How to make users to explicitly agree to ToS

It’s not an interpretation. It’s what it says in GDPR Art. 7.1 (Conditions for consent):

  1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

Just sayin’ :rofl:

Honestly, some people go pretty nuts here, and anonymise IP addresses … everywhere … cause reasons … and then can no longer mitigate denial of service attacks.

My personal (NOT DISCOURSE) interpretation of GDPR basically boils down to: don’t be a slimeball and collect and resell data (or track users across multiple properties), don’t have lax internal security practices, and so on.

6 Likes
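The remark above about anonymising IP addresses everywhere and then being unable to mitigate denial of service is worth seeing in code. The block below is an added example (mine, not from this thread and not Discourse code): it runs a fixed-window rate limiter over a constructed request sample three ways, on raw addresses, on prefix-truncated addresses (the usual "anonymise" step), and on a keyed pseudonym. `SAMPLE_REQUESTS`, `LIMIT_PER_WINDOW` and `PSEUDONYM_KEY` are assumptions; the key stands in for a server-side secret that is rotated.

```python
"""Added example (mine, not from the thread or from Discourse): why anonymising
IP addresses "everywhere" can cost you denial-of-service mitigation, and a keyed
pseudonym that keeps per-client rate limiting possible without keeping raw IPs.

Assumptions: a fixed-window request counter; the constructed request sample
below; PSEUDONYM_KEY stands in for a server-side secret that is rotated.
"""
import hashlib
import hmac
import ipaddress
from collections import Counter

# Constructed sample: three clients share one /24; 203.0.113.7 is flooding,
# the other two are ordinary users; one more client sits in another network.
SAMPLE_REQUESTS = (
    ["203.0.113.7"] * 50
    + ["203.0.113.8"] * 2
    + ["203.0.113.9"] * 3
    + ["198.51.100.20"] * 4
)
LIMIT_PER_WINDOW = 20                 # assumed per-client threshold
PSEUDONYM_KEY = b"rotate-me-daily"    # assumption: lives outside the log store


def truncate_ip(ip: str) -> str:
    """The usual 'anonymise' step: drop the host bits (IPv4 /24, IPv6 /48).
    Every client in the prefix collapses into one identifier."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """Keyed pseudonym: stable per client for the lifetime of `key`, not
    computable by anyone without it. Rotating the key bounds linkability."""
    canonical = str(ipaddress.ip_address(ip)).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:16]


def offenders(identifiers, limit=LIMIT_PER_WINDOW):
    """Identifiers seen more than `limit` times in the window (the limiter's view)."""
    counts = Counter(identifiers)
    return {ident: n for ident, n in counts.items() if n > limit}


def compare(key=PSEUDONYM_KEY, requests=SAMPLE_REQUESTS):
    """Rate-limiter decisions on raw, truncated and pseudonymised identifiers."""
    raw = offenders(requests)
    truncated = offenders(truncate_ip(ip) for ip in requests)
    pseudo = offenders(pseudonymise_ip(ip, key) for ip in requests)
    return raw, truncated, pseudo


if __name__ == "__main__":
    raw, truncated, pseudo = compare()
    print("raw      :", raw)        # only 203.0.113.7 exceeds the limit
    print("truncated:", truncated)  # the whole /24 is flagged, innocents included
    print("pseudonym:", pseudo)     # one pseudonym flagged, no raw address stored
```

With truncation the limiter can only act on `203.0.113.0`, so it either blocks the two ordinary users along with the flooder or, if you truncate before counting, cannot tell 50 requests from one host apart from 50 hosts sending one each. The keyed pseudonym keeps the per-client signal; it is still reversible by whoever holds the key, so keep the key out of the log store and rotate it.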

IMHO, this will keep you away from most of the accidental problems. However, lack of compliance may attract the wrong kind of people, and then you have to show them that somebody claiming to own their email address clicked said checkbox on that day. That shields you in the best possible way.

VPNs and other stuff do not really matter here: if the user claims it was not him, you did your job, remove him from the database and you are done. You could not do anything more, or doing anything more was not reasonable.

But you need to get basics right.

I don’t dare to make predictions, but that’s what I’d hope too.

However, there are two sides to this: one is official law enforcement. Another, however, is internal compliance procedures, especially in public administrations (perhaps most relevant here: universities, but also, say, city administrations): in my experience, these organizations will be annoyingly cautious in making sure they don’t do anything wrong, because nobody wants to be the one responsible in case something goes wrong. In this internal compliance process especially, it would help tremendously to be able to point decision-makers to some site setting called “enforce active consent to data processing” or something like that.

In a way, there is a chance for Discourse to establish “common practice” and thereby influence how the law is interpreted.

I don’t think it’s as simple as that. On Discourse you can’t simply remove a user from the database…

1 Like

The minimum I’d expect from discourse is admins being able to at least anonymise an account (break the connection between user and his data).
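Two things the posts above ask for, being able to show that the holder of an email address clicked the checkbox on a given day for a given ToS text, and being able to anonymise an account afterwards without losing that evidence, fit together in one small design. The block below is an added example (mine, not from this thread and not a Discourse feature or setting): it stores a keyed hash of the address rather than the address itself, pins the ToS wording by its SHA-256, MACs each record so a backdated edit is detectable, and anonymises the live profile while leaving the record verifiable. `RECORD_KEY`, `SIGNUP_AT`, the ToS texts and the user are constructed assumptions.

```python
"""Added example (mine, not from the thread and not a Discourse feature): the
record behind an "I agree to the ToS" checkbox that can be shown later, and an
account anonymisation step that breaks the user/data link without destroying
that record.

Assumptions: an in-memory store; RECORD_KEY is a server-side secret kept out of
the database; a ToS version is identified by the SHA-256 of its text; the
sample user, ToS text and timestamp are constructed.
"""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

RECORD_KEY = b"server-side-secret-not-in-the-db"               # assumption
SIGNUP_AT = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)    # constructed
TOS_V1 = "Terms of Service v1: constructed sample text."
TOS_V2 = "Terms of Service v2: constructed, edited text."


def tos_version(tos_text: str) -> str:
    """Pin the exact wording that was agreed to; a later edit gets a new hash."""
    return hashlib.sha256(tos_text.encode()).hexdigest()


def email_pseudonym(email: str) -> str:
    """Keyed hash of the normalised address: matchable against a later claim
    ('that was my address') without keeping the address in the record."""
    return hmac.new(RECORD_KEY, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def _mac(fields: dict) -> str:
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(RECORD_KEY, canonical, hashlib.sha256).hexdigest()


class ConsentStore:
    def __init__(self):
        self.users = {}     # user_id -> live profile
        self.consents = []  # append-only, each entry carries its own MAC

    def register(self, user_id: str, email: str):
        self.users[user_id] = {"email": email}

    def record_consent(self, user_id: str, tos_text: str, checkbox_checked: bool, when: datetime):
        """Store only an affirmative action; a pre-ticked box or 'continued use'
        gives you nothing you could show later, so refuse it outright."""
        if not checkbox_checked:
            raise ValueError("no affirmative action; nothing to record")
        fields = {
            "user_id": user_id,
            "email_pseudonym": email_pseudonym(self.users[user_id]["email"]),
            "tos_sha256": tos_version(tos_text),
            "at": when.astimezone(timezone.utc).isoformat(timespec="seconds"),
            "method": "signup_checkbox",
        }
        self.consents.append({**fields, "mac": _mac(fields)})

    def demonstrate(self, claimed_email: str, tos_text: str):
        """Answer 'did the holder of this address agree to this ToS text, and when?'
        Returns the record, or None if none exists or it has been tampered with."""
        who, what = email_pseudonym(claimed_email), tos_version(tos_text)
        for rec in self.consents:
            fields = {k: v for k, v in rec.items() if k != "mac"}
            if fields["email_pseudonym"] == who and fields["tos_sha256"] == what:
                if hmac.compare_digest(rec["mac"], _mac(fields)):
                    return rec
        return None

    def anonymise(self, user_id: str) -> str:
        """Break the link between the person and the live account: the profile
        keeps no address, only a random handle. The consent record is untouched;
        it never held the address in the clear and still verifies."""
        handle = "anon_" + secrets.token_hex(6)
        self.users[user_id] = {"email": None, "handle": handle}
        return handle


def run_demo() -> dict:
    store = ConsentStore()
    store.register("u1", "Alice@Example.com")
    store.record_consent("u1", TOS_V1, True, SIGNUP_AT)
    before = store.demonstrate("alice@example.com", TOS_V1)
    store.anonymise("u1")
    after = store.demonstrate("alice@example.com", TOS_V1)
    store.consents[0]["tos_sha256"] = tos_version(TOS_V2)   # simulate a backdated edit
    forged = store.demonstrate("alice@example.com", TOS_V2)
    return {
        "agreed_at": before["at"] if before else None,
        "still_provable_after_anonymisation": after is not None,
        "profile_email": store.users["u1"]["email"],
        "forged_record_accepted": forged is not None,
    }


if __name__ == "__main__":
    print(run_demo())
```

The keyed hash is a pseudonym, not true anonymisation: anyone holding `RECORD_KEY` can test a candidate address against it, which is exactly what `demonstrate` does when someone claims the address was theirs. Keep that key out of the database so a dump of the consent table alone links to nobody.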

What I meant to say is that in such a case the consent process is unrelated to Discourse.

That is incorrect. There are no minimum fines.

I expect the contrary. Because the cookie law was never really enforced, people never took it seriously. You can see that when this law was made, the lessons learned with the cookie law have clearly been applied. My personal prediction is that in Q3 2018 the authorities will set a few examples by imposing a huge fine and a lot of publicity upon some pretty well-known companies.

1 Like

There are in fact minimums: it’s a set amount or a percentage, whichever is higher, meaning the set amount is the minimum. See Article 83 EU General Data Protection Regulation (EU-GDPR).

4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

No, those are maximums. The text says ‘up to’. Twice.

2 Likes

Yeah, corporate lobbying seems to have worked… :frowning:

Well, it wouldn’t be really fair if a small two-person company that made an honest mistake would be fined 10 million, would it?

2 Likes

Of course not. I didn’t mean to imply that it should have been “at least”. Not at all. But the only ones who benefit from the “up to” wording, especially “up to 2 percent”, are the big corporations (because it’s “whichever is higher”).

and ends with that…

2 Likes

That just means that the maximum fine is either 10m or 2 percent, whichever is higher.

1 Like

Guess we’ll see. I’m going off my consultants’ and lawyers’ recommendations; they expect them to push hard on fines, especially with the Facebook debacle of the week.

1 Like

Apologies, I was wrong, or out of date, with the €2M minimum fine. The actual minimum fine is €10M:

https://www.gdpr.associates/data-breach-penalties/

Errm, isn’t that more correctly the “minimum maximum amount”? :wink:

5 Likes

There is no minimum fine. You’re putting the emphasis wrong. Let me try to explain it again, by splitting the sentence.

The first is up to X

Where X = €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher

5 Likes

If anyone was inspired by this topic like I was to add a user field at sign up for people to check that they’ve reviewed the TOS or FAQs or whatever it is they require, here is the very simple way to achieve that:

6 Likes

That’s exactly what you need; I have implemented that now at https://monitoring-portal.org :heart:
Woltlab, for example (a German company), has that built in. Don’t know if it makes sense to move this into a generic setting for users, or to just leave that to the user fields (it is somewhat hard to find if you are not pointed to it).

3 Likes