Upcoming changes for GDPR compliance in XF1 and XF2

Status
Not open for further replies.
The General Data Protection Regulation (GDPR) is soon upon us. But, what is it? Does it apply to your site? How can XenForo help you with compliance in the key areas of the regulation? This "Have you seen" thread will aim to clear up some of these questions, and give you a preview of what is coming up in XenForo 1.5.20 and XenForo 2.0.6.

What is the GDPR?
The GDPR is a European Union (EU) regulation that has been designed to protect the data and privacy of EU residents. It strengthens and replaces existing data protection acts/directives and becomes enforceable from 25th May 2018. The primary aim is to give control to EU residents over their personal data and unify regulation within the EU.

But I'm not an EU resident...
That may be true, but with over half a billion residents in 28 member states, it's a fairly reasonable expectation that at some point you will have an EU resident register on your forum, and they will indeed be protected by this regulation. Breaches of the regulation can bring penalties and fines against you, whether you're an EU resident or not. Even so, data protection and privacy will be important to every one of your members, regardless of their country of origin.

How can we help?
Depending on your interpretation of the guidelines and how you specifically use your members' data, there isn't much more to add to help you comply with these regulations. That said, this would be a pretty boring post without some new things to show you, so we will explain some of the new features below and how they help you, as a data controller, to comply with the regulations.


Individual rights

Right to erasure
ICO said:
Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
Unfortunately, erasure does not relate to a 1980s pop duo but instead it relates to the inevitability that at some point, one of your members may want to leave your forum and in doing so, may want to have their personal data removed. This is also known as the "right to be forgotten".

Of course XenForo has always allowed you to delete members via the Admin CP, and this approach is still recommended, but this has traditionally left their content attributed to them. You have always been able to work around this by changing the user's name prior to deleting the user. Although we're not at this stage looking to totally remove the user's content, we are making it easier to anonymise a deleted user's content.


When deleting a user, you will now be given the option to just delete them (as now) or change their name before deleting them. You can choose the pre-defined text (which is the content of the deleted_member phrase in your language, followed by their user_id) or change it manually to whatever name you prefer.


Right to data portability
ICO said:
The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller.
Technically, under certain laws in certain countries, the right for a user to request a copy of any personal information held by a data controller has always been necessary. The main difference now is that the information should be provided to the data subject in a machine readable format.

Starting with the next release, it will be possible for admins to generate an XML file containing a user's personal information, including those entered in custom user fields. The XML file produced can be imported into any other XF1 or XF2 forum running an appropriate version.


Right to be informed
ICO said:
  • You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
  • You must provide privacy information to individuals at the time you collect their personal data from them.
  • You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.
XenForo already has functionality to enable you to edit your terms and rules, provides you with tools for you to create a privacy policy (help pages, page nodes) and present that information when they are registering. In the next releases we are somewhat expanding these features.

The first step is to start providing a default privacy policy, via a help page, similar to how we also provide a default terms and rules page. If you already have a privacy policy URL, we will continue to link to this. If you do not, then we will start displaying the new default policy link in the appropriate places. After upgrading, if you do not want or need a privacy policy then you can disable it in options.


Lawful basis for processing

Consent
ICO said:
  • Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
  • Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
  • Keep evidence of consent – who, when, how, and what you told people.
On a similar subject to the previous "Right to be informed" section, consent must apply to things such as the privacy policy and terms and rules. In XF2 we already seek this consent if you have a privacy policy or terms and rules URL configured. In XF1, however, we only did this if a terms and rules URL was configured. In XF2, there was no checkbox to consent to these, but in XF1 there was.

There are obvious inconsistencies there, so in the next releases we have taken a more consistent approach during registration:

[Screenshot]


We already make it possible for a user to opt-in to or opt-out of receiving site emails using the "Receive site mailings" option under "Preferences", which can of course be set or un-set by default for new users under Options > User registration. That preference remains, though we have changed its name slightly. We've also added a new admin option (again, under "User registration") to enable you to show that preference on registration:

[Screenshot]


To enable you to keep evidence of consent, we will log the consent date for acceptance of the terms and rules and privacy policy in the "User change log". We will also log if a user chooses to explicitly opt in to receiving emails.

