GDPR discussion thread

#1
I have read some of the old threads on the upcoming law concerning GDPR.
And some of my developers want to rush the upgrade from our 1.5.9 to XF 2.0 due to this.

A number of the addons we use are still work in progress when it comes to XF 2.0 support, so I would prefer to wait a while and begin with an update to 1.5.17 first.

Or do they have a point that to avoid problems with GDPR we should upgrade to 2.0 before the end of May?
 

snoopy5

Well-known member
#2
Hi,

I hope this is the correct forum to discuss this.

As some of you might know, starting on 25 May 2018, there will be a new law in Europe regarding data protection, privacy etc. It is called

General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)

https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

This new law applies to all EU countries and also regulates how newsletters have to be handled by website and online shop owners (i.e. double opt-in, unsubscription links without logging in, using external providers like Mailchimp etc.).


At the moment, XF1.5x does not offer a functionality to unsubscribe from the site mailings or the normal thread subscriptions without being forced to log in. So starting on 25 May, we would not be allowed anymore by law to use XF1.5x, to put it in an extreme scenario here.

Also those of you, who use external email services outside of the EU, like Mailchimp et alii, need to change the subscription page and the data protection privacy page.

With this new European law, it is not allowed to use external email providers located outside of Europe if the user does not agree to this specifically (data protection, because privacy law in the US is not as restrictive as in Europe).

So if you use Mailchimp et alii to send out your newsletter or thread subscriptions, you need an additional confirmation from each user who subscribes to your newsletter or subscribes to thread notifications, plus the changes in your privacy/data protection information page.

The question is now, what shall those admins do who still need to run XF1.5x and cannot upgrade yet to XF2.x? (XF2 offers the unsubscription via a link without being forced to log in.)

Will Xenforo offer a XF1.5x-fix for this to be in line with European law?

I mean, if not, all XF1.5x versions are useless in Europe since nobody wants to get sued for that by the competition ;)

Here are some links in German from German lawyers, to give more information on this. I do not have the time to research this also in English:

https://www.it-recht-kanzlei.de/newsletter-datenschutzgrundverordnung-dsgvo.html

https://www.datenschutzbeauftragter-info.de/newsletter-mit-einem-klick-abbestellen-muss-das-sein/

https://drschwenke.de/mailchimp-newsletter-datenschutz-muster-checkliste/


The deadline is in 10 weeks. We need a solution asap.
 

snoopy5

Well-known member
#3
As a side note:

This law was adopted on 27 April 2016. It becomes enforceable from 25 May 2018, after a two-year transition period. Why nobody here raised that yet or Xenforo did not fix this yet is a surprise for me.

Unlike a directive, this law does not require national governments to pass any enabling legislation and so it is directly binding and applicable.
 

snoopy5

Well-known member
#5
No, that thread is only about the postings inside of a forum. I am talking about all emails we send out of our forums and how the user is able (technically) to unsubscribe from these emails.

The question regarding the forum content can be handled with the current features. You need a very good terms of use which every user has to confirm while registering. The rest can be made manually, if you are "covered" by good ToU.

But the above mentioned feature to easily "unsubscribe" is only a question of a pure technical execution. Actually a very simple request. But it is now mandatory by law. So we cannot ignore it.

Technically it should be easy to implement this into the code of XF1.5.x
 

DragonByte Tech

Well-known member
#6
I am not a lawyer, but my research has thus far been unable to conclusively prove that one-click unsubscribe is required by law.

The GDPR does state a "right to be forgotten", which states that businesses must honour any request for deletion of personal information (which, to my understanding, includes email subscriptions), so long as the storage of this information is not required (e.g. for tax purposes).

If my understanding is correct, that means that one-click unsubscribe is not required, although not having it may cause you to receive spam complaints and/or replies to your subscription emails asking you to unsubscribe the recipient. Failure to honour such requests will subject you to the fines as per the GDPR.

For the record, I am not saying it is fine to not have one-click unsubscribe - I am merely saying that I do not believe webmasters will be immediately subjecting themselves to legal action if they do not implement it on their XF 1.5 forums.


Fillip
 

Slavik

XenForo moderator
Staff member
#7
As far as I am aware this only applies if you are not using the inbuilt XenForo email options to send out marketing style communications and wouldn't apply to the more applicable use of notifications.
 

dutchbb

Well-known member
#8
My host contacted me and stated they would draft up a privacy statement to comply with the new law. As far as I can see there is nothing more to do with standard use of XenForo.
 

snoopy5

Well-known member
#9
As far as I am aware this only applies if you are using the inbuilt XenForo email options to send out marketing style communications and wouldn't apply to the more applicable use of notifications.
According to the German lawyers (linked in my first posting) it is applicable to everything that gets send into the Inbox of the user.

I am not a lawyer, but my research has thus far been unable to conclusively prove that one-click unsubscribe is required by law.
The German lawyers see it differently. A one-click unsubscribe is mandatory. If you have more than one newsletter, or like in the case of XenForo where you have the site mailings from the admin plus the thread subscriptions, the "one-click" requirement can be done like it is done in XF2.x. See screenshot:

[Screenshot: unsubscribe_without_login.jpg]

You click on a link in the email and then you get to a landing page where you tick which emails you do not want to have in the future. In both options, you do not need to log in for anything. This is the requirement.
 

snoopy5

Well-known member
#10
My host contacted me and stated they would draft up a privacy statement to comply with the new law. As far as I can see there is nothing more to do with standard use of XenForo.
If you get sued, is he paying the bill?

He is not responsible for the emails YOU send out.
 
#12
Quoting from the link given above, since you speak German:
Newsletter management
In this constellation it is better to speak of newsletter management rather than newsletter cancellation. In cases of a differentiated declaration of consent for specific newsletters, it is therefore correct, when a user unsubscribes from a specific newsletter, to ask the user to log into their user account and remove the corresponding check marks themselves.
And this is exactly what XenForo does. It's a personalized newsletter which requires you to log in.
 

dutchbb

Well-known member
#14
If you get sued, is he paying the bill?

He is not responsible for the emails YOU send out.
No, but the new law states you need to have an adjusted privacy statement for the storage of personal information.

Those emails are NOT the same as a normal email subscription/newsletter. The difference is that these are personal for own use and you can only get these by having an account (on my forum). So for privacy reasons you can only disable them by logging in, else anybody with access to a member's email account could disable them.
 
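The XF2 flow described in #9 (a link in the email leads to a landing page where mailings are ticked off, no login) and the objection in #14 (anyone with access to the member's mailbox could act on that link) both come down to what the link is allowed to do. The following Python is an added illustration, not XenForo's code and not a description of how XF2 actually implements it: an HMAC-signed token bound to one user, to unsubscribe-only scopes and to an expiry, so that possessing the link lets someone stop mailings and nothing else. The secret key, scope names and user ids are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side secret for this illustration; a real site loads it from config.
SECRET_KEY = b"example-only-secret-do-not-reuse"
# Mailing categories a member may opt out of through the emailed link (constructed names).
UNSUBSCRIBE_SCOPES = {"site_mailings", "thread_alerts"}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsubscribe_token(user_id, scopes, ttl_seconds=30 * 86400, now=None):
    """Return a URL-safe token that authorises nothing but unsubscribing this user."""
    now = time.time() if now is None else now
    payload = {"uid": user_id, "scopes": sorted(scopes), "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_unsubscribe_token(token, now=None):
    """Return the payload if the token is authentic, unexpired and in scope, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so a forged signature cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # malformed base64 or JSON (binascii.Error is a ValueError)
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) < now:
        return None
    if not set(payload.get("scopes", [])) <= UNSUBSCRIBE_SCOPES:
        return None
    return payload


def handle_unsubscribe(prefs, token, chosen, now=None):
    """Landing-page handler: clear only the opt-ins the token permits, with no login."""
    payload = verify_unsubscribe_token(token, now)
    if payload is None:
        return False
    allowed = set(payload["scopes"])
    user_prefs = prefs.setdefault(payload["uid"], {})
    for scope in chosen:
        if scope in allowed:  # choices outside the token's scope are ignored
            user_prefs[scope] = False
    return True
```

Because the token cannot be replayed for anything except clearing mailing opt-ins, the worst a mailbox intruder can do with it is stop the member's emails, which is the same outcome as replying "unsubscribe me" from that mailbox.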

snoopy5

Well-known member
#15
No, but the new law states you need to have an adjusted privacy statement for the storage of personal information...
These are two separate things. The newsletter and the privacy statement. You have to do both!

And if you use external providers like Mailchimp, you should adjust the privacy statement even more.

...

Those emails are NOT the same as a normal e-mail subscription/newsletter. The difference is that these are personal for own use and you can only get these by having an account (on my forum). So for privacy reasons you can only disable them by logging in, else anybody with access to a member's e-mail account could disable them.
Sorry, but the law sees it differently. They do not care why you send that mass mail or how nice and individual you do it. It is a mass mail/newsletter sent to more than a few recipients. Therefore it has to follow the new rules ;)

Quoting from the link given above, since you speak German:


And this is exactly what XenForo does. It's a personalized newsletter which requires you to log in.
You try to mix this now. This is part of a discussion whether there is any chance to have arguments not to follow these new rules. But the lawyers say it is technically possible to unsubscribe even with more than only one newsletter without being forced to log in, and this is why we now have to offer this also without login. Same as XF2 is offering that now too.

I am sorry, I am not a lawyer. I just give here hints that we have a huge problem with XF1.5 soon. Please make your own research for English speaking articles.

I trust the German lawyers. There is no reason not to believe this.

I know it is easier to sugarcoat that, but this does not resolve the problem.
 

Slavik

XenForo moderator
Staff member
#16
I am sorry, I am not a lawyer. I just give here hints that we have a huge problem with XF1.5 soon. Please make your own research for English speaking articles.
Which I have, and none of them state a 1-click opt-out is mandatory. In fact I believe the requirements are worded along the lines of "unsubscribing must not be more difficult than subscribing". Which, given when landing on a standard XenForo install, the process would be

1) "Click sign up/login"
2) Click "create account" radio
3) Click sign up
4) Fill out 6 form fields
5) Click the rules tickbox
6) Defeat Captcha
7) Click sign up
8) Check emails
9) Confirm account


Unsubscribing is

1) Click unsubscribe link (takes you to login page for the site preferences)
2) Login if needed
3) Change preferences
4) Save


Or even simpler

1) Reply to email asking to be unsubscribed (as site owners will have to monitor the mailbox for these type of emails afaik)


In fact:

https://ico.org.uk/media/about-the-...-consent-guidance-for-consultation-201703.pdf

Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place
Also,

Make it easy for people to withdraw consent at any time they choose. Consider using preference-management tools.
Such tools would be behind a login for obvious reasons.

*edit* there does seem to be some ambiguous wording also

This means the process of withdrawing consent should be an easily accessible one-step process.
I think people are confusing a 1-step process with a 1-click.

My take on this and what the rest of that document is saying is that unsubscribing shouldn't be a multi-step process.

Eg, logging in and changing your email preferences would be 1 step.

However, logging in and changing the preferences, then having to confirm by having to check and click a confirmation link in your emails, would be 2 step.

The key point being, if it required 1 click, it would very specifically say this in the documentation, it doesn't.
 

snoopy5

Well-known member
#17
I do not think that it is good advice that we now try to find interpretations whose only goal is that we feel good about doing nothing.

Neither you nor I are lawyers. I linked to articles written by lawyers who tell us what will happen if a case like this gets to the court. Of course we can now put our head in the sand and wait and pray that this will not happen to us.

I honestly do not understand why we have to discuss things like this now for a very long time instead of investing that time and coming up with a fix in a few days. I am asking for nothing dramatic. Why this habit of avoiding any kind of future conflict with the law just because you need 1-2 days to change the code?

What kind of business sense is this?

If XF tries to guarantee me that I am not getting in conflict with EU law, after I have shown that German lawyers do think this will happen, why not make a case, hire a lawyer specialized in this and let him make here a statement which is legally binding and covers my ass?

I do not post these things here because I am bored and have nothing to do. I post it because I fear that I risk getting fined in the future. Do you really think that a judge in the court will say: You are not responsible, the developers of XenForo told you not to worry, so we close the case without any fine?

Wake up.

This law is like any other law written in broader terms to have room for a case by case interpretation. So you will not find examples for everything like you write a code. For this there are lawyers. Important is the intention the EU wants to put on this. And a Judge will always make judgement in line with the intention of that law.

I quote here a German lawyer in one of the linked articles above:

https://www.it-recht-kanzlei.de/newsletter-datenschutzgrundverordnung-dsgvo.html

"...
What is new, however, is the obligation of shop operators to comply with the "simplicity requirement" (Simplizitätsgebot). .....


...In the context of newsletter advertising, the simplicity requirement should probably be sufficiently satisfied by appending a dedicated "unsubscribe link" to the end of every mail, the mere activation of which halts the data processing..... "

Simple broad translation:

"New (in this law) is the "simplicity-legal-requirement".....

...Regarding newsletters that means that this request for simplicity is/seems to be fulfilled if an unsubscribe link is provided in every email and with the simple click on that link, the unsubscription is executed....."

I do not know what to discuss here further if it is so clear.

In 95% of all newsletters nowadays, the standard is to have an unsubscribe link at the bottom of each email and with a click on that you can unsubscribe without login. Every judge will have this as the benchmark. No matter how you try to argue.

If simplicity is the key, just do it instead of wasting time with discussing what non-lawyers do think. You could do it with XF2. So simply do it now also for XF1.5x and no one gets hurt. Simple as that.

In XF1.5x we have neither an unsubscribe link, nor do we have an unsubscription process without login. So just do it to be in line with the law.
 

Slavik

XenForo moderator
Staff member
#18
Well that's the beauty of the law isn't it :) It is strangely open to interpretation.

That particular section when translated by google comes back different to your version:

"Withdrawal
As in German data protection law, the data subject must also be able to revoke the consent given at any time according to the GDPR (Art. 7 (3) GDPR). She must be informed of her right of withdrawal before the consent is given. The newsletter subscriber must therefore be informed before his submission of his right of withdrawal.
What is new, however, is the obligation of the shop owner to comply with the "Simplicity bid". This means that the revocation of consent must be "as simple as the granting of consent". For example, it would be inadmissible if a company were to designate a specific contact person for consent and consent can only be revoked against it (see Ernst in: Paal / Pauly Data Protection Basic Regulation 2017, Art. 7 DSGVO No. 17).
In the context of newsletter advertising, the simplicity requirement should probably be adequately taken into account by the fact that each e-mail is ultimately provided with its own "unsubscribe link", the mere manipulation of which restricts data processing."

Given the context in which the rest of the article speaks of the newsletter however, it would appear to be referring to newsletters signed up by those simple 1 box enter your email sign ups that they should be 1 click unsubscribe also. This wouldn't apply to a XenForo account.

Given the documents I can read, in English, if a 1 click unsubscribe was *required* by law, it would be in black and white, no open to interpretation written down as exactly that. Not have 39 pages discussing various issues and acceptable solutions / implementation with 1 footnote suggesting a 1 click opt out.

Either way it seems we are at an impasse of the issue. At this stage I would suggest you may need to look at getting it custom coded if you believe 1 click is required.
 

snoopy5

Well-known member
#19
Hi Slavik,

the text I quoted is the same as you did with Google. The newsletter needs to have an unsubscribe link and the process has to be done with the click on it.

In law we cannot assume, just because it was not written word by word in the original law text, that it is not necessary ;)

The reason why there is not much information about that specific point (unsubscribing from newsletters) is because de facto all newsletters nowadays offer that link already. So why write an article about it, if that is already in place in every newsletter?

If you look closer into it, users of XenForo software actually never subscribe to newsletters. We slip them the newsletter while they are registering into a discussion forum. There is no way with XenForo to show a checkbox during registration and ask them whether they want to have that newsletter or not.

So we are even worse at the moment with XF1.5x and definitely not in line with the law applicable in May ;)

I even do not know whether XF2 has this option, which will be mandatory now in May.

It is cheap to say, let's do this with an addon. I mean I paid for XF and the software does not reflect current legal requirements. Why pay for an addon to fix this?

For XenForo it can get even worse: What if suddenly more and more webhosters start to blacklist XenForo software because it is not in line with the current law?

As you know, the GDPR requires that you also make sure that each other firm you work with respects the GDPR too. So it is not unlikely that the webhosters will not allow XF1.5x installations on their servers anymore, just to cover their own back...

Can you imagine that reputational risk for XenForo? Just because XF wants to avoid a few hours of coding?

Is this risk worth it?
 