Why is ‘delete account’ not offered automatically to all users at all times?

Last time I personally reviewed this, Discourse does not primarily rely on consent based processing, it’s primarily legitimate interest.

In particular, there is a significant legitimate interest in preserving the content of conversations you have had with others for the sake of the other participants, and this justifies not having instant deletion for all posts of an account.

7 Likes

Disclaimer: I might overlook some aspects from the Discourse perspective.

significant legitimate interest in preserving the content of conversations

Practically, I do not see any valid interest that “outweighs” the user’s interest in having a clear record if the person wishes so. We would need to put up a balancing test between the constitutional, platform interests and the user’s privacy rights.

This EU document discusses the legitimate interest within GDPR as well (p. 4):

Article 7 [Art 6?] requires that personal data shall only be processed if at least one of six legal grounds
listed in that Article apply. In particular, personal data shall only be processed (a) based on
the data subject’s unambiguous consent; or if - briefly put - processing is necessary for:
(b) performance of a contract with the data subject;
(c) compliance with a legal obligation imposed on the controller;
(d) protection of the vital interests of the data subject;
(e) performance of a task carried out in the public interest; or
(f) legitimate interests pursued by the controller, subject to an additional balancing test against
the data subject’s rights and interests

I assume they discuss Article 6 GDPR, especially Paragraph 1 (might be that six and seven got swapped over time)

Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

So let’s do some balancing test together. We have the fundamental (privacy) right of the user, it can only be restricted for very special and good reasons or the users’ consent. Then we have the discourse interest to keep the conversations. So practically thinking, if a user posted a picture of them and “deleted” (here pseudo anonymized) their account, they would have no possibility to entirely remove e.g. multiple posted (personal) pictures. Another aspect is very likely that other platforms do not keep conversation data and for most conversations there is no reason to keep old conversations. If there is another method involved to successfully remove private information from the posts and so on, that is automated, I think you can put a balancing test in your favor but from that perspective the user’s interest outweighs the platform’s interest.

“Artistic expression or journalistic expression” (p. 11) does not apply to solely random content on platforms. The authors would need to be (hobby) artists or (hobby) journalists, and it would only apply to individual (journalistic, artistic) posts, where the criteria apply. Same as with public interest (e.g. national security) and freedom of expression (e.g. political or controversial opinion-based posts).

We should also take a look at this (p. 11):

legitimate interests ground, along with the other grounds apart from consent, requires a ‘necessity’ test. This strictly limits the context in which they each can apply. […]

With the best intentions, I cannot see a single point that goes into the necessary direction, and just saying the deletion of old posts from an account that is being deleted would rip conversations apart (that were barely touched over the years) is probably no valid ground for this. It can be argued that users can just skip deleted posts or do not see them at all, and mostly other users indirectly give away the previous posts’ content, including quotes.

Even more important is the deletion request by the user, that definitively uses the right to object, and removes not only the consent but in most cases even the legitimate interest.

Last but not least, this is the most significant aspect (p. 17):

As the processing of the user’s data is ultimately at his/her discretion, the emphasis is on the validity and the scope of the data subject’s consent.

More generally, currently the user is stripped of the deletion rights in the GDPR that must, like previously quoted, provide an easy (full) deletion method like you can register easily. Furthermore, with the deletion the consent vanishes, and as we could not establish a legitimate interest (yet?), it would be an illegal data processing (no legitimate interest, no consent).

But what Stephen said:

Freedom of expression is more broad. Reiterating what I said before:

GDPR article 17.3

Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

  • for exercising the right of freedom of expression and information;

Recital 65 #5

However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information

(which implies that the retention of personal data is lawful, even when the data subject has withdrawn his or her consent)

and this can be used for forum owners to retain the actual forum posts.

(source: Dutch internet lawyer Arnoud Engelfriet, see article in Dutch)

4 Likes

Oh, I see you tried to rebuild my statement. I read it multiple times, I thought a bit further about your statement, and came to the conclusion that your statement does not cover special cases where PII is identical to your identity and vice versa OR cases where information connected to both needing protection as well. While it sounds contradicting at first, it is certainly possible.