In the current version, user change logs are only kept for a period of 60 days (by default) so we have made changes here to ensure that certain change logs are "protected". These protected entries are never pruned and they are displayed differently in the log (denoted by the left feature border):

[Screenshot]


In these releases, we are also making it possible to ask users to re-accept terms and rules or privacy policies. Because we provide the ability to use any URL as your terms or privacy policy, and because the default policies are editable by changing phrases or templates, the most explicit approach to triggering re-acceptance is having a specific page for each under Communication > Help in the Admin CP:

[Screenshot]


[Screenshot]


Once you click "Save" any users will be prompted to re-accept the respective policy. They will not be able to continue using the site until they do. If you use the default page then the policy will be displayed on the page:

[Screenshot]



Cookies
ICO said:
The rules on cookies are in regulation 6. The basic rule is that you must:
  • tell people the cookies are there;
  • explain what the cookies are doing and why; and
  • get the person’s consent to store a cookie on their device.
We have, for many years, shown a notice to users on their first visit explaining that cookies will be set. This notice was only shown on the very first page load before it disappeared. This should be fine, in most cases, though we've decided to make some improvements for the next release to make the usage of cookies more clear, and to require the notice to be dismissed:

[Screenshot]


Interestingly, this notice doesn't appear as a block notice at the top of the page, and it doesn't appear in the bottom right corner as a floating notice. Instead, we've created an entirely new position called "Fixed". This notice position is actually fixed at the very bottom of the page and full width (similar to the inline mod bar). You can even use this position for any notice you create.

The default help page for cookies has been expanded with more detailed information about what cookies are set, and why.


And that brings us to the end of this GDPR-centric Have you seen thread!

Due to the fairly large number of changes in these releases, we will first be releasing beta versions on Tuesday 8th May which will be available to all customers with an active license, while aiming for a final and stable release on Tuesday 22nd May.

As ever, with Have you seen threads, please post any suggestions in the suggestion forum (one thread per suggestion).
 
Glad to see this is coming.

One thing that occurs to me though: if a user is renamed to a new anonymous (but unique) name like DeletedUser2837, all of the posts that they made will still be linked together by that new username. So it only takes one of their posts (or even a post by someone else) to identify them, and the anonymity is gone and all of the posts are identifiably theirs.
So... does this form of "deletion" actually comply with GDPR? Not being a lawyer, I have no clue, but it bothers me a little.
 
One thing that occurs to me though: if a user is renamed to a new anonymous (but unique) name like DeletedUser2837, all of the posts that they made will still be linked together by that new username. So it only takes one of their posts (or even a post by someone else) to identify them, and the anonymity is gone and all of the posts are identifiably theirs.

There's no ruling against it. You could as well claim that their user id is a unique identifier (which it is), or their style of writing, their choice of words, and so on. It'd also take just one user who'd know their posts and their "anonymity is gone".
 
I didn't read all of this, but the US Government generally does not have issues with sovereign states enforcing their own laws on those in their country. Simply, if Facebook puts a data center in the UK and the EU comes out with some regulation, then it's Facebook's fault that they put the data center there and they must comply.

In regards to treaties, no such treaty allows a foreign entity to pass regulation. Look at the US War with Iraq. The United Nations considered it unlawful because it wasn't UN approved, and after all the US is a member of the UN. The US came back and said that under US law the president had the power to levy war. My point is anyone acting within American law on American soil cannot be prosecuted for a crime that a foreign government passes.

Here is an interesting comment from the EU in a similar case:
https://www.reuters.com/article/us-...reme-court-data-protection-case-idUSKBN1E12AO

“Given that the transfer of personal data by Microsoft from the EU to the U.S. would fall under the EU data protection rules, the Commission considered it to be in the interest of the EU to make sure that EU data protection rules on international transfers are correctly understood and taken into account by the U.S. Supreme Court,”

The EU is clearly stating that data held in its servers falls under EU jurisdiction. This is important because if the US Supreme Court rules in favor of Microsoft then it would be acknowledging that the host country of the data is where jurisdiction sits. If the US Supreme Court rules in favor of the US Administration then it is saying that EU Privacy laws don't apply to American companies, even if the data is stored in those countries. Personally, I believe the Supreme Court will rule in favor of Microsoft.

