GDPR and anonymizing personal data

I think it depends on what they request, Right to Erasure or Right to Restriction of Processing. Either way you are obliged to communicate to the data subject what you did.

Right to erasure

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies…

It’s not clear to me exactly what would be a way to argue that the data is required for a Discourse forum to continue to operate normally. I guess it may depend on the subject matter?

Instead of storing and exposing IP, would it be worth salting and hashing the IP and storing that instead? If it cannot be reverse decoded to point to a location, it could perform the same function for spam prevention, etc.


Discourse automatically creates CIDR notation when 6+ spammers come from the same /24, and I’m not sure there’s a way to do that if we’re hashing the IPs.


I noticed that the posts download does not include uploaded attachments. I’m assuming they should be part of my data export?


13 posts were split to a new topic: Providing data for GDPR

One of the leading Dutch ICT/Law blogs just published a post titled “does the right to be forgotten in the GDPR apply to forum discussions as well?”

TL;DR: no.

Translation: Google Translate
(AVG is the Dutch term for GDPR)


Thanks for sharing. But just to make sure I understand: this is irrelevant for anyone using the default ToS that come with discourse and which stipulate that all posts are published under a Creative Commons license, right?


I don’t think it is completely irrelevant, and the default ToS that comes with Discourse will not hold up in court in many European countries.


Reading through this topic (and being new to Discourse), I am under the impression that the only way to handle the “right to erasure” is that an admin deletes the user including all posts? If so, and as others have stated, this is quite disruptive for a discussion community. A better approach would be to anonymize all user data (removing Email, any stored IP addresses, and changing user name, also in all posts). Would this approach suffice for the “right to forget” requirement? If so, is my understanding correct, that Discourse doesn’t provide any functionality to support this?

The other question is, does the right to erasure even apply to a public discussion forum? ICO states:

When does the right to erasure not apply?

  • to exercise the right of freedom of expression and information;
  • for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing;

Wouldn’t both apply in the case of a discussion forum?

The “anonymize user” functionality does what you said - change name, email, remove IP addresses. The post content is licensed under Creative Commons and should be reviewed for personal info on a case-by-case basis if the user requests such a review.


As you correctly pointed out in an earlier post, we need to make sure it is removing the IP from everywhere it can at the time of anonymization, though – feel free to send through PRs on that if you can assist.


Also I definitely agree with removing IP logging where it is pointless, @riking isolated a few spots, PR also super welcome on that.



Anonymizing the user (which includes removing all identifying structured data like IP addresses and such) should be sufficient. If the user has posted information that could lead to their identity in a forum discussion, it is up to the moderator or admin to decide if they are willing to remove those.

Not necessarily, it depends on what license the forum owner has decided to choose.
If the default Discourse ToS have not been changed, then it is CC.


Hello there, is Discourse going to include GDPR specific tools with the upcoming updates ? ETA of 25th of May is closing in fast and it’s pretty serious stuff.

If you ask me, it should contain the basis, like the first registration process, maybe anonymization and NOT the entire GDPR fixtures.

Thank you.


I was just writing up some stuff and making screenshots of the anonymization process and then I saw something I had never noticed before: anonymization apparently keeps the signup and last login IP addresses. Those should really be included in the anonymization process.


I fully agree with this, but perhaps the procedure should be made transparent (not sure if this is legally necessary, but it surely would help if both users and admins understand the distribution of responsibilities). What I mean is: I would like to assume that it is the user who has to point out each individual post that needs to be sanitized. In other words: it’s not enough to request “deletion” (aka anonymization) and assume that this will include any personal information in any post.

Perhaps the default ToS could be clarified in relation to deletion request. Currently, the elaboration of the CC user content license seems preoccupied about the site owner being allowed to remove content. How about also mentioning that the site owner can refuse the removal of content? Not sure whether it should say “within the limitations of applicable law” or something like that, but with or without that clause it would help make people aware of what they’re agreeing to.

1 Like

I had breakfast this morning for someone who works with a major ad company and predicts that they’ll basically shut down a bunch of their services when 25 May hits because they don’t quite know what to do.

1 Like

Yes, I know a few companies as well that will shut down some of their applications on May 24, just because it’s too big a problem to fix and the liabilities will be too high.


Just checking on an updated for acceptance of a change of ToS or other policies.

At the moment we have a compulsory field so all new users have to tick the “I have read and agree with ToS” and this is stored in the db


But this does not cover changes of ToS when a user will have to accept them again before logging in.

Is there a way of doing this in Discourse?

For those of you still confused about GDPR, I completely recommend watching this talk
I attended this conference and it was one of the most concise talks on GDPR I’ve seen so far.