Those cases are covered by my short statement. I tried to include the understanding and intentions of laws like the GDPR and the Privacy Act. While I understand it might look like a wrong choice of words at first, it is clearly more representing of the facts, thus I am politely disagreeing with your assessment. I might still be wrong^^

I’m going to add the first lines of recital 65, emphasis mine.

In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected

So let’s see:

  • I become a member of a forum
  • I make posts with the purpose of participating to the discussion
  • I want to have my personal data erased

Is the statement “the personal data are no longer necessary in relation to the purposes for which they are collected” true?

→ No, the personal data that I submitted to the forum as part of my posts are still necessary for the purpose of participating to the discussion.

Do I have the right to have my personal data erased?

→ No, because it is still necessary for the purpose of participating to the discussion.

You cannot change the ground for processing as soon as you don’t want to play along anymore.

This recital is there for a reason. It is there to clarify this exact case.

First of all, “the right of freedom of expression and information” in Art 17(3a) is only exercised by a user.

Art 17(3) GDPR only says:

“[…] not apply to the extent that processing is necessary”

It indicates we need a necessity test, combined with a balancing test. Also defined in Art. 6 GDPR, which also applies independently.

It means if the processing is necessary, it can be done. Like shown above, it is not necessary.

retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information

Only applies to server-side, non-public logs that would be a legitimate interest as per keeping security (logs) and if the user wants to keep a post of opinion or artful or journalistic expression on his own intention, which is not given, when the consent is objected / revoked.

this can be used for forum owners to retain the actual forum posts

The intentions of the law and the interpretation by the EU lawyers themselves contradict that idea. There is no indication that this can be used. Yet alone the Dutch lawyer comments under the article that a journalistic expression would be when a user posts a few random posts, without looking at the content, whether it is journalistic/artful or not. For example, 1000 posts of emojis are not journalistic and no opinion by law.

The user can request to get his name removed, there is no necessity to keep their name on the post. That would be a too wide legal loophole, that could be abused by everyone. Therefore it is unlikely that this is actually the correct interpretation.

And in that context user’s data means what :smirk: A hint: it is not same how devs and coders understand term data.

GDPR has not been, and never will be, a replacement for everything that defines what is i.e. copyrights. Right to get copy of all person’s posts, photos etc. aren’t for copyright reasons, but attempt (IMO lousy way) to make speed bumps for de facto monopolies.

That text isn’t protected. My email is. And both are pieces of different data.

1 Like

I like the way you have quoted it, but you overlooked a fundamental aspect, which I would like to add:

However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.

Just continuing the conversation with the posts, which are not necessary as previously shown, is not part of any of those legitimate interests, and the paragraph does indicate that the scope is not that wide.

In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. 3 That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. 4 The data subject should be able to exercise that right [… even when being…] no longer a child

So

The purpose of participating to the discussion

Is neither public interest, nor freedom of expression, not official authority, public health, scientific or for archiving purposes. No exercise or defense of legal claims involved either.

Here it is more precisely written

  1. Statutory and government purposes
  2. Administration of justice and parliamentary purposes
  3. Equality of opportunity or treatment
  4. Racial and ethnic diversity at senior levels
  5. Preventing or detecting unlawful acts
  6. Protecting the public
  7. Regulatory requirements
  8. Journalism, academia, art and literature
  9. Preventing fraud
  10. Suspicion of terrorist financing or money laundering
  11. Support for individuals with a particular disability or medical condition
  12. Counselling
  13. Safeguarding of children and individuals at risk
  14. Safeguarding of economic well-being of certain individuals
  15. Insurance
  16. Occupational pensions
  17. Political parties
  18. Elected representatives responding to requests
  19. Disclosure to elected representatives
  20. Informing elected representatives about prisoners
  21. Publication of legal judgments
  22. Anti-doping in sport
  23. Standards of behaviour in sport

Nothing of that applies to Discourse.

Especially when the posts contain very sensitive information, those need to be removed, there is no ground to keep them. Like explained previously.

Exactly. That is GDPR. Is it not matter of content per se or even what, how and who takes care of account deletion. And my forum is just another personal projects. GDPR doesn’t even apply (but sure I’m following it because why not).

That is a British document, not part of GDPR.

Of course they are. There is case law about that. See here and here for instance.

