Upcoming changes for GDPR compliance in XF1 and XF2

The General Data Protection Regulation (GDPR) is soon upon us. But, what is it? Does it apply to your site? How can XenForo help you with compliance in the key areas of the regulation? This "Have you seen" thread will aim to clear up some of these questions, and give you a preview of what is coming up in XenForo 1.5.20 and XenForo 2.0.6.

What is the GDPR?
The GDPR is a European Union (EU) regulation that has been designed to protect the data and privacy of EU residents. It strengthens and replaces existing data protection acts/directives and becomes enforceable from 25th May 2018. The primary aim is to give control to EU residents over their personal data and unify regulation within the EU.

But I'm not an EU resident...
That may be true, but with over half a billion residents in 28 member states, it's a fairly reasonable expectation that at some point you will have an EU resident register on your forum and they will indeed be protected by this regulation and breaches of the regulation can bring penalties and fines against you, whether you're an EU resident, or not. Even so, data protection and privacy will be important to every one of your members, regardless of their country of origin.

How can we help?
Depending on your interpretation of the guidelines and how you specifically use your member's data, there isn't much more to add to help you comply with these regulations. That said, this would be a pretty boring post without some new things to show you so we will explain some of the new features below and how they help you, as a data controller, to comply with the regulations.


Individual rights

Right to erasure

Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.

Unfortunately, erasure does not relate to a 1980s pop duo but instead it relates to the inevitability that at some point, one of your members may want to leave your forum and in doing so, may want to have their personal data removed. This is also known as the "right to be forgotten".

Of course XenForo has always allowed you to delete members via the Admin CP, and this approach is still recommended, but this has traditionally left their content attributed to them. You have always been able to workaround this by changing the user's name prior to deleting the user. Although we're not at this stage looking to totally remove the user's content, we are making it easier to anonymise a deleted user's content.

When deleting a user, you will now be given the option to just delete them (as now) or change their name before deleting them. You can choose the pre-defined text (which is the content of the deleted_member phrase in your language, followed by their user_id) or change it manually to whatever name you prefer.


Right to data portability

The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller.

Technically, under certain laws in certain countries, the right for a user to request a copy of any personal information held by a data controller has always been necessary. The main difference now is that the information should be provided to the data subject in a machine readable format.

Starting with the next release, it will be possible for admins to generate an XML file containing a user's personal information, including those entered in custom user fields. The XML file produced can be imported into any other XF1 or XF2 forum running an appropriate version.


Right to be informed

• You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
• You must provide privacy information to individuals at the time you collect their personal data from them.
• You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.

XenForo already has functionality to enable you to edit your terms and rules, provides you with tools for you to create a privacy policy (help pages, page nodes) and present that information when they are registering. In the next releases we are somewhat expanding these features.

The first step is to start providing a default privacy policy, via a help page, similar to how we also provide a default terms and rules page. If you already have a privacy policy URL, we will continue to link to this. If you do not, then we will start displaying the new default policy link in the appropriate places. After upgrading, if you do not want or need a privacy policy then you can disable it in options.


Lawful basis for processing

Consent

• Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
• Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
• Keep evidence of consent – who, when, how, and what you told people.

On a similar subject to the previous "Right to be informed" section, consent must apply to things such as the privacy policy and terms and rules. In XF2 we already seek this consent if you have a privacy policy or terms and rules URL configured. In XF1, however, we only did this if a terms and rules URL was configured. In XF2, there was no checkbox to consent to these, but in XF1 there was.

There are obvious inconsistencies there, so in the next releases we have taken a more consistent approach during registration:

We already make it possible for a user to opt-in to or opt-out of receiving site emails using the "Receive site mailings" option under "Preferences", which can of course be set or un-set by default for new users under Options > User registration. That preference remains, though we have changed its name slightly. We've also added a new admin option (again, under "User registration") to enable you to show that preference on registration:

To enable you to keep evidence of consent, we will log the consent date for acceptance of the terms and rules and privacy policy in the "User change log". We will also log if a user chooses explicitly opt in to receiving emails.

In the current version, user change logs are only kept for a period of 60 days (by default) so we have made changes here to ensure that certain change logs are "protected". These protected entries are never pruned and they are displayed differently in the log (denoted by the left feature border):

In these releases, we are also making it possible to ask users to re-accept terms and rules or privacy policies. Because we provide the ability to use any URL as your terms or privacy policy, and because the default policies are editable by changing phrases or templates, the most explicit approach to triggering re-acceptance is having a specific page for each under Communication > Help in the Admin CP:

Once you click "Save" any users will be prompted to re-accept the respective policy. They will not be able to continue using the site until they do. If you use the default page then the policy will be displayed on the page:

Cookies

The rules on cookies are in regulation 6. The basic rule is that you must:

• tell people the cookies are there;
• explain what the cookies are doing and why; and
• get the person’s consent to store a cookie on their device.

