Just a little GDPR reminder/story


(The Mainframe) #1

Hi there,

Hope you’re all doing well - you might’ve managed to go for a while without hearing GDPR, but as forum owners I think there’s something you should now.

  • An email address is considered to be personally identifiable information as per the U.S Department of Labor and the European Union. https://www.dol.gov/general/ppii // I think we can all agree on this one

  • Therefore, in order to comply with a GDPR personal data erasure request you would need to remove email addresses too. // Obviously

  • ICYMI: Forum owners, this means that if you intended on blocking a user and they then submit a personal data erasure request, you would need to comply. If they choose to sign up for another account, you would no longer have the right to block them - even manually. // Apparently not so obvious

Otherwise, you clearly aren’t complying with one of the fundamental aspects of the GDPR: providing users with the right to be forgotten.

Please can we discuss this, because I’ve encountered this on a large forum in the open-source community (not this one) that will remain unnamed to save them from embarrassment. I got into a lengthy discussion with a forum moderator who clearly had no idea what he was talking about. Share your thoughts + experiences below…****


#2

You can store a hash of the personally identifying information, e.g., an email, and block registration from those emails you want to blacklist. This way you are not storing the email address, so you do not have it. Still you have stored the memory of the troll. It’s not personally identifying information per the law.


(The Mainframe) #3

This workaround would not be legal - if you’re storing a hash of the personal data, you’re in theory still storing the personal data itself. The intent of this thread was not so much to help forum owners validate a workaround on how to solve dealing with the GDPR - it was to point out what you can no longer do since the GDPR has come into effect.


(Stephen) #4

No you aren’t. This statement is fundamentally false.

Hashes by definition are not the data, they aren’t reversible. While you can’t change a couple of bytes and get the same MD5 hash you can change almost all of them and get a collision - it’s only a 128 bit value after all.

The right to be forgotten applies to information stored and presented on the internet. If you have an abusive user who requests removal after a ban, they aren’t entitled to return as if nothing happened. The right to be forgotten isn’t a men-in-black style neuraliser, capable of inflicting amnesia and entitling you to another ride on the troll-train.

Maybe you’re forgetting it, but your site is more than a relational database of transactions. As a site owner you also have a fundamental responsibility to protect your users.

You are under no obligation to provide service to everyone - even if publicly funded. If someone does something to be excluded you retain the right to exclude that individual, the email address is immaterial. GDPR isn’t a shield for trolls and fuckwits.


#5

Hmmm. Regardless of the law, if I asked Facebook to delete me I would expect them to wipe me completey including any identifying email addresses.

If I joined them later I would not expect them to be able to remember I’d been there before.

The extent to which a platform should be allowed to maintain some information to protect the platform and its users is an interesting debate.

I’m more than happy to anonimize an account and deal with the troll again if and when they return. Perhaps they will have calmed down and changed behaviour by then in any case? But then I’ve got hundreds of active users not thousands.


(The Mainframe) #6

Exactly @merefield - this is what I meant.


(Stephen) #7

But that’s not the same thing as being banned.

The right to be forgotten doesn’t extend to the lawful processing of information for reasons you might dislike.

And Facebook doesn’t delete all information related to you - only the information you provide. If a Facebook friend uploads their contacts and includes your telephone number they won’t remove your contact from their account when they remove your user, whether you ever provide Facebook with that number or not they will associate it with your user and it remains on their servers when you’re gone.

One big distinction that was missing in the OP was the difference between PII and public PII, email addresses and phone numbers are both considered to be the latter. Your right to erasure applies to the storage of personal data no longer being necessary, because the purpose for which they were collected or processed has passed - by asking to be deleted there’s no longer a need for that PII to remain on those systems. That’s entirely different to you breaking a user agreement and subsequent step of processing becoming necessary to exclude you.

What you’re effectively suggesting is that GDPR would allow you to break a contract and suffer no consequences, extrapolate that out a little - you could dodge debts and do all manner of unsavory things were that possible, which is why it isn’t.


#8

Prove it in court. I can prove to you that I do not store your email address, even that I never had access to it. All I can do is match a hash of a string you pass to me to a hash I have stored, which is not personal information. If my database is stolen, nobody can find your email in it. Nobody, even me, can send you email from a hash of your email. So in practice, I do not have your email address. Leave theory alone: GDPR is applied in reality, not in theory.


(Stephen) #9

Actually GDPR itself is applied nowhere. It’s up to the member countries to update their respective laws, and for the respective information commissioners to enforce.


