Implemented XenForo tools to comply with GDPR - rights to erasure and data portability

Amin Sabet

Well-known member
The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018.

As I understand it:
  • The GPDR will apply to XenForo sites which have members or visitors who reside in OR are citizens of the EU
  • The GPDR will be potentially enforceable with regards to companies both inside and outside of the EU, regardless of server location.
  • The penalties for violating the GPDR will be steep

Operational impacts most relevant to XenForo owners are described here: https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-6-rtbf-and-data-portability/

The following are XenForo suggestions which would help us to comply with the GPDR.

1) Tool to allow forum admins to delete all of a user's content (forum posts, profile posts, conversations, attachments, media gallery content).

Ideally this tool should be designed to have minimal impact on other members' content. For example, if the deleted content includes the first post of a thread, the remainder of the thread should somehow be preserved.

2) Tool for forum admins to enable in order to allow users to delete all of their own content (forum posts, profile posts, conversations, attachments, media gallery content).


Ideally this tool should have a time delay during which it can be canceled.

3) Tool for forum admins to export all of a user's content (forum posts, profile posts, conversations, attachments, media gallery content) and provide that exported data for a user to take with them to a different XenForo forum or other compatible network.


Please like this post if you agree with these suggestions.
 
Last edited:
Upvote 24
This suggestion has been implemented. Votes are no longer accepted.
Not a lawyer either but can guarantee this doesn't affect barely anyone outside of a small jurisdiction in the EU.

I am in the US too, and this is definitely (100% certain) not right.

For some reason the reaction from several here seems to be to assume that they can't do this to us or that it doesn't apply to most of us.

Do some research. They can do this, US companies are spending big bucks to get prepared, and it applies to many of us (virtually all of us who are making money from our forums).

What is likely true is that most of us are too small to attract attention. But I'd like to have the tools necessary to not have to rely on luck to avoid trouble.

This is a good brief article to get started on learning about the GPDR: http://www.computerweekly.com/news/450296306/10-key-facts-businesses-need-to-note-about-the-GDPR

Some quotes worth noting:

"This means that any company that works with information relating to EU citizens will have to comply with the requirements of the GDPR, making it the first global data protection law."

"The GDPR considers any data that can be used to identify an individual as personal data. It includes, for the first time, things such as genetic, mental, cultural, economic or social information."

"The GDPR does away with the criterion of number of employees and focuses instead on what organisations do with personal information."

That is just the tip of the iceberg.
 
Last edited:
Since when is anonymous forum content personal data? it isn't.
We are publishers. Our members are the writers of articles. There is no personal data, except contact details and possibly account content.
 
Since when is anonymous forum content personal data? it isn't.
We are publishers. Our members are the writers of articles. There is no personal data, except contact details and possibly account content.

That may be your definition of personal data, but it isn't the GPDRs. Nor does it recognize the distinction you are drawing between writers and publishers. It speaks of data controllers and data processors, both of which are held responsible. All of us forum owners fall into one or both of those categories.

If the data includes anything which can be used to identify a person, whether alone or in combination with other data, then the GPDR makes us responsible.

Most of us have servers (not to mention CDNs, etc) which receive, store, or transmit a lot of data in that category: cookies, IP address, email address, RFID info, date of birth info, gender, and that is without even getting to the post content where members may write additional information that when combined with other data can help to identify them.

There are many ways in which we are on the hook for that information. This isn't just about deleting accounts when members ask for that. For example, we are required to monitor for breaches, and if they occur, we are required to report it in a timely manner to a supervising authority.
 
The ICO have put some prudent reading up:

https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/introduction/

If you have spoken to lawyers telling you otherwise, then by all means heed their advice, however I am quite confident I will be meeting the requirements by a rename and delete if asked.

It is worth remembering, the DPA and the GDPR are really there / implemented as a way to stop peoples data being flung around without thought between companies, handled inappropriately or insecurely or sold to advertising agencies. It's not going to give people the mechanism to destroy online content at a whim.

There was something a couple of years back (maybe ICO related then also, or a court ruling) that loads of people got into a flap about also because of the possible catastrophic consequences for online forums, but, as it turns out, nope, life went on as normal.
 
Last edited:
The GPDR will be potentially enforceable with regards to companies both inside and outside of the EU, regardless of server location.

Can someone explain to me how a European country can tell a U.S citizen operating within the U.S. to follow European law? What am I missing here?
 
Can someone explain to me how a European country can tell a U.S citizen operating within the U.S. to follow European law? What am I missing here?

Hopefully someone will chime in that knows more. My understanding is as follows:

-US and EU had an agreement called Safe Harbor. This was subsequently thrown out by EU for being not protective enough.

-US and EU reached an agreement called Privacy Shield. This provides more protection for EU citizen/resident data protection in the US but many in EU feel that it doesn't go far enough. Others in US think it goes to far.

-EU passed GPDR, which US adoption of Privacy Shield ? puts us on the hook for.

Jist of it seems to be that the US government is agreeing to the enforcement of these EU policies in the US since such agreements are necessary for EU to allow transmission of data to our companies.

I may not have the details right, but every legal article I can find about GPDR says that US companies will have to comply if they handle personal data from EU citizens/residents.
 
If the data includes anything which can be used to identify a person, whether alone or in combination with other data, then the GPDR makes us responsible.

About 8 years ago a member asked me to remove all his posts. The reason was that he had been the victim of credit card fraud, and Amercan Express were actually refusing to pay the compensation he presumed he should get, citing as a reason that he had divulged personal information online which could help the fraudsters to have stolen his identity and/or compromised his security.

I have no idea if this was actually true, but he had been a very useful, active and fun member. He had used use his real name (but first name only which was a very common name, e.g. Dave) and the town he lived in. I also think maybe there was a photograph of his house. His hobby would have also been obvious due to the forum niche.

