Can they sue if you ban?

Bengie

Participant
Joined
Jan 9, 2016
Messages
63
I depends where you are, you can sue anyone for anything in the US, it's the national pastime to sit around the table thinking
up who someone can sue and for how much.

Material on a forum always remains the copyright of the writer.
 

User042321

Neophyte
Joined
May 6, 2017
Messages
0
You can't be sued for banning a user but if the member has requested you remove their personally identifiable information (PII) you must adhere to data protection laws such as GDPR. Failure to do so could result in a fine from the regulator.

we_are_borg is suggesting if you do ban a member it's generally best not to enter into any further dialogue with them.
Is it possible to request a delete account and PII removal without being banned?
 

zappaDPJ

Administrator
Joined
Aug 26, 2010
Messages
7,741
Is it possible to request a delete account and PII removal without being banned?

The short answer is no. Removing PII in accordance with most interpretations of GDPR would automatically remove the member's ability to log in.
 

User042321

Neophyte
Joined
May 6, 2017
Messages
0
The short answer is no. Removing PII in accordance with most interpretations of GDPR would automatically remove the member's ability to log in.
Say like a user is banned so they request all PII to be removed and owner complies over and finished with
So why can't a regular user say ok had enough of forums, don't want to use them anymore, so can you delete my account and of course all PII, thanks
Zappa my question is why do banned users have the right to request a PII removal yet a regular user not banned can't? Doesn't make sense
 

zappaDPJ

Administrator
Joined
Aug 26, 2010
Messages
7,741
Zappa my question is why do banned users have the right to request a PII removal yet a regular user not banned can't?

I think there's been a misunderstanding. Every member regardless of status (banned or not) has the right to request the removal of their PII. However a previously banned member will have a hard job making their request known because they are already banned from accessing the forum. Also the removal of a member's PII will automatically ban them.*

*Under most interpretations of GDPR a username, email address and IP (where linked to other PII) all need to be removed if a PII removal request is made. Removing that information stops the member from accessing the forum.
 

User042321

Neophyte
Joined
May 6, 2017
Messages
0
I think there's been a misunderstanding. Every member regardless of status (banned or not) has the right to request the removal of their PII. However a previously banned member will have a hard job making their request known because they are already banned from accessing the forum. Also the removal of a member's PII will automatically ban them.*

*Under most interpretations of GDPR a username, email address and IP (where linked to other PII) all need to be removed if a PII removal request is made. Removing that information stops the member from accessing the forum.
Sorry to do this
Can I close my account and have all PII removed please
Thanks Zappa
 

Oh!

Adherent
Joined
Oct 1, 2020
Messages
289
I think there's been a misunderstanding. Every member regardless of status (banned or not) has the right to request the removal of their PII. However a previously banned member will have a hard job making their request known because they are already banned from accessing the forum. Also the removal of a member's PII will automatically ban them.*

*Under most interpretations of GDPR a username, email address and IP (where linked to other PII) all need to be removed if a PII removal request is made. Removing that information stops the member from accessing the forum.
Hi Zappa,

Actually, (per GDPR) there can be a legitimate interest in retaining data to enforce a ban. So, for example, a member was banned for stalking behavior, for a DOS attack, threats, or anything else considered serious enough to warrant a ban might well qualify as legitimate interest exception. On the other hand, a ban simply because he's a Bieber fan - probably not a legitimate interest.
 

Pete

Flavours of Forums Forever
Joined
Sep 9, 2013
Messages
2,113
Yes, there are clauses around retaining such information for your own security purposes. I did at some point dig out which specific clauses there were but that information has been lost to time in the space of my brain.
 

zappaDPJ

Administrator
Joined
Aug 26, 2010
Messages
7,741
Hi Zappa,

Actually, (per GDPR) there can be a legitimate interest in retaining data to enforce a ban. So, for example, a member was banned for stalking behavior, for a DOS attack, threats, or anything else considered serious enough to warrant a ban might well qualify as legitimate interest exception. On the other hand, a ban simply because he's a Bieber fan - probably not a legitimate interest.
I agree there are exemptions although my understanding is they generally don't kick in until the national or public interest becomes greater than the interests of the individual. That's obviously a rather broad interpretation that might include your scenarios. It's one of a number of areas of the GDPR that seem a little vague to me.

