Upcoming changes for GDPR compliance in XF1 and XF2

Status
Not open for further replies.
The General Data Protection Regulation (GDPR) is soon upon us. But, what is it? Does it apply to your site? How can XenForo help you with compliance in the key areas of the regulation? This "Have you seen" thread will aim to clear up some of these questions, and give you a preview of what is coming up in XenForo 1.5.20 and XenForo 2.0.6.

What is the GDPR?
The GDPR is a European Union (EU) regulation that has been designed to protect the data and privacy of EU residents. It strengthens and replaces existing data protection acts/directives and becomes enforceable from 25th May 2018. The primary aim is to give control to EU residents over their personal data and unify regulation within the EU.

But I'm not an EU resident...
That may be true, but with over half a billion residents in 28 member states, it's a fairly reasonable expectation that at some point you will have an EU resident register on your forum and they will indeed be protected by this regulation and breaches of the regulation can bring penalties and fines against you, whether you're an EU resident, or not. Even so, data protection and privacy will be important to every one of your members, regardless of their country of origin.

How can we help?
Depending on your interpretation of the guidelines and how you specifically use your members' data, there isn't much more to add to help you comply with these regulations. That said, this would be a pretty boring post without some new things to show you so we will explain some of the new features below and how they help you, as a data controller, to comply with the regulations.


Individual rights

Right to erasure
ICO said:
Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
Unfortunately, erasure does not relate to a 1980s pop duo but instead it relates to the inevitability that at some point, one of your members may want to leave your forum and in doing so, may want to have their personal data removed. This is also known as the "right to be forgotten".

Of course XenForo has always allowed you to delete members via the Admin CP, and this approach is still recommended, but this has traditionally left their content attributed to them. You have always been able to work around this by changing the user's name prior to deleting the user. Although we're not at this stage looking to totally remove the user's content, we are making it easier to anonymise a deleted user's content.

1525459818167.webp


When deleting a user, you will now be given the option to just delete them (as now) or change their name before deleting them. You can choose the pre-defined text (which is the content of the deleted_member phrase in your language, followed by their user_id) or change it manually to whatever name you prefer.


Right to data portability
ICO said:
The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller.
Technically, under certain laws in certain countries, the right for a user to request a copy of any personal information held by a data controller has always been necessary. The main difference now is that the information should be provided to the data subject in a machine readable format.

Starting with the next release, it will be possible for admins to generate an XML file containing a user's personal information, including those entered in custom user fields. The XML file produced can be imported into any other XF1 or XF2 forum running an appropriate version.


Right to be informed
ICO said:
  • You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
  • You must provide privacy information to individuals at the time you collect their personal data from them.
  • You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.
XenForo already has functionality to enable you to edit your terms and rules, provides you with tools for you to create a privacy policy (help pages, page nodes) and present that information when they are registering. In the next releases we are somewhat expanding these features.

The first step is to start providing a default privacy policy, via a help page, similar to how we also provide a default terms and rules page. If you already have a privacy policy URL, we will continue to link to this. If you do not, then we will start displaying the new default policy link in the appropriate places. After upgrading, if you do not want or need a privacy policy then you can disable it in options.


Lawful basis for processing

Consent
ICO said:
  • Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
  • Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
  • Keep evidence of consent – who, when, how, and what you told people.
On a similar subject to the previous "Right to be informed" section, consent must apply to things such as the privacy policy and terms and rules. In XF2 we already seek this consent if you have a privacy policy or terms and rules URL configured. In XF1, however, we only did this if a terms and rules URL was configured. In XF2, there was no checkbox to consent to these, but in XF1 there was.

There are obvious inconsistencies there, so in the next releases we have taken a more consistent approach during registration:

Screen Shot 2018-05-05 at 00.35.42.webp


We already make it possible for a user to opt-in to or opt-out of receiving site emails using the "Receive site mailings" option under "Preferences", which can of course be set or un-set by default for new users under Options > User registration. That preference remains, though we have changed its name slightly. We've also added a new admin option (again, under "User registration") to enable you to show that preference on registration:

Screen Shot 2018-05-05 at 01.24.52.webp


To enable you to keep evidence of consent, we will log the consent date for acceptance of the terms and rules and privacy policy in the "User change log". We will also log if a user chooses to explicitly opt in to receiving emails.

In the current version, user change logs are only kept for a period of 60 days (by default) so we have made changes here to ensure that certain change logs are "protected". These protected entries are never pruned and they are displayed differently in the log (denoted by the left feature border):

Screen Shot 2018-05-05 at 01.36.34.webp


In these releases, we are also making it possible to ask users to re-accept terms and rules or privacy policies. Because we provide the ability to use any URL as your terms or privacy policy, and because the default policies are editable by changing phrases or templates, the most explicit approach to triggering re-acceptance is having a specific page for each under Communication > Help in the Admin CP:

Screen Shot 2018-05-05 at 02.01.04.webp


Screen Shot 2018-05-05 at 02.02.19.webp


Once you click "Save" any users will be prompted to re-accept the respective policy. They will not be able to continue using the site until they do. If you use the default page then the policy will be displayed on the page:

Screen Shot 2018-05-05 at 02.09.08.webp



Cookies
ICO said:
The rules on cookies are in regulation 6. The basic rule is that you must:
  • tell people the cookies are there;
  • explain what the cookies are doing and why; and
  • get the person’s consent to store a cookie on their device.
We have, for many years, shown a notice to users on their first visit explaining that cookies will be set. This notice was only shown on the very first page load before it disappeared. This should be fine, in most cases, though we've decided to make some improvements for the next release to make the usage of cookies more clear, and to require the notice to be dismissed:

Screen Shot 2018-05-05 at 02.21.08.webp


Interestingly, this notice doesn't appear as a block notice at the top of the page, and it doesn't appear in the bottom right corner as a floating notice. Instead, we've created an entirely new position called "Fixed". This notice position is actually fixed at the very bottom of the page and full width (similar to the inline mod bar). You can even use this position for any notice you create.

The default help page for cookies has been expanded with more detailed information about what cookies are set, and why.


And that brings us to the end of this GDPR-centric Have you seen thread!

Due to the fairly large number of changes in these releases, we will first be releasing beta versions on Tuesday 8th May which will be available to all customers with an active license, while aiming for a final and stable release on Tuesday 22nd May.

As ever, with Have you seen threads, please post any suggestions in the suggestion forum (one thread per suggestion).
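
The protected change-log behaviour described in the post above, sketched as an added example (not part of the original post and not XenForo's code): consent entries are flagged when written, and the 60-day prune skips flagged rows. The table, column and field names are hypothetical, and the sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 60  # default change-log retention mentioned in the post

# Hypothetical field names for the consent events the post says are logged:
# terms acceptance, privacy policy acceptance, explicit e-mail opt-in.
PROTECTED_FIELDS = {"terms_accepted", "privacy_policy_accepted", "email_opt_in"}

# Hypothetical schema, not XenForo's real table layout.
SCHEMA = """
CREATE TABLE change_log (
    log_id    INTEGER PRIMARY KEY,
    user_id   INTEGER NOT NULL,
    field     TEXT    NOT NULL,
    old_value TEXT,
    new_value TEXT,
    edit_date INTEGER NOT NULL,  -- Unix timestamp, UTC
    protected INTEGER NOT NULL DEFAULT 0 CHECK (protected IN (0, 1))
);
"""


def open_log():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def log_change(db, user_id, field, old, new, when):
    """Record a change; consent evidence is flagged at write time."""
    protected = 1 if field in PROTECTED_FIELDS else 0
    db.execute(
        "INSERT INTO change_log "
        "(user_id, field, old_value, new_value, edit_date, protected) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (user_id, field, old, new, int(when.timestamp()), protected),
    )


def prune(db, now):
    """Delete entries past retention, never touching protected rows."""
    cutoff = int((now - timedelta(days=RETENTION_DAYS)).timestamp())
    cur = db.execute(
        "DELETE FROM change_log WHERE edit_date < ? AND protected = 0",
        (cutoff,),
    )
    return cur.rowcount


def consent_evidence(db, user_id):
    """Return the who/when/what record kept for a user's consent."""
    rows = db.execute(
        "SELECT field, new_value, edit_date FROM change_log "
        "WHERE user_id = ? AND protected = 1 ORDER BY edit_date, log_id",
        (user_id,),
    ).fetchall()
    return [
        (field, value, datetime.fromtimestamp(ts, tz=timezone.utc).isoformat())
        for field, value, ts in rows
    ]


def demo():
    db = open_log()
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    old = now - timedelta(days=90)  # older than the retention window
    # Constructed sample rows for a hypothetical user 42.
    log_change(db, 42, "terms_accepted", "", "1", old)
    log_change(db, 42, "privacy_policy_accepted", "", "1", old)
    log_change(db, 42, "timezone", "Europe/London", "Europe/Paris", old)
    log_change(db, 42, "email_opt_in", "0", "1", now - timedelta(days=1))
    log_change(db, 42, "signature", "", "hello", now - timedelta(days=1))
    pruned = prune(db, now)
    remaining = db.execute("SELECT COUNT(*) FROM change_log").fetchone()[0]
    return pruned, remaining, consent_evidence(db, 42)


if __name__ == "__main__":
    print(demo())
```

Only the 90-day-old timezone change is pruned; the equally old consent rows survive because the flag, not the age, decides.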
 
Still a manual job, if you feel it is necessary to do so to comply.
We like to get the quotes and mentions in line with the current account name, as it helps avoid confusion (especially for newer users). I would think it is more important for GDPR compliance, as that would be the only remaining trace of an old account on our forums. I'll have to make a note of that for the staff so we remember to take care of it.
 
Great news. As always, the XenForo team are looking after us.
FYI @Chris D in the Google webinar I watched on Thursday last, they said quite specifically that if a user is deleted, their Google Analytics data must be deleted also. Quite how that person is identified, I don't know, but Google are adding that facility soon if not already.
Isn't that being a little unreasonable, expecting us to sift through all that data to find a needle in a haystack? I'm not quite as worried about the fallout since we are not EU-based (I mean, seriously, how can they legally ever go after someone in a country they have zero jurisdiction in?), so I'm not even going to worry about it. I have yet to see any Google Analytics data that shows me an individual person--all I see are summaries of visits over the years.

No big deal here, though. I'll update XF, add a minimal GDPR notice to our privacy policy, and be done with it.
 
Isn't that being a little unreasonable, expecting us to sift through all that data to find a needle in a haystack? I'm not quite as worried about the fallout since we are not EU-based (I mean, seriously, how can they legally ever go after someone in a country they have zero jurisdiction in?), so I'm not even going to worry about it. I have yet to see any Google Analytics data that shows me an individual person--all I see are summaries of visits over the years.

No big deal here, though. I'll update XF, add a minimal GDPR notice to our privacy policy, and be done with it.

Unfortunately, it is not so easy. And, as long as you have European users, they do have jurisdiction. Your options are to either comply or block Europe.
 
If you have a legitimate interest in retaining their account details (for example to log troublesome users or enforce a 1 account policy) then you do not have to delete an account either.
Could you expand on this?

We do have a one-account policy, and we are also concerned about banned users returning.

If someone comes to us and says, 'You have to delete my account because of GDPR', then what could we tell them as grounds for not doing so? Is there a passage that addresses this?
 
Could you expand on this?

We do have a one-account policy, and we are also concerned about banned users returning.

If someone comes to us and says, 'You have to delete my account because of GDPR', then what could we tell them as grounds for not doing so? Is there a passage that addresses this?

It seems to me that keeping a list of banned users is OK. Keeping their profiles is probably not unless you absolutely need to know their style in order to re-ban them or if it is somehow relevant (E.g., fraud and scamming).

However, your "one-account policy" is likely not at all grounds for refusing to delete an account on its own.
 
We like to get the quotes and mentions in line with the current account name, as it helps avoid confusion (especially for newer users). I would think it is more important for GDPR compliance, as that would be the only remaining trace of an old account on our forums. I'll have to make a note of that for the staff so we remember to take care of it.
So do you do this whenever a member changes their username?

It feels wrong to edit other members' posts in order to satisfy the whims of some prima donna member who left in a huff.
 
However, your "one-account policy" is likely not at all grounds for refusing to delete an account on its own.

Your source? Because I have it straight from the ICO that maintaining a user's account with basic details such as the username and email is acceptable and reasonable.
 
Btw how can someone request a deletion of his account and at the same time prove he is in the EU?
Anybody can use a proxy these days, having an EU IP doesn't make you a citizen of the EU.
When someone requests a deletion, can we ask for proof that they are EU citizens, and unless they prove it, we won't do anything?
 
Your source? Because I have it straight from the ICO that maintaining a user's account with basic details such as the username and email is acceptable and reasonable.

The last time I consulted with a lawyer. It's unnecessary identifying information and I wouldn't personally risk it if you don't have to. You can totally keep a ban list. But, flat out refusing to delete emails and usernames when they have done nothing wrong generally does not seem to be a sound choice.
 
The last time I consulted with a lawyer. It's unnecessary identifying information and I wouldn't personally risk it if you don't have to. You can totally keep a ban list. But, flat out refusing to delete emails and usernames when they have done nothing wrong generally does not seem to be a sound choice.
About usernames.. What if Slavik demanded you delete his account and all content associated with it (when he never posted any personal information like address, phone number, etc.. all of his posts were just discussions) on your forum but then I signed up as Slavik.

What then if I claim the username he uses? :unsure:

It's kind of stupid to think usernames are a problem in this (personal info posted under the account is another story). That's just me though.
 
About usernames.. What if Slavik demanded you delete his account and all content associated with it (when he never posted any personal information like address, phone number, etc.. all of his posts were just discussions) on your forum but then I signed up as Slavik.

What then if I claim the username he uses? :unsure:

It's kind of stupid to think usernames are a problem in this (personal info posted under the account is another story). That's just me though.

The way I see it, do like @Chris D says in the thread, simply delete the account and change the username or use the default changed deleted account name. None of the content will be deleted but the user's account and any reference to the user will still be removed.

It's kind of hard especially for larger forums to locate if a user has put his personal information in a post and therefore would be extremely difficult for anyone to moderate.
 
About usernames.. What if Slavik demanded you delete his account and all content associated with it (when he never posted any personal information like address, phone number, etc.. all of his posts were just discussions) on your forum but then I signed up as Slavik.

What then if I claim the username he uses? :unsure:

An email and username are identifiable information. If you don't need it, you're not supposed to store it. If you really don't want people to be able to appear as others, you're best off preventing people from registering with a name after it has been used.
 
An email and username are identifiable information. If you don't need it, you're not supposed to store it. If you really don't want people to be able to appear as others, you're best off preventing people from registering with a name after it has been used.

I don't think that seems logical at all. Common names on big sites are used on a potential regular basis. There are ways to prove if someone owns the account they want erased and therefore you wouldn't need to store anything.
 
The way I see it, do like @Chris D says in the thread, simply delete the account and change the username or use the default changed deleted account name. None of the content will be deleted but the user's account and any reference to the user will still be removed.

It's kind of hard especially for larger forums to locate if a user has put his personal information in a post and therefore would be extremely difficult for anyone to moderate.
I will not delete someone's account. I already know what I'm going to do on the forum I manage. I am not allowing people to submit any personal information in public unless supervised by a member of staff, who will quickly remove it once its purpose has been served.
An email and username are identifiable information. If you don't need it, you're not supposed to store it. If you really don't want people to be able to appear as others, you're best off preventing people from registering with a name after it has been used.
The member is leaving so s/he can remove his/her email address himself/herself. It's private data not shown to the public. Either way, I always remove emails from deactivated accounts but we're looking specifically at publicly displayed usernames that are not real names.
 
Unfortunately, it is not so easy. And, as long as you have European users, they do have jurisdiction. Your options are to either comply or block Europe.

Not really. My site is based in the US, hosted on US servers, and serves to over 99% US IP's. Also, the US has no such agreement that forces Americans to comply with EU regulations. In fact, the EU can't force me to hand over information in regards to how I operate my website. The Fourth Amendment to the Constitution protects me. So why should an American care?...because Google cares because they have assets under the jurisdiction of the EU; therefore, I will comply with what Google request, and nothing more.
 
Not really. My site is based in the US, hosted on US servers, and serves to over 99% US IP's. Also, the US has no such agreement that forces Americans to comply with EU regulations. In fact, the EU can't force me to hand over information in regards to how I operate my website. The Fourth Amendment to the Constitution protects me. So why should an American care?...because Google cares because they have assets under the jurisdiction of the EU; therefore, I will comply with what Google request, and nothing more.
Yeah, so in essence you have to comply. Job done. Why the rest of the mini rant applies I don't understand, but fact is you will comply. So nothing more to be said really, is there. :rolleyes:
 
Not really. My site is based in the US, hosted on US servers, and serves to over 99% US IP's. Also, the US has no such agreement that forces Americans to comply with EU regulations. In fact, the EU can't force me to hand over information in regards to how I operate my website. The Fourth Amendment to the Constitution protects me. So why should an American care?...because Google cares because they have assets under the jurisdiction of the EU; therefore, I will comply with what Google request, and nothing more.

Let me ask you this, has the US govt made any GDPR protests? Did the US govt come out and say that you cannot be held accountable? I have not seen any such protests or statements, you know why? Because the US/EU have treaties with each other, going forward, this is new case law that is technically not in effect as of yet, and it is too soon to say exactly how you would be forced to comply or fined; Facebook is not going out without a fight because their user data is their business, and I am pretty sure other fights and lawsuits are going to come around also, and no one is going to have time for insolvent little forums right now as big business will be the biggest targets of them all, and if they did go after you, then they most likely would hire a US Based attorney in order to do their dirty work, and to be honest, this just sounds like one big ole melting pot that is going to explode, so you should not really jump to any conclusions until you start seeing how case law will be worked out, and case law will not work out until you start seeing lawsuits, and I would bet my last buck they will be going after big business such as Facebook and other big sites that may not want to comply with GDPR. You can jump through all the hoops in the world, but if one little thing concerning GDPR is out of place on your site, then technically, this would open you up to a lawsuit, so guessing what you need or don't need concerning your forum is simply not going to cut it, however, they can sue me until they are blue in the face, you simply cannot squeeze blood from a sheep when there is no blood left to squeeze, it will cost them far more money to hire an atty, and send me the paperwork compared to the amount of money I have in the bank, and Facebook is expected to be one of the first lawsuits.
 
Let me ask you this, has the US govt made any GDPR protests? Did the US govt come out and say that you cannot be held accountable? I have not seen any such protests or statements, you know why? Because the US/EU have treaties with each other, going forward, this is new case law that is technically not in effect as of yet, and it is too soon to say exactly how you would be forced to comply or fined; Facebook is not going out without a fight because their user data is their business, and I am pretty sure other fights and lawsuits are going to come around also, and no one is going to have time for insolvent little forums right now as big business will be the biggest targets of them all, and if they did go after you, then they most likely would hire a US Based attorney in order to do their dirty work, and to be honest, this just sounds like one big ole melting pot that is going to explode, so you should not really jump to any conclusions until you start seeing how case law will be worked out, and case law will not work out until you start seeing lawsuits, and I would bet my last buck they will be going after big business such as Facebook and other big sites that may not want to comply with GDPR. You can jump through all the hoops in the world, but if one little thing concerning GDPR is out of place on your site, then technically, this would open you up to a lawsuit, so guessing what you need or don't need concerning your forum is simply not going to cut it, however, they can sue me until they are blue in the face, you simply cannot squeeze blood from a sheep when there is no blood left to squeeze, it will cost them far more money to hire an atty, and send me the paperwork compared to the amount of money I have in the bank, and Facebook is expected to be one of the first lawsuits.

I didn't read all of this, but the US Government generally does not have issues with sovereign states enforcing their own laws on those in their country. Simply if Facebook puts a data center in the UK and the EU comes out with some regulation then it's Facebook's fault that they put the data center there and they must comply.

In regards to treaties, no such treaty allows a foreign entity to pass regulation. Look at the US War with Iraq. The United Nations considered it unlawful because it wasn't UN approved and after all the US is a member of the UN. The US came back and said that under US law the president had the power to levy war. My point is anyone acting within American law on American soil cannot be prosecuted for a crime that a foreign government passes.

Here is an interesting comment from the EU in a similar case:
https://www.reuters.com/article/us-...reme-court-data-protection-case-idUSKBN1E12AO

“Given that the transfer of personal data by Microsoft from the EU to the U.S. would fall under the EU data protection rules, the Commission considered it to be in the interest of the EU to make sure that EU data protection rules on international transfers are correctly understood and taken into account by the U.S. Supreme Court,”

The EU is clearly stating that data held in its servers falls under EU jurisdiction. This is important because if the US Supreme Court rules in favor of Microsoft then it would be acknowledging that the host country of the data is where jurisdiction sits. If the US Supreme Court rules in favor of the US Administration then it is saying that EU Privacy laws don't apply to American companies, even if the data is stored in those countries. Personally, I believe the Supreme Court will rule in favor of Microsoft.

Bottom line is the US Government is going to let the EU fine Facebook to death and not get that tax revenue when the money comes back.

edit:
Here is an article from a power American lobby
https://www.heritage.org/government...draw-line-the-eus-data-protection-imperialism
 