Question About Anonymizing Users and GDPR

Hi,

I would like to ask if the following is true:

Anonymization meets GDPR requirements for removal of personal data. Once anonymized, no data remains in the Discourse server to identify who you are or about you.

Are the IP address and email of a user retained after anonymization?

Is a site admin able to reverse the anonymization process?

Thanks in advance,
Rubi

The code which does the anonymization:

It will:

  • Username is changed to: anon#<random number>
  • password made random (and invalid)
  • name removed or changed to username
  • date of birth is removed
  • title is removed
  • avatar is removed
  • optionally IP is anonymized
  • email is changed to <username>@anonymized.invalid
  • location in profile is removed
  • website in profile is removed
  • bio is removed
  • profile background is removed
  • card background is removed
  • custom user fields are removed
  • SSO is cleared
  • API keys are removed
  • invites and emails are removed

As the username is changed, Discourse will try to replace the username in all posts.

Reversal is basically impossible, but user information can remain in individual posts.

4 Likes

In this case, I assume emails includes/also means PMs?

From a legal perspective, can a user be told that the process of anonymizing is GDPR compliant or are the waters still muddy on this matter?

PMs in Discourse are just private discussions; they are posts with really limited visibility. They are anonymized in the same way as the more public posts.

The “invites and emails” I mentioned are the email messages sent out by Discourse for various actions. For example, email notifications about reactions to followed discussions.

I am not a lawyer. But it is not that simple. In spirit this mechanism does conform to the guidelines of the Right to erasure from the GDPR, but the local implementing law might not agree.

It also depends a lot on how you use Discourse.

Furthermore, the amount of data being erased might violate some other laws which require this data to be kept.

If this is really a big concern, like with everything legal, you should contact a lawyer.

2 Likes

Mostly. I have been able to partially recover an account by renaming the username back to what it was prior to being anonymized, reattaching the user email and reactivating the account. Seems to keep original password. But all other things are gone, profile pic, birthday if entered. I had to explore this when I had a Moderator go off the rails.

It is a pain and not simple. The only thing is in posts where the user may have posted may have details in a post. Now if that was in a Personal message maybe not a big deal.

I believe the team has said though this is within GDPR compliance.

If a member requests to be anonymized, it is likely good to ask them to scan their posts and, if necessary, flag them for deletion, i.e. posts with uploaded pictures of the poster, for example.
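
The manual post review suggested above can be partly automated for text. The following is an added example, not part of any post in this thread and not Discourse's own code: it assumes post bodies have been exported into dicts with hypothetical `id` and `raw` keys and that the user's former username, name and email are known; all sample values are constructed.

```python
import re

# Constructed sample data: identifiers the user asked to have erased, and
# post bodies as an export might hold them. None of this is from the thread.
IDENTIFIERS = {"username": "rubi_g", "name": "Rubi Example",
               "email": "rubi@example.com"}
POSTS = [
    {"id": 101, "raw": "Thanks @anon48213, that fixed it."},
    {"id": 102, "raw": "Regards,\nRubi Example"},
    {"id": 103, "raw": "Mail me: rubi (at) example dot com"},
    {"id": 104, "raw": "As rubi_g said earlier, check the logs."},
    {"id": 105, "raw": "I collect rubies."},
]

def build_patterns(identifiers):
    """Compile one case-insensitive, whole-token pattern per identifier."""
    patterns = {}
    for label, value in identifiers.items():
        if not value:
            continue
        body = re.escape(value)
        if label == "email":
            # Also catch obfuscated spellings such as "name (at) host dot tld".
            local, _, domain = value.partition("@")
            dot = r"\s*(?:\.|\(dot\)|\bdot\b)\s*"
            body = (re.escape(local) + r"\s*(?:@|\(at\)|\bat\b)\s*"
                    + dot.join(re.escape(p) for p in domain.split(".")))
        # Word-boundary guards so "rubi" would not match inside "rubies".
        patterns[label] = re.compile(r"(?<!\w)" + body + r"(?!\w)", re.IGNORECASE)
    return patterns

def scan_posts(posts, identifiers):
    """Return (post_id, label, excerpt) for each leftover identifier in post text."""
    patterns = build_patterns(identifiers)
    findings = []
    for post in posts:
        for label, pattern in patterns.items():
            for m in pattern.finditer(post["raw"]):
                start, end = max(m.start() - 20, 0), m.end() + 20
                findings.append((post["id"], label, post["raw"][start:end].strip()))
    return findings

if __name__ == "__main__":
    for post_id, label, excerpt in scan_posts(POSTS, IDENTIFIERS):
        print(f"post {post_id}: leftover {label}: {excerpt!r}")
```

Text matching does not cover uploaded images or details that identify a person without naming them, so flagged posts are a starting list for review rather than a complete one.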

This is very useful to know!

Thankfully, we do not have many users requesting what they call “deletion” but since GDPR is or can be an issue I wanted to gather as much information as possible.

1 Like

Depending on how strict your data retention policies are, you may also want to disable Log anonymizer details as well:

Unchecking that makes sure not to keep a record of the original user details in the staff logs. :+1:

3 Likes

Oh, that is very nice!

Will definitely pass this information up the chain of command :slightly_smiling_face:

1 Like