GDPR outside of the EU

With GDPR this only applies to users that are in the E.U. I believe?

GDPR regulates services/sites that have EU-users, no matter where those are located. In theory anyway.

But sure, an admin can build up a system where EU citizens have different rules than others. But… why? GDPR is actually quite good system and should be adopted world wide.

I don’t know too much about the GDPR, but that’s helpful to know they do regulation on sites even if they only have one or a few E.U. members.

My understanding is the primary purpose of that is for the sake of protecting individual privacy, so would be in favor of allowing people to delete their own accounts or for user requests for that to be approved. I know of one discourse forum that doesn’t offer that service to users, which does include some E.U. residents, so seems that isn’t a requirement of the GDPR that people are always able to have their accounts deleted.

The main reason why it’s not necessarily always a great idea to allow people to delete an account is that, if a forum has any purpose besides being a place for idle chit-chat, there needs to be accountability with what people are posting.

Specifically for if a forum is open to the public anyone who qualifies for a library card can set up an account and maybe post something that should probably be reviewed by and responded to by law enforcement in their jurisdiction.

It is. But it doesn’t mean users could do it by themselves. If someone isn’t following rules is totally different thing, though.

But. As I said - in theory. EU isn’t after small fishes but big guys. So, lets say an american or asian site never get legal actions from EU even they don’t follow regulations. But again… why someone would be like Facebook or X, just because they like to send some spam?

That’s a determination you would need to make with a lawyer, we can’t offer that level of advice here and would ask people be careful making unqualified statements.

What we can tell you is that a user requesting the removal of their personal information doesn’t necessarily necessitate the removal of their posts. Discourse has a great anonymization feature which in many cases would meet the requirements of the GDPR without adversely impacting the quality of content within your community.

Oh, interesting.

This is what I read that had made me think that, but I guess this looks to be in-line with anonymization which you say meets GDPR requirements:

Accounts cannot be deleted. You can stop using your account at any time. If you’re a paid member, you can cancel your membership to downgrade, at end of your billing cycle, to free subscriber. However, to protect the integrity of the site and the community, access logs are kept for our records, and comments are NOT deleted upon request. You are, however, free to update your profile information (altering or removing your bio, display name, etc).

(This is from a site I have no affiliation with, my own forum doesn’t have any members yet.)

I don’t agree with this statement necessarily that GDPR should be adopted world wide, although again I don’t know too much about that.

I’m in favor of people being able to have forum accounts deleted or anonymized if they request that, but anonymization of an account with a high number of posts may not be effective in concealing someone’s identity.

One way to go is to enforce a no personal information in forum post policy.

My company is U.S. based but I use mail servers in Switzerland and Germany so I’m not sure if that matters with the GDPR.

German mail company has this posted legal notice:

Switzerland:

From time to time, Proton may be legally compelled to disclose certain user information to Swiss authorities, as detailed in our Privacy Policy. This can happen if Swiss law is broken. As stated in our Privacy Policy, all emails, files and invites are encrypted and we have no means to decrypt them.

Under Article 271 of the Swiss Criminal Code, Proton may not transmit any data to foreign authorities directly, and we therefore reject all requests from foreign authorities. Swiss authorities may from time to time assist foreign authorities with requests, provided that they are valid under international legal assistance procedures and determined to be in compliance with Swiss law. In these cases, the standard of legality is again based on Swiss law. In general, Swiss authorities do not assist foreign authorities from countries with a history of human rights abuses.

I’ve noticed with discourse the ability for most posts to be deleted or edited seems to be permanent, at least with the default settings don’t know if there is a way to change that? A different kind of forum I’ve seen them change the settings to only allow posts to be edited for an hour before they are frozen.

Seems that there could be disputes if someone requests some posts to be deleted but a site administrator refuses. Those may have to be handled on a case by case basis depending on what countries are involved.

These are some impressive statistics from CERN, over 1,000 legal orders contested for both 2022 and 2021!

Here is now four (at least) different things going on.

Yes, if you have users from EU you as an afmin/owner must follow GDPR.

if you don’t have have EU-users, but you are using european companies for mail or hosting you don`t need to follow GDPR, but those companie must follow GDPR even you are not from/at EU.

No, GDPR is not forcing destroying posts and comments. Anonymizati9n is enough. And no, you don’t need to edit backups, but you may store backups only as long it is absolut necessary. So, don’t harvest your one or five years old backups and trying to claim it is ok

GDPR regulates personal data. What and how you can or cannot ask, store and use, for what and how long. CDCK can store my IP (it is still not sensitive personal data that can identify me) and they can even ask my name and country. But street address is regulated piece of information and asking me send copy of passport or driving licence is in most of cases real big no-no.

And I’m a little bit sorry to say this at loud, but american services, and with service I mean admins, are really big and greedy issue from european point of view. Spamming in the name of marketing and sales using solution that tries follow every action a person does is very american way. And how darn strongly americans are pro-independent and my-home-is-my-castle I’ve kept that allways very interesting.

