Implemented XenForo tools to comply with GDPR - rights to erasure and data portability

Amin Sabet

The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018.

As I understand it:
  • The GDPR will apply to XenForo sites which have members or visitors who reside in OR are citizens of the EU
  • The GDPR will be potentially enforceable with regards to companies both inside and outside of the EU, regardless of server location.
  • The penalties for violating the GDPR will be steep

Operational impacts most relevant to XenForo owners are described here: https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-6-rtbf-and-data-portability/

The following are XenForo suggestions which would help us to comply with the GDPR.

1) Tool to allow forum admins to delete all of a user's content (forum posts, profile posts, conversations, attachments, media gallery content).

Ideally this tool should be designed to have minimal impact on other members' content. For example, if the deleted content includes the first post of a thread, the remainder of the thread should somehow be preserved.

2) Tool for forum admins to enable in order to allow users to delete all of their own content (forum posts, profile posts, conversations, attachments, media gallery content).


Ideally this tool should have a time delay during which it can be canceled.

3) Tool for forum admins to export all of a user's content (forum posts, profile posts, conversations, attachments, media gallery content) and provide that exported data for a user to take with them to a different XenForo forum or other compatible network.


Please like this post if you agree with these suggestions.
 
This suggestion has been implemented. Votes are no longer accepted.
Sigh, this will dramatically ruin the forums. Most communities I know where they delete your account, your content remains and the name is there, but it's a guest post.

Having things out of context, suddenly missing 100,000 posts contributions for example. Or having people dynamically "quote" you, vs using the proper quote button. Not to mention all the posts where the quotes will show as redacted or something.

Does this mean if you have made content prior to this ruling that you don't have to delete it, only going forward? Or will a community where we had over 100,000 posts of which 50,000 made by someone in 2002 and 2003, will mean the site might as well be shut down if they request to have their content removed?

Maybe it's time to make a "fake" company offshore somewhere and make that imaginary person the 'owner' of the website and push away legal responsibilities to mr idgaf
 
Sigh, this will dramatically ruin the forums. Most communities I know where they delete your account, your content remains and the name is there, but it's a guest post.

I don't think it's so bad as that. In a decade of running forums, I've received very few requests to delete all content. In the larger scheme of things, it makes little difference if I do that as requested. YMMV, just my perspective. If you have a person requesting 100,000 posts deleted, that probably means your site has many millions of posts.

Does this mean if you have made content prior to this ruling that you don't have to delete it, only going forward?

I'm not a lawyer, but I think it means both. I don't think we have to delete quotes as that would be someone else's content. Again, I'm no lawyer, so your guess is as good as mine.

will mean the site might as well be shut down if they request to have their content removed?

I don't think they can shut down your site, but the fines are supposedly 20 million EUR or 4% of annual revenue, whichever is greater. That would certainly shut down my sites.

Maybe it's time to make a "fake" company offshore somewhere and make that imaginary person the 'owner' of the website and push away legal responsibilities to mr idgaf

I am thinking that I will probably have to bar EU visitors and members from my sites unless someone comes up with a simple solution to this by May of 2018.
 
I disagree with barring EU visitors, it will be like the age thing "are you over 18? YEAH SURE" It's unrealistic.

I wonder what the law is when you put in your rules: Whichever personal or not personal information you contribute to this site through any means of direct or indirect input becomes 100% property of this website, you void your right to whatever law you desire to wish to enforce to get your contributed and no longer owned data removed from our site, be it log files, posts, conversations, actions, images, or whatever might be possible. You are perfectly fine with losing the right to remove any of it and handing it over to the site owner who's free to do with it as he or she seems suitable, be it editing, reproducing, deleting, archiving, or selling, renaming, or copyrighting. You are merely here as a product to a commercial enterprise to generate revenue and not welcome on this community as an individual of adult age. Browsing the site you silently agree to this, to disagree, browse away. To sign away your rights and to agree to this website, please register which is your digital and legally binding signature. [click here, adult you].
 
So would it be illegal to ask members to waive any rights they might have under that new ruling? And would such a waiver be legal?
 
I'm not a lawyer, but I think it means both. I don't think we have to delete quotes as that would be someone else's content. Again, I'm no lawyer, so your guess is as good as mine.
In Germany the admin owns the posts (text, not pictures) his users write. I doubt that will be much different in other parts of Europe. Only exceptions are posts which are not simply part of a conversation etc. but could possibly be copyrighted (like when you share a script / a poem / lyrics or sheet music to a song you wrote...).

Though, if you have an introductions section on your forum, like many forums have, deleting his topic there, if he has one, can't be wrong, because it probably contains personal information as well.
 
While I apologize for going offtopic a bit in my posts, I think part of the problem is that I am Dutch, I barely understand Dutch law, let alone German law, and Italian law, and Russian law, and USA laws, all I see after reading this: You are the owner of the site: this will cost you money, we want your money.

Yes, I hope XenForo has better tools in 1.x and 2.x to support the laws that cost us money, rather than not having the tools and costing me even more money.

My point is a little bit that it's unrealistic to understand international laws on the Internet and the rights of each user. I am Dutch, they are maybe not, my domain is purchased in a US country, might be hosted in Germany, content might cross the border into Russia. blah blah.

It's the Internet, it's unrealistic to figure all this stuff out to be honest.
 
So would it be illegal to ask members to waive any rights they might have under that new ruling? And would such a waiver be legal?
I don't see the difference between THAT, and someone saying: When you buy this product, you can't participate or start a class action suit against us or come after us for damages. Why do I lose those rights, but not others?
 
