course.

 

It obviously applies as a controller in some contexts. It's not always clear, however. I personally know of one task I do frequently where it is not clear whether I act as a controller or a processor (it's a known ambiguity in my field). I cba to work it out for AVEN in every context though. Law is like that (especially EU law!) - filled with things that seem so obvious that you often don't realise it's not. 

 

Tbh, there probably is an argument for saying that the storing of the data is processing and AVEN the controller of that but not that all forum posts can be personal data. You are  reading way too much into the word indirectly if you think some of what you wrote is caught, though I agree that if you decide to post lots and lots about yourself, you do eventually become identifiable ... though if you've posted that much on a public forum, you might want to ask yourself whether you want to be identified...

 

AVEN's stance is, according to Google, a fairly common one among internet forums. Given the lack of enforcement potential against AVEN as well, I probably wouldn't bother trying to sue them because I probably wouldn't get much out of it (unless they have a GDPR representative, in which case I might give it a shot but I'm not convinced the GDPR catches them with that).

 

What I'm more interested in, having just thought about it, is whether people listing their orientations is a special category of personal data - specifically asexuality. Asexuality arguably isn't a sexual orientation in English law, for example, but it'd be weird for it not to be caught. I might look into that if I get a spare moment.

Link to post
Share on other sites
13 hours ago, Maz said:

but a forum admin is not a natural person in the course of a purely household activity.

 

I'm not sure what this is supposed to suggest or relate to.

 

13 hours ago, Maz said:

So filing systems can exist in a non-digital form and a private mail program also clearly has functions to access data based on specific criteria. Maybe Ip blacklists in a text file are not covered by this as they are not structured in such a way.

 

You could argue that an IP blacklist in a text file falls under the definition of a filing system, but it's irrelevant either way because IP blacklists are at least partly processed "by automated means" (when they're retrieved, enforced, etc) - and this is also covered by Article 2(1).

 

13 hours ago, Maz said:

Human rights seems a bit exaggerated to me

 

I didn't just make this up for dramatic effect; as I said already elsewhere in the thread, this is the EU's stance. There's the argument that the "right to be forgotten" is or should be a human right in itself, but at the very least (again, as far as the EU is concerned) the processing of personal data falls under the "right to privacy" (and possibly the right to protection of personal data).

 

13 hours ago, Maz said:

Hashing ip addresses seems pretty useless to me. There are only roughly 4 Billion ip4 adresses in use so mapping hashes to ip is very easy at least unless the hash alogoritm is unknown to whoever processes the data.

 

There's a few hashing algorithms that are (realistically) protected against rainbow tables. The main issues would really be 1) hashing is expensive; 2) there's the risk of collisions, which runs the (extremely small) risk of false positives; and 3) in the unlikely scenario that someone already knows a given target's IP, they can still match the hash to the IP. None of these are an automatic "oh I'll just do whatever I want then" card; there's ways to minimise the impact and the GDPR expects you to put that effort in.

 

11 hours ago, Blaiddmelyn said:

You are  reading way too much into the word indirectly if you think some of what you wrote is caught,


I can just as easily say you're oversimplifying it. There seems to be this fixed idea in people's minds that "personal data" is strictly easily-digestible identifiers like gender labels and email addresses, like it's the data itself that is relevant. It's not. The importance of the data is what it does - identify a person. Personal data isn't about email addresses, but identifying people using email addresses. If forum posts can be used to identify you in any capacity, why would they not count?

 

And again, people seem to have this completely unfounded misconception that the "right to erasure" is just about having your details deleted from marketing databases. It's not. As aforementioned, it's an extension of your right to privacy i.e. if data being held by an organisation risks infringing on your privacy, you now have recourse i.e. if things you've posted on a forum have the potential to one day intrude on your private life in some capacity, you now have the right to get that data be erased - and AV-- I mean forum admins no longer have the prerogative to just turn around and say "lol fuck your privacy we make the rules and we ain't deleting shiiit."

