
GDPR and Boards.ie post removal policy **update linked in OP 24/5/18**


Comments

  • Closed Accounts Posts: 7,070 ✭✭✭Franz Von Peppercorn


    Permabear wrote: »
    This post had been deleted.

    No you will. You identify the posts.

    By the way there’s a solution to anonymise the poster per thread in some of the updated forum software.

    Which means you appear here as deleted-xxxx and somewhere else as deleted-yyyy (or whatever).

    This will stop most cross identification while maintaining the thread’s integrity


  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 76,290 Admin ✭✭✭✭✭Beasty


    Yet again I will re-iterate these are my personal views and certainly nothing to do with site policy.

    This whole area is going to come under the auspices of local regulators who will have some flexibility over how they regulate this area. That's not to say their interpretation will not be subject to legal challenge - matters of law can always be challenged through the courts

    However my experience is that regulators do seek to balance the rights of all parties, and try to avoid what can essentially become unworkable solutions. I know there has been discussion between the site and data protection regulators in the past, and it would not surprise me if meetings are arranged (possibly have already taken place) to discuss the practicalities of applying these new laws

    I have already posted that I believe there are significantly less than 100 posts on the site that can be combined to identify me. Let me call that "core" data. There are then examples of what I could term "secondary" data which may corroborate what that core data shows (such as my cycling club, my sports allegiances, and the area in which I live), but cannot in itself identify me. My personal view is it is entirely reasonable for me to request that "core" data be removed, but I struggle to see why I should have any rights to have any "secondary" data removed. I suspect a regulator may consider such a distinction when attempting to differentiate data that can be used (in combination with other data posted) to identify someone.

    Then the question turns to who is responsible for identifying that "core" data. That is where my view is this site allows posters to publish information about themselves, but does not in itself provide or post such information. In terms of anything in the public domain my view is it should be the "author" who identifies any such data and provides appropriate links to the site to allow appropriate action (editing or deleting) to take place

    Again, only my view, but I suspect this is the sort of pragmatic approach a regulator may well accept, as it respects the rights of the user while avoiding wholesale disruption of the site (which may itself impinge on other users who then see their own discussions/commentary completely disrupted)


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    Sleeper12 wrote: »

    They can start looking through the first 50 & there is nothing personal or to identify you. It's reasonable for them to come back to you just based on the 50 posts & say there's nothing in them to identify you.

    I see your rationale but I think it would be fairly risky for boards to do that. If it happens that there is a case for saying that while the first 50 posts on their own don’t identify the person, the whole batch in its globality does, boards could be in for a fine for not having properly reviewed the request if the issue gets escalated (personally if I had a valid case and I saw it wasn’t reviewed seriously, I wouldn’t bother too much arguing with the offending organisation and would raise an official complaint). And I’m not sure I even see them reviewing 50 posts thoroughly (it’s doable but might be too effort intensive and time consuming depending on how many GDPR requests they get, as IMO they can’t ask a mod to do it and will need to have it done by a properly vetted employee).

    I think no matter how you look at it, this thing is a big issue for a site like boards and there is no easy and quick answer (besides accepting to delete the full post history upon request which I get they would rather not do, but if they don’t they will have to present a credible alternative).


  • Registered Users Posts: 272 ✭✭BowSideChamp


    If they are deleting the specific data on users’ accounts - emails etc. It’s compliant.

    Admins shouldn’t have access to emails, hashed anyway as far as we were told.

    A teenager guessed the password of an admin in the 2010 hack and was able to get the list of the usernames, email addresses and passwords.


  • Registered Users Posts: 17,070 ✭✭✭✭Sleeper12


    Bob24 wrote:
    I see your rationale but I think it would be fairly risky for boards to do that. If it happens that there is a case for saying that while the first 50 posts on their own don’t identify the person, the whole batch in its globality does, boards could be in for a fine for not having properly reviewed the request if the issue gets escalated (personally if I had a valid case and I saw it wasn’t reviewed seriously, I wouldn’t bother too much arguing with the offending organisation and would raise an official complaint). And I’m not sure I even see them reviewing 50 thoroughly (it’s doable but might be too effort intensive and time consuming depending on how many GDPR requests they get, as IMO they can’t ask a mod to do it and will need to have it done by a properly vetted employee).

    OK. Let's put it another way. Boards.ie says that they looked through the 30,000 posts and couldn't find any that breach the regulations. It's up to the boards member to show what comments & why they breach the regulations.

    In reality only the original poster can know what comments identify him/her. It is unreasonable and totally impractical (impossible even) to expect boards.ie to know what comments might identify someone. The original poster will have to go through the 30,000 posts.

    Again no one knows how boards.ie are planning on handling this. They might even just say let's just delete all the posts. They might/most likely will rename the posts. As mentioned earlier each of the 30,000 posts could get a random username not unlike the eircode setup. One eircode has no relevance to the house next door.

    There will have to be give & take between boards.ie and the poster. I'm sure the data commissioner will have set up arbitration for cases from all companies in cases of disagreement


  • Registered Users Posts: 272 ✭✭BowSideChamp


    Sleeper12 wrote: »
    Again no one knows how boards.ie are planning on handling this. They might even just say let's just delete all the posts.

    I hope that is the case. We shall wait for the policy to be revealed. Another 2 days.

    Boards.ie is badly run. Their refusal to allow users to delete posts has resulted in users being afraid of their profiles and closing them down. It has turned the site into a ghost town.


  • Registered Users Posts: 10,229 ✭✭✭✭Hurrache


    Beasty wrote: »
    Then the question turns to who is responsible for identifying that "core" data. That is where my view is this site allows posters to publish information about themselves, but does not in itself provide or post such information. In terms of anything in the public domain my view is it should be the "author" who identifies any such data and provides appropriate links to the site to allow appropriate action (editing or deleting) to take place

    So it completes the circle of what was mentioned at the very beginning. Remove the time limitation of when a user can delete a post they made, either just let them do it wholesale, or have users flag them to be reviewed by someone.

    But the review should not be done by admins or mods, it will need to be done by a known Data Protection Officer or vetted Data Processors.

    But this still leaves the whole area of right to be erased.


  • Posts: 0 [Deleted User]


    A lot of the argument pertaining to the applicability of GDPR is naturally going to involve what is and what is not personal identifiable information.

    That's been argued about enough on this thread. But my question is, what if a poster's identity is known, let's say for a previous account because that poster was very active and involved for a large number of years, and as such there is no question as to whether it is subject to GDPR as there is no question as to whether it can be attributed to an individual.

    Surely in such a scenario as that, when a poster's true identity is widely known, they will be entitled to request the removal of all data. It is their data after all.

    And this could be true if only one or potentially no persons know that individual. A person has the right to be forgotten.

    Anonymising the post history may be a solution but not in all cases I would think.


  • Registered Users Posts: 17,070 ✭✭✭✭Sleeper12


    Hurrache wrote:
    But the review should not be done by admins or mods, it will need to be done by known Data Protection Officer or vetted Data Processors.


    Each company has to have a dedicated person that handles requests under the data protection. This is most likely the person who will investigate & make initial decisions.


  • Registered Users Posts: 8,473 ✭✭✭Gloomtastic!


    A lot of the argument pertaining to the applicability of GDPR is naturally going to involve what is and what is not personal identifiable information.

    That's been argued about enough on this thread. But my question is, what if a poster's identity is known, let's say for a previous account because that poster was very active and involved for a large number of years, and as such there is no question as to whether it is subject to GDPR as there is no question as to whether it can be attributed to an individual.

    Surely in such a scenario as that, when a poster's true identity is widely known, they will be entitled to request the removal of all data. It is their data after all.

    And this could be true if only one or potentially no persons know that individual. A person has the right to be forgotten.

    Anonymising the post history may be a solution but not in all cases I would think.

    Is it not equitable to writing to a newspaper and saying, due to GDPR, you want any letters they’ve published on your behalf removed.

    It’s published, it’s out there, it cannot be unpublished.


  • Registered Users Posts: 272 ✭✭BowSideChamp


    Is it not equitable to writing to a newspaper and saying, due to GDPR, you want any letters they’ve published on your behalf removed.

    It’s published, it’s out there, it cannot be unpublished.

    The site is still publishing your information.

    Imagine a 20,000 post user, every opinion on politics, sex, employment, health, relationship issues is online waiting for another data breach.


  • Moderators, Category Moderators, Music Moderators, Politics Moderators, Society & Culture Moderators Posts: 22,360 CMod ✭✭✭✭Dravokivich


    No you will. You identify the posts.

    By the way there’s a solution to anonymise the poster per thread in some of the updated forum software.

    Which means you appear here as deleted-xxxx and somewhere else as deleted-yyyy (or whatever).

    This will stop most cross identification while maintaining the thread’s integrity

    Changing dravokivich to slimdog1 in one thread and gogodancer66 in another wouldn't be enough if the account name was a common link. It'd have to change per post. Not thread.

    In work for me it seems we've just recently identified that serial numbers may be considered personal data, so are erring on the side of caution in that regard.


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    Sleeper12 wrote: »
    OK. Let's put it another way. Boards.ie says that they looked through the 30,000 posts and couldn't find any that breach the regulations. It's up to the boards member to show what comments & why they breach the regulations.

    Yes agreed, but what I meant to say is that once boards has said no the member has an official refusal and can decide to go straight to the regulator with it rather than bothering with boards any longer to try and change their decision.

    And if the regulator reviews the complaint and sides in favour of the member, boards will be found to be in breach of GDPR with a track record of then refusing to delete the data.


  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 76,290 Admin ✭✭✭✭✭Beasty


    The site is still publishing your information.

    Imagine a 20,000 post user, every opinion on politics, sex, employment, health, relationship issues is online waiting for another data breach.

    Are they "publishing your information" or publishing your words? Anything they are publishing is at the user's behest. You were entirely in control of what you have posted (subject to any edits/deletions considered necessary by mods, admins etc), and in my view the onus has got to be on the user to point out any information they have posted they believe can and indeed should be redacted under this legislation.


  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 76,290 Admin ✭✭✭✭✭Beasty


    Bob24 wrote: »
    Yes agreed, but what I meant to say is that once boards has said no the member can decide to go straight to the regulator rather than bothering with boards any longer to try and change their decision.

    And if the regulator reviews the complaint and sides in favour of the member, boards will be found to be in breach of GDPR with a track record of then refusing to delete the data.

    As I've already alluded to, I think there will be or indeed possibly already has been discussion with the regulator to establish their views on all of this. Hopefully the site can clarify if this is the case and indeed any conclusions reached. I guess though that the regulator may be quite busy at present.

    I really cannot imagine the regulator or site would want to try and deal with numerous individual cases when it is possible to agree up front where to draw the lines (subject always, of course, to the rights of user, regulator or site to seek clarity through the courts). I suspect there may be various test cases in Ireland and elsewhere to clarify certain issues, but ultimately in my experience courts tend to consider pragmatic solutions where possible


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    Is it not equitable to writing to a newspaper and saying, due to GDPR, you want any letters they’ve published on your behalf removed.

    It’s published, it’s out there, it cannot be unpublished.

    Already addressed this point on the thread: https://www.boards.ie/vbulletin/showpost.php?p=107040658&postcount=234


  • Moderators, Category Moderators, Music Moderators, Politics Moderators, Society & Culture Moderators Posts: 22,360 CMod ✭✭✭✭Dravokivich


    Beasty wrote: »
    Are they "publishing your information" or publishing your words? Anything they are publishing is at the user's behest. You were entirely in control of what you have posted (subject to any edits/deletions considered necessary by mods, admins etc), and in my view the onus has got to be on the user to point out any information they have posted they believe can and indeed should be redacted under this legislation.

    Boards have provided the opportunity for us to publish content. We are constrained by the 48 hour time frame available to edit posts. So we don't have control of it, nor of any quotes. They could give us the option to edit / delete our own posts without constraint. But I'm not sure how they could manage quotes.


  • Registered Users Posts: 17,070 ✭✭✭✭Sleeper12


    Imagine a 20,000 post user, every opinion on politics, sex, employment, health, relationship issues is online waiting for another data breach.


    Many people have more than one email address. I have one I use to buy things and join things like boards.ie and Facebook. I then have my real email address. I've had this since 1998 and to this day I don't get spam or junk mail.

    Even your IP address will be changed every few years. It's changed every time you change provider or get a new router. Virgin tend to change my IP address every few years regardless. Maybe it is when they have a software update.

    I think most members here more than 5 years will find data held by boards.ie is out of date. Once you close your account this information will be deleted anyway.

    I can't see an issue with changing the username on each post to a different random username so someone with 30,000 posts could end up with 500 or 1000 different usernames spread out over their posts. You'd never be able to link all my posts on this thread to posts on another thread where I might give information about the area I live in to another thread I might have been on in the LGBT or politics or religion.

    There are always ways to compromise


  • Moderators, Category Moderators, Music Moderators, Politics Moderators, Society & Culture Moderators Posts: 22,360 CMod ✭✭✭✭Dravokivich


    Sleeper12 wrote: »
    Many people have more than one email address. I have one I use to buy things and join things like boards.ie and Facebook. I then have my real email address. I've had this since 1998 and to this day I don't get spam or junk mail.

    Even your IP address will be changed every few years. It's changed every time you change provider or get a new router. Virgin tend to change my IP address every few years regardless. Maybe it is when they have a software update.

    I think most members here more than 5 years will find data held by boards.ie is out of date. Once you close your account this information will be deleted anyway.

    I can't see an issue with changing the username on each post to a different random username so someone with 30,000 posts could end up with 500 or 1000 different usernames spread out over their posts. You'd never be able to link all my posts on this thread to posts on another thread where I might give information about the area I live in to another thread I might have been on in the LGBT or politics or religion.

    There are always ways to compromise

    You'll need to change the identifier to a unique reference for every occurrence. Simply renaming them within a range won't suffice as a number of your posts will still share an identifier.

    Edit to add:
    Just as an interesting thought piece. There is a porntube website I frequent :o when an account is retired the content is still there, but the profile is unavailable. It also doesn't seem to be possible to purposely seek other content from the same account.
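
The relabelling schemes debated in this thread (one label per thread, a pool of shared usernames, one label per post), compared in an added Python example that is not part of any post or of Boards.ie's software. The post list, key, and function names are constructed for illustration, and the pool scheme uses `post_id % pool` as a stand-in for a random pick.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample: one account's posts as (post_id, thread) pairs.
POSTS = [(101, "gdpr"), (102, "gdpr"), (103, "cycling"), (104, "gdpr"),
         (105, "politics"), (106, "cycling"), (107, "politics"),
         (108, "local-area")]

KEY = b"constructed-demo-key"  # hypothetical site secret, for this demo only


def label(scope):
    """Derive a stable 'deleted-xxxx' style label for one scope string."""
    mac = hmac.new(KEY, scope.encode(), hashlib.sha256).hexdigest()
    return "deleted-" + mac[:12]


def relabel(posts, scheme, pool=3):
    """Return (post_id, thread, label) rows under one relabelling scheme."""
    out = []
    for post_id, thread in posts:
        if scheme == "per_thread":    # same label for every post in a thread
            scope = "thread:" + thread
        elif scheme == "pool":        # a fixed pool of labels, reused
            # post_id % pool stands in for a random pick from the pool
            scope = "pool:%d" % (post_id % pool)
        elif scheme == "per_post":    # a fresh label for every post
            scope = "post:%d" % post_id
        else:
            raise ValueError(scheme)
        out.append((post_id, thread, label(scope)))
    return out


def linked_groups(labelled):
    """Groups of posts a reader can tie together via a shared label."""
    by_label = defaultdict(list)
    for post_id, _thread, name in labelled:
        by_label[name].append(post_id)
    return sorted(sorted(g) for g in by_label.values() if len(g) > 1)


def cross_thread_labels(labelled):
    """Number of labels that show up in more than one thread."""
    threads = defaultdict(set)
    for _post_id, thread, name in labelled:
        threads[name].add(thread)
    return sum(1 for t in threads.values() if len(t) > 1)


if __name__ == "__main__":
    for scheme in ("per_thread", "pool", "per_post"):
        rows = relabel(POSTS, scheme)
        print(scheme, linked_groups(rows), cross_thread_labels(rows))
```

Relabelling only changes the author field; quoted copies of a post and anything the post text itself reveals are untouched by it.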


  • Registered Users Posts: 10,229 ✭✭✭✭Hurrache


    Sleeper12 wrote: »
    Each company has to have a dedicated person that handles requests under the data protection. This is most likely the person who will investigate & make initial decisions.

    I don't think boards.ie has one, but if they did I'd have thought they'd be involved in the thread, either for their input as to their policies, or for input from members.


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    Beasty wrote: »
    As I've already alluded to, I think there will be or indeed possibly already has been discussion with the regulator to establish their views on all of this. Hopefully the site can clarify if this is the case and indeed any conclusions reached. I guess though that the regulator may be quite busy at present.

    I really cannot imagine the regulator or site would want to try and deal with numerous individual cases when it is possible to agree up front where to draw the lines (subject always, of course, to the rights of user, regulator or site to seek clarity through the courts). I suspect there may be various test cases in Ireland and elsewhere to clarify certain issues, but ultimately in my experience courts tend to consider pragmatic solutions where possible

    100% agreed this is the way it should be done.

    But if it had been done that way I would assume engagement with the regulator would have ideally started 2 years ago when GDPR was published or at least several months ago, as reaching a guideline on this would take time (since it is not clear cut, there is a need for possible back and forth discussions between boards and the DPC, as well as the DPC possibly talking to some lawyers and the European Commission before reaching a commonly accepted guideline).

    I might be negative here, but I have to say the fact that no official clarification has been made on this thread to date leads me to believe these discussions haven't happened or have started too late (if such a guideline had been reached, I assume it would have been shared here?).


  • Registered Users Posts: 17,070 ✭✭✭✭Sleeper12


    Did anyone hear the Q&A from the commissioner today on the journal?

    I didn't myself but wondered if anything interesting came up?


  • Registered Users Posts: 10,229 ✭✭✭✭Hurrache


    Beasty wrote: »
    Are they "publishing your information" or publishing your words? Anything they are publishing is at the user's behest. You were entirely in control of what you have posted (subject to any edits/deletions considered necessary by mods, admins etc), and in my view the onus has got to be on the user to point out any information they have posted they believe can and indeed should be redacted under this legislation.

    But then this in a way contradicts how boards shuts down threads citing fear of being brought to court over what posters post.

    If they think they're liable for what posters post they then can't wash their hands of the same posts when users want them removed.

    You may be entirely in control of the content when you post, but after a short period any responsibility for that content is removed.


  • Closed Accounts Posts: 925 ✭✭✭RHJ


    This post has been deleted.


  • Registered Users Posts: 10,229 ✭✭✭✭Hurrache


    Sleeper12 wrote: »
    Did anyone hear the Q&A from the commissioner today on the journal?

    I didn't myself but wondered if anything interesting came up?

    It's available to listen back but not worth it, just the standard fare of what it is at a high level.


  • Registered Users Posts: 17,070 ✭✭✭✭Sleeper12


    Hurrache wrote:
    I don't think boards.ie has one, but if they did I'd have thought they'd be involved in the thread, either for their input as to their policies, or for input from members.

    It's part of the new rules. From Friday there has to be an individual responsible for the data legislation. In a small business or one man band like myself then I am responsible.


  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 76,290 Admin ✭✭✭✭✭Beasty


    Hurrache wrote: »
    But then this in a way contradicts how boards shuts down threads citing fear of being brought to court over what posters post.

    If they think they're liable for what posters post they then can't wash their hands of the same posts when users want them removed.

    They don't know if they could be considered liable. It's a grey area. They operate a policy of taking down things that they could potentially be sued for, even if they think their case is strong. They want to avoid potentially costly legal disputes.

    Businesses can incur massive amounts in legal fees that will not be automatically recoverable because it is in preparation for a potential legal case. Boards essentially adopts a "better safe than sorry" policy on such matters

    Again these are personal comments based on what I've seen on this site over the past decade or so


  • Registered Users Posts: 10,229 ✭✭✭✭Hurrache


    Yeah, we agree on the reasons for shutting things down, but on one hand they say hang on guys, can't be saying that, we're responsible. And on the other sorry guys, you knew what you were posting at the time, that's on you.


  • Registered Users Posts: 17,070 ✭✭✭✭Sleeper12


    Beasty wrote:
    They don't know if they could be considered liable. It's a grey area. They operate a policy of taking down things that they could potentially be sued for, even if they think their case is strong. They want to avoid potentially costly legal disputes.


    This is a sensible business approach. I'm betting it helps boards.ie keep their annual insurance lower than it could be.

    I'd imagine boards.ie are safe enough in reality though. Facebook, twitter etc don't care what you are saying & I'd imagine that they have the best legal teams telling them so.

    On another note a lot have been saying that boards.ie are late stating their updated policy. I'm still getting emails from companies and expect more but I can't recall getting anything from Facebook. Nothing recently anyway. It's possible that they changed their policy a few months ago


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    Sleeper12 wrote: »
    I can't recall getting anything from Facebook. Nothing recently anyway. It's possible that they changed their policy a few months ago

    In my case Facebook displayed the new policy and re-asked for consent on a few things directly within the app, 1 or 2 months ago I think.

    Apple also did it directly on device with an iOS update around the same time.


This discussion has been closed.