Upcoming changes for GDPR compliance in XF1 and XF2

The General Data Protection Regulation (GDPR) is soon upon us. But, what is it? Does it apply to your site? How can XenForo help you with compliance in the key areas of the regulation? This "Have you seen" thread will aim to clear up some of these questions, and give you a preview of what is coming up in XenForo 1.5.20 and XenForo 2.0.6.

What is the GDPR?
The GDPR is a European Union (EU) regulation that has been designed to protect the data and privacy of EU residents. It strengthens and replaces existing data protection acts/directives and becomes enforceable from 25th May 2018. The primary aim is to give control to EU residents over their personal data and unify regulation within the EU.

But I'm not an EU resident...
That may be true, but with over half a billion residents in 28 member states, it's a fairly reasonable expectation that at some point you will have an EU resident register on your forum and they will indeed be protected by this regulation and breaches of the regulation can bring penalties and fines against you, whether you're an EU resident, or not. Even so, data protection and privacy will be important to every one of your members, regardless of their country of origin.

How can we help?
Depending on your interpretation of the guidelines and how you specifically use your member's data, there isn't much more to add to help you comply with these regulations. That said, this would be a pretty boring post without some new things to show you so we will explain some of the new features below and how they help you, as a data controller, to comply with the regulations.


Individual rights

Right to erasure

Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.

Unfortunately, erasure does not relate to a 1980s pop duo but instead it relates to the inevitability that at some point, one of your members may want to leave your forum and in doing so, may want to have their personal data removed. This is also known as the "right to be forgotten".

Of course XenForo has always allowed you to delete members via the Admin CP, and this approach is still recommended, but this has traditionally left their content attributed to them. You have always been able to workaround this by changing the user's name prior to deleting the user. Although we're not at this stage looking to totally remove the user's content, we are making it easier to anonymise a deleted user's content.

When deleting a user, you will now be given the option to just delete them (as now) or change their name before deleting them. You can choose the pre-defined text (which is the content of the deleted_member phrase in your language, followed by their user_id) or change it manually to whatever name you prefer.


Right to data portability

The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller.

Technically, under certain laws in certain countries, the right for a user to request a copy of any personal information held by a data controller has always been necessary. The main difference now is that the information should be provided to the data subject in a machine readable format.

Starting with the next release, it will be possible for admins to generate an XML file containing a user's personal information, including those entered in custom user fields. The XML file produced can be imported into any other XF1 or XF2 forum running an appropriate version.


Right to be informed

• You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
• You must provide privacy information to individuals at the time you collect their personal data from them.
• You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.

XenForo already has functionality to enable you to edit your terms and rules, provides you with tools for you to create a privacy policy (help pages, page nodes) and present that information when they are registering. In the next releases we are somewhat expanding these features.

The first step is to start providing a default privacy policy, via a help page, similar to how we also provide a default terms and rules page. If you already have a privacy policy URL, we will continue to link to this. If you do not, then we will start displaying the new default policy link in the appropriate places. After upgrading, if you do not want or need a privacy policy then you can disable it in options.


Lawful basis for processing

Consent

• Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
• Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
• Keep evidence of consent – who, when, how, and what you told people.

On a similar subject to the previous "Right to be informed" section, consent must apply to things such as the privacy policy and terms and rules. In XF2 we already seek this consent if you have a privacy policy or terms and rules URL configured. In XF1, however, we only did this if a terms and rules URL was configured. In XF2, there was no checkbox to consent to these, but in XF1 there was.

There are obvious inconsistencies there, so in the next releases we have taken a more consistent approach during registration:

We already make it possible for a user to opt-in to or opt-out of receiving site emails using the "Receive site mailings" option under "Preferences", which can of course be set or un-set by default for new users under Options > User registration. That preference remains, though we have changed its name slightly. We've also added a new admin option (again, under "User registration") to enable you to show that preference on registration:

To enable you to keep evidence of consent, we will log the consent date for acceptance of the terms and rules and privacy policy in the "User change log". We will also log if a user chooses explicitly opt in to receiving emails.