He had probably posted about his cousin's dog or his mother-in-laws piles so perhaps someone could have collected all that and used it. This was on some old forum script and I don't think I was able to bulk delete his posts, but I advised that he could edit them manually, and that is exactly what he did - spent the night editing over 1000 posts and left them all empty.

It was a real shame and does make me feel a forum could easily lose a lot of its "soul" when people can do that.

I can't see why, in hindsight, he would not have been happy with deleting just those more personal bits of info, and username change, which I'm sure would have anonymised anything in his posts.


 
A forum where users can delete all of their posts will be like watching a debate video with one person cut out of the video.
We get deletion requests every day of the year, simply because members have no need for their anonymous posts to be online.
If there will be a mass content delete function for all forum users then that could well be the end of European forums, because it would lead to mass data destruction. In such case, I'd simply move my sites outside of the EU.

I think that it should be enough to allow members to change their account name and clear out any personal information or personal content. But keep community content. i.e. posts.

There is another aspect to this: a fairly large share of users asking for deletion of their data are abusive members, spammers, etc. Because they want to create new accounts for further abuse.

How can you delete identifying data, while we are obligated under penalty of €50 million to have effective moderation of abuse, hate speech and fake news? You can't.
In effect the law prohibits us from deleting data that we need to combat abuse.
 
We get at least 2-3 requests a day to delete accounts. Mostly from new members with little content but we do get a few every now in then that would cause serious issues due to the amount of content they created.

It is honestly aggravating that governments are allowing people who have no common sense to subject us and others to fixing their screw ups. Don't be a moron and post idiotic crap on a public forum if you don't want it public.
 
It is honestly aggravating that governments are allowing people who have no common sense to subject us and others to fixing their screw ups.

It's also aggravating that the laws they are devising are so broad and have penalties that don't make sense. Up to 4% of yearly revenue or 20M EUR, whichever is greater, makes sense for Facebook or Google, but it is insane to make that the possible penalty while at the same time specifically saying that no company, however small or however few employees, is exempt.
 
We get deletion requests every day of the year
We get at least 2-3 requests a day to delete accounts

You guys must have massive sites. I recently became owner of a forum which has existed for 13 years, has ~4M posts, and has always been closed off to search and mostly closed off to guest viewing. The first decision I made was it up to search and open it up to guest viewing. Quite a few members didn't like the changes. I notified the entire membership that because I understood that these changes were unsettling to many members who expected a higher degree of privacy, that I would delete the entire content of anyone who wanted that as a result of the TOS change. Only one member asked me to do it, and he had 11 posts.

My second largest site has about 8 years and 1M posts. In the history of that site, maybe 4 or 5 members have asked me to delete all their content. One of them had a lot of posts. To me, not such a big deal. To me, older threads are less important than newer ones anyway.
 
You guys must have massive sites. I recently became owner of a forum which has existed for 13 years, has ~4M posts, and has always been closed off to search and mostly closed off to guest viewing. The first decision I made was it up to search and open it up to guest viewing. Quite a few members didn't like the changes. I notified the entire membership that because I understood that these changes were unsettling to many members who expected a higher degree of privacy, that I would delete the entire content of anyone who wanted that as a result of the TOS change. Only one member asked me to do it, and he had 11 posts.

My second largest site has about 8 years and 1M posts. In the history of that site, maybe 4 or 5 members have asked me to delete all their content. One of them had a lot of posts. To me, not such a big deal. To me, older threads are less important than newer ones anyway.

We do 30-40 new registrations a day that are legitimate. Others we reject that were either VPN users or from countries we auto moderate. We also have a high volume site that is subject to a lot of debate topics and touchy subjects so it's not hard for people to be offended by something and request to have their account deleted.
 
We get about 4000 successful registrations per month. We also deny a lot of registrations. We have a warning up not to use their real name. They can change their name if needed and delete their albums and clear out their profile. It would be nice to have a button for this.

But the problem of course is that we also get members every day who throw their toys out of the prawn, rage quit and want to delete their content but after cooling down they want everything back...
 
Even if we US-based folks somehow escape this (which is at best a big, wishful "if" at the moment), I would think XenForo would want to give their EU customers the tools they need to comply with the GPDR.

Doing so would also be a XenForo selling point since many forum softwares are likely to fail to provide such tools.
 
I would think XenForo would want to give their EU customers the tools they need to comply with the GPDR.
First it needs to be clear what exactly those tools need to be.

And then there also is the example of the EU cookie law. I never had any cookie warning on my sites and most likely I will never have any. The EU cookie law is dying because it was a stupid idea conceived by people who haven't got a clue what they were doing. Now the EU cookie law has been mostly reversed on national levels.

But there may be an upside to all this: can we have our private data removed from the revenue agency's servers? :D :D
 
Yeah and as a EU person we totally don't crack a chuckle when we see you vote ..

This thread is about what's actually law right now and how XenForo is possibly going to have additional support in case we get those "right to blah blah" requests that we have to (if we do) oblige to.

Presumably, this stuff is based on 'good faith' attempts to accommodate user request. I could see how some users online handle become ubiquitous with their persona. In that case, simply change their personal details and username should be a good faith accommodation.

Personally, I think vague language open to interpretation is the best thing. You could always say you did your best to meet the request. The last thing you want is to have a bureaucrat rigidly define parameters.
 
I have had a chat this afternoon with an ICO representative who has confirmed what I suspected.

If you rename and delete the account, that will be considered acceptable. The only time removal of content will be required is if that content is personal to the person (eg they posted their name and address or a picture of themselves).

* I will just put a disclaimer that this is simply relaying the information I was told and doesn't constitute a legal opinion etc *
 
Last edited:
Top Bottom