GDPR and Boards.ie post removal policy **update linked in OP 24/5/18**

RHJ

This post has been deleted.

Sleeper12

Bob24 wrote:

I’d say some lawyers, managers, and engineers are currently locked-up in a room 20 hours a day to work on it after realising there was a bit more work involved than originally expected ;-)

I'd imagine that they have asked the Data Commissioner to clarify if the new laws cover posts by anonymous posters why feel that they might have outed themselves.

I'd also imagine that the Data commissioner does not know the answer & it's been forwarded to the EU data commissioner. I bet there are staff in Brussels scratching their heads pondering the questions

Creative83

Boards should have emailed every single user about this by now just like other organisations. As for the CEO's comments on here... breathtaking!

Permabear

This post has been deleted.

BowSideChamp

Bob24 wrote: »

Given how many online boards are in use in Europe, I would expect that question was raised with several regulators and lawyers 2 years ago.

Doesn't boards have like 600k Irish users - either current or closed accounts? They hold a hell of a lot of data on Irish citizens. I doubt the regulator will go softly on them. BTW information accessible by admins - 3rd party randomers.

Sleeper12

Where does it say this in the legislation?

Who decides if its personal? Who decides if it identities a poster?

Franz Von Peppercorn

Sleeper12 wrote: »

Where does it say this in the legislation?

Who decides if its personal? Who decides if it identities a poster?

Sure, the real data behind the pseudonym has to be deleted, there’s no evidence that the posts have to be deleted unless they can be proven to identify someone.

Franz Von Peppercorn

BowSideChamp wrote: »

Doesn't boards have like 600k Irish users - either current or closed accounts? They hold a hell of a lot of data on Irish citizens. I doubt the regulator will go softly on them. BTW information accessible by admins - 3rd party randomers.

If they are deleting the specific data on users accounts - emails etc. It’s compliant.

Admins shouldn’t have access to emails, hashed anyway as far as we were told.

Going after forums isnt what this legislation is designed for.

.......

This post has been deleted.

Hurrache

Franz Von Peppercorn wrote: »

Going after forums isnt what this legislation is designed for.

It's not drawn up to go after anyone.

Sleeper12

Franz Von Peppercorn wrote:

Sure, the real data behind the pseudonym has to be deleted, there’s no evidence that the posts have to be deleted unless they can be proven to identify someone.

That's what I thought

....... wrote:

This post has been deleted.

Says who?
I'm not saying that you are wrong but who read the legislation and came to that conclusion? A judge? Barrister? Solicitors? Random guy on boards.ie?
All of the above? None of the above?

Beasty

Permabear wrote: »

This post had been deleted.

May be using their phones, but I certainly know my employer can track internet usage via my company phone when logged on via the company network

Bob24

Beasty wrote: »

May be using their phones, but I certainly know my employer can track internet usage via my company phone when logged on via the company network

If people choose to use their company phone for personal use they accept that their personal communications and digital life will to some extend be subject to their terms of employement. But no one is forced to do that and personally I would never accept that and thus I’d never rely only on a company phone.

StupidLikeAFox

This is straight from the EU:
"Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data"
https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en#examples-of-personal-data

However the EU also state:
"Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible."

So it's a fair argument to suggest that somebodys posting history as whole could be considered identifiable data, but if it's sufficiently anonymised it isnt?

On a side note I can't believe it took me 13 pages of posts to Google this

_Dara_

Permabear wrote: »

This post had been deleted.

Employers search social media for potential employees, search google etc.

What do you envisage their strategy would be for searching messageboards where real names are rarely used? How many different messageboards would they search? How much time and manpower would they devote to searching through the posts of thousands and thousands of users. That’s the reality here. Let’s be rational about this. Comparing messageboards to real name platforms is hugely flawed.

Remove user names on request, keep the posts intact. That will make tracing posts to people an even more formidable task than it already is.

Sleeper12

_Dara_ wrote:

What do you envisage their strategy would be for searching messageboards where real names are rarely used? How many different messageboards would they search? How much time and manpower would they devote to searching through the posts of thousands and thousands of users. That’s the reality here. Let’s be rational about this. Comparing messageboards to real name platforms is hugely flawed.

They only have to remove posts that are reported to them. So Google, Facebook etc won't have to do the searching or spend a bit of time.
Even when reported its still up to the original poster to prove that it identities them.

Will it be cheaper & less trouble to just delete everything on request or will companies go to the time & money to check everything and then fight what they believe doesn't identify someone?

Bob24

StupidLikeAFox wrote: »

So it's a fair argument to suggest that somebodys posting history as whole could be considered identifiable data, but if it's sufficiently anonymised it isnt?

Yes, but it is open to interpretation to define what "identifiable" and "sufficiently anonymised" means in this context. This is the core question, and one which different people on this thread have different answers to.

