Implemented XenForo tools to comply with GDPR - rights to erasure and data portability

[Amin Sabet]

The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018.

As I understand it:

• The GPDR will apply to XenForo sites which have members or visitors who reside in OR are citizens of the EU
• The GPDR will be potentially enforceable with regards to companies both inside and outside of the EU, regardless of server location.
• The penalties for violating the GPDR will be steep

Operational impacts most relevant to XenForo owners are described here: https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-6-rtbf-and-data-portability/

The following are XenForo suggestions which would help us to comply with the GPDR.

1) Tool to allow forum admins to delete all of a user's content (forum posts, profile posts, conversations, attachments, media gallery content).

Ideally this tool should be designed to have minimal impact on other members' content. For example, if the deleted content includes the first post of a thread, the remainder of the thread should somehow be preserved.

2) Tool for forum admins to enable in order to allow users to delete all of their own content (forum posts, profile posts, conversations, attachments, media gallery content).

Ideally this tool should have a time delay during which it can be canceled.

3) Tool for forum admins to export all of a user's content (forum posts, profile posts, conversations, attachments, media gallery content) and provide that exported data for a user to take with them to a different XenForo forum or other compatible network.


Please like this post if you agree with these suggestions.

 

[usAdultAds]

Irrespective of being a forum or not, it's an Internet site serving people and handling sensitive data.
If you serve people within the EU or are within the EU yourself then you're governed by the GDPR just as you would be with the DPA.
You're still a data controller if running an active site with memberships/emails and so forth. You effectively have people's personally identifiable information; emails addresses, IP's, location so on so forth. This means you then are a controller.

I wouldn't say fear mongering... more that some people are getting confused and getting nervous about the do's and dont's. Most of it to be truthful, is common sense and most of it you should be already doing as good practice anyway, regardless of being a hobby or a professional site...
"You" being generic of course.

I think you are looking at this the wrong way.

my forum does not collect and process private data, however, google analytics does the tracking, and they would be responsible to comply with GDPR law; I also do not track IPs and such, and this would be the responsibility of my server to comply with the GDPR law. Forum usernames and public content are not considered private data, and if a user wants to hide their profile, then they certainly have that right. My forum also does not collect and process private data such as credit card info, and therefore any 3rd party processors would have to comply with GDPR as it applies to them.

my forum does not collect and process the type of data that GDPR is talking about.

 

[Amin Sabet]

I think you are looking at this the wrong way.

my forum does not collect and process private data, however, google analytics does the tracking, and they would be responsible to comply with GDPR law; I also do not track IPs and such, and this would be the responsibility of my server to comply with the GDPR law. Forum usernames and public content is not considered private data, and if a user wants to hide their profile, then they certainly have that right. My forum also does not collect and process private data such as credit card info, and therefore any 3rd party processors would have to comply with GDPR if it applies to them.

my forum does not collect and process the type of data that GDPR is talking about.

Your forum doesn't collect IP addresses or email addresses? And no one ever posts anything there that could be used in any way to identify them?

 

[usAdultAds]

Your forum doesn't collect IP addresses or email addresses? And no one ever posts anything there that could be used in any way to identify them?

When you have conferred with an attorney for a good argument, then let me know.

 

[Amin Sabet]

I've no interest in arguing. Best wishes with your forum. If you're interested, there is a good thread about this topic here: https://theadminzone.com/threads/gdpr-what-does-it-mean-for-the-forum-owner.143855/

 

[MySiteGuy]

I think you are looking at this the wrong way.

my forum does not collect and process private data, however, google analytics does the tracking, and they would be responsible to comply with GDPR law; I also do not track IPs and such, and this would be the responsibility of my server to comply with the GDPR law.

Xenforo collects IP addresses and has a tracking function where it uses GEOIP lookups.

 

[trapped_soul]

I think you are looking at this the wrong way.

my forum does not collect and process private data, however, google analytics does the tracking, and they would be responsible to comply with GDPR law; I also do not track IPs and such, and this would be the responsibility of my server to comply with the GDPR law. Forum usernames and public content are not considered private data, and if a user wants to hide their profile, then they certainly have that right. My forum also does not collect and process private data such as credit card info, and therefore any 3rd party processors would have to comply with GDPR as it applies to them.

my forum does not collect and process the type of data that GDPR is talking about.