We have, for many years, shown a notice to users on their first visit explaining that cookies will be set. This notice was only shown on the very first page load before it disappeared. This should be fine, in most cases, though we've decided to make some improvements for the next release to make the usage of cookies more clear, and to require the notice to be dismissed:

Interestingly, this notice doesn't appear as a block notice at the top of the page, and it doesn't appear in the bottom right corner as a floating notice. Instead, we've created an entirely new position called "Fixed". This notice position is actually fixed at the very bottom of the page and full width (similar to the inline mod bar). You can even use this position for any notice you create.

The default help page for cookies has been expanded with more detailed information about what cookies are set, and why.


And that brings us to the end of this GDPR-centric Have you seen thread!

Due to the fairly large number of changes in these releases, we will first be releasing beta versions on Tuesday 8th May which will be available to all customers with an active license, while aiming for a final and stable release on Tuesday 22nd May.

As ever, with Have you seen threads, please post any suggestions in the suggestion forum (one thread per suggestion).

 

[BassMan]

Thank you @Chris D and XF team! These are great news.

 

[Chris D]

An additional change in both XF1 and XF2:

 

[netrix]

Are there plans to host some Google fonts locally?

 

[Chris D]

I'm not really sure what relevance that has to anything. XF itself doesn't use Google Fonts.

 

[Azaly]

This is also known as the "right to be forgotten".

Compleate account removal destroy warning system, because users can delete themselves and return under new name. For now we rename user and ban to save IP history.

 

[AndrewSimm]

Compleate account removal destroy warning system, because users can delete themselves and return under new name. For now we rename user and ban to save IP history.

Why not just ban their IP and delete the user if they request?

 

[Slavik]

Why not just ban their IP and delete the user if they request?

IP banning is useless apart from automated attacks/spambots.

 

[Jim Boy]

I dont believe the erasure method is sufficient - changing the username is just that, changing the username. And the right to be forgotten doesn't necessarily mean they want to leave the forum. We get members who want their history to be removed for personal reasons, such as having said stuff in the past that would hurt their future employment prospects - and this is exactly the sort of thing that is the underlying purpose of the GDPR.

I know it isn't easy, apart from posts you have edit history and search to deal with (although leaving the content in elasticsearch would be fine) never mind quotes, but it is something that needs to be looked at, especially since forums are often the place where people say things they later regret

 

[Slavik]

I dont believe the erasure method is sufficient - changing the username is just that, changing the username. And the right to be forgotten doesn't necessarily mean they want to leave the forum. We get members who want their history to be removed for personal reasons, such as having said stuff in the past that would hurt their future employment prospects - and this is exactly the sort of thing that is the underlying purpose of the GDPR.

I know it isn't easy, apart from posts you have edit history and search to deal with (although leaving the content in elasticsearch would be fine) never mind quotes, but it is something that needs to be looked at, especially since forums are often the place where people say things they later regret

The right to erasure does not extend to posts/content you make on a forum except under specific contexts where said content is personal information.

Compleate account removal destroy warning system, because users can delete themselves and return under new name. For now we rename user and ban to save IP history.

If you have a legitimate interest in retaining their account details (for example to log troublesome users or enforce a 1 account policy) then you do not have to delete an account either.

 

[Jim Boy]

The right to erasure does not extend to posts/content you make on a forum except under specific contexts where said content is personal information.
.

The content itself doesn't need to contain personally identifiable, it just needs to be in correlation with data that is correlateable. A username is just that - it doesn't matter whether the the username is Slavik or "deleted user 2270". The fact that you have uniquely identified and grouped it all together, means that the personal information of the poster isn't erased at all.

GDPR is not intended to protect usernames, it is designed to protect people.

If you have a legitimate interest in retaining their account details (for example to log troublesome users or enforce a 1 account policy) then you do not have to delete an account either.

Way to miss the point of the statement

 

[Azaly]

forums are often the place where people say things they later regret

"Right to be forgotten" is not about deleting public posted things. Even if admin rename and then delete some account its original account name could be found via quotes and @tags in post by other users. Their converstion post are still could be read by recipients. Only IP history, nicname/id, email, subscriptions, timezone, profile post would be deleted. But users already could clean most of these exept name and IP history.

 

[Sim]

IP banning is useless apart from automated attacks/spambots.

Worse than that - in many cases it can have a negative impact because many ISPs use a shared pool of dynamically allocated IP addresses which can frequently be used by multiple people on the forums.

Banning an IP address can have significant unintended consequences - it will both fail to ban the person you are trying to ban (because they will soon be allocated a new IP address) as well as potentially stop another legitimate user from being able to access your site (because they can be assigned that banned IP address from the ISP's pool).