 

11 hours ago, Blaiddmelyn said:

AVEN's stance is, according to Google, a fairly common one among internet forums.

 

Yeah I did find time to read all the articles, forum posts and such - and much of it isn't just possibly wrong or lingering in the grey zone of subjective interpretation, but objectively wrong. Articles have been posted about all the misinformation coming from all directions - including lawyers. It's frightening just how many posts and articles by people who claim to have "done their research" go on to say things that are just... outright wrong.

 

This is why I prefer referring to the GDPR itself (not just having someone else tell me what they think it says/means); understanding the motives of the EU and the GDPR and what it's all trying to achieve in the first place; and then weighing the effort of playing it safe against the potential consequences of getting it wrong.

 

11 hours ago, Blaiddmelyn said:

Given the lack of enforcement potential against AVEN as well ...

 

Could you elaborate on what you mean by this, where you got this idea, etc?

 

11 hours ago, Blaiddmelyn said:

What I'm more interested in, having just thought about it, is whether people listing their orientations is a special category of personal data - specifically asexuality. Asexuality arguably isn't a sexual orientation in English law, for example, but it'd be weird for it not to be caught. I might look into that if I get a spare moment.

 

I remember all the drama about asexuality not being recognised as a sexual orientation in law, but it would still come under the definition of personal data and probably still "special category data" which ambiguously includes one's "sex life." See also Article 9 and this page from the ICO.

Link to post
Share on other sites


Quote



I'm not sure what this is supposed to suggest or relate to.





If a forum member drops a forum admin (or maybe just another member actually) an email or pm this is not within the scope of "a natural person in the course of a purely personal or household activity" so the admin wouldn't be allowed to keep this mail in a program on his PC and also he wouldn't be allowed to print out such mails or pms and keep them in a ring binder sorted by a certain criterion.




Quote



There's a few hashing algorithms that are (realistically) protected against rainbow tables.





You don't need rainbow tables to search a space that is limited to 4 Billion numbers. For example a good password of proper length hashed only with sha256 is still quite safe even if the attacker knows it's been hashed with sha256 but an ip hashed in the same way could be found on current hardware within 1-2 seconds without using rainbow tables.
 





Quote



There's the argument that the "right to be forgotten" is or should be a human right in itself





"Right to be forgotten" is (hopefully) just a marketing term. First of all there are loads of exceptions to this right even within the scope of the GDPR and also there is no such thing in real life either because it can't be done without burning books or even brain surgery.

Link to post
Share on other sites
23 minutes ago, Maz said:

If a forum member drops a forum admin (or maybe just another member actually) an email or pm this is not within the scope of "a natural person in the course of a purely personal or household activity" so the admin wouldn't be allowed to keep this mail in a program on his PC and also he wouldn't be allowed to print out such mails or pms and keep them in a ring binder sorted by a certain criterion.

 

This would depend on who the data "belongs to" and the context in which it was sent/received, etc. If you send a casual/social PM to an admin on the understanding that it's for them specifically and they make a personal copy of it and the site/organisation/whatever has no policy against staff making personal copies, their personal copy is a... personal copy, taken legitimately, with no dispute over its ownership or status. The more of those provisions you take away (staff being allowed to make copies, the user knowing they're just communicating socially 1-on-1 on a personal level with an individual and not the organisation, etc) the dicier it gets.

 

28 minutes ago, Maz said:

You don't need rainbow tables to search a space that is limited to 4 Billion numbers. For example a good password of proper length hashed only with sha256 is still quite save even if the attacker knows it's been hashed with sha256 but an ip hashed in the same way could be found on current hardware within 1-2 seconds without using rainbow tables.

 

There's hashing algorithms that are (realistically) safe against brute force, too. Bcrypt for example.

 

33 minutes ago, Maz said:

"Right to be forgotten" is (hopefully) just a marketing term.