Do you allow registration? Is your site a XF site?
Do you send email activations and emails regarding anything else?
Do you have cookies? Tracking data/software?
Any of the yes above, then you must be GDPR compliant and you are looking at the wrong way.
By default, XF collects IP addresses and has a session cookie. Those alone are enough to be GDPR compliant.
I really suggest you read up on this some more.

 

[Amin Sabet]

If a moderator would please correct my spelling of "GDPR" in the thread title, that would be great.

 

[usAdultAds]

Do you allow registration? Is your site a XF site?
Do you send email activations and emails regarding anything else?
Do you have cookies? Tracking data/software?
Any of the yes above, then you must be GDPR compliant and you are looking at the wrong way.
By default, XF collects IP addresses and has a session cookie. Those alone are enough to be GDPR compliant.
I really suggest you read up on this some more.

maybe we got off track here, but I think the biggest concern was people asking if they had to delete 100s, 1000s, or 100s of thousands of posts or whatever, and the answer, in my opinion, is NO unless those posts can be identified with private data. For example, a member above had someone come to him saying they wanted everything erased, otherwise he would sue, if it had been me, then I would have asked the person "what is your justification" and if they had said "just because" then I would have said "denied" This is not a blanket law that says you have to erase, and that its, end of story. This law is not absolute, however, if someone came to me, and said their private data was posted, then I could see this as a justification to delete said post(s), nowhere under "limited" right of erasure does it mention anything about IPs, Tracking, cookies, etc...

overall, GDPR law is more vague than helpful, and I feel this law is really meant for "revenge" type sites, so if an EX posts private data, then the other party could easily request that this data be removed which would be justified, and I would have no problem in doing so, and under the erasure portion of the law, I see nothing that says a person has the right to remove Cookies, IPs, etc, and the term "data" is too broad, and if it did so happen to apply, then I could just as easily say that tracking is done for lawful purposes, and I would be justified in doing so.

So if you thought this law was absolute and gives 100% power to individuals in order to remove this or that, then it does not, and from what I can determine, there are no such blank powers that would give 100% right to the party to remove anything without merit and/or justification.

 

[abdfahim]

Just my take on the law, if it really applies to every forum.

I run a forum which offers free community-based support on a specific subject. When the members ask for help, the other members answer the questions based on their own knowledge, experience, and online search. And due to its nature, we do not remove any content from the forum as the content might prove useful to others with similar issues/confusions. (Just want to add, usually, the professionals charge a few thousand $ for professional advise in that field).

While overall we have a positive attitude among the members, there are few cases where members asked to remove all their contents after seeking and getting support from the community. We did not comply, instead rename and delete the user (keeping the contents) as we considered that a selfish and unfair request because:

• The community spent lots of time & efforts in answering the questions which would be garbage without the original question in place
• The answers help a lot of future members who would seek similar help
• We always discourage to publish any private/confidential data (and moderate with our best effort)
• We also accept any reasonable request where a user request to remove a part of his post that can be considered personal/confidential

Hence, if someone takes this advantage to receive community support and then decide to delete all of his posts because his/her purpose is served, it would be utterly unfortunate if I have to comply with such selfish request due to this law.

 

[usAdultAds]

Just my take on the law, if it really applies to every forum.

I run a forum which offers free community-based support on a specific subject. When the members ask for help, the other members answer the questions based on their own knowledge, experience, and online search. And due to its nature, we do not remove any content from the forum as the content might prove useful to others with similar issues/confusions. (Just want to add, usually, the professionals charge a few thousand $ for professional advise in that field).

While overall we have a positive attitude among the members, there are few cases where members asked to remove all their contents after seeking and getting support from the community. We did not comply, instead rename and delete the user (keeping the contents) as we considered that a selfish and unfair request because:

• The community spent lots of time & efforts in answering the questions which would be garbage without the original question in place
• The answers help a lot of future members who would seek similar help
• We always discourage to publish any private/confidential data (and moderate with our best effort)
• We also accept any reasonable request where a user request to remove a part of his post that can be considered personal/confidential

Hence, if someone takes this advantage to receive community support and then decide to delete all of his posts because his/her purpose is served, it would be utterly unfortunate if I have to comply with such selfish request due to this law.

What I have been seeing from one GDPR site to another is nothing more than vague information that rants about privacy and security, and how the data subject has a right to have their data erased, and from that point, it like jumping into a deep dark pit with no other direction.