I'm afraid if this passes, this will severely erode the quality of forum content over time as bits and pieces are removed over years making once meaningful threads no longer make sense, or worse, missing pieces so the advice becomes dangerous in the most extreme cases.

For example:
User-A asks "can I attach this chain this way"
User-B replies "you put it over sprocket 1, 3, and 9 and that's all you need to do"
User-C replies "you MUST disengage sprocket 7 first before attaching that or you could hurt yourself bad"
User-D replies "Agreed"
User-E replies "That's correct - you must do that first."

Now if User-C requests all their actual replies removed 10 years after the fact, removing the actual content across the board now makes User-D and User-E comments out of context and changes their meaning so they now become potentially dangerous advice with the piece immediately preceding them which they replied to removed long after the fact.

I suppose the chance of creating an issue as extreme as this would be fairly rare, but if an action exists to remove hundreds or thousands of posts with a click, the risk increases.
 
I'm pretty sure unless you are a registered DPA controller this is largely irrelevant.

I am pretty sure this is not the case. 99% of forums will probably ignore everything and be fine because there are much bigger fish in the sea, and there is safety in numbers. But that doesn't mean that they are truly safe, only that they will probably be okay taking their chances.
 
I almost went back and edited the word "passed" :)

What I mean, is if it is interpreted against forums that forum threads are in fact classified as personal data under this.

To date, I've expected that personal data includes items such as email addresses, phone numbers, and that type of personal data, but not content that is posted as part of an overall public-accessible forum thread, and not private or personal from the beginning. I would think better tools to censor personal information would be useful, so someone could request their username be anonymized in both username and quotes, and their legal name, phone number, and email address be censored (currently the censor list is only in the order it's added without any organization and I'm not sure if censoring names with spaces is an issue, so I could definitely see this being improved, but that's another far less impacting suggestion.)

It will be interesting to see how far reaching this is.

For example, my county video records all meetings including both the decision making process and a public comment period before decisions are made. I wonder if under this law, someone could require that their comments be removed from any such video archives dicing up the county process recording the same way a forum thread would be diced up with bits and pieces removed?

I wonder if Wikipedia would have to revert any edits a person has made even if they were made years ago and became part of later content/context?

How about any radio show or TV show that allows any audience interaction/questions/call-in/camera time or contestants, etc -- would they have to remove any such material from archive or any future rebroadcast?

In the oldest sense, when someone writes a letter to the editor to be published in a newspaper "Dear Editor, the land swap our town is considering shouldn't be done because ... " would the paper/magazine have to remove any such at a later date if requested? Society has always had this type of material archived at libraries and microfiche, even if it's more accessible now with internet archives so you don't have to drive to a library.

It seems difficult to believe that this law would change everything and require that posts made to a forum with no expectation of any privacy (and actually, exactly the opposite) would have to be removed on request at a later date as this would seem to create not only a Swiss-cheese effect to our information knowledgebase but also create an impossible difficulty in maintaining any quality of the information archive as years pass.

If this law is interpreted in this shocking way, I wonder if posts could be transcoded or translated in some way by XenForo to create a new work that summarizes the original post but strips out any personal aspect and retains at least the basic question. This would be a tall order, but might be essential to retaining the overall quality of forum data as otherwise if x-posts are removed from the context every year for 15 years, at the end with simple removal a forum would be left with a lot of gibberish threads with too much context removed to make sense.

(sorry for going on so long in your suggestion thread)
 
I am pretty sure this is not the case. 99% of forums will probably ignore everything and be fine because there are much bigger fish in the sea, and there is safety in numbers. But that doesn't mean that they are truly safe, only that they will probably be okay taking their chances.

Have just had some time to read into this. Now I ain't no lawyer, but...

Nearly all forums fall under the Section 36 exemption, and likewise would be considered exempt under the new rules.

Likewise the right to erasure does not provide an absolute ‘right to be forgotten’ or the ‘right to have all their content removed’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances.

Content they have posted publicly would be exempt from this unless that content included personal data (eg, their name, address and email).

Put simply, if a user came to you and asked to have their data erased under the new rules, simply renaming then deleting the user's account (but retaining all content) would be sufficient, the only time frontend data would need to be removed would be if it contained personal data or photos of that person etc that could be used to identify them.
 
Content they have posted publicly would be exempt from this unless that content included personal data (eg, their name, address and email).

I'm being told by a number of folks that personal data applies to a lot of stuff besides what you've indicated here and that normal forum content often falls under what the GDPR considers personal data. Anything that can be linked to or used to identify a person is personal data. Links they post to their other sites, comments about where they have been, stories about their uncle Barry, etc.

Now I ain't no lawyer, but...

Nearly all forums fall under the Section 36 exemption, and likewise would be considered exempt under the new rules.

I would love if that were the case. So far the lawyers I have asked say it ain't so. Section 36 exemption that you refer to is from the 1998 Data Protection Act which is superseded by the GDPR. The equivalent part of the GDPR states:

This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

That does not exempt most of us.

Put simply, if a user came to you and asked to have their data erased under the new rules, simply renaming then deleting the user's account (but retaining all content) would be sufficient, the only time frontend data would need to be removed would be if it contained personal data or photos of that person etc that could be used to identify them.

Again, I'm pretty sure this is not correct as much as I wish it were.
 
You need to look up the laws for 'public domain'. Not familiar with EU laws but in the U.S. we have a law called public domain. Not a lawyer either but can guarantee this doesn't affect barely anyone outside of a small jurisdiction in the EU. I also don't believe it's worth changing the entire software over either.
 