#10

I agree that having a law that prevents you maintaining a reference to identify someone you’ve done business with before as rather OTT and harsh (not saying GDPR is preventing you, just speaking generally)


(Stephen) #11

Exactly, which is why it doesn’t do that and no judge would enforce it that way.

I feel bad for the moderator which OP engaged with, and worry that there’s now a community out there working on such false information.


#12

I would love to see some of this tested out in court so long as the participants have sufficient funds to go the whole way.


#13

I agree with @hellekin and @Stephen here. I’m leaving this discussion open because it helps to clarify some (more) misinterpretations.

@thephotographyblog I urge you to be careful about making assumptions.


(The Mainframe) #14

I wasn’t making assumptions - I spoke with a lawyer. But you all clearly don’t need my warning because you know better.


#15

Ok, then it might be helpful to get the lawyer’s exact wording here because something has broken down.
The way you have described it isn’t a completely accurate interpretation.

I appreciate you sharing what you’ve learned but we need to be really careful here or it turns into scaremongering.


(Stephen) #16

I have to agree, without citing the lawyer in question and their exact advice it just sounds like you’re passing the buck.

In the opening post you made no mention that legal counsel was involved, your post could in fact be summarised as:

  • Telling us “there’s something you should now[sic]”
  • Citing the US DoL post to mischaracterise email as PII, when here in Europe it’s recognised as public-PII. Email addresses don’t work if they aren’t disclosed, they are transferred between systems unencrypted, yet in some cases can go so far as to identify gender, age and location.
  • Wrongly suggesting that a GDPR request will remove all occurrences of an email address from a system, which isn’t the case - they only need to remove specific records you’ve provided within the scope of the original processing. Occurrences introduced by other parties for other means wouldn’t, in fact, be covered.
  • Stretching that misconception to posit that GDPR would force sites to serve users who are no longer welcome.

You then asked for our thoughts and experiences - which is precisely what you got.

Some of us here have been working in the industry for 20 or more years, and work in organisations who retain full-time legal counsel. Many of us have studied GDPR in depth to determine the impact on our existing strict data protection policies. A few of us even have papers and guidance published externally to guide others and avoid the kind of ‘chicken little’ scenarios we see above.

Your post wasn’t a warning, it was billed as a “reminder/story”, but the only story was how you misled the moderator of a “large forum in the open-source community”.

For anyone interested in real GDPR advice a good starting point would be the likes of the Information Commissioner’s Office which represents a real regulatory body putting the contents of GDPR into enforcable guidelines. They have a great section on both the storage limitation and right of erasure including many of the grounds for which requests for erasure do not apply:

The right to erasure does not apply if processing is necessary for one of the following reasons:

  • to exercise the right of freedom of expression and information;
  • to comply with a legal obligation;
  • for the performance of a task carried out in the public interest or in the exercise of official authority;
  • for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
  • for the establishment, exercise or defence of legal claims.

The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:

  • if the processing is necessary for public health purposes in the public interest (eg protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
  • if the processing is necessary for the purposes of preventative or occupational medicine (eg where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (eg a health professional).

In the event of a user harassing other community members point one has some use here. Point five is an immediate go-to when dealing with users who need to be excluded, whether it’s for breaking community rules, or going so far as to harass, victimse, or break local laws. Unsurprisingly this was already the case prior to article 17 too.

Another good resource is JISC - they have a whole portal on GDPR. I’ve collaborated with John Kelly their subject specialist on a number of occasions for papers on data protection, identity and informed consent.

GDPR @ JISC


(Richard - DiscourseHosting.com) #17

You are all making this far too difficult - @Stephen already said

The right to be forgotten doesn’t extend to the lawful processing of information for reasons you might dislike.

and he is right. GDPR Article 17 states:

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
  3. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
  4. the personal data have been unlawfully processed;
  5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  6. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

So if you intended on blocking a user and they then submit a personal data erasure request, you do not need to comply because

  • the personal data is still necessary in relation to the purpose for which it was collected so #1 does not apply
  • there is no consent on which the processing is based so #2 does not apply
  • there is an overriding legitimate ground so #3 does not apply
  • the processing is lawful (legitimate interest) so #4 does not apply
  • #5 does not apply because there is no such legal obligation
  • #6 does not apply (article 8 is about children’s data)

Because #1 to #6 are all not applicable, the controller is not obliged to erase this personal data upon request.