  

The "right to be forgotten" was the original term/concept as it was being fleshed out; it just got renamed the "right to erasure" for the GDPR. You'll notice it's still in the title of Article 17 in parenthesis. The two are generally seen/treated as interchangeable.

 

46 minutes ago, Maz said:

First of all there are loads of exceptions to this right even within the scope of the GDPR

 

This isn't new information; we've already talked about what is and isn't included/exempt and such.

 

46 minutes ago, Maz said:

and also there is no such thing in real life either because it can't be done without burning books or even brain surgery.

 

Even you must be aware that this is a weak argument. There were several similar points made elsewhere in the thread that I chose to ignore; what is or isn't realistic or enforced in the "real world" is absolutely irrelevant to the discussion or the law.

Link to post
Share on other sites
Quote


This would depend on who the data "belongs to" and the context in which it was sent/received, etc.

I'm not sure how all this relates to property but I guess it get's too complicated here. At any rate GDPR is not only aimed at digital content stored in databases.

 

Quote


There's hashing algorithms that are (realistically) safe against brute force, too. Bcrypt for example.

It can be done of course but your average bcrypt with currently around 100k hashrate per second will still not be safe because of the limited keyspace. So any common method that pops up when you think of hashing will probably be insufficient. The following table is quite interesting to compare hashrates: https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40

 

Quote


Even you must be aware that this is a weak argument. There were several similar points made elsewhere in the thread that I chose to ignore; what is or isn't realistic or enforced in the "real world" is absolutely irrelevant to the discussion or the law.

I meant that especially in relation to the term "right to be forgotten" (and not something more realistic like "right to have your data erased from digital databases not run by authorities or secret services or any individual who had access to the data before") because if you cannot enforce the removal of your data in the real world there is no such thing as a "right to be forgotten".

Btw. if authorities could enforce the removal of basically any content on the net just because it contains data that could be viewed as personal data that would be the exact definition of censorship.
So the term "right to be forgotten" might also be viewed as red herring(?) ("Nebelkerze" is the German term I have in mind) to distract from the fact that authorities and companies (and some individuals) track people in real life all the time (e.g. video surveillance also with the aid of face recognition is ever-increasing) and god knows what really happens with all the data. As soon as your "profile" is stored in the weights of a neural network it doesn't even help that the databases that were used to train the network are deleted. The system will still be able to recognize you. So personal data might break down to something like Joe = a+3+c+4.5+11-y in the near future.

Link to post
Share on other sites
2 hours ago, Maz said:

It can be done of course but your average bcrypt with currently around 100k hashrate per second will still not be safe because of the limited keyspace. So any common method that pops up when you think of hashing will probably be insufficient.


The work factor of bcrypt can be adjusted to determine how long one hash should (approximately) take. You can set it such that it would take (for example) ~1 second per hash - meaning it would take ~120 years to brute force ~4 billion IP addresses. In some circumstances it would even be reasonable to go higher than 1 second per hash.

 

2 hours ago, Maz said:

I meant that especially in relation to the term "right to be forgotten" (and not something more realistic like "right to have your data erased from digital databases not run by authorities or secret services or any individual who had access to the data before") because if you cannot enforce the removal of your data in the real world there is no such thing as a "right to be forgotten".

 

Are we approaching the inevitable "squabble over semantics" portion of the discussion? ;)

 

2 hours ago, Maz said:

Btw. if authorities could enforce the removal of basically any content on the net just because it contains data that could be viewed as personal data that would be the exact definition of censorship.

 

That wouldn't be great, but the GDPR doesn't give governments the ability to have other people's data removed; it gives you the ability to have your own data removed. So I'm not sure where this is coming from either. We also already touched upon the intersection between the right to erasure and the right to expression earlier in the thread.

Link to post
Share on other sites
Quote


You can set it such that it would take (for example) ~1 second per hash -.

Sure but i doubt many servers will still be able to handle requests while simultaneously writing logfiles if the data to be written takes more than one second to be generated ;)

 

Quote


Are we approaching the inevitable "squabble over semantics" portion of the discussion?

