Implemented XenForo tools to comply with GDPR - rights to erasure and data portability

[Amin Sabet]

The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018.

As I understand it:

• The GPDR will apply to XenForo sites which have members or visitors who reside in OR are citizens of the EU
• The GPDR will be potentially enforceable with regards to companies both inside and outside of the EU, regardless of server location.
• The penalties for violating the GPDR will be steep

Operational impacts most relevant to XenForo owners are described here: https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-6-rtbf-and-data-portability/

The following are XenForo suggestions which would help us to comply with the GPDR.

1) Tool to allow forum admins to delete all of a user's content (forum posts, profile posts, conversations, attachments, media gallery content).

Ideally this tool should be designed to have minimal impact on other members' content. For example, if the deleted content includes the first post of a thread, the remainder of the thread should somehow be preserved.

2) Tool for forum admins to enable in order to allow users to delete all of their own content (forum posts, profile posts, conversations, attachments, media gallery content).

Ideally this tool should have a time delay during which it can be canceled.

3) Tool for forum admins to export all of a user's content (forum posts, profile posts, conversations, attachments, media gallery content) and provide that exported data for a user to take with them to a different XenForo forum or other compatible network.


Please like this post if you agree with these suggestions.

 

[Mr Lucky]

I have had a chat this afternoon with an ICO representative who has confirmed what I suspected.

If you rename and delete the account, that will be considered acceptable. The only time removal of content will be required is if that content is personal to the person (eg they posted their name and address or a picture of themselves).

So theoretically the safest thing is to get in writing from them if they have posted any personal details such as address, photographs and where those are on the forum. Otherwise you may not know they have done so without trawling through all their posts.

 

[Slavik]

So theoretically the safest thing is to get in writing from them if they have posted any personal details such as address, photographs and where those are on the forum. Otherwise you may not know they have done so without trawling through all their posts.

Pretty much, and even if you missed any as long as you have suitable tools to report anything missed (contact form, report button) then youll be fine as long as its removed within a reasonable period of time.

 

[Håkan Olsson]

1) Tool to allow forum admins to delete...

I like the tool idea!

Despite having no scope insights whatsoever I'd like to add to the tool idea: If such tool is very far away – then a tool could also be as written text instructions that shows how to manually do it on the platform.

BTW: Afaik, one needs to delete any personal data, not only the most obvious like personal information visible in posts. So, personal data in a log file for a person that has canceled the account should be a no-no. (I believe)


Thanks

 

[Mouth]

If you rename and delete the account, that will be considered acceptable. The only time removal of content will be required is if that content is personal to the person (eg they posted their name and address or a picture of themselves).

Correct. That is what all legal narrative is saying about what is defined within the EU as personal information. Removal of identifying aspects (username, ip address, etc.) will be enough to ensure you are not enabling the content to be identified to a particular person. Some legal narrative also suggests that you won't need to remove the username/account, unless same enables the person to be identified from it.

 

[CrispinP]

Some legal narrative also suggests that you won't need to remove the username/account, unless same enables the person to be identified from it.

Deleting their PII is enough to satisfy it. Their content is not PII in general and therefore would be ok.
As a day job I work for a large corner store in Knightsbridge which begins with an H and we're in the process of examining GDPR and how it affects us, our customers and what we do with the data (we're actually pretty good with it all at the moment ). In all the meetings we're having I am keeping one eye on the forums I run for that very reason. I'm EU based (for now ) and it will affect me.

I think the thing which we (all of us EU-based owners) need to be aware of is data breaches. GDPR could come after you with a big stick if your data goes missing.

The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected.

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

More: https://ico.org.uk/for-organisation...orm/overview-of-the-gdpr/breach-notification/

One thing I wonder about is what if I am breached by a bug in the XF software? I can have killer passwords, firewalls etc but a latent bug in the software could floor me.
I guess the answer to that is in the EULA I agreed to (I read it?) when I purchased XF?
I know of one member who has already been hacked so it does happen.

 

[Alpha1]

We are getting more and more notifications from Google that they have removed pages from their index due to a 'right to be forgotten' filing. Its particularly problematic that Google will just remove any page. Even if it doesn't contain any identifying information.
Meanwhile France is now demanding that Google removes such pages globally. Not just for EU results.

I really do not want to see the functionality suggested by the OP implemented or at least not in a way that I have to use it, but I do think xenforo needs configurable functionality to deal with this problem.

 

[Amin Sabet]

Instagram spokesperson:

We are building a new data portability tool. You’ll soon be able to download a copy of what you’ve shared on Instagram, including your photos, videos and messages.

This is in response to GDPR. Those of us using XenForo are going to be at risk unless we have something similar.

 

[trapped_soul]

I just wish we had some sort of response from the XF team. So far there's nothing. I understand they're all busy and all doing things.. but I feel we're just being left to get on with it.

 

[BassMan]

I believe there will be a response, I'm also waiting for their statement.

I doubt they are irresponsible

 

[Andre Daub]

Yes, and d-day is on 25. May and this is only 4 weeks from now.

 

[BassMan]

Well, agree with that...

 

[johnny82]

I would also like specific functions and tools in order to meet the basic GDPR rules, in core, at least on version 2 to wich I would upgrade to, if necessary.
I hope the XF team will give us soon some announcement.