In the current version, user change logs are only kept for a period of 60 days (by default) so we have made changes here to ensure that certain change logs are "protected". These protected entries are never pruned and they are displayed differently in the log (denoted by the left feature border):

In these releases, we are also making it possible to ask users to re-accept terms and rules or privacy policies. Because we provide the ability to use any URL as your terms or privacy policy, and because the default policies are editable by changing phrases or templates, the most explicit approach to triggering re-acceptance is having a specific page for each under Communication > Help in the Admin CP:

Once you click "Save" any users will be prompted to re-accept the respective policy. They will not be able to continue using the site until they do. If you use the default page then the policy will be displayed on the page:

Cookies

The rules on cookies are in regulation 6. The basic rule is that you must:

• tell people the cookies are there;
• explain what the cookies are doing and why; and
• get the person’s consent to store a cookie on their device.

We have, for many years, shown a notice to users on their first visit explaining that cookies will be set. This notice was only shown on the very first page load before it disappeared. This should be fine, in most cases, though we've decided to make some improvements for the next release to make the usage of cookies more clear, and to require the notice to be dismissed:

Interestingly, this notice doesn't appear as a block notice at the top of the page, and it doesn't appear in the bottom right corner as a floating notice. Instead, we've created an entirely new position called "Fixed". This notice position is actually fixed at the very bottom of the page and full width (similar to the inline mod bar). You can even use this position for any notice you create.

The default help page for cookies has been expanded with more detailed information about what cookies are set, and why.


And that brings us to the end of this GDPR-centric Have you seen thread!

Due to the fairly large number of changes in these releases, we will first be releasing beta versions on Tuesday 8th May which will be available to all customers with an active license, while aiming for a final and stable release on Tuesday 22nd May.

As ever, with Have you seen threads, please post any suggestions in the suggestion forum (one thread per suggestion).

 

[Sabermaster]

Well, let me take on that by the paragraphs.

So you are saying a German lawyer off his own back can send you a letter identifying a violation and in effect fine you, or the reality blackmail you, into paying them so they don't take it any further which would cost you should it go to court?
I'm glad we're leaving the EU then as that is ludicrous.

That is exactly what I am saying. The legal construct is actually like this:

They find a violation of the law and send you a warning letter "Strafbewehrte Abmahnung". I am not quite certain how to translate the first word properly, literally it means "punitively armed", so the entire thing would be called a "punitively armed warning letter including cease and desist".

This means they send you this letter and you can either sign it and be bound to never commit this violation again, otherwise you owe them tens of thousands in fines and damages. You will also have to pay their "fee" which is limited by law to I believe 380€ for the first letter.
So you end up paying 380€ in any case and can basically close your website unless you want to run everything on it by a lawyer before publishing.

Or you can go to your own lawyer (and of course pay him) and have him negotiate with the other lawyer about that cease an desist part and the fines included. Generally that works rather well, so you do not sign away your soul, but still have to pay the 380€ plus whatever your own lawyer charges you.

Or you can let him take it to a civil court (not a penal court as you won't be fined or punished in the sense of the German penal code) and risk losing the case, in which case you will have to pay him his 380€, plus whatever he charges you to represent his own case in court, plus your own legal counsel, plus the costs of the court.

Best case is if everything on your website is legally waterproof.

They can do this quite easily by just looking at a website. It has to have in imprint and a privacy policy, reachable from everywhere with two clicks maximum. If it is not, they already got their reason. If they can't use this attack vector, they will start looking at the privacy policy, the imprint and the terms of use and search for anything in there.

They find anything, they are happy to earn 380€ minimum.

What that has to do with the EU or the UK leaving it is beyond my grasp, as this is a purely internal German issue, on which I have my opinion, but expressing that opinion would violate the rules of this forum.
I am not a friend of political unsound statement like that.

