It would be helpful to ensure all Admins/forum owners tell their Moderators about the GDPR legislation, and link them to specific guidelines when someone requests post deletion or when a “close my account and take all my stuff off” PM occurs.
Many forums have volunteer mods who are not going to be aware of the changes described, and they will probably be the first point of contact in most cases.
I also have questions about this in other areas that are likely to affect moderators, in particular, and are less technical in nature than the other topics I found here on that subject:
This will also logically be available to people who have been permanently suspended, even for serious abuses, as forum rules do not trump EU law.
This presumably means that any suspended member invoking the GDPR “Right to be forgotten” can request all information including Name, Username, email, and IP addresses, and also any posts or PMs made be permanently erased from all locations within the forum.
Aside from items included on the member’s profile page handled at developer level by Discourse, can anyone confirm whether this would include:
- PMs sent to moderators by other members which mention the suspended member’s Name or Username and/or quote their posts/PMs
- items in the Admin > Flags > Old Flagged Posts section that contain the above and contain an automatically generated quote of the suspended member’s posts – even if the system can remove this, the person flagging the post may separately quote something if they use a Custom flag
- any conversation between moderators or notes made in Staff that contain any of the above
- any similar notes logged in Staff based on and/or containing information about their IP (to pin down location) and ISP, which have been a valuable tool in catching out returning miscreants on many occasions, even in this era of VPNs and dynamic IPs, etc.
(Where a forum uses TL4 as moderator-lite, TL4 members’ PMs and any conferring to discuss actions that contain the above would also be included in the list above.)
Example 1 would be UserA gets into an argument where they become very abusive in the heat of the moment.
A moderator issues a warning to UserA and logs the incident in Staff as an aide-mémoire in case of future problems with that same person. Relying on memory means one person’s past misbehaviour may be recalled, another’s forgotten, resulting in uneven treatment; therefore, I log as much as possible. This has usually been regarded as best practice, and also promotes transparency and accountability.
2 weeks later UserA sends an “I am sick of this forum remove all my posts and erase my account, the EU says I can get this” PM to a mod/admin.
Example 2 would be UserB, a troll highly motivated by fanatical ideology of some kind who, after their suspension, makes the same request that all their data be completely erased to the forum’s owners, because they maliciously intend to delete anything that may identify them next time round, and also to inconvenience admins and moderators.
Would these necessitate removing all the material in the bulleted list above from the forum?
If so, all moderators on Discourse forums (and even TL4 where applicable) need to know this, I think.
And with visible edit histories, and even deletion not meaning total erasure, I am not sure how this would be possible.
Or would this apply:
And also with reference to this: Art. 6 GDPR – Lawfulness of processing - General Data Protection Regulation (GDPR)
If so, what kind of burden of proof would we be looking at to demonstrate that these users’ data is retained in the locations listed above to make possible statistical processing in the public interest (i.e., pattern-recognition to evaluate future new accounts and protect forum members from their abusive behaviour)?
Can such a thing be proven where the rule-breaking was specific to that forum’s ruleset only, and not covered by actual legislation?
Is there any precedent from similar past legislation regarding data retention/privacy, that could be drawn upon here?
These are probably not simple questions, but I believe they’re worth asking so that mods, admins and forum owners who receive this request from a suspended member have some information readily available.
I also request guidance on whether moderators need to cease logging information in Staff, where it may fall under this legislation, bearing in mind that mods are often volunteers who simply have a passion for the subject of their forum, and little knowledge of the legal side of things.
Specifically, in my 2nd example above, UserB who is motivated to troll for their ideology and persists in returning to do this, is especially relevant to Article 9.
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
If the forum is not set up with this type of notification, could it create a problem where a moderator mentioned they suspended this person due to their preaching a fanatical ideology?
And again, is any infraction by UserB short of something plainly illegal (and, speech laws vary by location, muddying the waters) likely to be accepted as being permissible for “processing” under Paragraph 2 of Article 9?