On the other hand the banning of Beliebers is an unquestionable certainty :)
 

we_are_borg

Administrator
Joined
Jan 25, 2011
Messages
5,700
If you ban someone you have a legitimate interest to keep info in your system to enforce the ban. So like name and email, it would be better if only the website owner would have access to this information. But forum software does not provide this function.
 

truthingtotruth

Aspirant
Joined
Jan 26, 2015
Messages
151
Please excuse another intrusion into this discussion, but I am a bit on the confused side with that information that a website owner cannot have exclusive access to a file containing a former active member's name and email address. Might it be okay for me to ask for some clarification?

For example, what (which) forum software are you referring to?

Thank you.
 
Last edited:

Oh!

Adherent
Joined
Oct 1, 2020
Messages
289
I agree there are exemptions although my understanding is they generally don't kick in until the national or public interest becomes greater than the interests of the individual. That's obviously a rather broad interpretation that might include your scenarios. It's one of a number of areas of the GDPR that seem a little vague to me.

On the other hand the banning of Beliebers is an unquestionable certainty :)
HI Zappa,

Actually, no, that's not what defines 'legitimate interest'. Legitimate interest for keeping data can include enforcing a ban. Though, I expect, only bans for non-trivial reasons. You will note that the likes of Twitter enforce bans and even monitor for surreptitious returns of those previous banned. You better believe that if Twitter were not allowed to do this, they already would have been fined by the EU for breaching the GDPR.



Granted, there is nothing specific in the above - but it is deliberately framed that way. But if someone is so disruptive to operations, or threatening violence, or is a security risk, etc., the platform surely has the right to try to prevent the reoccurrence of such problems. Indeed, any reasonable user (or regulatory) body are likely to agree that the platform has the right to protect its operational interests and those of its wider membership from harm.
 

Oh!

Adherent
Joined
Oct 1, 2020
Messages
289
If you ban someone you have a legitimate interest to keep info in your system to enforce the ban. So like name and email, it would be better if only the website owner would have access to this information. But forum software does not provide this function.
This is correct; only those with the need to access such information should be able to access it. Very early on in managing my hobby forum (SMF), I removed the ability for Admins to to download the database. I also denied the ability of moderators to manage the ban list, thus removing their ability to view member email and IP addresses. Only Admins can access such data. I did all this many, many years ago, long before the GDPR.
 

Oh!

Adherent
Joined
Oct 1, 2020
Messages
289
Please excuse another intrusion into this discussion, but I am a bit on the confused side with that information that a website owner cannot have exclusive access to a file containing a former active member's name and email address. Might it be okay for me to ask for some clarification?

For example, what (which) forum software are you referring to?

Thank you.
It will depend upon the forum software. I believe that with SMF, for example, there is no way to prevent forum Administrators from accessing such data. I take the view that there is probably little reason to have Administrators at all if they could not access that kind of data and systems. But then again, my forum Admins are either personally vetted (in the real world) either by me or an existing Admin, so I feel very confident about them.
 

zappaDPJ

Administrator
Joined
Aug 26, 2010
Messages
7,741
But if someone is so disruptive to operations, or threatening violence, or is a security risk, etc., the platform surely has the right to try to prevent the reoccurrence of such problems. Indeed, any reasonable user (or regulatory) body are likely to agree that the platform has the right to protect its operational interests and those of its wider membership from harm.

Having endured years of grief dealing with a stalker with very bad intentions I can only agree but from experience gained talking to the ICO and a firm of GDPR & Data Protection Lawyers this seems at odds with the received advice. I guess there's a possibility we could be talking apples and oranges because in our case there is a lot more than just a forum involved.

Just to be clear, are you saying it's within the regulations to retain information for the purposes described in addition to an IP?
 

Pete

Flavours of Forums Forever
Joined
Sep 9, 2013
Messages
2,113
I would tend to argue that keeping around some details of people who need to be banned is a requirement to be able to satisfy Article 23 in as far as restricting the rights of data subjects to have their data purged. Art. 23 1(i) gives you a specific avenue for 'curtailing the freedom of one for the purposes of protecting the rest' which for stalkers is your obvious avenue. That said, I'd generally argue that Art 23, 2(d) gives you some coverage for general prevention of abuse.

I've had a few run-ins and this has so far shown to be adequate in our specific cases; YMMV.
 
Top