 

[Azaly]

Why not just ban their IP and delete the user if they request?

This not works. Banned users could use VPN, in some countries using VPN is very popular for normal users, and not everyone has dedicated IP.

For example on our forum there was very sweet user. Some young girls got friendship with him. Only after 3 months when he started harass these girls in public, this situation was revealed and he was banned. He returned soon, and his IP history helps a lot to catch him. Then he returned again and again. Right to be forgotten garantee him to be deleted, but forum owner and admins must protect their users too. How facebook solve this problem?

And we got another problem. For example user from Russia uses VPN from German. In Russia admin should store user information for 3 months at least if I remember correctly. But on the other hand I couldn't refuse users with EU IP to be deleted.

 

[IJester_]

Hi @Chris D How will XF help "clients" bypass this, so there for people who don't know much about legal things of sites, get help as most people just wanna buy sites and not worry about these kinda things at all.

Can you not just scrap old XF and tell everyone to update?

Will there be a policy we need to follow soon?

Thanks

 

[Tom]

If you have a legitimate interest in retaining their account details (for example to log troublesome users or enforce a 1 account policy) then you do not have to delete an account either.

Would it be considered acceptable, do you think, to not allow banned users to have their accounts deleted, but let everybody else request deletion?

 

[Jim Boy]

[QUOTE="Azaly, post: 1248833, member: 4824"]"Right to be forgotten" is not about deleting public posted things. Even if admin rename and then delete some account its original account name could be found via quotes and @tags in post by other users. Their converstion post are still could be read by recipients. Only IP history, nicname/id, email, subscriptions, timezone, profile post would be deleted. But users already could clean most of these exept name and IP history.[/QUOTE]
It's their whole history, public or not. Their is a reasonableness to the GDPR, and you are exempt if you dont offer services to the EU, regardless of whether you have some EU members or not.

Ultimately you can get fined massively - 20,000,000 euros is the starting point. If XenForo wrrants that their software allows you to act in a GDPR compliant way, then fine - but they better have that backed up by solid legal counsel. And they need to remind users that their legal counsel is not your legal counsel. Becuase if they get it wrong, Xenforo will be sued out of existence.

Have they been thorough enough? well they haven't mentioned IP addresses on posts - they are personally identiable pieces of data which can get you into a whole heap of trouble

 

[Slavik]

The content itself doesn't need to contain personally identifiable, it just needs to be in correlation with data that is correlateable. A username is just that - it doesn't matter whether the the username is Slavik or "deleted user 2270". The fact that you have uniquely identified and grouped it all together, means that the personal information of the poster isn't erased at all.

GDPR is not intended to protect usernames, it is designed to protect people.

Way to miss the point of the statement

I'm not missing the point, im correcting the fear mongering and incorrect statements that are being posted, and frankly, im getting quite sick of people who have read a few internet articles in the last couple of weeks telling us how our software isn't GDPR compliant and what we, or site owners must or mustn't do.

We have been in touch with the ICO for months following up on working guidance and any changes made to it and have our own internal documentation as such. We have been asking about specific points, and clarifications on them, it was only in May the ICO published their official guidance on portability, and while we had a good idea of what was expected, once we had it, it confirmed our views. The other additional features and enhancements made are not ground breaking either, they are quality of life improvements for admins in dealing with GDPR.

Likewise, the fines wont start at 20 million euros. It will start with some friendly contact to help a non-compliant site owner become compliant, or if they have some policies in place, some education and guidance to tweak it to become compliant.

If your personal lawyer is telling you posts made need to be deleted, then by all means go ahead and follow their advice. However I imagine this isn't something you have hired council on and have simply read it online, because even if it was classed as personal data, which it isn't, it would more than pass the reasonable tests to refuse deletion and maintain the record so the threads involving the user in question aren't reduced to incoherent garbage.

People really need to step back, take a breath, calm down and look at the GDPR for what it is. Because right now it seems a XenForo Molehill > Everest.

 

[trapped_soul]

People really need to step back, take a breath, calm down and look at the GDPR for what it is. Because right now it seems a XenForo Molehill > Everest.

Couldn't agree more with this. Crazy stuff.

 

[Azaly]

It's their whole history, public or not.

That is not true. GDPR do not garantee right to be forgotten like user never exist. It garantee only personal information attached to some name/id must be deleted if user wants. He could ask to delete some post with personal information if he was so stupid to publish it, but he couldn't ask to delete thread started by him with something like "Cats or dogs" or "GDPR good or not?" or "global warming is myth or truth".

I understand that GDPR is already done. But we need instrument to use IP history in future. For example impersonalize and store IPs of users who was banned but then asked to be deleted.

 

[IJester_]

So what do we need to do on our end since I'm from UK at the moment?

What do we need to do then, with xenforo ect