I am pretty sure that users could make a request in writing that they want their data deleted. I don’t think there is a need to add buttons or tick boxes for this but we had to deal with the request which could be made via Message or email.
Another thing is that a user might want some of the posts deleted as they might contain personal information that might have seemed a good idea to post at the moment and then regret after.
I tried to delete a post (without having to delete the whole account) and the post remains in the database.
I think this should be addressed and administrators should have the option to really delete a post.
Yes I also think that should be enough — if you mean content data, like posts and stuff. For personal data, personally I think it makes sense & is simpler for the staff, to let people delete their own personal data via a button, I mean, anonymizing their own account.
Maybe it’d be good to make a distinction between data and data, and write “their content” (CC-By licensed) and “their personal data” instead, … otherwise when someone writes just “data” I’m never 100% certain what they mean :- ) (Content? Or personal data?)
a user might want some of the posts deleted as they might contain personal information
Yes, and … it needn’t even be the user him/herself who posted that personal info. Maybe a member contacts staff, because another member posted someone’s personal data. Maybe the user who contacts the staff, to have [personal data in some post] deleted, is not even a member of the forum.
I tried to delete a post (without having to delete the whole account) and the post remains in the database.
Hmm wouldn’t it be enough to edit & remove the personal data from the post? I think since the post is CC-By licensed no one can force the staff to remove it … but, as far as I can tell, according to the CC-By license, one can withdraw one’s name from the CC-By post, so one isn’t associated with it any longer. So being able to edit the post and removing personal info about the author seems to me to be required by both CC-By (see Creative Commons — Attribution 4.0 International — CC BY 4.0, section 3(a)(3)) and GDPR. … But what if @the_authors_full_name is present in older revisions of the post :- P
But if the post contains stuff that is illegal to even store on disk (e.g. because of copyright? or forbidden images?), then I suppose it’d be good to have a way to totally erase it. (But that’s not related to GDPR though?)
Allowing users to delete all of their posts can have a huge impact on the forum and the experience for everyone else - because Topics with posts missing can be difficult to read/follow, thus much of the forum can be rendered useless by even a small handful of (rogue?) users.
The terms should be clear that users who submit content allow perpetual publishing rights. Forums are not social networks and users who don’t agree to this collective contribution and retention of content should not contribute anything to the forum.
Sure. Although GDPR is mostly about processes and not that much about configuration.
Of course we have made sure that we have all the right things in place. Patch management, security best practices, ISO 27001 data center provider (Frankfurt, Germany) with a data processing agreement between us and them. On top of that we will* run nginx (or more specific: openresty) that is configured to remove the last octet from all IP addresses, and a Discourse with a patched rate limiter (using a plugin) so it can deal with the missing octet.
Backups and email use European data centers too (for European customers)
(*) I’m saying we “will” run that because we’re currently still ironing out the last details in that plugin.
Unfortunately, the regulators are not the ones to worry about. They are chronically understaffed, and a GDPR specialized lawyer has told me that the relevant agencies have only received minimal budget increases to deal with the new beast. The real threat stems from EU located individuals – either acting on their own, or as proxies for organizations and lawyers – who want to harm your business or community, for whatever reason.
People living in the German speaking part of Europe are aware of the notorious “Abmahnanwälte”. These are typically individual lawyers or legal practices, which are entirely specialized on suing the operators of websites which are not compliant with various regulations. They will often go after small to midsize companies, which don’t have the expertise or resources to fight long drawn legal disputes, in the hope that they will just give in and settle out of court, or accept a fine. A court ruling in the EU can be enforced in countries outside the EU, providing the country in question has a functional legal system.
We must not forget that a discussion forum can potentially have an important influence on broader public opinion, media and even policy. I am providing service to a quite vocal patient organization (on a purely nonprofit basis). A company with very deep pockets is not at all happy about their existence, and would be glad to see them gone. Even though I am not in panic mode, I am worried about GDPR being exploited for solving such conflicts of interest. In my case, I find it crucial to have as few flanks open as possible, as to not invite potential attacks.
I should reiterate up top that I fully stand by everything I said in my previous posts. Following the guidance of your Data Protection Authority is still the first (and normally last) port of call. What we’re discussing here is what to do in a (theoretical at this stage) edge case.
Yes, this is a fair point. Litigation is used like this in common law countries as well. This aspect of the discussion about the GDPR has been nagging me, as it does seem to introduce a private right of action (albeit, how that can and will be used is yet to be seen).
The typical way smaller entities deal with legal threats from bigger entities is by pooling resources. The point of abusive litigation tactics is to divide and conquer. Even if one community were to hire a lawyer now and get some initial advice, in the event of this kind of suit, it may not be enough.
One thing that occurred to me yesterday was whether it would be possible for small, community focused, data controllers and processors (i.e. Discourse communities) to join forces with the already existing community efforts to pool resources for GDPR enforcement against larger entities, in particular I had this organisation and its crowdfunding campaign in mind.
It may seem a bit strange at first, but I think there are some shared cultural touchstones (e.g. support of open source, tech community culture, support for individuals and small entities vs big entities etc.) that could make projects like this a natural ally.
Even if it didn’t result in specific advice, there would be benefit in culturally aligning with this side of the privacy discourse in the EU.
Does anyone know Max Schrems…?
@erlend_sh I understand that Discourse itself may not want to get involved in this kind of thing, but I’d be interested in your thoughts on this specific point of the GDPR discussion (i.e. the pooling of resources and cultural alignment with the ‘privacy’ side of the tech community in the EU as a strategic step).
We’re certainly interested in such efforts, but at this point we’ve still got our hands full getting our own GDPR policies in place. I feel like there will be more of substance to talk about when we’ve lived with GDPR in practice for a little while.
I think the most important things to do about the GDPR are to let the users download everything our Discourse websites have about them and also to let the users delete everything if they want. At least that’s what this law asks for.
Someone asked why to do that if the TOS says everything a user publishes becomes the forum’s property. That’s exactly what this is about. This new law, GDPR, does not let companies own the users’ information even if they agree.
Even this page, meta.discourse.org, became “illegal” since May 25, 2018, because I’m from Europe and they don’t let me download all data Discourse stores about me and my account. (Just an example). Also, there are no options to remove all my data without deleting my account.
That is not completely correct. It’s not about property or ownership, it’s about the right to request deletion. As I have pointed out before, article 17.3 of the GDPR provides for an exception where processing is necessary for “exercising the right of freedom of expression and information”;
That is not a requirement either.
There is no automatic mechanism, but maybe you can ask and they will process your request manually.
As a forum admin you can search for @bobthedeleted and just edit the posts and hide revisions if you must. Doing this automatically is very wrongheaded and full of edge cases.
What about posts that said:
I agree with what Bob the deleted said.
I agree with what Bob said.
Bob The Deleted was wrong
@bobthedeleted is a great username to use.
And so on and so on, I can list edge cases here all day.
After anonymization we can queue a rebake maybe on posts with mentions so they turn from @sam to @sam but this can be done today anyway. I don’t see why we are responsible for some magical, impossible to build right feature here.
That anonymizing a user leaves @ mentions intact is not an opinion but a fact, how can you disagree?
I totally understand there are lots of edge cases, and I also understand that this is a pretty hard thing to do. But I wasn’t saying that you are “responsible” nor that you should fix it. I was merely stating that this is something where the user anonymization feature is not perfect.
Although I’m now getting confused whether you guys are working on this or not…
It’d be interesting to hear how you do this? (if you’re working with that?) (I’m curious about this, because I’m thinking about doing that in a web app I’m building.)
Changing from @username in the commonmark source seems really hard, to me. (Hard to know if @something is pre-formatted text or maybe part of an email address or maybe Twitter handle, or whatever, but not a real username mention)
However, changing @username to @anon12345 when rendering the markdown to html, seems like actually doable, in a markdown renderer plugin? …
… (because the plugin would know if the @something is actually a username mention, or something else and should be skipped)
So, one approach is to change the @username to @anon12345 everywhere it’s publicly visible (i.e. in the rendered HTML), but … leave it as is, in the Commonmark source? People could then (unfortunately) still find out what the actual username is, by viewing the edit history — then the source is visible (right?). But few people would think about that? & wouldn’t be indexed by search engines.
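The render-time approach discussed in the last post, as an added sketch that is not Discourse code and not from any participant in the thread: the stored source is left untouched, and only real mentions of anonymized accounts are rewritten in the output. The function name `renderMentions`, the regexes and the `ANONYMIZED` mapping are assumptions made for this example; a real renderer plugin would work on its parser's tokens rather than on regex-split text.

```javascript
// Constructed sample mapping: old username (lower-cased) -> anonymized name.
const ANONYMIZED = new Map([["bobthedeleted", "anon12345"]]);

// Fenced blocks and inline code spans: pre-formatted text, never rewritten.
const CODE_RE = /(```[\s\S]*?```|`[^`\n]*`)/g;

// A mention is "@name" NOT preceded by a word character, ".", "@", "+", "-"
// or "/", which rules out email addresses (bob@host) and URL paths (/@name).
// The name may contain "." or "-" only between alphanumeric runs, so a
// sentence-ending period is not swallowed into the username.
const MENTION_RE = /(^|[^\w.@+\-\/])@([A-Za-z0-9_]+(?:[.\-][A-Za-z0-9_]+)*)/g;

// Returns the text to display; `source` itself is what stays in the database.
function renderMentions(source, anonymized = ANONYMIZED) {
  return source
    .split(CODE_RE) // capturing group: odd indices hold the code segments
    .map((part, i) => {
      if (i % 2 === 1) return part; // code segment, leave as written
      return part.replace(MENTION_RE, (match, prefix, name) => {
        // Full-name lookup: "@bobthedeleted2" is a different account.
        const anon = anonymized.get(name.toLowerCase());
        return anon ? `${prefix}@${anon}` : match;
      });
    })
    .join("");
}

// Constructed sample post covering the edge cases raised in the thread.
const SAMPLE =
  "Thanks @bobthedeleted. Mail bob@bobthedeleted.example or run " +
  "`ping @bobthedeleted`.\n@BobTheDeleted was wrong, @bobthedeleted2 was not.";

console.log(renderMentions(SAMPLE));
```

Plain-text references such as "Bob the deleted" pass through unchanged, and the original username is still readable wherever the raw source or its revisions are shown.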