GDPR - What does it mean for the forum owner?

we_are_borg

Administrator
Joined
Jan 25, 2011
Messages
5,604
If you ban someone then you'll need two things in your user agreement: you must make clear that people can get banned; this should already be in it anyway because this was no different under old laws. When you ban someone indefinitely or for x months then you have a legitimate interest to keep the record to identify that person, else you can't remove people from your website. So you can still have a blacklist for a day, month, year to infinity if needed. The x months is more for logs etc. like IP address and other stuff. You'll need to look into consent and legitimate interest for GDPR and then write the stuff. People need to think first, then write stuff, and to remember that with GDPR less is more. It seems that people want to continue on the old foot instead of thinking privacy first.
 

Isil`Zha

Aspirant
Joined
Jan 18, 2015
Messages
33
If you ban someone then you'll need two things in your user agreement: you must make clear that people can get banned; this should already be in it anyway because this was no different under old laws. When you ban someone indefinitely or for x months then you have a legitimate interest to keep the record to identify that person, else you can't remove people from your website. So you can still have a blacklist for a day, month, year to infinity if needed. The x months is more for logs etc. like IP address and other stuff. You'll need to look into consent and legitimate interest for GDPR and then write the stuff. People need to think first, then write stuff, and to remember that with GDPR less is more. It seems that people want to continue on the old foot instead of thinking privacy first.

Well, I have no interest in maintaining any of this information except as it applies to being able to effectively manage my forum. I have no problem removing information like real names, etc. Though even that can get questionable in terms of reasonable ability. For instance, all the various times people may have quoted or said something in some random post somewhere. Our forum has 17 years of history and 31 million posts. There's no reasonable way we can comb through the entire thing for any potential time someone quoted or referenced the user that wants their personal information removed.

IPs and "other stuff" (cookies, device info, agent information that's usually part of troubleshooting logging anyway) is a piece needed to maintain any bans, or other things. I cannot predict what users will do. I may need an IP from a year ago when a user tries to make another account out of the blue, for instance.
 

we_are_borg

Administrator
Joined
Jan 25, 2011
Messages
5,604
The personal information is only what makes their profile; if they post personal information it would not matter because they made it public. The profile is what you as site owner ask for. So you do not need to comb through all those posts, but be aware that if another makes an address public you'll need to act, same as now really; you do not want addresses and so on on your site to begin with.

IP and other stuff for bans is acceptable to maintain the ban; that is legitimate interest. As for an IP from a year ago, that is an excuse to keep the information and is weird because most IP addresses change over time.

The more I read what you write the more I see that you do not want to alter the course of your site; you want to keep going like before the 25th of May 2018. You can block the EU but do not forget to remove the information of persons of the EU because so long as you have them you are still liable if something happens to it.
 

Tracy Perry

Opinionated asshat
Joined
May 25, 2013
Messages
5,010
them you are still liable if something happens to it.
I still have a serious doubt whether people in other countries are subject to a law that they had no input into, that they have no physical presence in areas controlled by and have never consented to.
Going to be an interesting one to watch how many countries outside the EU decide to BS them (the EU) down.
 

Isil`Zha

Aspirant
Joined
Jan 18, 2015
Messages
33
The personal information is only what makes their profile; if they post personal information it would not matter because they made it public. The profile is what you as site owner ask for. So you do not need to comb through all those posts, but be aware that if another makes an address public you'll need to act, same as now really; you do not want addresses and so on on your site to begin with.

This is one of the parts I'm getting conflicting information. From my understanding, anything that can personally identify them should be removed. I don't have issue with blanking out the profile.

IP and other stuff for bans is acceptable to maintain the ban; that is legitimate interest. As for an IP from a year ago, that is an excuse to keep the information and is weird because most IP addresses change over time.

I've long lost count of the number of banned users trying to get back in with an IP from a year ago, or more likely, trying to make another account for one reason or another (usually to get around a temp ban.) That being said, we don't keep them for an eternity, but 1 year we definitely get legitimate matches on banned users.

The more I read what you write the more I see that you do not want to alter the course of your site; you want to keep going like before the 25th of May 2018. You can block the EU but do not forget to remove the information of persons of the EU because so long as you have them you are still liable if something happens to it.

Well, yes, I would like to be able to continue enforcing bans with all tools at my disposal to do so. The other parts we'll change for, and I'm working on getting any updates and tools installed to make the process of anonymizing an account quick and easy. Any scenarios I've presented regarding banned users that weren't GDPR hypotheticals are from real issues we deal with. Worst comes to worst, then we'll probably stop accepting any new EU registrations, while honoring requests to remove profile information; this really hinges on whether we really can't keep things like IPs or cookies for more than a month or two.
 

we_are_borg

Administrator
Joined
Jan 25, 2011
Messages
5,604
I still have a serious doubt whether people in other countries are subject to a law that they had no input into, that they have no physical presence in areas controlled by and have never consented to.
Going to be an interesting one to watch how many countries outside the EU decide to BS them (the EU) down.

The problem is that it has not yet been tested in court, so until then we do not know 100% for sure. But do you want to be the one going to court about it? Even if it's a test case, the penalty is still something you'll need to undergo. Another issue is the US making laws that impact the EU; do you expect us to follow them? The one with Iran is a good example: the US embargoes Iran again and the rest of the world needs to follow, else you get fines in the US or do no business at all. The EU is now doing the same thing.
 

we_are_borg

Administrator
Joined
Jan 25, 2011
Messages
5,604
This is one of the parts I'm getting conflicting information. From my understanding, anything that can personally identify them should be removed. I don't have issue with blanking out the profile.

Well, it's explained to me like that, because like you say if you have a large forum where most posts are not moderated I could slip in personal information and then complain to the ICO (UK) or AP (Netherlands). But let's ask Maddox what his take is on this.

I've long lost count of the number of banned users trying to get back in with an IP from a year ago, or more likely, trying to make another account for one reason or another (usually to get around a temp ban.) That being said, we don't keep them for an eternity, but 1 year we definitely get legitimate matches on banned users.

You can still keep information for banned users because if you do not your site will get issues, so you have a legitimate interest in keeping those. But for a normal user that hasn't done anything you need to make sure you do not keep that information for long; how long is up to you but you'll have to explain why. This is only for normal users, not banned users.

Well, yes, I would like to be able to continue enforcing bans with all tools at my disposal to do so. The other parts we'll change for, and I'm working on getting any updates and tools installed to make the process of anonymizing an account quick and easy. Any scenarios I've presented regarding banned users that weren't GDPR hypotheticals are from real issues we deal with. Worst comes to worst, then we'll probably stop accepting any new EU registrations, while honoring requests to remove profile information; this really hinges on whether we really can't keep things like IPs or cookies for more than a month or two.

Again, please read: for banned users you can still keep that information, else your site will get issues. It's about normal users that have done nothing at all, so they visit daily, weekly, monthly etc. but are welcome on your site. Those are the ones that need privacy first.
 

Tracy Perry

Opinionated asshat
Joined
May 25, 2013
Messages
5,010
Another issue is US making laws impact the EU do you expect us to follow them.
If the EU located business has a presence here in the US, then yes I do expect them to comply. Same as I would a US business with a location in the EU. Internet availability ≠ physical presence in the EU.
The EU is not bound by MANY (in fact, MOST) US laws (only ones it agreed to by treaty).... if it was, then it wouldn't be the EU now would it?

The one with Iran is a good example US embargo Iran again and the rest of the world needs to follow else you get fines in the US or do no business at all.
Yep... and they have a choice... either do business with Iran and not do business with the US or do business with the US and not Iran. That's not forcing compliance with a law... it IS giving the business an option with the understanding if you try to do both you will be fined. I keep seeing you repeating that and it's like comparing apples to oranges - they are NOT the same thing. See, this is how it works... those that get fined have a physical presence in the US.... otherwise any fines would not apply. Those businesses are given a choice to decide where they can make more money. I guarantee you that many of those businesses that do no business with the US and are doing business with Iran are not being fined.
Hell, the EU is doing everything in its power to PROTECT Iran from the US's sanctions - if the EU doesn't like it, they can quit doing business in the US.
Most of Joe Normal doesn't buy anything that comes in from the EU. It's only the upper middle and higher classes that buy that type of stuff (MB cars, BMW, etc). Most of the "good ole boys" still drive a US branded vehicle or Japanese (Toyota Tundra/4Runner is popular in this neck of the woods).

It's really amazing how everyone got along fine before the big globalization push started. That's what happens when you attempt to make one country dependent upon another..... get into a little pissing match and it can blow up and then it affects everyone.

EDIT:
Here's something applicable to what you were talking about:
Consistent with Section 218 of TRA, section 8 of E.O. 13846 continues in effect the sanctions previously contained in section 4 of E.O. 13628 and expands them to cover activity sanctionable under E.O. 13846 (see FAQ 601). This provision prohibits a U.S.-owned or -controlled foreign entity from knowingly engaging in any transaction, directly or indirectly, with the GOI, or any person subject to the jurisdiction of the GOI, if that transaction would be prohibited by certain Executive orders prohibiting trade and other dealings with, and investment in, Iran and blocking the GOI and Iranian financial institutions, or any regulation issued pursuant to the foregoing (including the Iranian Transactions and Sanctions Regulations, 31 C.F.R. part 560 (ITSR)), if the transaction were engaged in by a United States person or in the United States. Civil penalties for the U.S.-owned or -controlled foreign entity’s violation of Section 8, attempted violation, conspiracy to violate, or causing of a violation shall apply to the U.S. person that owns or controls such entity to the same extent that they would apply to a U.S. person for the same conduct.
from here.
 

Maddox

Habitué
Joined
Jul 29, 2016
Messages
1,251
It's been a while since I visited this thread, so if I am reading this correctly the issue is around retaining data to enforce bans. If that is the case then you have a legitimate interest in retaining whatever data is required to enforce that ban. There are no time limits for this, as a legitimate interest can be applied for as long as you are running a forum. As long as the data you retain is not visible to others and it is treated with the same respect for privacy, then there is no problem.

Convert any threads to a guest or random username and delete anything that could identify that person as an individual that is visible and that's as much as you need to do. You do have to be careful about declaring a legitimate interest and extra care must be taken to not allow that data to fall into someone else's hands.

THIS LINK (CLICK HERE) explains legitimate interest in more detail - bear in mind this is how the ICO in the UK interpret it.

;)
 

we_are_borg

Administrator
Joined
Jan 25, 2011
Messages
5,604
Maddox thanks for the links.

Also, what was the article? If a data subject makes his own private information public, under what does it fall then?
 

mysiteguy

Migration Expert
Joined
Feb 20, 2007
Messages
3,172
The problem is that it has not yet been tested in court, so until then we do not know 100% for sure. But do you want to be the one going to court about it? Even if it's a test case, the penalty is still something you'll need to undergo. Another issue is the US making laws that impact the EU; do you expect us to follow them? The one with Iran is a good example: the US embargoes Iran again and the rest of the world needs to follow, else you get fines in the US or do no business at all. The EU is now doing the same thing.

Companies with a physical presence in the USA, or are majority owned or controlled by USA individuals/companies, are subject to the sanctions, and are not allowed to do business with companies which do business with Iran. That is different from the scope of GDPR.
 

Tracy Perry

Opinionated asshat
Joined
May 25, 2013
Messages
5,010
bear in mind this is how the ICO in the UK interpret it
And therein lies another problem with this so-called law. Apparently it can be interpreted by each country differently. Last time I looked, that's not what a law was - it was a specified requirement that must be met by ALL member states/parties (citizens).
 

Tracy Perry

Opinionated asshat
Joined
May 25, 2013
Messages
5,010
Companies with a physical presence in the USA, or are majority owned or controlled by USA individuals/companies,
Can't let the facts get in way of sensational news clips/bites now. ;)

That's what the links I provided reflect (especially the FAQ). It was fairly clear on who it applied to - but I'm sure that the news services over across the pond have stated it applied to everyone that does business with Iran, while in fact it deals with US controlled/owned businesses not being allowed to do business with one that does business with anyone dealing with Iran in trade. We get back to the earlier post I made... those businesses will have to decide where the profit lies (long term) - either in doing business with the US or doing business with Iran and possibly having to deal with UN sanctions coming back into play (doubtful, as the UN is so far left leaning now that it puts the Tower of Pisa to shame).
 

we_are_borg

Administrator
Joined
Jan 25, 2011
Messages
5,604
And therein lies another problem with this so-called law. Apparently it can be interpreted by each country differently. Last time I looked, that's not what a law was - it was a specified requirement that must be met by ALL member states/parties (citizens).

Yes, that is an issue; until it goes to court, then the court asks the EU court for guidance, and at that point it counts for the whole EU.
 

we_are_borg

Administrator
Joined
Jan 25, 2011
Messages
5,604
And that's ass-backwards... need I say more?

Same as in the US: the normal court says A, then the supreme court says B, etc. Same as the EU, only here the normal court can ask for guidance straight away; they do not need to sentence first and then go to another court.
 

Tracy Perry

Opinionated asshat
Joined
May 25, 2013
Messages
5,010
Same as in the US: the normal court says A, then the supreme court says B, etc. Same as the EU, only here the normal court can ask for guidance straight away; they do not need to sentence first and then go to another court.
No, the courts don't determine how each state implements it. It is written as law and THEN the applicability of it is challenged. The law is written to apply to ALL states.... they don't get to determine by each one how it applies to them. One ring to rule them all..... one law to bind them.

And now that we are on that point... it sure does look like the "rights" that are "given" by the EU are somewhat skewed. You would think that an overall governmental authority would have jurisdictional authority in all of its member "states" (which most would call countries).
If those in the EU REALLY wanted to go full tilt boogie, let them give up their nationality (nation status) and become full fledged members of the EU under a basis similar to how the US federal government is over the individual states. They wouldn't even have to call them states... they could call them provinces... but their overall control would be under the EU. I know many in the EU hierarchy would be creaming their drawers if they could do that.
 

Isil`Zha

Aspirant
Joined
Jan 18, 2015
Messages
33
You can still keep information for banned users because if you do not your site will get issues, so you have a legitimate interest in keeping those. But for a normal user that hasn't done anything you need to make sure you do not keep that information for long; how long is up to you but you'll have to explain why. This is only for normal users, not banned users.

Again, please read: for banned users you can still keep that information, else your site will get issues. It's about normal users that have done nothing at all, so they visit daily, weekly, monthly etc. but are welcome on your site. Those are the ones that need privacy first.

There are a few caveats to our rules that still make this necessary to enforce the rules. For instance, in most cases we do not permit new account registrations from VPNs/proxies. However they may use one after signing up. We also do not permit creating multiple accounts. This has resulted in a few odd circumstances where non-banned members create sockpuppet accounts to argue with or agree with themselves or cheat at forum games. The only useful IP match would be the registration IPs, which could be quite old.

It's been a while since I visited this thread, so if I am reading this correctly the issue is around retaining data to enforce bans. If that is the case then you have a legitimate interest in retaining whatever data is required to enforce that ban. There are no time limits for this, as a legitimate interest can be applied for as long as you are running a forum. As long as the data you retain is not visible to others and it is treated with the same respect for privacy, then there is no problem.

Convert any threads to a guest or random username and delete anything that could identify that person as an individual that is visible and that's as much as you need to do. You do have to be careful about declaring a legitimate interest and extra care must be taken to not allow that data to fall into someone else's hands.

THIS LINK (CLICK HERE) explains legitimate interest in more detail - bear in mind this is how the ICO in the UK interpret it.

;)

Ah thank you! This is exactly what I was looking for. An authoritative source (rather than speculation or interpretation) that presents the following:

The GDPR does not have an exhaustive list of what purposes are likely to constitute a legitimate interest. However, the recitals do say the following purposes constitute a legitimate interest:

  • fraud prevention;
  • ensuring network and information security; or
  • indicating possible criminal acts or threats to public security.

Emphasis mine. We have no desire to use IP/device information for anything other than running the forum, and we already have strict policies on never sharing this information with anyone outside of staff. As far as being able to run and police your own forum goes, it looks like we'll be okay to maintain that information strictly for that purpose.
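As an added example (not code from any poster in this thread, and not any forum software's real schema), the retention rule the thread settles on can be written down as a script: IP history is purged after a fixed window for members who are not banned, kept for as long as a ban is in force, an erasure request blanks the profile and replaces the username with a random guest name while leaving a banned member's IP evidence in place, and a registration-time check looks up other accounts registered from the same IP (the sockpuppet match Isil`Zha describes). The table layout, the 365-day window and the sample rows are assumptions constructed for the example; the addresses are from documentation ranges.

```python
import secrets
import sqlite3
from datetime import datetime, timedelta

# Hypothetical minimal forum schema (an assumption for this example, not any
# real forum software's tables). Timestamps are ISO-8601 strings so plain
# string comparison orders them correctly.
SCHEMA = """
CREATE TABLE users (
    id              INTEGER PRIMARY KEY,
    username        TEXT NOT NULL,
    email           TEXT,
    real_name       TEXT,
    registration_ip TEXT,
    banned_until    TEXT    -- NULL = not banned; '9999-12-31' = permanent ban
);
CREATE TABLE ip_log (
    user_id INTEGER NOT NULL,
    ip      TEXT    NOT NULL,
    seen_at TEXT    NOT NULL
);
"""

PERMANENT = "9999-12-31"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def is_banned(conn, user_id, now):
    """True while the user's ban is still in force at time `now`."""
    row = conn.execute("SELECT banned_until FROM users WHERE id = ?", (user_id,)).fetchone()
    return row is not None and row[0] is not None and row[0] > now.isoformat()


def apply_retention(conn, now, keep_days):
    """Purge ip_log rows older than keep_days for members who are NOT currently
    banned. Rows of banned members stay for as long as the ban runs (the
    legitimate interest is enforcing the ban). Returns the number of rows deleted."""
    cutoff = (now - timedelta(days=keep_days)).isoformat()
    cur = conn.execute(
        """DELETE FROM ip_log
            WHERE seen_at < ?
              AND user_id NOT IN (SELECT id FROM users
                                   WHERE banned_until IS NOT NULL AND banned_until > ?)""",
        (cutoff, now.isoformat()),
    )
    conn.commit()
    return cur.rowcount


def anonymize_user(conn, user_id, now):
    """Erasure request: blank the profile and replace the username with a random
    guest name. A banned member keeps the ban and the IP evidence needed to
    enforce it; anyone else loses their IP history too."""
    guest = "guest_" + secrets.token_hex(4)
    conn.execute(
        "UPDATE users SET username = ?, email = NULL, real_name = NULL WHERE id = ?",
        (guest, user_id),
    )
    if not is_banned(conn, user_id, now):
        conn.execute("UPDATE users SET registration_ip = NULL WHERE id = ?", (user_id,))
        conn.execute("DELETE FROM ip_log WHERE user_id = ?", (user_id,))
    conn.commit()
    return guest


def accounts_registered_from(conn, ip):
    """Registration-time duplicate check: ids of accounts registered from this IP."""
    rows = conn.execute("SELECT id FROM users WHERE registration_ip = ? ORDER BY id", (ip,)).fetchall()
    return [r[0] for r in rows]


def seed_demo(conn):
    """Constructed sample data (not real users or addresses); returns the reference time."""
    now = datetime(2018, 6, 1)

    def ago(days):
        return (now - timedelta(days=days)).isoformat()

    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "troll", "t@example.net", "T. Roll", "203.0.113.5", PERMANENT),  # permanently banned
        (2, "alice", "a@example.net", "Alice A.", "198.51.100.7", None),     # in good standing
        (3, "alice2", "a2@example.net", None, "203.0.113.5", None),          # registered from troll's IP
        (4, "bob", "b@example.net", None, "192.0.2.1", "2018-05-01"),        # ban already expired
    ])
    conn.executemany("INSERT INTO ip_log VALUES (?, ?, ?)", [
        (1, "203.0.113.5", ago(400)), (1, "203.0.113.9", ago(30)),
        (2, "198.51.100.7", ago(400)), (2, "198.51.100.8", ago(10)),
        (3, "203.0.113.5", ago(5)),
        (4, "192.0.2.1", ago(400)),
    ])
    conn.commit()
    return now


if __name__ == "__main__":
    db = open_db()
    t = seed_demo(db)
    print("purged rows:", apply_retention(db, t, 365))
    print("accounts from 203.0.113.5:", accounts_registered_from(db, "203.0.113.5"))
    for uid in (1, 2):
        name = anonymize_user(db, uid, t)
        kept = db.execute("SELECT COUNT(*) FROM ip_log WHERE user_id = ?", (uid,)).fetchone()[0]
        print(f"user {uid} becomes {name}, ip_log rows kept: {kept}")
```

Run as a nightly job, apply_retention is what turns the "how long is up to you but you'll have to explain why" window into something enforceable: the window is one number in one place, and the exception for banned members is in the query rather than in a staff member's memory. The expired ban (user 4) is treated like a normal member, so once a temporary ban lapses the legitimate-interest argument for the old IP rows lapses with it.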
 

Maddox

Habitué
Joined
Jul 29, 2016
Messages
1,251
And now that we are on that point... it sure does look like the "rights" that are "given" by the EU are somewhat skewed. You would think that an overall governmental authority would have jurisdictional authority in all of it's member "states" (which most would call countries).
If those in the EU REALLY wanted to go full tilt boogie, let them give up their nationality (nation status) and become full fledged members of the EU under a basis similar to how the US federal government is over the individual states. They wouldn't even have to call them states... they could call them provinces... but their overall control would be under the EU. I know many in the EU hierarchy would be creaming their drawers if they could do that.

This is what the EU is aiming towards - a United States of Europe; just another reason I voted to leave lol. I also believe this is another reason why a lot of member 'states' are now having second thoughts; the idea was probably a reasonably good one, but the implementation sucks bigtime.

;)
 