Bottom line is the US Government is going to let the EU fine Facebook to death and not get that tax revenue when the money comes back.

edit:
Here is an article from a powerful American lobby
https://www.heritage.org/government...draw-line-the-eus-data-protection-imperialism

The US is going to be watching to see what happens, and since the govt already wants to regulate social media, then there is a pretty good chance that the US will come out with their own GDPR version in the future, so if your legs are not cut off by the EU, now, then the US will cut you up later.
 
To be clear, all of this is admin-only options, correct? Users will have to send a request, and for those of us who think it's crap the EU is trying to force non-EU citizens to comply with their laws, we can simply deny the requests since there are no front end options that users will have access to?
 
My site is a marketplace forum and we ban scammers daily.

Let's say someone posts their Skype username, or some other chat program, in a post. We then ban them because they scammed someone.

If they request their Skype username removed from the post, are we obligated to remove that?

Normally when we ban someone for scamming, we post all their known contact info (emails and chat usernames only) in a dispute thread so everyone can see what the dispute was about and so members can avoid that person.

I feel like this is important information to provide to our community, otherwise it's like we're helping the scammer hide their info and making it easier for them to scam more. Anyone have insight on this?
 
If they request their Skype username removed from the post, are we obligated to remove that?
IANAL yes.

I feel like this is important information to provide to our community, otherwise it's like we're helping the scammer hide their info and making it easier for them to scam more. Anyone have insight on this?
IMHO & IANAL this would be illegal under GDPR.
 
Can GDPR offenses lead to criminal charges?
I honestly don't know, as said before I am not a lawyer so "illegal" was really just meant as "is not allowed and you might be at risk getting sued for doing so".

Public interest.
Well, yes :)

But that doesn't necessarily outweigh personal rights.

We've had at least one case where there was a warning thread for a scammer (who got sentenced for scamming) in one of our forums that had to be removed as court ordered that this thread violated his personal rights.
 
There are obviously some front end changes, such as the new cookie notice and new default privacy policy but, no, there are no new user features as such. No self deleting accounts and that kind of thing.
 
In my humble opinion I think it's all a load of bollox and a knee jerk reaction to make website owners responsible for the inadequacies of their users.
In an ideal World and in the essence of fairness all internet users should be made to take a test before being granted the use of a keyboard :D
 
In my humble opinion I think it's all a load of bollox and a knee jerk reaction to make website owners responsible for the inadequacies of their users.
In an ideal World and in the essence of fairness all internet users should be made to take a test before being granted the use of a keyboard :D
Welcome to current year. Personal responsibility is lost.
 
My site is a marketplace forum and we ban scammers daily.

Let's say someone posts their Skype username, or some other chat program, in a post. We then ban them because they scammed someone.

If they request their Skype username removed from the post, are we obligated to remove that?

Normally when we ban someone for scamming, we post all their known contact info (emails and chat usernames only) in a dispute thread so everyone can see what the dispute was about and so members can avoid that person.

I feel like this is important information to provide to our community, otherwise it's like we're helping the scammer hide their info and making it easier for them to scam more. Anyone have insight on this?

Interestingly, there is a careful distinction you can make here.

You are obliged to remove the personal information that the user in question added to your site. So anything in your user database needs to go if they request it. There is also an argument that any personal information contained in their posts needs to go. Exactly what that means is still up for debate.

However, you do NOT have to remove posts made by other people. This legislation is NOT about erasing all references to yourself from the internet (ie reputation management). This legislation is about controlling your own information which you have provided (and is thus used by the operator of the site to provide the services to you). The fact that you made certain information public and now other people (users) have access to that information and are using it online - is a natural consequence of your actions.

Provided that the information being posted by 3rd parties is not otherwise illegal (ie defamatory), there is nothing I've read in the bits of the legislation I've read so far which says that you have to remove content that they have created. Even if it references someone who has requested to be "forgotten" - that refers to the structured information you hold, not to discussions about you.

