UK Online Safety Regulations and impact on Forums

[ForumFan]

Forums actually closed down because of GDPR? I know there was discussion about it and XenForo made it clear that the software itself easily allowed GDPR compliancy (e.g. in regard to cookie notice, deleting accounts)

Definitely I know some sites that stopped offering services to EU members.

Yep... Because of GDPR and similar laws, my forum automatically rejects anyone from those countries (IP address).

. This could be a bit like that with instant knee-jerk reaction to "something foreign"

Nope. It's not that it's "foreign." It's that it's legally binding for starters... for anyone "offering services" to citizens (subjects?) in those countries... even if the company / forum isn't located there. I "aint got time for that!" My forum is entirely financially and administratively supported by just me. And I have a "day job."

Secondly, it's a principled stand for me. I pledged an oath and my life to defend the US Constitution, which includes Freedom of Speech. I'm simply not going to deign to comply with laws or rules that contradict my principles. I understand that my position may perplex or even offend those who cannot relate to such Freedom.

And puh-leeze... with the straw man "pedo" arguments.

 

[smallwheels]

I think that any site that has received GDPR requests or complaints over the years, will probably also receive OSA requests or complaints.

Not really. I get GDPR requests regularly but never an OSA one. The annoying bit about GDPR requsts is that at least in my forum they are often used by people who do a rage quit of the forum after being moderated for massive misbehaving. And in 99% of the cases these requests on behalf of GDPR are not covered at all by GDPR. We are already very good in the field of privacy on our forum, so GDPR is not much of an issue. But people that demand wild things based on being illinformed and have a phantasy interpretation of GDPR are sometimes.

I know some sites that stopped offering services to EU members.

Yes, it has become a rare occurence, but in the beginning websites, especially from the US often did block any visits from within the EU and with some this is still the case.

Forums actually closed down because of GDPR?

Yes, a bunch of. As @Arantor said for many it may have just been the final nail in the coffin but in the end for most it was a decission if they were willing to carry the risk and extra effort tied to it in a situation of high uncertaincy that led most companies in the EU to year-long projects of huge effort to implement the requirements of GDPR properly and an ongoing effort with loads of buerocracy on top of that. Given the potential consequences in penalty many said instead: "I'm done."
In hindsight it may sometimes have been an overreaction given the real world practice of penalizing as it turned out, but before that GDPR and it's implemenation created a hysteria and until know, years later, the potential for being punished harshly persists as does the uncertaincy about what is ok and what is not.

I know there was discussion about it and XenForo made it clear that the software itself easily allowed GDPR compliancy (e.g. in regard to cookie notice, deleting accounts)

My personal opinion is that in regards of cookie notice and other information duties in regards of GDPR XF is not sufficiently compliant from factory but one can change that (and has to). The cookie notice may be enough if you do not have add ons or 3rd party embeds in your forum but only what stock XF allows. The only halfway safe option here is possibly to go for a 3rd-party service for the cookie notice (that ironically would often cost more per month as the license for XF). The information duties you have to write the data protection policy and TOS yourself anyway.

 

[Mr Lucky]

And puh-leeze... with the straw man "pedo" arguments.

I apologise I did mention it once but I thought I got away with it It seemed relevant when the regulations seem to be very much aimed around CSAM as a priority.

Don’t forget the record-keeping as well.

Is there record keeping beyond the risk assessment (and updating it), I started reading that and almost lost the will to live.

 

[Arantor]

Give over, I wasn't suggesting they were. Rather, if a forum does those things, they have cause to worry. A properly managed bike forum has no need to worry about legislation designed to combat the disgusting things above.


You seem the worrying kind, I'll let you do the worrying for me

They have plenty of reason to worry otherwise, since a bike forum with disgruntled members who think death threats are fine will very likely not be too far away from posting material that does contravene the stated guidance. Such folks could well post it via PM then make a complaint about it, just to make a complaint. Wouldn’t be the first time legislation gets weaponised with censorial side effects.

 

[Arantor]

I get GDPR requests regularly but never an OSA one

Bit hard to get legislative requests for a law that hasn’t gone fully into force yet.

 

[lazy llama]

Is there record keeping beyond the risk assessment (and updating it), I started reading that and almost lost the will to live.

It's definitely not easy reading, especially the way it's presented with Proposal/Responses/Decision for each section.

From the Governance doc I linked to previously,
Written records have to be kept for at least 3 years. Records must be kept of Risk Assessments and

Service providers must make and keep a written record of each measure that is taken or in use as described in the Code of Practice. As set out in the RK&RG, this should:
a) provide a description of the measure in question;
b) identify the relevant Code of Practice; and
c) give the date that the measure takes effect.

 

[Alpha1]

I get GDPR requests regularly but never an OSA one.

It will take time before OSA rights will become common knowledge and members / readers become aware of it.
We barely got any GDPR requests in the first year of it, but then year after year it increased. Now I when I open my board there likely are one or two waiting. And most of them expect all their posts deleted, which is not covered by the GDPR at all.
I suspect users will start making OSA requests once they have become aware of their new rights and our new obligations. Or at least their understanding of it.

That's probably some years down the road as the OSA is still a work in process. I wonder if they will use the risk assessments that they receive to create new guidelines and regulations to cover those risks.

Ofcom is quite vague and just refers to illegal content and mentions only broad topics. As if any mention of said topics is illegal. Reading the law itself does clarify quite a bit, as it defines quite clear what type of content they consider illegal content. However, the variables are so many that it seems impossible to amend site rules without blanket banning those broad topics. For example if a site allows discussion of the topic of any kind of weapons and caters to UK users, then all sections in article 14 to 22 and the provisions these refer to apply. It seems to me that he easiest solution is to completely ban any talk about the whole broad topic of arms. And it seems the same for any of those broad topics listed as illegal topics.

https://www.legislation.gov.uk/ukpga/2023/50

I think for communities outside of the UK, its best to dump / avoid .co.uk domains or UK based servers that could mean to situate the site in the UK.
I wonder if XFCloud automatically falls under the scope of OSA or not.

