When dealing with spammers, Discourse typically flags their posts, or automatically hides/deletes them.
If Discourse could recognize this copy-pasted nightmare letter, it could (optionally) do something similar. Suspend/silence the user and then notify moderators and admins that there is a user who should be anonymized or nuked. This could be a useful plugin. Some sort of Clippy response? “It looks like you are writing a letter to be forgotten from the forums!”
Ok. I’m thinking that you’ve been in contact with bradrydzewski then (i.e. he who runs the Drone.io forum and decided to move to Reddit), and he has told you a bit more details than what is available in the threads linked above (?). In those threads (Shutting Down Forum (GDPR) and the two about the Nightmare GDPR Letter) I don’t see any request about deleting or anonymizing one’s data. (The letter asks for a copy of, or access to, one’s data though.)
If you were performing any kind of unlawful processing, this could be considered destroying evidence of a criminal act. If you were not performing any kind of unlawful processing, you could just have a template with all the answers.
Actually I disagree on one level. I have written to my Member of Parliament and found it very effective. He is very responsive and responsible and you do feel he is listening and will take action if you can convince him there is a genuine issue - but the onus is on you to do that.
However, I do agree if you are inferring that Members of the European Parliament are one step removed from your national MPs and this makes them seem less directly accountable. However, I have also found them very responsive to communication. I think they appreciate the engagement and interest. But again you really have to convince them there is a genuine issue. People need to get more used to engaging with their MEPs in the EU.
I also agree with you that GDPR seems reasonable. In some ways it’s simply a structured statement of what is simply good practice. I am just keen to find the right balance and an efficient way to implement it.
… when a GDPR request is made IN BAD FAITH, by someone who is CLEARLY trolling …
Verify this person is actually a real user, e.g. did they provide proof that they have a functional account on your site? You’ll need to know the account for the next step as well.
Compose your reply. Refer them to the public info from step 1 (or edit the public info so it covers the reasonable parts), then anonymize their account, and indicate that all their data has, per their request, been anonymized and is no longer associated with any person.
So, now the amount of effort expended on a troll acting in bad faith is rather reasonable – a form reply with link to public info, plus a click or tap on the anonymization button for their account to ensure there’s no personal info to trouble them any more.
Not only for people who can’t afford lawyers. So many lawyers have refused to give guidance, because they don’t want to accept responsibility for something that they don’t understand. The whole thing is a mess, but if I’m not wrong, if the Drone forum owner would have written a response explaining to the troll, he wouldn’t have had to shut down the forum. I mean, the troll wouldn’t have gone as far as to file a lawsuit anyway, because they’re just a troll, so sending the letter doesn’t really mean anything.
For example, if I personally send the letter to every single one of you, that doesn’t mean that you all have to close your forums now. Don’t worry, I won’t, but my point still stands.
Please note: Suing is a very American way of looking at this, that’s basically not what the European GDPR is focused on. The troll can file a report at the Privacy Agency of the country. They will most likely ignore it until there are more.
If there is gross negligence, then they (the agency) will take action (which most likely will consist of a written warning before any fines are filed).
I learned yesterday that there is an important twist to this “horror letter thing” (at least in Germany, but possibly in other countries too): so far we have been talking about letters which have their legal base directly in the GDPR. But there is another kind of letter which has its base in the law against unfair competition. The aim of this law is, well, to prevent unfair competition and one way you can engage in unfair competition is by not following regulations which are “also aimed at regulating market behaviour” (the idea being that your law abiding competitor would have a disadvantage by following the law). If you become aware that your competitor is not following some relevant regulation, you can ask your lawyer to send a letter of caution to your competitor, asking them to stop whatever they are doing.
So far so good. The problem is that the fees that lawyers charge for these letters can be quite high, depending on the (assumed) value of the litigation. And, you guessed right, it is the recipient who will be billed the fee for that letter.
This law has long been abused by certain lawyers by sending letters of caution for minor offences (or even no offences at all) with the sole purpose of cashing the fee for the letter. From their perspective, GDPR looks like an excellent opportunity for sending some more letters of caution. The easiest way to start is by looking at the websites of their colleagues (i.e. other lawyers) to see if they are providing all the information required by the GDPR. If not: Bingo!
I’m mentioning this because the legal construct is fundamentally different from what we have been talking about so far. What both types of letters have in common is the uncertainty connected to a new law that hasn’t yet been tested in court. But in the case of the second type of letter, the unknown is not the GDPR itself but whether the GDPR actually constitutes a regulation that is “also aimed at regulating market behaviour”. If it does not, the whole business model described above collapses. But until that has been ruled by a high court, there is plenty of time for sending those letters anyway.