Add Account Deletion

That’s half-way correct. GDPR allows that time BUT only under extreme circumstances e.g. when you’re Facebook. Under all other circumstances the deletion process must be completed ASAP. The GDPR is not forgiving in that sense and it must be interpreted in the most extent. The safety, morale and legal rights of the user are the main thought of this regulation.

It was never the idea of the Software Industry in the first place, and yet as developer and hacker I love those buttons. People will always opt for it, and it is a human and legal right providing it. But we can debate about the action behind the button click.

The best defense against account hijacking attacks is educating the users! Not limiting actions that should be limited anyways (per rate-limiting) for the sake of the general app security of the site.

So we are not allowed to leave when we want so? Despite admins should have common sense and a feeling for that, I have a personal right to leave when I want to leave with or without telling anyone. The same you can’t just lock me in your room because you want to know why I am leaving.

For info on that:

3 Likes

Alright! And what about the PII in the posts?

I’d like to highlight the following aspect of Art. 7 GDPR (https://gdpr-info.eu/art-7-gdpr/):

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

If the registration is easy, the deletion (consent withdrawal) must be easy as well.

If the user steps back from a statement it is not part of this exception anymore. So legally this would be a very weird gray area that is extremely contradicting to the fundamental principles of the GDPR.

The idea of the ECHR, and thus GDPR freedom of expression and information inclusion is simply that you could strike every e.g. media or private blog owner if they put up PII regarding to a valid case that suits the public interest. I do not see that this would apply to forums.

Please consider Art. 85 regarding it. Article 85 GDPR - GDPRhub

So per case basis would be applied here, like when a user posts a statistical overview, such things could be kept but not the rest e.g. when a user posts a picture of themself.

I’ve also read in one post that was linked here:

You can restore a backup made before the destructive action [the account deletion]

So because the “deletion” (anonymizing) is reversible this is technically not legal.

The GDPR must be interpreted in most extreme ways.

It has nothing to do with content deletion per se.

And that is not even remotely true. It is illegal to save backups until the world comes to its end. But it is legal to have backups for a reasonable time. But sure, if a backup is restored then deletions must be done again.

1 Like

nothing to do with content deletion per se

Kinda depends! One could certainly argue that a user has all rights of the work they have posted. Therefore everything “belongs” to the user, and is thus indirectly connected to the identity, and therefore all the posts / information connected to it. I agree that this would be extreme.

The key point about deleting the account is that all connected PII or at least all links to the PII are safely deleted. The content can be kept it is totally open information and not leading to the user('s identity).

But sure, if a backup is restored then deletions must be done again.

I agree! Like you say, you would have to do the deletions again, but the fact that you can restore the deleted users information is the key issue, although you have a right to do backups for maintaining the service and security. I do not believe anyone would sue for that or any prosecutor letting the legal proceedings continue. However, we have to bring law and technical aspects together if it comes to privacy.

Kinda not. Those are two totally different things.

GDPR limits why, how, when and how long a service can identify users.

Copyright and ownership of publishing are a totally different story and have nothing to do with data protection and GDPR.

Any post in this topic is not such creative content that could be protected by copyright somewhere in the world. But Meta has content that is protected, as blogs etc.

And then we step in the world of agreements and terms, and how content is licensed.

1 Like

flag your post and ask for deletion

But that’s contradicting the principles of the GDPR :eyes: The idea is that I can easily remove my posts, account etc. Everything that is connected to my PII or identity.

When the first post of a topic is deleted, the whole topic is deleted

That’s a special case where you could keep the post itself but replace the content with “user deleted this post”. Then the thread’s structure would remain.

Would you like it if someone would just delete this topic including the whole discussion?

I’m split regarding this. On one hand the user has a right to do so. The privacy and liberty is above my interest to discuss, and sometimes even above the public interest. On the other hand I love to discuss, and if everything just vanishes I would be annoyed as well.

These laws, as you point out, are open to interpretation.

Laws are always open for interpretation but we have to go by the interpretation of the courts, academics, and what the regulation says about itself. The ideology behind GDPR is pretty clear and leaves less space for interpretations.

Sorry, I think you misunderstood me. I pointed out that a combination of the mentioned laws leading to the same effect, and thus establishes a responsibility under GDPR. Of course copyright (or similar), PII, and the GDPR are fully different things. Yet they still can be combined to establish a cause.

