Whether the interpretation was sketchy or not is not the point, I think. The question is rather what the data protection agency would do with this case.
The (sample) letter is “merely” asking for all the information that the user is entitled to. The “dangerous” part is what the troll is then going to do with that information (or the absence of a reply): writing a letter of complaint to the data protection authority. That letter would complain either
about the complainee not providing the required information or
about the complainee not adequately protecting the complainants personal data.
If that letter of complaint ever gets sent (and one might doubt that it will, which is why I find it particularly frustrating that the troll “won” so easily) one might wonder whether such a rather obvious troll case will be prioritized in any way by the authority given that they will have to deal with some serious real cases and given they will make sure to show to the public that their work “makes sense”. Even if/when they deal with the case they will surely consider the severity of the case so that I don’t see how this could lead to any significant fines as long as the forum owner made reasonable efforts to comply with the law. And as has previously been mentioned in the other topic, this seems to be the core of the problem: the forum admin simply couldn’t be bothered. So from that stance, it probably makes sense to close the forum down.
I wonder, though, whether that actually solves the problem. Closing the forum prevents future litigation, but does it prevent the troll from continuing just the same? After all, he still has the right to get that information and, I suppose, the forum admin could still be fined for abuse of personal data during those 30 days or so during which the forum operated under GDPR, no? (Though chances of actually being fined probably decreases further, as damage has been minimized).
This sentiment really bugs me and feeds into the irrational fear here (GDPRanoia). There are lots of laws that can be “theoretically” enforced that can ruin a business. There is tons of arm-chair theorizing going on here on what could happen.
In particular it bugs me cause historically EU privacy regulators never ever imposed a fine on a hobbyist and the fines usually went to Apple and Google and so on. There are numbers online about this and you can dig it up. This assumption that a forum operator acting in good faith is subject to financial ruin really annoys me.
If as a forum operator, you tell people how to download data, you anonymize on request, delete personal data on request (eg: bob uploaded a photo of himself and wants it removed) … just do the basics. Do not sell your user IP addresses and profile info and emails to the highest bidder etc and do horrendous stuff. I am pretty sure you will be ok.
Heck, if Google wants to shut down any business they can do it today. It is trivial. Get a lawyers to dig through the army of patents they have and then sue sue sue. They don’t even need to be right, they just have to cause so many legal fees that you can not afford to pay and then… bang you are bankrupt before the thing goes to trial. So… never ever start a business?
It offends me that people think that a body that is there “to protect our rights and privacy” is motivated by “shutting down every small operator out there that has one IP address stored in the database”.
I’m not sure whether that was meant as a critique of what I said but just to be clear: I also think that there is a lot of paranoia going on (and to an extent it is even useful in that it gets people to be more aware of the fact that they’re handling people’s data). My point with the part you quoted was not to say that the guy should be even more paranoid. I was just continuing his line of thought and wondering whether his actions (shutting down the forum) even make sense from a paranoid perspective.
You have to admit, though, that one big novelty of the GDPR is to make it easier to impose fines.
Article 17. establishes the right to erasure. I can’t delete a user if she has posts. But by default posts can’t be deleted if they are older than 60 days: can I raise this as much as I need in settings?
“Users can’t be deleted if they have posts. Delete all posts before trying to delete a user. (Posts older than 60 days old can’t be deleted.)”
As I understand it, “erasure” here doesn’t necessarily imply actual deletion of all the posts. It should suffice to anonymize the user. That way the post and user profile are no longer personal data.
Okay my friends, so where do we stand. I’m a lay person when it comes to privacy compliance, so even after reading the entire thread and a whole lot of other literature, I’m still not sure where we go from here. Will Discourse roll out a variety of fixes, tweaks and features to bring the software more closely in line with the GDPR? Can users reall take our ALL their personal-identifyable data (what was read, what was liked, when visited, how long online, etc.), can it all be anonymized, deleted, etc.? How to establish consent and record it? How to point a whole community to the fact that they have certain rights and there’s information about what info you record when Discourse leaves you no option to email all your users, etc?