Is this law meant for you and I? maybe, maybe not, but I read one article that said some companies are expected to spend up to $10 million dollars on becoming GDPR complaint, and on legal fees, as these companies would need GDPR legal consultation, and keep in mind the article that I read was opinion based, and I am not sure where that site got their facts from, and if they are even legit facts at all.

Would I ask XF to add tools so that members could delete all data on request? no, I would not, that alone could be a rush to judgment, since GDPR seems to be geared toward multi-million dollar companies, and I would not delete anyone's data on request without justification, and right now, it seems people are just guessing, and I highly doubt all the GDPR I have been seeing on other sites are not even legal advisors.

If you want to know the facts if GDPR has anything to do with your forum, data, IP, content, privacy, security, etc. The only thing I could possibly recommend is that you contact a GDPR attorney for a consult, and I certainly would not take any advice from non-certified attornies.

 

[limboclub]

I think you are looking at this the wrong way.

my forum does not collect and process private data, however, google analytics does the tracking, and they would be responsible to comply with GDPR law; I also do not track IPs and such, and this would be the responsibility of my server to comply with the GDPR law. Forum usernames and public content are not considered private data, and if a user wants to hide their profile, then they certainly have that right. My forum also does not collect and process private data such as credit card info, and therefore any 3rd party processors would have to comply with GDPR as it applies to them.

my forum does not collect and process the type of data that GDPR is talking about.

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Information Society Service
http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32015L1535
‘service’ means any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.

For the purposes of this definition:

(i)‘at a distance’ means that the service is provided without the parties being simultaneously present;

(ii)‘by electronic means’ means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means;

(iii)‘at the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.

An indicative list of services not covered by this definition is set out in Annex I;


Annex I
Indicative list of services not covered by the second subparagraph of point (b) of Article 1(1)

1. Services not provided ‘at a distance’
Services provided in the physical presence of the provider and the recipient, even if they involve the use of electronic devices:
(a)medical examinations or treatment at a doctor's surgery using electronic equipment where the patient is physically present;

(b)consultation of an electronic catalogue in a shop with the customer on site;

(c)plane ticket reservation at a travel agency in the physical presence of the customer by means of a network of computers;

(d)electronic games made available in a video arcade where the customer is physically present.

2. Services not provided ‘by electronic means’
—
services having material content even though provided via electronic devices:
(a)
automatic cash or ticket dispensing machines (banknotes, rail tickets);
(b)
access to road networks, car parks, etc., charging for use, even if there are electronic devices at the entrance/exit controlling access and/or ensuring correct payment is made,

—
offline services: distribution of CD-ROMs or software on diskettes,

—
services which are not provided via electronic processing/inventory systems:
(a)
voice telephony services;
(b)
telefax/telex services;
(c)
services provided via voice telephony or fax;
(d)
telephone/telefax consultation of a doctor;
(e)
telephone/telefax consultation of a lawyer;
(f)
telephone/telefax direct marketing.

3. Services not supplied ‘at the individual request of a recipient of services’
Services provided by transmitting data without individual demand for simultaneous reception by an unlimited number of individual receivers (point to multipoint transmission):
(a) television broadcasting services (including near-video on-demand services), covered by point (e) of Article 1(1) of Directive 2010/13/EU;

(b) radio broadcasting services;

(c) (televised) teletext.

 

[Claverhouse]

I think you are looking at this the wrong way.

my forum does not collect and process private data, however, google analytics does the tracking, and they would be responsible to comply with GDPR law; I also do not track IPs and such, and this would be the responsibility of my server to comply with the GDPR law. Forum usernames and public content are not considered private data, and if a user wants to hide their profile, then they certainly have that right. My forum also does not collect and process private data such as credit card info, and therefore any 3rd party processors would have to comply with GDPR as it applies to them.

my forum does not collect and process the type of data that GDPR is talking about.

Even filling in a profile is utterly optional...

I'm not that worried, having followed Slavik's Pocket Guide. We don't have advertising, nor Google Analytics --- the only possible loggers are the ones on the server such as Awstats, which are studiously ignored in the interest of having a life ( actually, yesterday to save space I deleted the Analog directory on the server, since, for reasons best known to itself, it was 500MB in size ) --- and from the beginning members were forbidden to put personal information in posts in Terms and Rules.


Plus some crafted language assigning us rights over all contributions...

Administrators can ban any member for any reason, which does not require justification.

You retain authorship and intellectual property rights in your posting, but grant xxxxForum and its successors and assigns a non-exclusive irrevocable right to reuse your posting in any manner it or they see fit without notice or compensation to you --- posts made on this forum are hereby property of this forum.



