GDPR and Boards.ie post removal policy **update linked in OP 24/5/18**

BowSideChamp

Facebook moved half of their userbase data to avoid GDPR on non EU users. They are taking this seriously.

Beasty

BowSideChamp wrote: »

Facebook moved half of their userbase data to avoid GDPR on non EU users. They are taking this seriously.

After recent events, and with Zuckerberg appearing before the EU Parliament today, they have a serious amount of making up to do. And they have billions of cash swilling around to ensure they both get the best advice and implement whatever they feel necessary to get the EU, other nations and indeed regulators back onside

The reason they have moved all that is to get it outside the reaches of GDRP

Bob24

I was just reading this on the topic of GDRP readiness (interesting title - "No one’s ready for GDPR" :-)): https://www.theverge.com/2018/5/22/17378688/gdpr-general-data-protection-regulation-eu

For what it is worth, there is a quote from an attorney and privacy officer in there which is relevant to this thread: "But then there’s more ambiguous data, like an oblique reference, like the tall bald guy who lives on East 18th Street. If someone said that in an email, that would be information you’d need to provide me with access to under the GDPR".

Dravokivich

Bob24 wrote: »

I was just reading this on the topic of GDRP readiness (interesting title - "No one’s ready for GDPR" :-)): https://www.theverge.com/2018/5/22/17378688/gdpr-general-data-protection-regulation-eu

For what it is worth, there is a quote from an attorney and privacy officer in there which is relevant to this thread: "But then there’s more ambiguous data, like an oblique reference, like the tall bald guy who lives on East 18th Street. If someone said that in an email, that would be information you’d need to provide me with access to under the GDPR".

Well let's just shut down the internet so. You've got one such oblique reference in that very post. Does it make it his personal data and he may not even be aware of it here, to request boards to take action.

Sleeper12

Bob24 wrote:

For what it is worth, there is a quote from an attorney and privacy officer in there which is relevant to this thread: "But then there’s more ambiguous data, like an oblique reference, like the tall bald guy who lives on East 18th Street. If someone said that in an email, that would be information you’d need to provide me with access to under the GDPR".

That's another thing people are confused about. Does the GDPR just cover my data that I provide? Even if it covers posts is it just my posts? What if someone else posts information identifying me? I know boards.ie have rules about this but I'm wondering can I get information someone else posts about me under the legislation?

I believe that the legislation covers my data that I provide. I don't see how my rights can override someone else's right to post, comment, speach etc.

Hurrache

Beasty wrote: »

After recent events, and with Zuckerberg appearing before the EU Parliament today, they have a serious amount of making up to do. And they have billions of cash swilling around to ensure they both get the best advice and implement whatever they feel necessary to get the EU, other nations and indeed regulators back onside

The reason they have moved all that is to get it outside the reaches of GDRP

He said today they're working on a delete function which will delete all trace of you ever having a Facebook account, be that believable or not.

And as long as they hold data on EU citizens they can't move out of GDPRs reach.

Permabear

This post has been deleted.

Bob24

Sleeper12 wrote: »

That's another thing people are confused about. Does the GDPR just cover my data that I provide? Even if it covers posts is it just my posts? What if someone else posts information identifying me? I know boards.ie have rules about this but I'm wondering can I get information someone else posts about me under the legislation?

I believe that the legislation covers my data that I provide. I don't see how my rights can override someone else's right to post, comment, speach etc.

While I would definitely agree there is a lack of clarity on what constitutes personal data (and the link I posted is just one opinion which I wouldn't necessarily take at face value), for me who provided that data is irrelevant.

Regardless of whether it was provided by me, by someone else, or by an IT system, any private information held about me is covered by GDPR (which as we all agree doesn't necessarily mean I have the right to request its deletion as there are many exemptions).

I'd be interested in being corrected with reference to the regulation if this is invalid, but for example my understanding is that if an organisation runs a background check about me for whatever reason (i.e. they potentially obtains personal data about me which I didn't volunteer myself), they would have to disclose all that information to me if I make a subject data access request.

Hurrache

Permabear wrote: »

This post had been deleted.

I know, but GDPR doesn't apply to non EU users anyway.

Bob24

Hurrache wrote: »

And as long as they hold data on EU citizens they can't move out of GDPRs reach.

