Modifying Privacy Policy to conform with EU law

I’m trying to formulate a privacy policy for those of us who are neither lawyers nor an organization large enough to hire any, but do care about privacy. I need the privacy policy to conform to my country’s privacy laws.

This task is similar to adapting it to the EU’s General Data Protection Regulation (GDPR). This law won’t come into force quite yet, but I’m sure quite a few Discourse administrators will need to adapt their privacy policy to it anyway. Therefore I’m creating this topic about the questions concerning this. Be aware that I’m not an expert. My comments consist mainly of assumptions and questions.

There have been topics with similar questions, but I haven’t found any answers:

https://meta.discourse.org/t/default-ip-log-retention-time/42135
https://meta.discourse.org/t/faq-privacy-policy-for-non-english-discourse/19412
https://meta.discourse.org/t/data-retention-policy-implementation/38470
(As a new user my link count per post is restricted.)

The most relevant parts of the law are Articles 12–13 (beginning on page one in [this](http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FUL) PDF document; more easily accessible on this web page). I don’t think Article 14 applies.

Article 12 states, among other things, that all information related to the Privacy Policy should be “in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.”

Article 13 is about “Information to be provided where personal data are collected from the data subject”. It states:

  1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
    (a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

That would be the administrator.

(b) the contact details of the data protection officer, where applicable;

Usually not applicable.

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

As to the purpose, basically what the section [What do we use your information for?](https://meta.discourse.org/privacy#use) in the Discourse Privacy Policy says. The legal basis would be the GDPR.

(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

Processing is mainly based on Article 6(1) point (f), but point (a): consent of the data subject. I guess logging the IP addresses of visitors serves a legitimate interest of the controller; but I don’t know about storing cookies on the data subject’s computer.

(e) the recipients or categories of recipients of the personal data, if any;

None, assuming one does not use Google Analytics.

(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;

Ok, let’s just pretend the data stays in the EU.

  2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

The Discourse Privacy Policy states:

We will make a good faith effort to:

  • Retain server logs containing the IP address of all requests to this server no more than 90 days.
  • Retain the IP addresses associated with registered users and their posts no more than 5 years.

First of all, I don’t think a good faith effort is good enough. Secondly, and asking as an administrator, what piece(s) of software actually keeps the server logs when Discourse is set up with Docker? Discourse itself only logs the IP addresses of registered visitors, right? As to the IP addresses of registered users, are these logged for visits only? Then it should not be too hard to anonymize them by deleting the last byte after a set amount of time.

(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

Eh…?

(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

So a data subject can have all his or her data deleted if requested?

(d) the right to lodge a complaint with a supervisory authority;
(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

Standard phrasings will pop up in time.

(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

I don’t think this applies to Discourse.

14 Likes
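The time-based anonymization sketched in the question above (dropping the host part of an IP address once a log entry is older than the retention window), as an added example that is not from this thread, from Discourse or from its Docker image; it assumes nginx-style access log lines, constructed here as sample input, and zeroes the last octet of IPv4 addresses and the last 80 bits of IPv6 addresses:

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample access log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.45 - - [01/Jan/2018:10:00:00 +0000] "GET /latest HTTP/1.1" 200 512
2001:db8:85a3::8a2e:370:7334 - - [15/Mar/2018:12:30:00 +0000] "GET /t/42 HTTP/1.1" 200 2048
198.51.100.7 - - [01/Jun/2018:08:15:00 +0000] "POST /login HTTP/1.1" 302 0
"""

# Client IP is the first field; the timestamp sits in the first bracketed field.
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<rest>- - \[(?P<ts>[^\]]+)\] .*)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def anonymize_ip(ip_text):
    """Keep only the network part: /24 for IPv4 (drops the last byte), /48 for IPv6."""
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def anonymize_old_entries(log_text, now, retention_days=90):
    """Rewrite the IP of every entry older than retention_days; keep newer entries intact."""
    cutoff = now - timedelta(days=retention_days)
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            out.append(line)  # unparseable line: leave untouched rather than guess
            continue
        stamped = datetime.strptime(m.group("ts"), TS_FMT)
        if stamped < cutoff:
            line = f"{anonymize_ip(m.group('ip'))} {m.group('rest')}"
        out.append(line)
    return "\n".join(out)

# Fixed "now" so the run is reproducible (constructed value).
NOW = datetime(2018, 7, 1, tzinfo=timezone.utc)

def demo():
    return anonymize_old_entries(SAMPLE_LOG, NOW).splitlines()

if __name__ == "__main__":
    print("\n".join(demo()))
```

With the fixed date, the January and March entries fall outside the 90-day window and lose their host part, while the June entry is left as logged.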

We’re about to start this process as well so I’m also curious.

There’s a topic about this on Feverbee.

Rather than trying to parse the text of the EU directive itself, I suggest you follow the directions and suggestions of your relevant national data protection authority (DPA).

Your DPA is the relevant compliance authority, so their position is what you should care about.

There is a list of DPAs here. For example, the UK’s DPA is the “Information Commissioner’s Office”; they have an interactive toolkit to help you out.

7 Likes

Do you happen to know whether “my DPA” is the one where I live or where my server lives?

The one where your target audience is.

You cannot circumvent the privacy laws by relocating your server or your company. Worse: your applicable privacy laws might put restrictions on where you locate your server.

No, that is definitely not the case. A company that is not legally established in Sweden, for example, does not have to follow Swedish law even when its target audience is in Sweden.

Besides, what if your target audience is in multiple countries? There definitely must be a different principle than “target audience” to determine which laws apply. I’m guessing it’s where your organisation is legally established, but I’m not 100% sure.

That is correct. But AFAIK, there are no restrictions within the EU. For an EU organization to store data outside the EU is more tricky, however.

1 Like

Correct, although there are still some countries within the EU where companies prefer to have their data hosted within their country. Especially Germans are pretty strict in this. This is why we have chosen to host our new EU-based GDPR-compliant plans in Frankfurt, since that satisfies both German customers who want to keep their forum within their country, as well as customers from other EU countries that want to host somewhere within the EU.

Although your statement was less incorrect than mine :wink: it’s not as black and white as you say either.

EU privacy laws often do apply to non-EU companies delivering services to EU citizens.

The Working Party emphasised that their position stems from the belief that the individual should not be without protection where his personal data is being processed in his country solely because the organisation performing the processing has not chosen to be established in an EU Member State.
(…)
where equipment (which includes computers, terminals, and servers) situated in the EU is at the disposal (but not necessarily full control) of a non-EU controller, then EU data protection law applies

and then things get fun:

(…)
the use by a non-EU controller of cookies placed on the hard drive of an EU user’s personal computer can trigger the application of EU data protection law since the non-EU controller has some control over equipment used to process personal data.

(source: http://www.hldataprotection.com/2014/11/articles/international-eu-privacy/how-do-global-businesses-know-whether-eu-data-protection-law-applies-to-them/)

I was just referring to the Swedish data protection authority which states that Swedish data protection laws don’t apply to an online community run by a British company.

The other things you state are exactly the reason why I asked:

Is it a case of where complying to some rules directly contradicts complying with other rules?

In other words, wouldn’t it just be easiest to comply with the most stringent rules as might apply to any visitors?

The question you’ve linked to is about the Personal Data Act 1998 (PDA), which implemented the Data Protection Directive 95/46/EC (DPA).

Section 4 of the PDA states

This Act applies to those controllers of personal data who are established in Sweden.

However, the DPA, which the PDA enables, is being replaced by the General Data Protection Regulation (GDPR). As the GDPR is a regulation (not a directive), it does not require enabling legislation in EU member countries.

Article 288 of the Treaty on the Functioning of the European Union provides

A regulation shall have general application. It shall be binding in its entirety and directly applicable in all Member States.

The upshot of this is that it doesn’t technically matter which Data Protection Authority you choose to focus on. The law (i.e. the GDPR) is the same in each EU country.

Some DPAs may take different ‘attitudes’ to enforcement / compliance, however they are enforcing the same law.

What I meant by ‘your DPA’ is that, in addition to the possibility of slightly different ‘attitudes’, you’ll find some DPAs easier to deal with than others due to language, website, etc.

disclaimer: this does not constitute legal advice, it is opinion only.

5 Likes

Seeing how easily the Spanish government has shot down / filtered websites in the past months and how easily they are suing Internet activities that they dislike, I’d rather give them as few excuses as possible. This is my main motivation to seek EU compliance. :roll_eyes:

Our Discourse site is hosted in The Netherlands. Our target audience is mainly in Catalonia / Spain. Our site doesn’t use cookies for AdSense or anything similar. For what is worth, we do plan to embed comments in other sites.

I have tried following the links mentioned here but, honestly, I’m overwhelmed and I don’t think I’m stupid. Would taking this text as a template suffice for now? (I don’t even know what the diff is with the equivalent content in Discourse master): Communiteq Privacy Policy - Communiteq

Also related, the cookie disclaimer. I don’t feel like reviving the rather antagonistic thread “Compliance with EU Cookie Law” but I wonder what EU based Discourse sites are doing nowadays. I noticed the last comment in the aforementioned thread pointing to https://cookieconsent.insites.com/ – is this the best / a convenient solution for now?

1 Like

I’m not sure whether the cookie notice will be required in the future:

O’Neil noted a minor change in which visitors to a website for analytics purposes do not require consent, as long as any personal data collected is only processed by the first party. This means web analytics based on the Google Analytics system, which Google uses to drive its targeted and behavioural advertising business, continues to need prior informed consent, while analytics based on the first-party hosted Piwik system “would probably not”. (from The Register, via Piwik)

As far as I understand, this still isn’t fully baked yet.

1 Like

That is the privacy policy for our hosting service, that doesn’t have anything to do with the privacy policy for a Discourse forum. (And even if it were, it’s not a template and you cannot “take” things from our website without asking… )

Just use this one from the Deutsche Gesellschaft für Datenschutz, it works well.

2 Likes

@RGJ You are of course right, and even if I posted on a Sunday morning I should have paid more attention. I landed in your privacy policy page after reading the links shared in this thread by several contributors, including @michaeld from Communiteq (formerly DiscourseHosting). Take my good faith (wrong) question as praise and not as an attempt to steal a copyrighted text. I do pay attention to licenses when I actually copy anything.

Thank you, I will check.

Don’t worry about that :slight_smile:
What is more important: legal texts are specific. Using someone else’s text will cause you to make promises you cannot keep. If you need a legal text, use a legal expert, or a generator made by one.

1 Like

It seems the Spanish Data Protection Authority recently (Sept 2017) released an online tool to help businesses comply with the GDPR. I suggest you start there:

http://www.servicios.agpd.es/

See further: https://www.agpd.es/portalwebAGPD/canalresponsable/inscripcion_ficheros/herramientas_ayuda/index-ides-idphp.php

2 Likes

Oh irony, so the http version (!) yields a 404 not found and the https version causes an insecure certificate error.

:slight_smile: yeah, ironic. it seems their site has issues. It seemed to work earlier… try calling them maybe.

If they remain unresponsive, report them to the EU Data Protection Supervisor :policeman: