GDPR and Boards.ie post removal policy **update linked in OP 24/5/18**

Franz Von Peppercorn

....... wrote: »

Would boards.ie have the resources to do that if even one poster requested their entire post history be removed?

I imagine it would be a lot easier to just blat the whole thing rather than go through each post.

The user would probably have to indicate what he thinks identify him or her. An AMA moght be an example. A thread about where he lives. Some posts with pictures.

Of course anonymising usernames per thread would stop most identification across the site.

Hurrache

Franz Von Peppercorn wrote: »

It is actually the answer to that.

It would be pretty rare and I bet the onus is on the poster to indicate the posts that he or she thinks are identifiable on closing the account. While the account is open there’s implied consent.

You keep saying it's pretty rare, but it's not. If you (royal you), or other posters, tend to post regularly in a small number of forums around areas you're also involved in, it's pretty easy to build up what they do, where they work and if you wanted, find out their name.

Franz Von Peppercorn wrote: »

I can’t anonymise my FB posts as I make them.

You can, even kids can figure out that one, you're not obliged to use your real name or have only one account.

Permabear

This post has been deleted.

Bob24

Franz Von Peppercorn wrote: »

It is actually the answer to that.

It would be pretty rare and I bet the onus is on the poster to indicate the posts that he or she thinks are identifiable on closing the account. While the account is open there’s implied consent.

Remember forums don’t even have to be pseudonymous. While you are posting you give permission. I can’t anonymise my FB posts as I make them.

No it is not an answer to the question. Your argument was based on individual posts whereas the question was on the posting history in its globality.

Also when you say “the onus is on the poster to indicate the posts that he or she thinks are identifiable on closing the account”, this could indeed be the policy. But in my previous post I also said something which I think is important: the politicy must be workable in practice. If the policy is as you suggest and a poster provides a list of 1000 posts which they argue all put toghether can lead to identifying them, is boards really going to take the time to go through all of these to make its own opinion on the matter?

Additionally, the question is wider than knowing if the information contained in the posts themselves makes someone personally identifiable. For exemple if for whatever reason I know that Franz Von Peppercorn‘s real name is Sean O'Something, can boards argue that simply disabling your account is preserving your privacy, given that at least one person can still match all the potentially private information in your posting history to your real name? (And just posting that you are a man or a woman would be considered personal information)

I am not saying i have a clear answer to this, but clearly there is a significant legal risk in assuming there is no problem.

.......

This post has been deleted.

Bob24

....... wrote: »

I cant see how changing the username on posts would anonymise the data.

The posts themselves ARE data.

Depends on specific cases. The posts are data but not necessarily private data which is identifiable.

If an account only has five posts in the mobile forum whereby the poster is asking which one is the best between the lastest flagship Android phones, I don’t think boards has any legal obligation do delete or anonymise anything.

But of course if we are talking about someone who has been a member for 15 years and has a 20000 posts history including personal stuff in the relashionships forum, details about the various places where they have lived across that period in the accommodation forum, details about their financial situation in the banking forum, etc - then it is a very different story.

Permabear

This post has been deleted.

Hurrache

Permabear wrote: »

This post had been deleted.

Especially now that they've just hidden a whole thread upon request based on privacy fears.

Hector Savage

And what about banned users ?
Can they request their banned accounts / cookie/ login info be purged ?

My God - could be a nightmare for admins ...

.......

This post has been deleted.

Bob24

Hector Savage wrote: »

And what about banned users ?
Can they request their banned accounts / cookie/ login info be purged ?

My God - could be a nightmare for admins ...

If they are arguing that boards is still holding identifiable personal information about them and doesn’t have any justification for it based on GDPR, yes they can request permanent deletion from boards infrastructure.

Being banned is irrelevant in this case and there is no difference with a non-banned user, but what I said doesn’t mean anyone can request anything to be deleted: the person would have to show that the data held by boards can lead to identifying them.

Sleeper12

Boards.ie needs to have its new privacy policy in place and on display in just over two days, this Friday. If they are still unsure what to do, they can use a standard policy just stating that you can request the removal of personal data.

I'm not sure why this hasn't been done yet. The issue of what might or might not be private data in posts can be dealt with at a later date when these requests come in. The privacy policy can & will be modified at a later date.

They are leaving it late but I'm still getting several emails from companies about their own privacy policy on a daily basis and expect to do so till midnight Thursday.

Sleeper12

Bob24 wrote:

Being banned is irrelevant in the case and there is no difference with a non-banned user, but what I said doesn’t mean anyone can request anything to be deleted: the person would have to show that the data held by boards can lead to identifying them.

I get what you mean but just to clarify for others, people can request anything & everything to be deleted. This is definitely in the legislation. This does not mean that everything requested has to be deleted.