100% correct, but Beasty is also 100% correct in saying they moved many users to an other jurisdiction to escape GDPR for those users.

I believe all their non American users used to be under the umbrella of Facebook Ireland, which means all of them would have been covered by GDPR (including someone living in Japan or Australia). So what they did is only keeping EU users under Facebook Ireland and moving everyone else to Facebook US, so that these non-EU users are not covered by GDPR anymore.

Hurrache wrote: »

I know, but GDPR doesn't apply to non EU users anyway.

Any company which is based in the EU has to apply GDPR to all its users (even if those users and outside the EU). So Facebook Ireland would have had to apply GDPR to non-EU users which were under its umbrella.

Sleeper12

Bob24 wrote:

While I would definitely agree there is a lack of clarity on what constitutes personal data (and what I posted is just one opinion which I wouldn't necessarily take at face value), for me who provided that data is irrelevant.

I was assuming that I had no control over information a third party posts about me. Not just here on boards.ie but anywhere. If I do work for someone & they leave a nasty review or even just a Facebook post naming me, you can look up my Facebook page & get information about me from there. If I have a business page my address might be there. Can I get the original review or Facebook comment removed? It just doesn't seem logical to me to be able to get other people's comments removed because they identified me. If my name is John Smith & I win a swimming race my local swimming club might say John Smith from Cabra on their newsletter. Can I get them to remove this?

I don't know the answers above but this is why I am assuming that it's only data that I give that I have control over. It would make a very quiet Internet. Freedom of speech will be gone. Maybe I'm being extreme but you can see where I'm coming from.

I have a little online store & I'm very lucky this legislation doesn't effect me very much. PayPal process my payments so I have no card details. I have ssl certificate for security purposes. I have name address & email address. I suppose I have IP address but I wouldn't know where to find this information. I don't pass on any data at all. I don't have a newsletter so once they receive their goods they will never hear from me again. All told I put up a privacy policy & that's about it. WordPress (only a few days ago) came out with a plug in that sorts everything out for me. It will compile someone's data for me and email it to them on request & then permanently delete the data if needed. I'm betting boards.ie wished things were so simple for them

Bob24

Sleeper12 wrote: »

I don't know the answers above but this is why I am assuming that it's only data that I give that I have control over. It would make a very quiet Internet. Freedom of speech will be gone. Maybe I'm being extreme but you can see where I'm coming from.

My view is that many use cases will be covered by exemptions or valid reasons to hold the data. For exemple if you sign up for a competition at your swimming club I’d say under GDPR you implicitly accept they will retain your name as a winner because this is part of the core process you signed-up for (a competition).

But I am fairly certain there are cases where people will have the right to request the deletion of data they didn’t provide themselves (although I agree if this is pushed to the extreme it could become unmanageable for a website like this one, and I am not clear where the limit is).

Permabear

This post has been deleted.

Creative83

Is this not a big can of worms...

Take this for example... a user with 8 thousand posts gets banned. The user then asks boards to remove any posts containing personally identifiable information. Boards will then have to go through every single post... have I got that right??

seamus

Creative83 wrote: »

Is this not a big can of worms...

Take this for example... a user with 8 thousand posts gets banned. The user then asks boards to remove any posts containing personally identifiable information. Boards will then have to go through every single post... have I got that right??

From what others say here, the answer is no. Identifying information that boards intentionally holds on you, like your email address, yes.

Information which boards doesn't intentionally hold on you - i.e. it never asked for and was incidentally provided in your posts - falls in a grey area. And it's more likely that the individual themselves will have to go through every post to pick out the ones containing identifying data and request their deletion.

Permabear

This post has been deleted.

Sleeper12

Creative83 wrote: »

Is this not a big can of worms...

Take this for example... a user with 8 thousand posts gets banned. The user then asks boards to remove any posts containing personally identifiable information. Boards will then have to go through every single post... have I got that right??

Under the new law you can ask boards for a copy of all your data. You can actually request a physical copy. Boards send you this information. You have to look through it & decide what you want removed. Only the poster can know what comments identify him/her.

What happens after that we don't know. Just because you request that your data is removed doesn't mean it will. On my retail site I have to keep records of transactions (name, address, what you bought & how much) for revenue for I think up to seven years. As for posts, boards might just delete them all, no questions asked, might generate random usernames for each of your posts, might agree to delete some of your posts.