Nah, If you more or less agree with the statement "the term right to be forgotten is BS" then we are done ;)

 

Quote


That wouldn't be great, but the GDPR doesn't give governments the ability to have other people's data removed; it gives you the ability to have your own data removed.

I don't know how this will be handled in the UK (bye bye EU soon) or in the US but here in Germany there are at least two problems with this law. First of all the individual can call upon authorities (den "Datenschutzbeauftragten der Länder") if the site owner e.g. does not remove the data. So in the end authorities theoretically get to decide whether data is personal data and whether it will have to be removed. The other much greater problem is that in Germany if you run a business site every competitor has the right to send you something similar to a cease-and-desist order ("Abmahnung") combined with fees (usually somewhere between 300 and 900 Euros) if there are any mistakes in the legal documents you provide online. Also the German implementation of the new law explicitly states that "Gemeinnützige Organisationen" (somewhere between non-profit and charitable organizations?) also have the right to issue "Abmahnungen" (here the fee is limited to about 150 Euros) even if you run a private / non-comercial site. If you don't want to comply you can go to court of course but that will likely cost you thousands of Euros.

Also should you ever repeat the same mistake after you accepted the "Abmahnung" you will have to pay a high penalty (so called "Vertragsstrafe"). So basically that means that if you have any mistake in the documents you provide ("Datenschutzerklärung") or the way you handle requests random people can make you pay for it. The only thing that still stops those people from issuing "Abmahnungen" in a large scale now is the fact that GPDR / DSGVO is written in a way that is totally up for interpretation so first of all courts will have to decide whether certain possible mistakes really constitute the right to issue "Abmahnungen" or not.

Nevertheless at lot of private community sites in Germany have closed because their owners don't want to take the risk while large companies like Facebook could theoretically even pay billions of dollars in penalties and still not comply with the law. I can't help it but I get the feeling this law is aimed at fishing off small buisnesses and privately run sites while sucking money out of some large companies on the way.

Link to post
Share on other sites
Blaiddmelyn

Haha tbh, I feel like this has gotten way too detailed for me - I do enough law during the day without spending my free time doing it too.

 

To summarise:

 

Your reading of indirect is too broad as a matter of law IIRC. What is identifiable is contextual. Provide enough detail and you do eventually become identifiable. Say somethin like "I have green eyes"  by itself and you are not.

 

AVEN is a US body with no assets or legal presence in the EU. Who do you think is enforcing the GDPR against it? And how do you think you're enforcing a claim for damages? It's possible US authorities will help with the former but not certain.

 

Asexuality may be covered by sexual orientation or sex life but it's not 100% clear. I suspect it would be, i'd just be curious to know. 

 

Anyhow, my life is generally happier without thinking about the GDPR, so that's me out. It's a hellish piece of legislation.

 

 

Link to post
Share on other sites
paperbackreader

Wow... This thread has gotten intense since I last had a peek. 

 

Having done a bit more research - pseudomysation (still can't spell this word - but it means deleting username / IP addresses and de-linking posts to those details so that it's not attributable to someone) is an acceptable alternative to 'right to erasure' where in balancing the personal interests of the data subject against the legitimate interests of the organisation, there is a legitimate interest for the organization to keep that information, and there is limited risk of infringements of a person's human rights. 

 

However, there is a duty that the data controller (in this case AVEN) - assesses on a case by case basis whether this is appropriate, and to inform the data subject of the fact that their posts won't be deleted and remind when such a request is being made and confirm again that they have the onus to delete any posts prior to account deletion, and to extend reasonable assistance such as is proportionate to the data subject's rights and freedoms if the user requests for wider deletion. 

 

I think my previous comment was made because I recognise that very often on AVEN, there is discussion and collection of 'special category information' - sexuality, mental health discussions, etc. - It is possible / plausible, to a person that so wishes to and has the foresight to do so, that an enterprising user that has saved posts locally on a computer can work back and use that information to great harm and detriment if they so wish. Or could draw inferences between a group of posts that had not yet been deleted to correctly identify a user. Most of us don't post so much information to make us identifiable, but some (particularly those who post photos... who may later have a serious reason why they need all their posts deleted), do.  