 

[MySiteGuy]

My suggestion:

Use GeoIP lookup on first visit (ie, they have no cookies from the site). If they are in a EU country, pop up a message with terms/info the admin can populate (without setting ANY cookies since the normal cookie message does it after a cookie has been sent!). If they agree proceed normally, set cookies, etc.

Needs this in XF 1.5.x and 2.x.

 

[Anomandaris]

I had my first GDPR "right to erasure" request today and he threatened legal action. So if anyone believes they won't be affected, think again!

 

[trapped_soul]

I had my first GDPR "right to erasure" request today and he threatened legal action. So if anyone believes they won't be affected, think again!

Seriously?
Blimey

 

[Slavik]

I had my first GDPR "right to erasure" request today and he threatened legal action. So if anyone believes they won't be affected, think again!

Most forum owners will only bump into this from members trying to be irritating by using it.

 

[RobinHood]

Honestly, I've hoped for a right to erasure feature myself personally for a long time.

There are a number of forums I'm a member of where I would happily put in a request for complete erasure if it was an option. I know many admins would hate this for all the obvious reasons, but as a member I think it's a good idea.

For a long time I've been of the opinion that forums should be more concerned with upping engagement and making it easier for users to create and post new content, rather than being obsessed with preserving old content.

I won't be putting in these requests or trying to make a fuss anywhere as soon as this legislation passes, but I can understand where many users may be coming from when they read about this and they figure it may be a good time to start cleansing their digital footprint, especially with all the data scandals in the news. I don't think they're trying to be irritating, they're trying to start being more responsible about their online data sharing practices.

 

[Robust]

I had my first GDPR "right to erasure" request today and he threatened legal action. So if anyone believes they won't be affected, think again!

There's a difference between a threat of legal action, and actual legal action.

You're barely affected. GDPR enforcement isn't even in play right now. I believe it's active, but enforcement won't begin until the 25th.

You have to remember that actual violations take place all the time, take copyright/IP violations for example. People don't have the time, money or resources to pursue legal action after everyone that violates their actual rights. Someone upset about you processing their email and IP really isn't going to pursue legal action. At best they'll file a report with their DPA, and such a report is probably going to get ignored unless you process a large amount of information and/or get a large amount of reports.

 

[usAdultAds]

There's a difference between a threat of legal action, and actual legal action.

You're barely affected. GDPR enforcement isn't even in play right now. I believe it's active, but enforcement won't begin until the 25th.

You have to remember that actual violations take place all the time, take copyright/IP violations for example. People don't have the time, money or resources to pursue legal action after everyone that violates their actual rights. Someone upset about you processing their email and IP really isn't going to pursue legal action. At best they'll file a report with their DPA, and such a report is probably going to get ignored unless you process a large amount of information and/or get a large amount of reports.

I would like to know how forums got dragged into this GDPR debate? Can someone specificity provide a link that GDPR has anything to do with forums? As it stands, this GDPR law is governing laws concerning companies that collect and process data, even though I think we are heading into the digital age where more and more people are wanting their data deleted, however someone has managed to twist GDPR as an attack on forums, so unless you are an entity such as a data controller ie: Cambridge Analytica, then I do not see how this law would remotely apply to forums.

I also see a lot of this fear mongering when it comes to SEO vs google. Someone reads something about SEO on an SEO forum that has never done SEO in their life, and then they take it as gospel and spread it all the around the internet as truth, and before you know it, webmasters are paralyzed in fear because they think if they do any SEO on their site, then Google will ban them in time forever, and forever.

Google, Facebook, and big companies that collect, and process private data such as names, address, credit cards, etc would have to comply with GDPR laws, however, if your forum sends customers to 3rd party providers, then that 3rd party provider would have to comply with GDPR, and overall has nothing to do with forums, usernames, content on forum, none of this would be considered private data as it is public anyways.

I am not an attorney, this is just how I see it.

 

[trapped_soul]

I would like to know how forums got dragged into this GDPR debate? Can someone specificity provide a link that GDPR has anything to do with forums? As it stands, this GDPR law is governing laws concerning companies that collect and process data, even though I think we are heading into the digital age where more and more people are wanting their data deleted, however someone has managed to twist GDPR as an attack on forums, so unless you are an entity such as a data controller ie: Cambridge Analytica, then I do not see how this law would remotely apply to forums.

I also see a lot of this fear mongering when it comes to SEO vs google. Someone reads something about SEO on an SEO forum that has never done SEO in their life, and then they take it as gospel and spread it all the around the internet as truth, and before you know it, webmasters are paralyzed in fear because they think if they do any SEO on their site, then Google will ban them in time forever, and forever.

Irrespective of being a forum or not, it's an Internet site serving people and handling sensitive data.
If you serve people within the EU or are within the EU yourself then you're governed by the GDPR just as you would be with the DPA.
You're still a data controller if running an active site with memberships/emails and so forth. You effectively have people's personally identifiable information; emails addresses, IP's, location so on so forth. This means you then are a controller.

I wouldn't say fear mongering... more that some people are getting confused and getting nervous about the do's and dont's. Most of it to be truthful, is common sense and most of it you should be already doing as good practice anyway, regardless of being a hobby or a professional site...
"You" being generic of course.