They can't say they haven't been warned.

 

[Claverhouse]

Just my take on the law, if it really applies to every forum.

I run a forum which offers free community-based support on a specific subject. When the members ask for help, the other members answer the questions based on their own knowledge, experience, and online search. And due to its nature, we do not remove any content from the forum as the content might prove useful to others with similar issues/confusions. (Just want to add, usually, the professionals charge a few thousand $ for professional advise in that field).

While overall we have a positive attitude among the members, there are few cases where members asked to remove all their contents after seeking and getting support from the community. We did not comply, instead rename and delete the user (keeping the contents) as we considered that a selfish and unfair request because:

• The community spent lots of time & efforts in answering the questions which would be garbage without the original question in place
• The answers help a lot of future members who would seek similar help
• We always discourage to publish any private/confidential data (and moderate with our best effort)
• We also accept any reasonable request where a user request to remove a part of his post that can be considered personal/confidential

Hence, if someone takes this advantage to receive community support and then decide to delete all of his posts because his/her purpose is served, it would be utterly unfortunate if I have to comply with such selfish request due to this law.

I applaud your stance, and utterly agree.

 

[RobinHood]

While I get that user generated content is central and pivotal to the long term continued success of many forums due to the creation of evergreen content for search engines to index, for other members and guests to browse, read and obtain value from that site, I do wonder how this policy and stance will hold up over time as GDPR and other privacy laws are actually tried, tested and revised.

While I wouldn't want any data or information/guide heavy forums to die or lose tons of valuable content in a few clicks from users who wish to cleanse their digital footprint on a whim, I do also empathise with those users who wish to move forward with taking better responsibility of data and content they've published to the web.

Most users aren't being paid or reimbursed for the content they provide to a forum. They're getting nothing in exchange for what they post besides access to interact with that community. So it's not like they're exchanging their user generated content in exchange for monetary gain or goods and service. Their content isn't being purchased in order to be published and monetised by the site admin, some users are actually paying out themselves for premium memberships.

I wonder how this attitude would go down if it was one of the major social media players taking this stance. If Facebook said that all the crap you posted there was their own content to be used, hosted and published in perpetuity because of a sentence in the Ts&Cs. Would they continue to get away with it in this climate given everything that's gone on recently? I imagine there would be uproar.

I'm not saying every user on every forum should have the right to complete content deletion. But I think in the long run this issue is going to continue to arise and be very nuanced and it will be interesting to see how it plays out. Perhaps admins will need to start requesting rights to specific posts, or posts in specific forums such as guides and tutorials, so the ownership of the content can be more officially transferred over to the site owner and vetted ahead of time for PII so that when the user wipeout request comes in the valuable content can be salvaged.

Perhaps the admins can flag certain forums as archive/guide forums where content rights are already agreed upon user registration and only posts in off topic chat forums are automatically deleted if a right to erasure request comes in.

I think these kind of tools and features will become more desirable and required after enough users kick up a fuss and after a certain number of lawsuits and tests of the new legislation hit the system. It will be interesting to see what happens.

 

[RobinHood]

PS: Please send me $1 or credit my XF account if you'd like to keep my previous post on this forum forever and retain the rights to it when I eventually send in my request for my account deletion.



/BlackMirrorScriptIdea...sort of

 

[Chris D]

Implemented in XF 2.0.6 and XF 1.5.20. See here for more details:
https://xenforo.com/community/threads/upcoming-changes-for-gdpr-compliance-in-xf1-and-xf2.146888/

These versions will be available as a beta starting from Tuesday 8th May.

 

[Mr Lucky]

Implemented in XF 2.0.6 and XF 1.5.20. See here for more details:
https://xenforo.com/community/threads/upcoming-changes-for-gdpr-compliance-in-xf1-and-xf2.146888/

These versions will be available as a beta starting from Tuesday 8th May.

Many thanks, great write up as well. I have always been a big Erasure fan.

 

[D.O.A.]

Can someone explain to me how a European country can tell a U.S citizen operating within the U.S. to follow European law? What am I missing here?

someone should explain how un-elected bureaucrats in the EUSSR decided they rule the internet now. No wonder England left.

 

[Claverhouse]

They got tired of the government and corps of the USSAR grabbing the world's information and dictating the internet.


Old Obama's telephoning tapping of Angela was the last straw.