This is why suggestions I've read that doing a global search and replace on someone's username would be required to truly anonymise their account I feel are misguided. Other than posts they've made themselves, you're no longer dealing with personal information created by the user - you're dealing with content created by other people.

Now where it gets tricky is how reasonable it is for other people to be posting personal information about someone on your forums. I can think of plenty of scenarios where I would consider it perfectly reasonable in the course of normal discussion - especially based on the subject having been a member of your site and thus people get to know them. The mere fact that they used someone's username in a post (whether it be their real name or a pseudonym), is not unreasonable and I would not feel that trying to "anonymise" those posts is a reasonable course of action - I wouldn't do it.

However, we do have rules on our forums that prohibit people from posting "personal information" about people. For example, on PropertyChat - we don't permit people to post details about specific properties which someone else owns (ie. the address). But I wouldn't preclude someone from talking about another member in more general terms based on information already posted on the forums - eg "User XYZ posted that they owned property in suburb ABC" (although I would remove the address of that property if it were posted!!). I would remove email addresses and other such obviously personal information as a matter of course anyway - regardless of who posted them.

We also have rules against using people's real names when they post under a pseudonym - which is not an uncommon occurrence because our users frequently attend face-to-face meetups and do get to know each other by name.

But if a user does choose to post under their real name, and then other members of my site discuss that user and what they have posted (without posting more specific personal information), then I feel that is perfectly reasonable and would not consent to removing that content (but I would review specific posts if asked to by the subject!).

I think there is a fine line that needs to be drawn here though - very much depending on whether the user chooses to be anonymous or not.

If someone posts on my site using their real name - then someone else posting a link to their Twitter profile would be quite reasonable.

If someone posts on my site using a pseudonym - then even if they have previously linked to their Twitter profile, I would consider that personal information, and would remove it if requested, even if it were posted by another user. But that's just my approach - I personally don't feel that this would fall under the rules of GDPR (3rd party posting the Twitter handle of a user on the forums).

Think about it in terms of a blog. If you run a blog and discuss someone in posts on your blog - the person in question has never been a "user" of your site and thus has no protection under the GDPR. There may be other avenues they could use if you were posting personal information - but I'm pretty sure that the point of the GDPR is NOT to prevent someone from publishing information about you which they did not source from you directly.

The specific question we're dealing with here though is about deliberately posting personal information about someone (who was presumably a member at some point) on your forums for the purposes of "public interest" (ie the protection of others). Posting information about a known scammer - does that trump the rights of the individual?

Maintaining records about users on your site who have scammed people?

In our case, we have plenty of discussion threads about shonky real estate spruikers - and provided that they aren't otherwise defamatory, we allow them to be discussed. These 3rd parties are generally not members of our site - and thus the GDPR laws wouldn't apply - we are allowed to discuss people (albeit without specific personal information such as their home address!). However, if they were a member of our site - would that then change the dynamic of the law? I don't think so - facts are still facts - so if someone posted "this guy was a member of our site (username DEF) and has now been convicted of fraud - here is a link to the court documents", then I wouldn't edit that even if the subject had made a "right to be forgotten" claim. It is very much in the public interest.

But how far is reasonable? What constitutes "public interest"? At what point does it stop being public interest and start being defamation? What if the person in question was a minor?

The big unknown is how far the courts would be willing to go to enforce a complaint and where they would draw the line on public interest.

One article I read about the GDPR suggested that at the end of the day, what is going to happen is that when a complaint is made about you - you may find yourself needing to do a "please explain" to some board of arbitration or a court. If you have a good reason for holding the "personal information" about someone, then you might have a reasonable defence. If you don't have a good reason (ie you're not going to be able to convince a board or court that it is reasonable), then why are you holding it in the first place?

I think that's generally the approach we need to take - ask yourself "why am I holding this information?" If you don't have a good reason, just remove it!
 
The US is going to be watching to see what happens, and since the govt already wants to regulate social media, then there is a pretty good chance that the US will come out with their own GDPR version in the future, so if your legs are not cut off by the EU, now, then the US will cut you up later.

At least I get to vote on the representatives that would enact such legislation. The tech lobby is in my opinion much stronger in the US, so I suspect the regulation would not be as severe.
 