Permabear

This post has been deleted.

Hector Savage

....... wrote: »

This post has been deleted.

Well, I can't imagine the actual process of removing the data wouldn't be so hard ...

simplifying something like

DELETE from dataBase_Name 
WHERE unique_user_id in (lists of user ids requesting deletion)

Done, all tables .... the nightmare would be that this info is gone for future checking spammer accounts etc ...

Franz Von Peppercorn

Permabear wrote: »

This post had been deleted.

No that’s your interpretation of a phrase. I read it to mean that if the individuals physical, physiological, genetic etc information is personally identifying then it should be removed. Not that it always is. And that’s the general belief amongst software vendors.

Therefore, it's not just about pictures or references to where he or she lives. It includes such things, but is much, much broader than that.

Before you can make pronouncements that most posts are not identifying, you need to consider what the GDPR regards as identifying information. Not just what you personally would regard as identifying information.

You are literally the only person making that point. And you are no expert on this. The experts - software providers - are not saying this. Plenty of forums or comment sections do not have delete options and there’s no rush to include one.

The aim of this legislation is to stop data mining companies from data mining or selling information without consent, and to delete identifying information when asked. That’s emails, ip etc.

This legislation was not set up to take on Internet forums.

Hurrache

I'm a software provider.

Franz Von Peppercorn

Hurrache wrote: »

I'm a software provider.

Good man.

Franz Von Peppercorn

I posted this before but this is the CIF policy on deleted accounts.

If you have posted comments your comment profile will be removed, however the posted comments will remain underneath the articles. Comments are part of the historical record, but if want your comments to be removed please contact the Moderation Team. Please note that requests are considered on a case-by-case basis and your comments will not be automatically deleted

BowSideChamp

Franz Von Peppercorn wrote: »

I posted this before but this is the CIF policy on deleted accounts.

If you have posted comments your comment profile will be removed, however the posted comments will remain underneath the articles. Comments are part of the historical record, but if want your comments to be removed please contact the Moderation Team. Please note that requests are considered on a case-by-case basis and your comments will not be automatically deleted

What site is CIF? Is that their updated GDPR policy?

Hurrache

Franz Von Peppercorn wrote: »

Good man.

So according to you I'm an expert.

I've pointed this out already, GDPR is not out to get or take on anybody.

.......

This post has been deleted.

Permabear

This post has been deleted.

Hurrache

Q&A with the DPC's office is on now, and I've to go to a meeting so won't find out it anything relevant to this discussion is asked and answered
https://www.facebook.com/thejournal.ie/

Hurrache

Caught up with it during a break, no relevance to this thread, nothing discussed that's not widely documented already.

Sleeper12

Permabear wrote: »

This post had been deleted.

I have a comment I want removed "I like flowers in July" because I claim it identifies me. Let's say boards.ie says "Na, that doesn't identify you". It's up to me to prove it does. It's not up to boards to prove it doesn't.

Going on your train of thought I can demand everything I posted be deleted. That's not the case.

I can claim that I say "I like flowers in July" in real life 10 times a day therefore it identifies me. I can claim this about everything & anything. I don't think so

_Dara_

Permabear wrote: »

This post had been deleted.

Aaaaah, let's just stop you right there. I have no vested interests. I won't elaborate on my career history here but it is very far from anything to do with the above.

What an utterly bizarre leap to make.

Maybe everything that bothers you is coloured by your vested interests. Don't assume it's the same for everyone. Ta.

Bob24

Yeah there are two parties which have a burden for proof in the process:
- the individual requesting deletion must first pove they are the physical person they say they are and demonstrate that boards is holding information which can identify them
- and if boards doesn’t want to delete it, they have to either counter that demonstration if it is open to interpretation or to explain why they fall into a GDPR exemption which allows a them to retain personal data in that particular case

Permabear

This post has been deleted.

Sleeper12

Permabear wrote:

This post had been deleted.

I can't say what boards.ie might do or not but here's how it works:

You request a copy of the personal data boards.ie has on you.

They email it to you & you read through it.

You submit a request for some / all the personal data to be deleted.

We know boards.ie has to destroy your personal data. Email address, IP address etc. So we know that this will be deleted without questions.

As for your posts again no one knows what boards.ie will do but they might ask you to identify what posts you want deleted under the legislation. You can say all the posts please as they all identify me. They can start looking through the first 50 & there is nothing personal or to identify you. Its reasonable for them to come back to you just based on the 50 posts & say there's nothing in them to identify you. The ball is in your court. Name the actual posts or risk nothing being deleted. There is responsibility on you to justify your claim as much as there is responsibility on boards.ie to prove they don't come under the legislation.

Don't forget if it actually went to a data commissioner hearing you will have to present your case. You will have to show the commissioner how these 30,000 posts link to the real you.