Bob24

Btw is a boards rep in a position to give a timeline on when official feedback will be availble?

We know there is a hard deadline at midnight on Thursday night to publish updated terms of use and address the questions of data access and deletion, but does it look like some feedback will be available before that?

Hurrache

Real world example at the moment. Anonymous poster and thread in the AMA but the entire thread was removed because of privacy concerns of the anonymous poster. Would regular posters be afforded the same?
https://touch.boards.ie/thread/2057873479/1/#post107061391

It sets precedent for showing boards.ie does do it in very short notice without it affecting their business.

Permabear

This post has been deleted.

Sleeper12

Hurrache wrote: »

Real world example at the moment. Anonymous poster and thread in the AMA but the entire thread was removed because of privacy concerns of the anonymous poster. Would regular posters be afforded the same?
https://touch.boards.ie/thread/2057873479/1/#post107061391

It sets precedent for showing boards.ie does do it in very short notice without it affecting their business.

I have seen threads deleted because someone identified herself. The ones I recall were threads with only a few comments. Less then a page but I have definitely seen them

Hurrache

Sleeper12 wrote: »

I have seen threads deleted because someone identified herself. The ones I recall were threads with only a few comments. Less then a page but I have definitely seen them

I'm aware that happens. I didn't get through the entire thread but I believe with the AMA one it was because it was feared people could start putting the pieces together, which is what some of us here have been saying for a while.

I also enjoy the idea that a tabloid journalist cites privacy concerns.

Bob24

Hurrache wrote: »

Real world example at the moment. Anonymous poster and thread in the AMA but the entire thread was removed because of privacy concerns of the anonymous poster. Would regular posters be afforded the same?
https://touch.boards.ie/thread/2057873479/1/#post107061391

It sets precedent for showing boards.ie does do it in very short notice without it affecting their business.

Also IMO this is a clear cut exemple of how GDPR impacts boards’ processes and IT infrastructure.

It is clear from the feedback thread you posted that boards team member are saying the AMA thread was hidden due to recognised privacy concerns expressed by a poster, *but* that the thread content is still available to boards team members.

My take is that when GDPR is into force, in this situation and if the poster who’s privacy is compromised requests it, boards will have to guarantee it has permanently deleted the thread from every system it might have been stored on (with a possible exception for backups if appropriate encryption and selective restoration processes are in place).

Permabear

This post has been deleted.

Franz Von Peppercorn

Bob24 wrote: »

Yes, but it is open to interpretation to define what "identifiable" and "sufficiently anonymised" means in this context. This is the core question, and one which different people on this thread have different answers to.

There’s only one rational answer. Most posts are not identifying. Those that are can be taken down on a case by case basis.

In terms of real personal data I just got an update from a recruiter (or actually group representing numerous recruiters) directing me to their privacy policy.

There was a huge list of stuff they do with my data. Including heat maps, analytics, location based interactions, google ad sense and data transfer outside the EU.

It was nice of them to tell me but this was clearly an opt out strategy which most companies are not doing. And according to my reading every single one of these options needs to be opt in - there should be an option to opt out entirely and a checkbox unchecked for all of these uses to allow the user to opt in.

This is what GDPR is really about, not anonymous posts about Room to improve.

There’s going to be a lot to do for data commissioners.

Hurrache

The AMA will still be cached by Google too so it can still be read, the first page at least anyway.

.......

This post has been deleted.

Bob24

Franz Von Peppercorn wrote: »

There’s only one rational answer. Most posts are not identifying. Those that are can be taken down on a case by case basis.

This is not an answer to the question which was asked though: can someone’s whole posting history make them personally identifiable? (even if no single post taken in isolation makes them identifiable)

In my opinion the answer is clearly yes in some cases, clearly no in others, and is sometimes somewhere in between. The problem for boards is to come up with a policy which takes these versions situations into account and is workable in practice.

Franz Von Peppercorn

Permabear wrote: »

This post had been deleted.

Hardly a huge problem to permantly delete some threads or posts if needed.

That’s not the same as a blanket post deletion policy on close.

Franz Von Peppercorn

Bob24 wrote: »

This is not an answer to the question which was asked though: can someone’s whole posting history make them personally identifiable? (even if no single post taken in isolation makes them identifiable)

In my opinion the answer is clearly yes in some cases, clearly no in others, and is sometimes somewhere in between. The problem for boards is to come up with a policy which takes these versions situations into account and is workable in practice.

It is actually the answer to that.

It would be pretty rare and I bet the onus is on the poster to indicate the posts that he or she thinks are identifiable on closing the account. While the account is open there’s implied consent.

Remember forums don’t even have to be pseudonymous. While you are posting you give permission. I can’t anonymise my FB posts as I make them.