I have to agree, without citing the lawyer in question and their exact advice it just sounds like you’re passing the buck.
In the opening post you made no mention that legal counsel was involved, your post could in fact be summarised as:
- Telling us “there’s something you should now[sic]”
- Citing the US DoL post to mischaracterise email as PII, when here in Europe it’s recognised as public-PII. Email addresses don’t work if they aren’t disclosed; they are transferred between systems unencrypted, yet in some cases can go so far as to identify gender, age and location.
- Wrongly suggesting that a GDPR request will remove all occurrences of an email address from a system, which isn’t the case - they only need to remove specific records you’ve provided within the scope of the original processing. Occurrences introduced by other parties for other means wouldn’t, in fact, be covered.
- Stretching that misconception to posit that GDPR would force sites to serve users who are no longer welcome.
You then asked for our thoughts and experiences - which is precisely what you got.
Some of us here have been working in the industry for 20 or more years, and work in organisations who retain full-time legal counsel. Many of us have studied GDPR in depth to determine the impact on our existing strict data protection policies. A few of us even have papers and guidance published externally to guide others and avoid the kind of ‘chicken little’ scenarios we see above.
Your post wasn’t a warning, it was billed as a “reminder/story”, but the only story was how you misled the moderator of a “large forum in the open-source community”.
For anyone interested in real GDPR advice, a good starting point would be the likes of the Information Commissioner’s Office, which represents a real regulatory body putting the contents of GDPR into enforceable guidelines. They have a great section on both the storage limitation and the right of erasure, including many of the grounds on which requests for erasure do not apply:
The right to erasure does not apply if processing is necessary for one of the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- for the establishment, exercise or defence of legal claims.
The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:
- if the processing is necessary for public health purposes in the public interest (eg protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
- if the processing is necessary for the purposes of preventative or occupational medicine (eg where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (eg a health professional).
In the event of a user harassing other community members, point one has some use here. Point five is an immediate go-to when dealing with users who need to be excluded, whether it’s for breaking community rules, or going so far as to harass, victimise, or break local laws. Unsurprisingly this was already the case prior to Article 17 too.
Another good resource is JISC - they have a whole portal on GDPR. I’ve collaborated with John Kelly, their subject specialist, on a number of occasions for papers on data protection, identity and informed consent.
GDPR @ JISC