I do agree with you that if specific posts contain specific PII the user could demand the specific PII removed from the posts, since in that case the interest of the user would exceed the interest of the forum owner as the removal of specific PII while retaining the post would not be destructive to the conversation.

2 Likes

That is a British document, not part of GDPR.

It’s a British interpretation of the GDPR’s “public interest” in accordance with the GDPR Recital 65.

There is case law about that

The first case is about a man that sent a gun emoji to his ex partner. She felt death threatened and filed a lawsuit against him. The court ruled in favor.

In the second case the small Israeli court ruled in Dahan v. Haim “that Emoji can Prove Intent in a Landlord/Tenant Case” because it is open for interpretation in that specific case and whether it implies intent. A more complete reading can be found here.

Like the first one, the second case did not judge about whether the emoji is a freedom of expression or information. Both cases do not apply to the EU GDPR and its international variant, in the Israeli case it is outside their jurisdiction, and the GDPR is not even part of it, so yes you have shown two cases where Emojis can be interpreted in certain ways but it is too vague to apply them in general case law or even international law within a GDPR interpretation.

_

I do agree with you that if specific posts contain specific PII the user could demand the specific PII removed from the posts, since in that case the interest of the user would exceed the interest of the forum owner as the removal of specific PII while retaining the post would not be destructive to the conversation.

Great that we at least partially agree! How do you want to differentiate that for all posts when the user deletes their account? So the auto-removal of everything is just easier. GDPR also makes the platform responsible to do the differentiation, and make the removal processes as easy as possible - like the registration. Individually flagging single posts, if there are thousands of them, is strongly against the intentions of the GDPR and violating the user’s interests.

:yawning_face: Which is even more irrelevant as the case law I posted. (BTW you did not limit your statement to GDPR either, if you post a broad statement you get a broad response).

Not for people wanting to follow a discussion with lots of removed posts.

No

Nobody says that flagging single posts would be the way to go. What is wrong with “please search and replace my address and phone number with *** in all the posts that I made” ?

Funny enough the GDPR does address the processors interest against being flooded with “excessive requests”.

1 Like

my forum is just another personal projects

Well, even then, Discourse is a company under “Civilized Discourse Construction Kit, Inc”

Even if you run your own board, on your own servers, and the GDPR is not applying, national regulations of the user’s state (or location, it depends per case) would apply.

At the end there is no way around it.

Is it not matter of content per se or even what, how and who takes care of account deletion

It does matter like shown above. If GDPR applies, you have to prove that a) there is an interest or consent b) necessity or legitimate interest c) purpose for keeping or processing the information. If you have no consent and no legitimate interest or using it outside purpose scope, you are under legal risk because you practically break the law.

The intent of almost all laws is very clear and you still have to follow it. Whether you like it or not. I mean you can go into legal risk or compliance risk, some companies and people do that in their risk assessment, but it will likely take your money or your freedoms (for a certain amount of time). Your choice^^

more irrelevant as the case law I posted.

So you think the legal interpretation of an international body like the U.K. government (who partially 1:1 copied the GDPR) and is still applying it, is in your opinion “irrelevant”?

Because it is “irrelevant” it justifies posting two absolutely unrelated topics? So whether an emoji is a threat and whether it implies intent? That absolutely does not refute my point.

Not for people wanting to follow a discussion with lots of removed posts.

Nah there are still many quotes by various users, indirectly showing the content, and the interest of the platform does not outweigh the privacy interest of the user. Balancing test and necessity test (read above, especially the EU documents).

What is wrong with “please search and replace my address and phone number with *** in all the posts that I made” ?

Because it goes against the intent of the GDPR and you do not want to do that as Administrator. You do not want to spend two or more hours reading all 5000 posts of a user, whether it contains PII or other identity information. So either make it as easy as possible, that is required by law (read a bit above), or make it shitty and work hard with it… ^^

Funny enough the GDPR does address the processors interest against being flooded with “excessive requests”

Abuse of any law is in most cases protected through the national legislation. Usually, you are using injunctions for that. They could clear you from the responsibility to process such malicious requests.

and a tiny addendum: we do not only talk about obvious PII or identity info here, even if it indirectly points to PII or identity info you would have to remove it, so not just a phone number or the own face on a pic that was posted. Also indirect connections must be removed, as the GDPR is applying to them as well.

