GDPR and anonymizing personal data

One thing I did notice with it on another site the other day is that it does shove the privacy policy link at anon users, which I consider somewhat positive.

2 Likes

We’re definitely on the same side with regards to how we feel about the implementation of these laws. I’m always thinking “can I get a ACCEPT ALL DAMN COOKIES” button in my browser so I never have to see a stupid popup banner ever again. :slight_smile:

5 Likes

You do not need consent from a user in order to process personal data. What you actually require is a lawful basis for processing. What the privacy policy needs to contain is identification of the data, the purpose that you are processing data for, and which basis you are doing it under.

The two relevant lawful bases for a forum are Consent and Legitimate Interests. According to the UK ICO guide (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/):

  • Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.

  • It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

  • If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.

  • The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

So if you can define a legitimate interest for logging the IP address (or other data), such as using it to limit the rate of logins from that IP, you do not require the user’s consent. However, you can then only use the IP address for that purpose.

If you collect data under legitimate interest you also don’t always have to delete it at the user’s request. You will have to document the reason and reply to the request within one month.

The most important thing is to document all of this upfront as after collection you are not allowed to change the lawful basis for processing.

5 Likes

It’s a little bit (ok, a LOT) more nuanced than that, since the legitimate interest of the controller may not be overridden by the rights and freedoms of the subject. So to use your example, if the IP addresses in combination with the visited URLs can reveal sensitive information (for instance sexual preference or medical information), then the legitimate interest is overridden by the right of the individual to keep this data confidential.

Not always, but most of the time you do have to comply. As a controller, you can only deny such a request if "the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims".

What is your source for that? GDPR says "the obligation to erase personal data without undue delay".

4 Likes

Absolutely, I agree it is a lot more nuanced, but there is also a lot of doom and gloom about only being able to do things with consent. With consent now needing to be explicit, people seem to be tying themselves up in knots about it.

I think I mixed that up with the minimum time to respond to a right of access request (Right of access | ICO). My main objective was to highlight that you don’t have forever to deal with it. I have stuck a line through my incorrect statement.

Being aware that you can have privacy policy that combines Consent and Legitimate Interests instead of trying to do it all with Consent should hopefully help people stop worrying too much about getting explicit consent for everything. Though everyone should be aware they need to document what data it is they are collecting and why before they collect it.

On a personal level rather than the law: in the context of forum software I think it only fair that, if you use legitimate interests instead of consent and someone asks you to delete something, you should delete it.

Registration - OK.
How about a change in ToS/privacy policy?
With GDPR compliance, if I understand correctly, we need the date of user consent.

https://meta.discourse.org/t/how-to-change-faq-privacy-policy-and-terms-of-service/18074/34?u=systemz

The username is a chosen pseudonym, and we aren’t doing anything hinky with it (edit: and it’s displayed publicly, which is another factor) so I think that submitting the registration form is clear enough intent.

For IP address tracking, the forum has a legitimate interest to detect, identify, and prevent malicious use based on IP address. One privacy fix would be to delete the registration IP after a year.

The tricky one, I think, is post timings. That needs an opt out mode that always sends 999ms for every read post, instead of the actual read time. The data is close enough that the existing analysis won’t give complete garbage, and you still get your read dots with better privacy properties.

2 Likes

I’m currently looking into how other forum software developers plan to handle/comply with the upcoming GDPR regulation. Note: this is not a recommendation that you should or shouldn’t switch to a different forum software; FYI, I will be sticking with Discourse for my own forum.

A particular feature that Invision Community is implementing for GDPR is:

If you change the Terms & Conditions, or the Privacy Policy, you can request that members accept these changes when they next log in thus giving their consent for those changes.

…and storing the confirmation when a user clicks on “I accept”.

(Not sure if I can directly link to a Discourse competitors website, but you can find the specific article using Google searching for “How Invision Community’s tools can help with GDPR compliance”)

7 Likes

The IPB implementation looks like exactly what I need. No more, no less.

I’ll link to it. It’s worth a look to see how to deal with this issue.

I’m also wondering just what the implications are for those outside of the EU who know that they’ll have community members who are from the EU.

6 Likes

If a user requests to revoke their consent, I think we don’t need to delete the data from our database, we just don’t use it, right?

No, you must actually delete it. The GDPR calls it “erase personal data without undue delay”.

1 Like

The problem I see is that ripping some posts out of the discussion flow can render a topic pretty useless… Is it enough to anonymize it (Discourse already has this feature)?

1 Like

IANAL…

I’d say it depends on the case. If a user mentions personally identifiable information in a post, or if the conversation flow mentions the user repeatedly, making it obvious who is talking, the anonymization function won’t work. OTOH I think the terms of service should make clear that if a user decides to leave, their public contributions bear a non-exclusive license (e.g., CC-0 or CC-BY-SA) that will protect the site in case of a ‘divorce’. That said, CC-BY-SA might be even trickier, since the BY clause means you want to keep your name on it, and of course, if you decide to leave, you only lose access to those words you already shared.

I think it’s important to realize that when an individual participates in a conversation, they become part of a trans-individual activity that’s larger than any single participant, where each gets nourished and inspired from the whole, and engage accordingly. Given that, it’s difficult to be willing to remove that from the group, since it would create a hole in the conversation that, to me, is sabotage. If people cannot deal with their words, anonymization is probably the best solution, but it also has drawbacks: if the person actually reverts his decision, the de-anonymization is nearly impossible or at least very costly (you would have to go through all anonymized posts before the decision was made and grant them back to a new account.)

It seems to me that, as often with law, a sane balance cannot be found within the conditions of the law itself, but requires attention to solve the issue case-by-case. If you consider the upcoming law to limit subsidies to larger farms in order to support family farming against industrial farming, then the Czech will cry because they have so much larger farm lands than, say, the French: it’s not because they have larger industrial farming, but because the socialist economy imposed large farmers cooperatives… So one size fits all is not how things work in reality.

One thing we should take care of in priority for European instances of Discourse, is to transpose the default ToS and Privacy Policy that ship with the product to European law – GDPR-compliance is a good pretext for that, but certainly not the only one. I’d like to work with ToS;DR on this to provide a default Class A ToS for Discourse instances in the EU. I started some time ago to think about it, but it requires IMO – besides some legal knowledge – a participative process and so far not many people seem to be interested in solving this issue. I’m glad this discussion exists here!

7 Likes

Disclaimer: If there were to be one word that would describe my mindset it would be “scientist”. I tend to think in terms of observations, hypotheses, theories, etc. and “math” is a core language. I do not know “art” and my design skills are rudimentary at best. I can lack maneuvering finesse in emotional contexts.

I do not consider Law to be a science. It can be subject to interpretation, and where there is lack of precedence even massive amounts of legalese meant to provide clarity can be ambiguous. It can be nothing like “If A and B then within an acceptable S.D. the outcome will be C”.

My concern would be on what is considered to be “personal data”.
Article 4 EU General Data Protection Regulation (EU-GDPR):

(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

My take is that posted content is not necessarily personal data and is implicitly posted with the member’s consent. I also have seen nothing in the Law that specifies posted content that has been removed upon request must be retained and reposted upon subsequent request. In fact it seems that retention could be a violation of the Law.

My conclusion (admittedly conjectural) is that Anonymizing and replacing the member name from posts and notifications would satisfy due diligence.

2 Likes

In talking to my CISO (one is EMEA based), lawyers, outside counsel, and consultants we were informed that we can leave posted data but must anonymize the user account. One of the reasons we can leave the posted data is that myself and my moderators go out of our way to remove personally identifiable data (our company is a security platform provider), so other than the user data there is nothing public that you could really trace back.

We also paid outside counsel to completely customize our TOS and privacy policy beyond what was provided. It was extremely helpful to have folks who deal with privacy and the law engaged.

5 Likes

Any chance you could share this with us?

3 Likes

I was wondering how to deal with that. I have a feeling some type of “the disclosing member assumes liability not the forum” would need to be carefully worded in the terms.

For example, if I post

I am a friend of @Supergirl her real name is Kara and she works at CatCo in Central City

the forum could change it to

I am a friend of @anon12345

but in the event of kryptonite exposure I don’t think the forum should be held liable.

1 Like

Just to be really clear: Discourse currently doesn’t do that.
References to usernames with @, and even worse, “Supergirl wrote…”, are NOT replaced when anonymizing a user.

2 Likes

Nor does it retroactively replace

:heart: Supergirl Some topic title

notifications. Or unsend sent emails.

I think code could be written to replace the name string wherever it may appear in a forum with more or less success. But unsending sent emails is an impossibility.

Nor is removing content from cached “wayback” pages feasible.

Surely there must be some limit to what is expected of a forum.

4 Likes
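The gaps the last few posts describe (anonymization leaves @mentions, “Supergirl wrote…” attributions and notification titles untouched) can at least be audited. The following is an added example, not Discourse’s own code: it reports where an anonymized username still leaks and rewrites the two forms a string replacement can fix, using the thread’s Supergirl example as constructed sample data. The username character set and the “wrote/said” attribution wording are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str    # "mention", "quote_attribution" or "notification"
    where: str   # id of the post or notification that still names the user
    text: str    # the matched fragment


def _patterns(username):
    name = re.escape(username)
    return {
        # @mention; assumes usernames use [A-Za-z0-9._-], so "@Supergirl2" is
        # a different user and must not count as a hit for "Supergirl"
        "mention": re.compile(rf"(?<![\w.-])@{name}(?![\w.-])", re.IGNORECASE),
        # quote attribution such as "Supergirl wrote:" (assumed wording)
        "quote_attribution": re.compile(rf"(?<!\w){name}(?=\s+(?:wrote|said)\b)", re.IGNORECASE),
        # bare name in a notification title such as ":heart: Supergirl Some topic title"
        "notification": re.compile(rf"(?<!\w){name}(?!\w)", re.IGNORECASE),
    }


def residual_references(username, posts, notifications):
    """Report every place the old username is still visible after anonymization."""
    p = _patterns(username)
    findings = []
    for pid, body in posts.items():
        for kind in ("mention", "quote_attribution"):
            for m in p[kind].finditer(body):
                findings.append(Finding(kind, pid, m.group(0)))
    for nid, title in notifications.items():
        if p["notification"].search(title):
            findings.append(Finding("notification", nid, title))
    return findings


def rewrite_references(username, replacement, text):
    """Swap @mentions and quote attributions for the anon name. Free-text
    disclosures ("her real name is Kara") are left alone: no string rewrite
    can find those, which is why the thread leaves that to moderators."""
    p = _patterns(username)
    text = p["mention"].sub("@" + replacement, text)
    return p["quote_attribution"].sub(replacement, text)


# Constructed sample data modelled on the thread's Supergirl example.
SAMPLE_POSTS = {
    "p1": "I am a friend of @Supergirl her real name is Kara and she works at CatCo",
    "p2": "Supergirl wrote:\n> see you in Central City",
    "p3": "ping @Supergirl2 about this",  # different user, must not match
}
SAMPLE_NOTIFICATIONS = {"n1": ":heart: Supergirl Some topic title", "n2": "New reply in Off-topic"}
```

Sent emails and external caches are outside what this can reach, as the thread notes; the audit only tells you what is still inside the forum's own database.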