 

What you want to do is to take a nuanced and reasonable approach so that any European or UK resident would decide against having to take legal action against AVEN and go the full whack through the appropriate regulatory body... and not misuse or leak that information out unnecessarily :-)  

 

Side note - there was a case last year where someone argued that submission within an exam script is personal information which was ruled in favour of the exam candidate : http://www.cms-lawnow.com/ealerts/2017/08/data-protection-and-exams-does-an-exam-script-constitute-personal-data 

 

I think my biggest worry is how IP addresses are handled. I seem to recall in summary an altercation regarding release of IP addresses by AVEN to other parties - sharing information like that where there is not a legal reason to do so would be seen negatively, and in another 'all hell scenario' - I would be worried if for example, all admods were able to access IP address details, access that information where there is no legal need to do so (where I've not harassed or conflicted the TOS in any way), where there are no audit trails of who accessed my IP address details, as they could run a check to figure out where I am, start stalking me, or release that information to other people to my detriment... :D all it takes is 1 rogue... 

 

Article 2(2) - item 3 (the completely personal item) is interesting to note though. 

 

On 5/26/2018 at 9:04 PM, Blaiddmelyn said:

In terms of forum posts, I'd think they're only personal data if you could identify someone through what they write. A lot of forum posts won't qualify (the underlying data, like my IP address for example will, clearly). Otherwise, my guess without thinking about it much is that AVEN isn't the controller in respect of my posts - I decided to write this post so it was me who decided what to do with my data, not AVEN. You can only argue they're a controller on the basis that they tell the software company how to process my post - that is a guess though, without me having done proper research into it.

Just wanted to say - this isn't really true - you are the data subject, AVEN is defo the controller (they decide how your data is being used on the site), but you have, by using the forum and accepting the terms of service, consented to your data being posted on the site. :-) 

 

47 minutes ago, Maz said:

I can't help it but I get the feeling this law is aimed at fishing off privately run sites and sucking money out of some large companies on the way.

I kinda think the same but the converse; that the emphasis is on governance and limiting unfair competitive advantage of large organisations - and also a little bit to improve (read : fine!) privately run sites.

Link to post
Share on other sites

"fishing off" should be read as "finishing off" ;)

I don't think many privately run sites will continue if they are really fined. It's just not worth the hassle.

Link to post
Share on other sites
Yatagarasu

As an EU citizen, GDPR is good in theory, but pretty much nonsense in practice.

Link to post
Share on other sites
hopeisnotlost

@Tercy (laughing) Remind me never to get into a debate with you.

Link to post
Share on other sites

Ever since this update AVEN keeps crashing. Will somebody finally dignify us lowlifes with some information as to what the heck is going on? Thank you.

Link to post
Share on other sites
Blaiddmelyn
1 hour ago, timewarp said:

Ever since this update AVEN keeps crashing. Will somebody finally dignify us lowlifes with some information as to what the heck is going on? Thank you.

Presumably, it's AVEN's way of protesting against the havoc the GDPR has wrought. First they're starting with this forum, using us as test subjects, but they'll branch out soon. This has the dual effect of being an effective protest and ensuring everyone has heard of asexuality. It's genius!

 

Link to post
Share on other sites
  • 1 year later...
On 5/24/2018 at 5:28 AM, Coleslaw said:

Should a member desire to have their account removed in order to have their email & IP record deleted from our servers, they now have that option.

I scanned all the options I have under my account, and I wasn't able to find the option to delete my account. So how one may do that?

Link to post
Share on other sites
32 minutes ago, Vila said:

I scanned all the options I have under my account, and I wasn't able to find the option to delete my account. So how one may do that?

Send a message to a moderator or admin and we’ll get on that for you :) 

Link to post
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...