 

[JamesBrown]

They have plenty of reason to worry otherwise, since a bike forum with disgruntled members who think death threats are fine will very likely not be too far away from posting material that does contravene the stated guidance. Such folks could well post it via PM then make a complaint about it, just to make a complaint. Wouldn’t be the first time legislation gets weaponised with censorial side effects.

Oh well, best follow the bike forum's lead and pack it all in then.

 

[Mr Lucky]

Oh well, best follow the bike forum's lead and pack it all in then.

Yes, it'll save all the concern and impatience over xenForo 2.4

 

[smallwheels]

And most of them expect all their posts deleted, which is not covered by the GDPR at all.

Exactly, that's the most common example in our forum as well.

I think for communities outside of the UK, its best to dump / avoid .co.uk domains or UK based servers that could mean to situate the site in the UK.

As the act refers to users from the UK but not to hosting location or domain name and is intended to have woldwide reach in theory this seems to be too relevant - apart from having domain and hosting outside the national legislative of the UK could be an adavantage in case the going gets tough. We do have a handful (literally, probably not more then ten at max.) users from the UK. In fact I am only aware of one and ahe does not even have British nationality. So I have no worries to ignore the thing completely, the more as nothing it wants to prevent is in the target area of our forum or would be common behaviour in it anyway (rather the opposite).

 

[ForumFan]

I apologise I did mention it once but I thought I got away with it

No worries. It was another poster's comment that I saw bringing it up along with "how to harm yourself."

It reminds of the fallacious argument, "If you have nothing to hide, you shouldn't object (to unreasonable censorship, search, seizure, imposition, onerous regulation, etc)."

 

[Arantor]

Oh well, best follow the bike forum's lead and pack it all in then.

I’m waiting for the actual guidance to finish coming out before I make any decisions of any kind. My experience of dealing with UK law is that they publish the laws, then realise how unworkable they are, then publish guidance on how to actually comply that is really fudging the issues (but that you can cite because it’s their guidance)

 

[zappaDPJ]

I’m waiting for the actual guidance to finish coming out before I make any decisions of any kind. My experience of dealing with UK law is that they publish the laws, then realise how unworkable they are, then publish guidance on how to actually comply that is really fudging the issues (but that you can cite because it’s their guidance)

To add to that, Ofcom has made it clear in huge print on the Act's main page;

'This is just the beginning'​

At this stage it seems a little pointless to start implementing measures to satisfy a half-baked, moving target.

 

[Arantor]

satisfy a half-baked, moving target

This has been my experience for the last 18 months dealing with a different part of UK legislation and it nearly drove me mad trying to implement a compliant solution.

Though, to be fair, the solution for that market is the only one on the market and I expect it to remain so for some time, to the point that I don't imagine many others will even try because the legislation had no actual basis in reality.

 

[Suzanne O]

To add to that, Ofcom has made it clear in huge print on the Act's main page;

'This is just the beginning'​

At this stage it seems a little pointless to start implementing measures to satisfy a half-baked, moving target.

Or you set it up in your rules and say that you don't tolerate these behaviours and post up the link.
Then you also set up your age based limit and post up the link to Australian laws on why it is the case.
Just so you cover your butt so it doesn't get kicked by both governments

 

[Arantor]

Or you set it up in your rules and say that you don't tolerate these behaviours and post up the link.
Then you also set up your age based limit and post up the link to Australian laws on why it is the case.
Just so you cover your butt so it doesn't get kicked by both governments

Just because you are subject to Australian law does not make the rest of us so.

 

[zappaDPJ]

So today I copied part of a headline from The Guardian news website to get more information on a subject via a Google search which returned multiple pornographic images some of which I'd describe as borderline illegal (in the UK).

This is just one of so many grey areas I've encountered while researching the Act and in this case something I stumbled upon quite by accident. How will Google or any search engine be able to comply with the Act without removing a huge amount of search results?

 

[Arantor]

So today I copied part of a headline from The Guardian news website to get more information on a subject via a Google search which returned multiple pornographic images some of which I'd describe as borderline illegal (in the UK).

This is just one of so many grey areas I've encountered while researching the Act and in this case something I stumbled upon quite by accident. How will Google or any search engine be able to comply with the Act without removing a huge amount of search results?

It will be handwaved through once someone works out the infeasibility of it.

Did I mention I’ve been working with other recent legislation from the UK govt? I should also mention that the relevant body does not even comply with its own legislation as when it came time to do so, it’s engineering team threw their hands up with “this isn’t possible to comply with”, so they don’t. (It’s not true, it is possible but it’s ungodly hard and there are many good reasons why you shouldn’t, but the literal enforcement body of the legislation has quietly said it can’t be done and so they don’t. Just everyone else has to. I don’t want to get into specifics publically for the usual reason that it’s tied to my work and I don’t want to bring that down on my head.)

This legislation having a similarly large gotcha in no way surprises me.

 

[eaststandboy]

Jumping on this. There has been no update from OFCON since Dec.

I am hoping the scope is changed to not apply to communities under x k users.

 

[hdrcweb]

I am the webmaster for a large bike club based in the UK, we have a very popular forum but this may have to be shutdown due to this new legislation, an 85 page risk assest document and someone has to put thier name down as being the responsible forum owner, I doubt anyone will be willing to do this and I don't have the time to fill in an 85 page document.