GDPR countdown and compliance

Last night, I started a legal tools plugin.

The first ‘tool’ included in the plugin extends the user archive feature to include all user information stored in the db.

If you’re worried about providing information under GDPR, you can help me test it and / or suggest additional information that should be included.


I hate even suggesting such a draconian tactic, but I’m going to offer it up for discussion anyway.

What would the impact be on a discourse site if every single EU and EEA country was blocked via IP range in the admin panel? I imagine having a ridiculous amount of IP address ranges dropped in there would slow a site down significantly - but I would like to hear from the experts on this if they care to share their expertise.

To avoid any headaches in terms of GDPR compliance this could be a viable option - at least in the near term. (I know I can block in CloudFlare - but I stopped using them a while ago thanks to the passionate discussion here in meta).

Obviously, this is far from ideal. I personally have a few hundred active EU users who would need to use a VPN but I’m prepared to ask them to make the sacrifice to avoid having to deal with the overly litigious bad apples out there.


Absolute non-starter for anyone who actually lives there…

The UK’s Information Commissioner Office has good advice on this, go take a read through. I’m inclined to take their advice of “five mandatory checkboxes isn’t consent” and “you should be using legitimate interests most of the time” since they’re the ones that will actually be enforcing it.

The concern over Right to Access for admins is a legitimate one, but again I think something best resolved with manual actions.


Agreed - for those of you in the EU what I’m suggesting wouldn’t work. I should have specified that in my post; however, if those of us in the US want to shut out the EU market, that’s a business decision we have a right to make.

My question was focused on the technical implications of shutting out the EU via IP ranges in the admin panel.


Problem with this would be the EU citizen travelling abroad.

That’s a legal conundrum, not a technical one. Although I understand your point. Same applies to people in the EU using a VPN.

If you actually were to go through with something like that, it would surely be much better to implement at a OS firewall level that is specifically designed for such things.

And even if there are lawyers planning on exploiting GDPR for frivolous litigation I think it would be excessively paranoid to block EU users from something so harmless as specialist online forums. Even with thousands of users I think the focus will be elsewhere for a long time, like mobile apps, online casinos, large social networks and so on that count their users in the millions.


Good points. Thanks for that @ssvenn I’ve run political forums for a couple of decades now and Article 9 is my concern:

Article 9 carries over from the Directive the concept of “special categories” of especially sensitive data concerning race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, health, or sex life. These generally require express consent or a legal obligation in order to collect or process the data, and they require heightened security and attention to data storage limits. The Regulation adds genetic and biometric data to the categories of sensitive data.

For those of us PoliSci nerds misfortunate enough to believe that running a political forum was ever a good idea…this is actually a cause for concern. When very long political debate threads heat up…people get silly and do silly things. A sizeable portion of the regular users in my community are retirees - men and women in their 60s - 80s (my oldest user is 91) and these folks speak their minds and live all over the world. My community is the only daily social interaction some of them have anymore. I will protect that fiercely. I’ve taught most of them how to use a VPN at this point so for my existing EU users I’m not concerned. The younger folks will help them stay connected and they know how to get to where they want to go no matter what I do.

Thanks for the suggestion.


Your special category condition is that forum posts are manifestly made public by the act of posting them.

Also you’re not doing much processing about their opinions, right? Just letting people talk to each other.

so: write that down!

[DRAFT] We are aware that this is a forum focused on political discussion, and that political opinions are “special category” data under the EU GDPR and other regulations. As this is a publicly accessible forum, you should be aware that observers may be able to identify your political opinions based on your posts. Processing of this data is allowed under Article 9(2) condition (e) - the data is made public by you posting it. [DRAFT]


No. GDPR 3.2 says that “This Regulation applies to the processing of personal data of data subjects who are in the Union”. It’s not about EU citizens, it’s about people who are in the EU.


I have a client interested in blocking those outside of the US. It’s a US specific topic. I was going to look into doing it outside of Discourse.

I saw this earlier this week and I think it has a few points on topic here.

Notably, now:

I can’t afford the risks associated with this law so I am shutting down/I will lock Europeans out
Ok. Bye. But make sure you really understand those risks and please understand as well that it may not be possible for you to lock Europeans out reliably enough to not have any exposure under the law and realize that there are lots of other laws that you are also exposed to that could cause you to be wiped out. This law is really no different than any others in that respect. The price of using the web as a world stage is that you effectively are interacting with the legal domains of every country that you do business with.

One other thing I’ve considered in the past few days is also that under current Australian law it is necessary for any company to hand over a copy of all personal data they hold on a person if it is requested by that person. Additionally I believe a person can request deletion of that data, though I’m not sure of the specifics here.

Now, I’m fairly sure that the scope of those laws is not quite as extensive as the GDPR, but it just shines a light on the fact that the EU is not the only place with this sort of regulation.


I just translated and updated our TOS and Privacy Policy.

Why is the commonmark on these pages rendered with a slightly different styling than in forum posts? For example tables do not look as good (v1.9 stable).

May 25 is tomorrow and Discourse does not follow the GDPR law yet. Still not able to download everything Discourse databases have about my account. Just posts and replies are not enough. PMs, photos, fields and logs have to be included as well.


Think of all the millions we’re missing out on!


You can put in a request to an admin to provide you with that information.


No, the most problematic IPs are the ones without a user ID attached, since those people never consented to their IP address being stored.

I am simply referring to what @riking identified as problematic in the OP, I am not making a call about what is the most problematic.


Except the fine is 2% of your income or up to 20 million, whichever is higher, and a horde of lawyers is wringing their hands preparing for a horde of lawsuits similar to class actions.

I don’t think you grasp the gravity of the situation - the European Union is in chaos right now, I know multiple lawyers expecting their best year ever and even public institutions are severely worried. Companies are pulling their website from the EU for this reason (even Microsoft shut down two services for this reason).

Please understand - for many of us, me included, this is a make or break for our companies, careers or w/e. I don’t think many people in the EU (or with serious business in the EU) will want to take the risk. I, for one, do not condone risking every job in the company because third parties think it’ll blow over…

Depends on the industry really, and the software. A lot of older companies are not capable of being compliant due to their nature, but in general, agreed.

We are legally obliged to offer the ability to use our services while not using any personal identifiers (including IPs) that are not strictly needed.

Is this strictly needed to use our services?

I would argue it isn’t…

Agreed. I think the forums not supporting the GDPR are liable to lose a lot of usage. If the lawyers get their way, people will be scrambling to get rid of anything not explicitly compliant.

To be fair, it’d be harder using ipv6. It could also be hashed with something else.

It’s a painful law but ultimately I think it’s possible. The simple proof of that, in my opinion, is that so many businesses are in panic - as they simply had no clue how they were handling sensitive data. Scary if you think about it. But I digress.

I think you’re right on most of what you said, but there’s something else I’d like to note: You’re also legally obliged to offer your service with the minimal amount of personal identifier needed for basic usage. There’s a strong argument to be made that IPs aren’t actually needed whatsoever, but serve to enrich the service. Which means it has to be optional, according to the new law.

Very much true.

And to be frank, if someone wants to avoid being seen by IP, they will be able to avoid it incredibly easily using proxies. Can be asked if simply adding a cookie doesn’t suffice to offer similar protection for less trouble. Could also store a hash of the IP * the 6 hour period perhaps, not sure if that’d help legally.

All this said and done, let’s pray to the ip god that the lawyers don’t get their way.
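
The "hash of the IP and the 6 hour period" idea from the post above, sketched as an added example that is not part of the original thread and not Discourse code. The names `ip_token` and `normalise_ip`, the use of a server-side secret, and the /64 truncation for IPv6 are assumptions made for the illustration.

```python
import hashlib
import hmac
import ipaddress

BUCKET_SECONDS = 6 * 60 * 60  # the 6-hour period suggested in the thread


def normalise_ip(raw: str) -> bytes:
    """Return canonical bytes for an address.

    IPv4-mapped IPv6 (::ffff:a.b.c.d) is folded to plain IPv4. Other IPv6
    addresses are cut to their /64 prefix (assumption: one subscriber per
    /64), so rotating interface identifiers do not produce new tokens.
    """
    ip = ipaddress.ip_address(raw.strip())
    if ip.version == 6:
        if ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        else:
            net = ipaddress.ip_network(f"{ip}/64", strict=False)
            return net.network_address.packed
    return ip.packed


def ip_token(raw_ip: str, unix_time: int, secret: bytes) -> str:
    """Pseudonymous token for (IP, 6-hour bucket).

    A keyed HMAC is used rather than a bare hash: the IPv4 space is only
    2**32 values, so an unkeyed digest can be reversed by enumeration.
    The token for one address changes every bucket, which limits how long
    stored records can be linked to each other.
    """
    bucket = unix_time // BUCKET_SECONDS
    msg = bucket.to_bytes(8, "big") + normalise_ip(raw_ip)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()
```

Anyone holding the secret can still recompute tokens for candidate addresses, so the stored value remains pseudonymous rather than anonymous.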


Have you got any proof of that? Or is that just speculation?