That is correct. If any country outside of the EU copies an EU regulation and adds their own legal interpretation to it, that is irrelevant for (the interpretation of) the EU regulation. The reason for that is that such an interpretation is made in the context of the (legal system of the) third country and not the EU. That, and it allows for unreasonable cherry picking in discussions like this.

It is the responsibility of the user to point these out. It cannot be reasonably expected of the forum owner to make this interpretation, simply because they are not able to. They might not be aware of all the references that can be made to my identity. Also, this indirect PII does not need to be limited to the posts made by the user, i.e. if you post my home address here then I can request removal. But I cannot ask the Meta admins “hey guys remove my home address from all posts”. They would ask me to either a) point out the specific posts or b) ask me for my home address and perform a search and replace.

Issuing a search and replace command does not require “reading all posts”.

3 Likes

So, which one are we talking about? GDPR or California for example? Because GDPR pops up all the time on this topic.

No it is not.

This isn’t that hard. GDPR protects me against CDCK that they can’t do what they want with my personal data/info. GDPR doesn’t care what I’ve written here. It is totally different ball game.

Really, it is that simple. Even in Germany.

No.

3 Likes

It is the responsibility of the user to point these out.

Nope. The GDPR requires the processor / collector to keep track of the collected data. That’s actually the intent of the GDPR.

They might not be aware of all the references that can be made to my identity.

Exactly and that is the problem I have pointed out.

The search and replace only works for known links and word by word content, but as GDPR compliant provider you also have to make sure that indirect links are removed. When the user objects or revokes consent.

that is irrelevant for (the interpretation of) the EU regulation.

I disagree, first of all that is not how (international) law works, secondly it shows how the UK government, who was under the GDPR Regulation, interpreted that aspect of the GDPR. Furthermore the UK has an interest in harmonizing national legislation with international legislation. That is why it is interesting to read how they interpreted it, and they did it like the other countries, and their bodies.

GDPR pops up all the time on this topic

I mean it might have reason, even if some people might refuse to see it.

At this point we are talking about the GDPR. Formally, the GDPR is part of international law, not national legislation of the member states. It extends to the users where GDPR applies to them e.g. Germans on platforms. For that consult Article 1-3 GDPR, so the Territorial Scope, the Material Scope. Your “private board” would be regulated by Art. 2 (2) GDPR (see gdpr-info[.].eu/art-[n]-gdpr)

Art. 1 GDPR makes the intent even more clear:

(1) This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
(2) This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
(3) The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

GDPR protects me against CDCK […] GDPR doesn’t care what I’ve written here

Now you have the chance for a second guess.

Other national and interstate legislation:
If you look at the California Consumer Privacy Act (CCPA) there is a bunch of other exceptions etc. But they made sure they stay as close as possible to the GDPR. But that’s “only” state legislation.

You would want to look into the E.U.-U.S. Data Privacy Framework, which has been remade as successor of the EU Privacy Shield that was declared as invalid a long time ago. It explicitly refers to the foundation on REGULATION (EU) 2016/679 (p.1 in (1) ). Please look at page 6 under 2.2.3 (20) and (22) here we have it again, the Choice Principle, next to the previously laid out necessity, purpose, and limited retention time scopes.

No.

While I do not know the background of your reasoning I’d like to disagree because the documents I have read and linked indicate the opposite.

Cheers

/E: I had to remove my other links because “new members can only link two times per post”. Why ever…
/E1: Now I’m not allowed to post anything anymore^^

If someone wants to see that I am reading even the E.U.-U.S. Data Privacy Framework correctly, please look here katten[.]com/key-principles-and-considerations-for-participation-in-the-eu-us-data-privacy-framework

For the CCPA please consult oag.ca[.]gov/privacy/ccp

After re-reading all of the laws I came to the conclusion that my argumentation is probably correct. I might still be wrong, please feel free to refute my central points. For example by pointing out case-law going against it or parts of the corresponding laws that contradict my assessment.

We are on Discourse so we can discuss that, I believe. Hopefully we all can increase our understanding of the laws that protect us, and therefore make Discourse even better. A nice discuss platform should be more compliant to laws and protecting our privacy even more.