Yes. Now I’m totally off topic, again. And no, by design Discourse is not build to break people’s virtual personal space. Discourse is actually more or less like Mastodon for example and is planned to work decently responsible way. And anonymization is one part of that (and automatic deletion after wanted timeframe if there is no logins; that is actually worth of praise, because B2B customers of CDCK needs that).

GDPR is matter of personal data that can be used to identify individuals. It has nothing to do with topics and comments per se.

Thanks for writing, that is some helpful info.

Some American companies certainly are big and greedy, but most of these were created by Europeans of course.

The Dutch East India trading company is the worst.

My site is mainly for people who don’t have street addresses, but those are required for building permits in both the U.S. and Canada.

Except for manufacturing houses that can be moved on trucks/ships, that is my plan to build those and then sell, once they are sold people can register them with a permanent address but that is optional.

Anyway back to the GDPR, it sounds like this notice I quoted from a different site with a forum might technically be a violation, however that would be a lawyer question they would need to pay for.

Last thing I’ll mention for that is it is specifically about questions that are written in to be read out loud and answered, some laws may be different with spoken as opposed to written words.

In the U.S. there is the Federal Trade Commission, this is the closest thing to the GDPR I know of in America. Similar intent to “Protect American Consumers,” as the GDPR is to protect people in Europe, however don’t believe they would offer help to people who aren’t E.U. citizens.

Trying to find where they have policy posted in regards to forums not sure where that is at. I believe there are requirements against personal information being in forum posts, especially if site administrators won’t delete those upon request.

The FBI department that would enforce that is this one:

• GDPR applies to people who are in the EU. If you’re not physically within the EU then the GDPR does not apply to you.
• FWIW Switzerland is not an EU country.

Thanks for your reply, I didn’t know Switzerland isn’t a member of the E.U.

The U.K. as well I believe is no longer a member?

The Brexit vote happened when I was a student at the university of amsterdam, they have a partnership with u.w. so I have a dutch student ID however that has expired.

Last question then is if one must be a citizen of an E.U. country to qualify.

No. But an user must live and have address in EU.

So, if your non-EU-member is saved lifelong vacation days to take a 2 weeks trip to Paris you don’t need to follow GDPR.

That means you can harvest and save what ever personal info, use opt-out spam-memberships and you don’t need consent for anything. And all of that in the meaning EU doesn’t care.

Actually… what are you afraid of GDPR? If you will handle data as you should and respecting users’ basic privacy, telling what are you storing and how long, keeping transparency and openess, you would follow GDPR. And then you don’t need to wonder who, where and why.

UK still has GDPR style regulation. So ad admins/companies we can’t opt-in or follow as we like. And AFAIK Switzerland follows GDPR-regulation, as does Norway for sure, even they aren’t in EU either.

At that time you were protected by GDPR.

I’m not afraid of the gdpr, just wasn’t clear about what their policies are.

Keep in mind, legal advice on a forum is somewhat risky. As far as I know, none of the people who replied here are lawyers and nobody is offering stamped legal advice.

I recommend you consult with a lawyer to answer GDPR jurisdiction nuance.

Even more broad: the user must be in the EU. It’s not a requirement to be a resident.

Article 3.2

This Regulation applies to the processing of personal data of data subjects who are in the Union

Well, that’s a bit unclear, but luckily Recital 14 clarifies it a bit:

The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.

But that could still be ambiguous so there is an additional guideline, which is very explicit, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) section 2.a

The wording of Article 3(2) refers to “personal data of data subjects who are in the Union”. The application of the targeting criterion is therefore not limited by the citizenship, residence or other type of legal status of the data subject whose personal data are being processed.
(…)
While the location of the data subject in the territory of the Union is a determining factor for the application of the targeting criterion as per Article 3(2), (…) that the data subject be located in the Union must be assessed at the moment when the relevant trigger activity takes place

So the US citizen who is in vacation in Paris is subject to the GDPR during their stay - as far as it concerns services which were initiated during their stay. Their existing USA cell phone contract is not suddenly subject to the GDPR.

The U.S. T-mobile has service in Europe but I got a notification from them after two months that this is limited for short-term service only, not any more than 2 or 3 months in the euro-zone.

That does not sound GDPR related to me.

Well it may not be, I was just responding to your statement that a U.S. cell phone contract would not be subject to the gdpr for someone traveling to France or a different country in Europe.

That is a contradiction to earlier statements by others that any service offered in Europe is indeed subject to the gdpr.

However key of where service is initiated, if that is in Europe or not.

It could be T-Mobile and/or other u.s. carriers have specific contracts that are limited by the gdpr or other regulations that they can only offer service in Europe for a limited number of days.

Is helpful to have a local phone number with the country code where someone is traveling to avoid international calling.

Anyway I’m not asking anyone for legal advise never mind.