In the UK we have similar involving no-win no-fee solicitors making spurious or inflated claims for their 'clients' against companies for injuries, etc they may have (or may not have) sustained.
They work on the premise that it is cheaper for the company to agree a settlement figure outside of court than it is for the company to go to court to successfully defend themselves.

If you can successfully defend yourself, the cost is all on the guy sending you the warning letter. But if you have actually violated the law it is cheaper for you to just pay him, because in court you will end up paying more. Of course you will need your own (paid) legal counsel to ascertain wether or not you should go to court or just pay him.

Because these people also don't like to waste money, you can be rather certain that if they send you a warning, there will be at least something to their claim.

The best thing to do if that is the situation and you are that worried is to give the website to any individual in some remote distant land and let them be the owner, the person doesn't even have to be real, pick a name from the many Nigerian scam emails. You could then just be the 'manager' of the website, a paid employee in other words, with no legal responsibility for it, and when/if the letter lands on the doormat forward it on to them

Believe me, it has been tried. These people are not idiots, and if they catch you doing that and have any way to provide proof (and they will find the truth if they take it to court) you will just loose bigger than before.
Of course a setup like this is possible, but in the end probably even more expensive to make it look convincing than just paying the guy his 380€.

So much for a quick look into questionable legal practices in the German Bureaucratic Republic.
Fortunately there is an initiative going on to restrict cases like that if the lawyer can prove a legitimate interest, but knowing the process of lawmaking, it will take forever for this to actually produce results. It will also be met with considerable lobbying attempts against it by those who make a living of this very same issue.

 

[webbouk]

Well maybe if that is the case the best thing to do is roll over and keep €380 in a tin and wait for the inevitable because no doubt if someone was that way out they would find something especially in a public forum if they wanted to.
However this is a local issue which however which way around it you go, is not the responsibility of xenForo to provide every solution to (imho)

 

[Sabermaster]

Well maybe if that is the case the best thing to do is roll over and keep €380 in a tin and wait for the inevitable because no doubt if someone was that way out they would find something especially in a public forum if they wanted to.
However this is a local issue which however which way around it you go, is not the responsibility of xenForo to provide every solution to (imho)

It is your prerogative to think that, however they did implement this. Most certainly not only for their customer from Germany, but for a bunch of other people as well.
I can not speak for the team of XenForo limited, but they have implemented features that help comply with this new law and I welcome that change.
However I am certain that they had their reasons for doing so.

A little note about your notion of leaving the UK: All EU-law will be transferred into national UK-law as part of the Brexit process. This is publicly known and has been communicated by the British government including the reasons for doing so.

Which in turn means, that even if the UK leaves the EU, the GDPR will still effect you until it is changed or lifted altogether and I am rather certain that the House of Commons has more urgent things on its agenda then GDPR for quite some time.

 

[trapped_soul]

A little note about your notion of leaving the UK: All EU-law will be transferred into national UK-law as part of the Brexit process. This is publicly known and has been communicated by the British government including the reasons for doing so.

Until our Great Repeal Bill comes in.

 

[Sabermaster]

Until our Great Repeal Bill comes in.

Which is excatly the law that will make happen what you just quoted from me and implied that it will lift all this. But I am out of this discussion now, as it leads nowhere.

 

[Sheldon]

From GDPR, to lawyers sending you fines on a whim, to German law, to Brexit.... All in 5 posts.

Can we keep this about the subject at hand?

I'm anxiously awaiting for someone to give themselves a heart attack over this GDPR nonsense, and most previous replies in this thread have me thinking it'll happen sooner rather than later.

 

[Mr Lucky]

I'm anxiously awaiting for someone to give themselves a heart attack over this GDPR nonsense

They will need to opt in and give themselves consent to have a heart attack.

 

[Chris D]

Despite repeated requests, discussion that doesn’t relate specifically to the releases mentioned in the first post has continued.

Now that the releases are out, this thread doesn’t any longer serve a purpose.