GDPR countdown and compliance

Again, that’s my point. Software isn’t compliant or non-compliant. It is up to individual administrators to ensure that they comply – so perhaps step one for anyone that is concerned about whether they are compliant would be to source/write this query.


Working on it :slight_smile:


If you don’t have the in-house resource to do this I’m sure someone would pull it together for you if you post in the #marketplace


So does CDCK have a price in mind for hosted customers to fetch such data, or is it rolled into the hosting fee?

1 Like

Business or Enterprise customers could deal with these requests using the Data Explorer plugin so we wouldn’t need to be involved at all. Standard customers would need our assistance and we will talk to them on a case by case basis. There (obv) hasn’t yet been a requirement. :slight_smile:


Last night, I started a legal tools plugin.

The first ‘tool’ included in the plugin extends the user archive feature to include all user information stored in the db.

If you’re worried about providing information under GDPR, you can help me test it and / or suggest additional information that should be included.


I hate even suggesting such a draconian tactic, but I’m going to offer it up for discussion anyway.

What would the impact be on a discourse site if every single EU and EEA country was blocked via IP range in the admin panel? I imagine having a ridiculous amount of IP address ranges dropped in there would slow a site down significantly - but I would like to hear from the experts on this if they care to share their expertise.

To avoid any headaches in terms of GDPR compliance this could be a viable option - at least in the near term. (I know I can block in CloudFlare - but I stopped using them a while ago thanks to the passionate discussion here in meta).

Obviously, this is far from ideal. I personally have a few hundred active EU users who would need to use a VPN but I’m prepared to ask them to make the sacrifice to avoid having to deal with the overly litigious bad apples out there.


Absolute non starter for anyone who actually lives there…

The UK’s Information Commissioner Office has good advice on this, go take a read through. I’m inclined to take their advice of “five mandatory checkboxes isn’t consent” and “you should be using legitimate interests most of the time” since they’re the ones that will actually be enforcing it.

The concern over Right to Access for admins is a legitimate one, but again I think something best resolved with manual actions.


Agreed - for those of you in the EU what I’m suggesting wouldn’t work. I should have specified that in my post; however, if those of us in the US want to shut out the EU market, that’s a business decision we have a right to make.

My question was focused on the technical implications of shutting out the EU via IP ranges in the admin panel.


Problem with this would be the EU citizen travelling abroad.

That’s a legal conundrum, not a technical one. Although I understand your point. Same applies to people in the EU using a VPN.

If you actually were to go through with something like that, it would surely be much better to implement at a OS firewall level that is specifically designed for such things.

And even if there are lawyers planning on exploiting GDPR for frivolous litigation I think it would be excessively paranoid to block EU users from something so harmless as specialist online forums. Even with thousands of users I think the focus will be elsewhere for a long time, like mobile apps, online casinos, large social networks and so on that count their users in the millions.


Good points. Thanks for that @ssvenn I’ve run political forums for a couple of decades now and Article 9 is my concern:

Article 9 carries over from the Directive the concept of “special categories” of especially sensitive data concerning race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, health, or sex life. These generally require express consent or a legal obligation in order to collect or process the data, and they require heightened security and attention to data storage limits. The Regulation adds genetic and biometric data to the categories of sensitive data.

For those of us PoliSci nerds misfortunate enough to believe that running a political forum was ever a good idea…this is actually a cause for concern. When very long political debate threads heat up…people get silly and do silly things. A sizeable portion of the regular users in my community are retirees - men and women in their 60s - 80s (my oldest user is 91) and these folks speak their minds and live all over the world. My community is the only daily social interaction some of them have anymore. I will protect that fiercly. I’ve taught most of them how to use a VPN at this point so for my existing EU users I’m not concerned. The younger folks will help them stay connected and they know how to get to where they want to go no matter what I do.

Thanks for the suggestion.

1 Like

Your special category condition is that forum posts are manifestly made public by the act of posting them.

Also you’re not doing much processing about their opinions, right? Just letting people talk to each other.

so: write that down!

[DRAFT] We are aware that this is a forum focused on political discussion, and that political opinions are “special category” data under the EU GDPR and other regulations. As this is a publically accessible forum, you should be aware that observers may be able to identify your political opinions based on your posts. Processing of this data is allowed under Article 9(2) condition (e) - the data is made public by you posting it. [DRAFT]


No. GDPR 3.2 says that “This Regulation applies to the processing of personal data of data subjects who are in the Union”. It’s not about EU citizens, it’s about people who are in the EU.


I have a client interested in blocking those outside of the US. It’s a US specific topic. I was going to look in to doing it outside of discourse.

I saw this earlier this week and I think it has a few points on topic here.

Notably, now:

I can’t afford the risks associated with this law so I am shutting down/I will lock Europeans out
Ok. Bye. But make sure you really understand those risks and please understand as well that it may not be possible for you to lock Europeans out reliably enough to not have any exposure under the law and realize that there are lots of other laws that you are also exposed to that could cause you to be wiped out. This law is really no different than any others in that respect. The price of using the web as a world stage is that you effectively are interacting with the legal domains of every country that you do business with.

One other thing I’ve considered in the past few days is also that under current Australian law it is necessary for any company to hand over a copy of all personal data they hold on a person if it is requested by that person. Additionally I believe a person can request deletion of that data, though I’m not sure of the specifics here.

Now, I’m fairly sure that the scope of those laws is not quite as extensive as the GDPR, but it just shines a light on the fact that the EU is not the only place with this sort of regulation.


I just translated and updated our TOS and Privacy Policy.

Why is the commonmark on these pages rendered with a slightly different styling than in forum posts? For example tables do not look as good (v1.9 stable).

May 25 tomorrow and discourse do bot follow the GDPR law yet. Still not able to download everything discourse databases have avout my account. Just posts and reply’s are not enought. PM’s, photos, fields and logs have to be included as well.

1 Like

Think of all the millions we’re missing out on!