Any post in this topic is not such creative content that could be protected by copyright somewhere in the world.

I think you might confuse copyright and ownership. Especially under German jurisdiction you have for everything you create a special ownership right, which you can enforce globally.

we step in the world of agreements and terms, and how content is licensed.

Even there you can’t just strip a user of their ownership, and the biggest issue is still the PII connected to a post, depending on the content and nature of course.

The word order of your statement is wrong :wink: and it makes a huge difference.

Everything that is your PII, or is connected to your identity.

2 Likes

Last time I personally reviewed this, Discourse does not primarily rely on consent based processing, it’s primarily legitimate interest.

In particular, there is a significant legitimate interest in preserving the content of conversations you have had with others for the sake of the other participants, and this justifies not having instant deletion for all posts of an account.

6 Likes

Disclaimer: I might overlook some aspects from the Discourse perspective.

significant legitimate interest in preserving the content of conversations

Practically, I do not see any valid interest that “outweighs” the user’s interest in having a clear record if the person wishes so. We would need to put up a balancing test between the constitutional, platform interests and the user’s privacy rights.

This EU document discusses the legitimate interest within GDPR as well (p. 4):

Article 7 [Art 6?] requires that personal data shall only be processed if at least one of six legal grounds
listed in that Article apply. In particular, personal data shall only be processed (a) based on
the data subject’s unambiguous consent; or if - briefly put - processing is necessary for:
(b) performance of a contract with the data subject;
(c) compliance with a legal obligation imposed on the controller;
(d) protection of the vital interests of the data subject;
(e) performance of a task carried out in the public interest; or
(f) legitimate interests pursued by the controller, subject to an additional balancing test against
the data subject’s rights and interests

I assume they discuss Article 6 GDPR, especially Paragraph 1 (might be that six and seven got swapped over time)

Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

So let’s do some balancing test together. We have the fundamental (privacy) right of the user, it can only be restricted for very special and good reasons or the users’ consent. Then we have the discourse interest to keep the conversations. So practically thinking, if a user posted a picture of them and “deleted” (here pseudo anonymized) their account, they would have no possibility to entirely remove e.g. multiple posted (personal) pictures. Another aspect is very likely that other platforms do not keep conversation data and for most conversations there is no reason to keep old conversations. If there is another method involved to successfully remove private information from the posts and so on, that is automated, I think you can put a balancing test in your favor but from that perspective the user’s interest outweighs the platform’s interest.

“Artistic expression or journalistic expression” (p. 11) does not apply to solely random content on platforms. The authors would need to be (hobby) artists or (hobby) journalists, and it would only apply to individual (journalistic, artistic) posts, where the criteria apply. Same as with public interest (e.g. national security) and freedom of expression (e.g. political or controversial opinion-based posts).

We should also take a look at this (p. 11):

legitimate interests ground, along with the other grounds apart from consent, requires a ‘necessity’ test. This strictly limits the context in which they each can apply. […]

With the best intentions, I cannot see a single point that goes into the necessary direction, and just saying the deletion of old posts from an account that is being deleted would rip conversations apart (that were barely touched over the years) is probably no valid ground for this. It can be argued that users can just skip deleted posts or do not see them at all, and mostly other users indirectly give away the previous posts content, including quotes.

Even more important is the deletion request by the user, that definitively uses the right to object, and removes not only the consent but in most cases even the legitimate interest.

Last but not least, this is the most significant aspect (p. 17):

As the processing of the user’s data is ultimately at his/her discretion, the emphasis is on the validity and the scope of the data subject’s consent.

More generally, currently the user is stripped of the deletion rights in the GDPR that must like previously quoted provide an easy (full) deletion method like you can register easily. Furthermore with the deletion the consent vanishes, and as we could not establish a legitimate interest (yet?), it would be an illegal data processing (no legitimate interest, no consent)

But what Stephen said:

Freedom of expression is more broad. Reiterating what I said before:

GDPR article 17.3

Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

  • for exercising the right of freedom of expression and information;

Recital 65 #5

However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information

(which implies that the retention of personal data is lawful, even when the data subject has withdrawn his or her consent)

and this can be used for forum owners to retain the actual forum posts.