Permabear

This post has been deleted.

.......

This post has been deleted.

Beasty

Permabear wrote: »

This post had been deleted.

I'm not sure anyone from the office have advised what they are currently doing in terms of legal advice. I am certainly not aware of any questions that may have been or indeed are being asked.

seamus

Permabear wrote: »

This post had been deleted.

That would seem like a terrible waste of trees when you can just browse your own post history and stick the stuff in a word document.

If it was up to me, I'd bring back the delete function, but disable multi-deleting.

Thus if someone has 10,000 posts they want to delete, they can do so one-by-one without having to waste anyone's time.

The biggest grey area I see here are posts in private forums. If a user is banned, those posts are inaccessible to them. It may be a case that closing your account will require that all posts in private forums are extinguished.

Sleeper12

Permabear wrote: »

This post had been deleted.

No you wont. They aren't obliged to provide you with the pen. Just the box of your data. Boards nor any other site is required to (nor would they be able) decide what posts identify you. That is your responsibility.

Permabear

This post has been deleted.

Permabear

This post has been deleted.

.......

This post has been deleted.

Bob24

Sleeper12 wrote: »

Under the new law you can ask boards for a copy of all your data. You can actually request a physical copy. Boards send you this information. You have to look through it & decide what you want removed. Only the poster can know what comments identify him/her.

Yes but for a site like board just producing the initial data dump can be a challenge.

For exemple if I create a post referencing “mister Smith whose mobile number is 08xxxxxxxx”, I have very clearly identified someone and boards is holding that data.

Now 2 months later “John Smith” (who is not a registered user on boards) makes a data subject access request to boards - he is the guy I was taking about.

Will boards’ policies and technical capabilities lead to them providing him with my post and offering the option to permanently delete it from all of boards servers? And if not, would they not be in breach of GDPR?

Franz Von Peppercorn

Permabear wrote: »

This post had been deleted.

He’d still have to prove it was in fact him and that he was in fact identifiable. Which is a hard task.

Anyway that’s probably already covered in defamation laws. If a poster claim he or she was treated badly in a relationship and was posting enough information about the supposed perpetrator, boards would close that down now.

GDPR is about your data not what someone says about you.

Franz Von Peppercorn

Bob24 wrote: »

Yes but for a site like board just producing the initial data dump can be a challenge.

For exemple if I create a post referencing “mister Smith whose mobile number is 08xxxxxxxx”, I have very clearly identified someone and boards is holding that data.

Now 2 months later “John Smith” (who is not a registered user on boards) makes a data subject access request to boards - he is the guy I was taking about.

Will boards’ policies and technical capabilities lead to them providing him with my post and offering the option to permanently delete it from all of boards servers? And if not, would they not be in breach of GDPR?

It’s already a breach of board policies and depending what you are saying about the guy, defamation law.

The grey area here is when the police come looking for that post (let’s say boards kept it up) and at the same time the poster wants to delete it permanently. Not that grey really as I think the law wins in that case. It depends on the timing.

Bob24

....... wrote: »

True - for hidden stuff or things like email addresses that are not viewable through the application they would have to provide you with a way of seeing the content.

For this, I think a site like boards will have to implement a feature which exports all the data they hold related to an account into structured CSV files which are then put into a zip file which can be downloaded by the user. Like Google, Facebook, Apple and the likes did.

I am not sure to which extend boards is subjected to it, but it also covers the right to data portability so it is killing two birds with one stone.

Bob24

Franz Von Peppercorn wrote: »

It’s already a breach of board policies and depending what you are saying about the guy, defamation law.

The grey area here is when the police come looking for that post (let’s say boards kept it up) and at the same time the poster wants to delete it permanently. Not that grey really as I think the law wins in that case. It depends on the timing.

Doesn’t have to be defamation or involve the police (maybe I’m just praising that guy about something). And because it is against the policies doesnt meant it won’t happen.

The only way for boards to make sure they will never be in this situation is to have a process to make sure that such posts are consistently detected and permanently deleted from all their systems (not just logicaly deleted on the website). Possible but it means each post needs to be reviewed by a boards staff with this is mind and they must have the tools in place to trigger the permanent deletion.