(source: Dutch internet lawyer Arnoud Engelfriet, see article in Dutch)

3 Likes

Oh, I see you tried to rebuild my statement. I read it multiple times, I thought a bit further about your statement, and came to the conclusion that your statement does not cover special cases where PII is identical to your identity and vice versa OR cases where information connected to both needing protection as well. While it sounds contradicting at first, it is certainly possible.

Those cases are covered by my short statement. I tried to include the understanding and intentions of laws like the GDPR and the Privacy Act. While I understand it might look like a wrong choice of words at first, it is clearly more representing of the facts, thus I am politely disagreeing with your assessment. I might still be wrong^^

I’m going to add the first lines of recital 65, emphasis mine.

In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected

So let’s see:

  • I become a member of a forum
  • I make posts with the purpose of participating to the discussion
  • I want to have my personal data erased

Is the statement “the personal data are no longer necessary in relation to the purposes for which they are collected” true?

→ No, the personal data that I submitted to the forum as part of my posts are still necessary for the purpose of participating to the discussion.

Do I have the right to have my personal data erased?

→ No, because it is still necessary for the purpose of participating to the discussion.

You cannot change the ground for processing as soon as you don’t want to play along anymore.

This recital is there for a reason. It is there to clarify this exact case.

First of all, “the right of freedom of expression and information” in Art 17(3a) is only exercised by a user.

Art 17(3) GDPR only says:

“[…] not apply to the extent that processing is necessary”

It indicates we need a necessity test, combined with a balancing test. Also defined in Art. 6 GDPR, which also applies independently.

It means if the processing is necessary, it can be done. Like shown above, it is not necessary.

retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information

Only applies to server-side, non-public logs that would be a legitimate interest as per keeping security (logs) and if the user wants to keep a post of opinion or artful or journalistic expression on his own intention, which is not given, when the consent is objected / revoked.

this can be used for forum owners to retain the actual forum posts

The intentions of the law and the interpretation by the EU lawyers themselves contradict that idea. There is no indication that this can be used. Yet alone the Dutch lawyer comments under the article that a journalistic expression would be when user posts a few random posts, without looking at the content, whether it is journalistic/artful or not. For example, 1000 posts of emojis are not journalistic and no opinion by law.

The user can request to get his name removed, there is no necessity to keep their name on the post. That would be a too wide legal loophole, that could be abused by everyone. Therefore it is unlikely that this is actually the correct interpretation.

And in that context user’s data means what :smirk: A hint: it is not the same as how devs and coders understand the term data.

GDPR has not been, and never will be, a replacement for everything that defines what is i.e. copyrights. Right to get copy of all person’s posts, photos etc. aren’t for copyright reasons, but attempt (IMO lousy way) to make speed bumps for de facto monopolies.

That text isn’t protected. My email is. And both are pieces of different data.

I like the way you have quoted it, but you overlooked a fundamental aspect, which I would like to add:

However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.

Just continuing the conversation with the posts, which are not necessary as previously shown, is not part of any of those legitimate interests, and the paragraph does indicate that the scope is not that wide.

In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right [… even when being…] no longer a child

So

The purpose of participating to the discussion

Is neither public interest, nor freedom of expression, nor official authority, public health, scientific or for archiving purposes. No exercise or defense of legal claims involved either.

Here it is more precisely written

  1. Statutory and government purposes
  2. Administration of justice and parliamentary purposes
  3. Equality of opportunity or treatment
  4. Racial and ethnic diversity at senior levels
  5. Preventing or detecting unlawful acts
  6. Protecting the public
  7. Regulatory requirements
  8. Journalism, academia, art and literature
  9. Preventing fraud
  10. Suspicion of terrorist financing or money laundering
  11. Support for individuals with a particular disability or medical condition
  12. Counselling
  13. Safeguarding of children and individuals at risk
  14. Safeguarding of economic well-being of certain individuals
  15. Insurance
  16. Occupational pensions
  17. Political parties
  18. Elected representatives responding to requests
  19. Disclosure to elected representatives
  20. Informing elected representatives about prisoners
  21. Publication of legal judgments
  22. Anti-doping in sport
  23. Standards of behaviour in sport

Nothing of that applies to Discourse.

Especially when the posts contain very sensitive information, those need to be removed, there is no ground to keep them. Like explained previously.