
GDPR and Boards.ie post removal policy **update linked in OP 24/5/18**


Comments

  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    ....... wrote: »
    Depends if the private conversations contain personally identifying information.

    That is a good point. Technically if two boards users talk about me in PM using my real name and boards stores those PMs in a database, that is personal information they are holding about me (boards might not have created the PM but they are storing it and can access it if they want to). And that is true even if I am not a registered user on boards.

    My understanding of GDPR is that if I submit a request to obtain my personal data they should in theory give me those PMs, and if I request them to do so, they should also permanently delete them from their database (i.e. from those 2 users’ outbox and inbox).

    This is from just attending a few trainings about it and reading a couple of articles, but I can’t remember if there is any exception in this situation (although as I am saying it I see a problem with it which is that in a way it is violating the privacy of the other two users ... but there isn’t much privacy in the first place anyway as some of boards’ staff already had access to these messages anyway).


  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 76,290 Admin ✭✭✭✭✭Beasty


    Bob24 wrote: »
    boards might not have created the PM but they are storing it and can access it if they want to
    No they cannot. My understanding is that PMs are always private unless reported by the recipient. Then only Admins can see them.

    I think the only way anyone is allowed to access PMs outside the reporting system is on the back of a legal request/obligation, and even then I think there is additional work required to get to the underlying information. We simply cannot screen PMs for any personal information, in the same way Google have to respect the privacy of its e-mail users.


  • Moderators, Category Moderators, Arts Moderators, Business & Finance Moderators, Entertainment Moderators, Society & Culture Moderators Posts: 18,311 CMod ✭✭✭✭Nody


    Bob24 wrote: »
    That is a good point. Technically if two boards users talk about me in PM using my real name and boards stores those PMs in a database, that is personal information they are holding about me (boards might not have created the PM but they are storing it and can access it if they want to). And that is true even if I am not a registered user on boards.

    My understanding of GDPR is that if I submit a request to obtain my personal data they should in theory give me those PMs, and if I request them to do so, they should also permanently delete them from their database (i.e. from those 2 users’ outbox and inbox).

    This is from just attending a few trainings about it and reading a couple of articles, but I can’t remember if there is any exception in this situation (although as I am saying it I see a problem with it which is that in a way it is violating the privacy of the other two users ... but there isn’t much privacy in the first place anyway as some of boards’ staff already had access to these messages anyway).
    And that is not how it is going to work in practice; let's say I send a payment for an Ebay auction to you via bank transfer. I state my real name and it shows up on your statement as Joe Bloggs DVD Buffy Season 1 as the message for you to recognise me. Do you think the bank will go in and delete that from your bank statement and from their system due to my right to be forgotten? Some people on this thread have some very fancy ideas on how far things go, that's for sure though.


  • Registered Users Posts: 10,229 ✭✭✭✭Hurrache


    Some people? What other examples?


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    Beasty wrote: »
    No they cannot. My understanding is that PMs are always private unless reported by the recipient. Then only Admins can see them.

    I think the only way anyone is allowed to access PMs outside the reporting system is on the back of a legal request/obligation, and even then I think there is additional work required to get to the underlying information. We simply cannot screen PMs for any personal information, in the same way Google have to respect the privacy of its e-mail users.

    You got me wrong, what I am saying is that boards.ie as an organisation has access to that data because it is storing it in a database, either unencrypted or encrypted with an encryption key which is held by the organisation and allows it to decrypt it. This is unquestionable.

    I understand there are obviously internal controls to restrict who can see those messages and in which situation, and I haven't said everyone in boards can access everything and anytime (although I presume a couple of technical team members probably have permanent full access to the database for support and operational purposes). What I said is that boards as an organisation is storing that data and has access to it so I don't see why it wouldn't handle it according to the regulation.


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    Nody wrote: »
    And that is not how it is going to work in practice; let's say I send a payment for an Ebay auction to you via bank transfer. I state my real name and it shows up on your statement as Joe Bloggs DVD Buffy Season 1 as the message for you to recognise me. Do you think the bank will go in and delete that from your bank statement and from their system due to my right to be forgotten? Some people on this thread have some very fancy ideas on how far things go, that's for sure though.

    The bank is not subjected to the right to be forgotten in this case as they have a legal requirement to keep financial transactions data for a certain period. This is one of the several exceptions in GDPR (there are others).

    My understanding is that they would also not be subjected to it if you volunteered the information as part of the core process of the service they are delivering to you, which is a second reason why they wouldn't have to entertain your request and will cover the activity of many other businesses.

    There is a good number of other exceptions/restrictions to the right to be forgotten I have read about, for example if the data is part of a piece of art or a research project. But as I said I can't see any exception in the case of a PM on boards.


  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 76,290 Admin ✭✭✭✭✭Beasty


    Bob24 wrote: »
    You got me wrong, what I am saying is that boards.ie as an organisation has access to that data because it is storing it in a database, either unencrypted or encrypted with an encryption key which is held by the organisation and allows it to decrypt it. This is unquestionable.
    So presumably your view is this applies equally to all e-mail providers?

    Equally how is anyone to know whether and if so what "personal" information has been shared via PM, other than anything that is reported?

    Anyone who has shared their personal info with another user via PM has lost any control over that information, as even if we can delete the PM, the recipient is likely to have received an e-mail with the same information embedded


  • Registered Users Posts: 36,349 ✭✭✭✭LuckyLloyd


    No it doesn't. If I send an email to a friend mentioning your name and address are Google required to reveal the contents of that email to you? I think the more relevant question will be whether it is how the communication will be considered in relation to the business.

    All I know is that our company (large pensions / insurance place) give you *everything* when you do a SAR. Even email conversations between employees complaining about your phone manner or whatever.

    Interested to see what the official statement says anyway...


  • Registered Users Posts: 16,413 ✭✭✭✭Trojan


    Permabear wrote: »
    This post had been deleted.

    Reddit, StackExchange, Quora.


  • Registered Users Posts: 16,413 ✭✭✭✭Trojan


    From a previous discussion on this topic:
    Trojan wrote: »
    It's an interesting argument, and I'm very much on the side of "the right to be forgotten" and I'm in favour of the EU bringing this into legislation. I do understand the opposing views - I have had this discussion in the admin forum several times over the years - I just hold a completely different opinion to those opposing. There has got to be a way to find a solution that allows privacy with maintaining threads of conversations in a usable format.

    I think that to compare it to Sherlock's Folly more reflects badly on those making the comparison than on the legislation itself. There's a world of difference.

    If Boards started impinging on user privacy, have no fear - you'll see admins crying foul as loud or louder than anyone else. For me, personal freedom and privacy are very important (and bloody difficult to reconcile with running a business).

    Wibbs wrote: »
    OK. How? Change the original name and populate that throughout the site inc quotes and replies, seems to be the only obvious one that would maintain the flow. That said there are a couple of those type accounts here and a fair number could tell you who they were and are (if they reregged). Having a catchall "closed account" wouldn't keep the flow at all.

    Plus you then have to pin down where the right to be forgotten line actually lies. One could well argue that the post content themselves are part of the identity of the person. There are a fair few folks out there that if someone was interested/deranged enough they could find out an awful lot about them, even identify them in real life. Some members actively identify their real life selves. Posts are also already copyright of that person who agrees boards can publish on their behalf. You own your own words as has been said hereabouts. In which case a user/legislative body could make the case that the right to be forgotten extends to the posts themselves and they have to be deleted or privately archived if requested. Imagine if every person who has hit the "close account" button in the last year also took every post of theirs with them? That would seriously impact Boards and other communities out there.

    Well duuuh :) of course there is a difference in what the legislation is. You're missing the point. I wasn't equating the aims behind both, but in the same way that we can all agree that legislation to fairly protect copyright is a good thing, laws like sherlocks took it too far because of bad advice (among other things). The right to be forgotten is also a good thing, but who is to say legislation wouldn't go too far on the back of equally bad advice? The record of our government in drafting up such isn't so great in areas they've little clue in and as we've seen they're not usually for turning or even real open debate before inking on the dotted line. That said the sky didn't fall in since then. Yet. Mainly because this site was already voluntarily compliant. However a right to be forgotten law could well impact communities like ours in a much more fundamental way. As I stated one hopes cooler more informed legal heads prevail.

    Boards as usual is thinking ahead with the closed account option, so might well be a case example of how to do it right without going overboard, which would hopefully inform and sway any local legislators to keep a light touch. To add to that, maybe an automatic random username change could be applied when people click that button? That way if and when such legislation is more concretely mooted, Boards can say "eh hello folks we're already well ahead of ye". Just as they have been ahead of sherlock by not allowing blatant links to copyrighted material from the get go.

    Trojan wrote: »
    "You own your own words"

    I've heard this used in argument against the right to be forgotten, but to be honest they're the strongest arguments of the pro-rights camp. If I truly own my own words, I have the right to change, remove them, or remove my association with them, or whatever else I like - I own them, right?

    Defining the scope of the issue, I believe that there are 3 solutions to any given post being identifiable:

    A) Change the username (may not always work depending on post content)
    B) Remove the post
    C) Change the content

    With posts where there is zero possibility of being personally identifiable, I think we allow or perform automatic random username change on those posts, within context of the below.

    I think that any given post that is personally identifiable falls into one of the following classifications:
    1. The first is that which is personally identifiable even without any associated username.
    2. The second type of personally identifiable information in a given post is that which is identifiable when associated or grouped with other posts from the same user in that same discussion thread.
    3. The third type of personally identifiable information in a given post is that which is identifiable when associated or grouped with other posts from the same user in a different discussion thread.
    4. There might be a fourth, which is posts identifiable when associated with posts from other users in that same discussion thread (usually just underneath, quoted or referenced within the context of the thread).

    The second, third and fourth types are essentially one and the same content, it's our constructs of threads and posts that requires us to deal with them differently.

    Dealing with types (1), (2) and (4) it's quite simple - we have to allow the user or their proxy (mods/admins) to either edit the information, or remove the post. I think we should allow users to edit or delete old posts manually, but not en masse, to enable this. Maybe limit it to a time window or during Close Account procedure.

    Type (3) is the interesting one for me because I think it's the vast majority of posts that are personally identifiable. In this case, I like the idea of not only having a once-off automatic random username change for the user, but having the username consistent only within a single thread. So the posts from that user all make sense if you're reading a discussion thread, but you can't find other posts from that same closed account.

    I'm sure there are other solutions too, but it is possible.
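
The per-thread username idea for type (3) posts can be sketched with a keyed hash. This is an added example, not part of the thread and not Boards.ie code; the key, the `closed-` prefix, the function names and the sample posts are all assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Assumption: a secret held only by the forum operator. Without it, nobody can
# recompute a pseudonym from a user id or link pseudonyms across threads.
SITE_KEY = b"constructed-demo-key-not-a-real-secret"

def thread_pseudonym(user_id: int, thread_id: int, key: bytes = SITE_KEY) -> str:
    """Stable name for one closed account inside one thread only."""
    msg = f"{user_id}:{thread_id}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"closed-{digest[:10]}"

# Quote attribution lines in the forum's own "<name> wrote: »" format.
QUOTE_RE = re.compile(r"^(?P<name>.+?) wrote: »$", re.MULTILINE)

def anonymise_thread(thread_id, posts, closed, usernames):
    """Rename closed accounts in author fields and in quote attributions.

    posts:     list of {"user_id": int, "body": str}
    closed:    set of user ids whose accounts are closed
    usernames: mapping user id -> original username
    """
    name_to_id = {usernames[uid]: uid for uid in closed}

    def fix_quote(match):
        uid = name_to_id.get(match.group("name"))
        if uid is None:
            return match.group(0)  # quoted user still has an open account
        return f"{thread_pseudonym(uid, thread_id)} wrote: »"

    result = []
    for post in posts:
        uid = post["user_id"]
        author = thread_pseudonym(uid, thread_id) if uid in closed else usernames[uid]
        # Only attribution is rewritten. Identifying details in the post text
        # itself (types 1, 2 and 4 above) still need an edit or a removal.
        result.append({"author": author, "body": QUOTE_RE.sub(fix_quote, post["body"])})
    return result

# Constructed sample data.
USERNAMES = {1: "alice", 2: "bob"}
CLOSED = {2}
POSTS = [
    {"user_id": 1, "body": "Should closed accounts keep their name?"},
    {"user_id": 2, "body": "I would rather be renamed."},
    {"user_id": 1, "body": "bob wrote: »\nI would rather be renamed.\nFair enough."},
]

if __name__ == "__main__":
    for post in anonymise_thread(1001, POSTS, CLOSED, USERNAMES):
        print(post["author"], "|", post["body"].replace("\n", " / "))
    # The same account gets an unrelated name in another thread.
    print(thread_pseudonym(2, 1001), thread_pseudonym(2, 1002))
```

Because the name is derived rather than stored, the thread still reads coherently, while rotating or destroying the key removes the operator's own ability to re-link the pseudonyms to an account.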


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    Beasty wrote: »
    So presumably your view is this applies equally to all e-mail providers?

    Equally how is anyone to know whether and if so what "personal" information has been shared via PM, other than anything that is reported?

    Anyone who has shared their personal info with another user via PM has lost any control over that information, as even if we can delete the PM, the recipient is likely to have received an e-mail with the same information embedded

    As I said I am asking the question and don't have the answer. I can see how this would be a problem and there very well could be specific rules for this type of scenario but I can't recall them from what I have read and if they exist it would be good to know exactly what they cover.

    On the question to know what personal information an organisation holds about you: it is for them to figure out when you ask them about it and it could be a hell for these organisations. This is actually a question I have asked before at a GDPR training: if you ask a company what information they have about you and after checking their databases they say they have nothing on you, but a few weeks later one of their employees gives you a marketing call because you were a customer before and while you had been deleted from their customer database that person had kept your details in a text file on their company PC, the company is deemed responsible for not having properly handled your data and you can go after them for it (now every opinion is questionable but that was the one of the lawyer who gave a training at my job when I asked that exact question - which is scary working in IT as identifying those lone files would be hell).


  • Registered Users Posts: 33,518 ✭✭✭✭dudara


    Searching or scanning unstructured data stores (electronic or paper) will be a huge effort.

    What this means is that organisations need to look at a proper records management, classification, retention and deletion process. That’s a huge curve to climb for most organisations.


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    dudara wrote: »
    Searching or scanning unstructured data stores (electronic or paper) will be a huge effort.

    What this means is that organisations need to look at a proper records management, classification, retention and deletion process. That’s a huge curve to climb for most organisations.

    Yes, and I don't presume it applies to boards but audio recordings can also be a massive challenge as they can contain loads of personal data but are not necessarily tagged with every person's name - and even if they are their content is not easily indexed/searchable (although technology is coming around to help with that but I doubt it will be 100% reliable for a while in hard situations - for example an unusual person/place name or a very heavy accent).

    Also, pictures/screenshots can be another killer.

    As you say there is a huge effort to better manage data, but what I hope is that it will also push some organisations to retain less data than they used to as they know they will have overhead to manage it.


  • Registered Users Posts: 24,506 ✭✭✭✭Cookie_Monster


    Bob24 wrote: »
    GDPR only applies to EU residents anyway.

    Individuals only or companies also?
    I'm not in the EU currently but am an EU citizen and because boards.ie ltd is EU based does this make a difference?

    Half of my posts were probably made while I was an EU resident as well...


  • Registered Users Posts: 18,584 ✭✭✭✭kippy


    LuckyLloyd wrote: »
    All I know is that our company (large pensions / insurance place) give you *everything* when you do a SAR. Even email conversations between employees complaining about your phone manner or whatever.

    Interested to see what the official statement says anyway...
    Interesting to see how your company manage to do this. It's an extremely complex area.


  • Registered Users Posts: 10,229 ✭✭✭✭Hurrache


    dudara wrote: »
    Searching or scanning unstructured data stores (electronic or paper) will be a huge effort

    For digital storage it's not that great an effort. It can be done in house or using off the shelf products handily enough.


  • Registered Users Posts: 33,518 ✭✭✭✭dudara


    Hurrache wrote: »
    For digital storage it's not that great an effort. It can be done in house or using off the shelf products handily enough.

    If you have a homogenous IT environment, it’s not too bad using forensics or electronic discovery tools. If you have a fragmented environment, the effort goes up. Then someone still needs to go through the results and select / redact the relevant docs. Having a good information classification process in place would help.


  • Registered Users Posts: 10,229 ✭✭✭✭Hurrache


    Individuals only or companies also?
    I'm not in the EU currently but am an EU citizen and because boards.ie ltd is does this make a difference?

    Half of my posts were probably made while I was an EU resident as well...

    The relevance of the law to you is that you're an EU citizen, doesn't matter if you posted from outside the EU, or even on a server outside of the EU.

    There's also extraterritoriality, the law applies to data held by companies outside of the EU that hold data on EU citizens. However applying the law to non EU companies is a different matter altogether.


  • Registered Users Posts: 26,578 ✭✭✭✭Turtwig


    Iirc the data protection commissioner already liaised with boards a few years ago. Closed accounts were a byproduct of that. It's unlikely that if boards were considered compliant then that they'd not be GDPR compliant now.


  • Registered Users Posts: 10,229 ✭✭✭✭Hurrache


    Turtwig wrote: »
    It's unlikely that if boards were considered compliant then that they'd not be GDPR compliant now.

    Not true at all.


  • Registered Users Posts: 24,506 ✭✭✭✭Cookie_Monster


    Hurrache wrote: »
    The relevance of the law to you is that you're an EU citizen, doesn't matter if you posted from outside the EU, or even on a server outside of the EU.
    Thanks
    So EU citizens regardless then, not just residents as was quoted in this thread at some point?


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    Individuals only or companies also?
    I'm not in the EU currently but am an EU citizen and because boards.ie ltd is EU based does this make a difference?

    Half of my posts were probably made while I was an EU resident as well...
    Hurrache wrote: »
    The relevance of the law to you is that you're an EU citizen, doesn't matter if you posted from outside the EU, or even on a server outside of the EU.

    There's also extraterritoriality, the law applies to data held by companies outside of the EU that hold data on EU citizens. However applying the law to non EU companies is a different matter altogether.

    Hurrache's second point is correct but not the first one. Being an EU citizen doesn't matter in deciding whether someone is covered by GDPR; what matters is being located in the EU (regardless of citizenship).

    So an Irish citizen living in Japan and having their data processed by an American company is definitely not covered by GDPR, while a Japanese citizen living in Ireland and having their data processed by an American company is covered by GDPR. My understanding however is that posts made by the OP while located in the EU are covered even though they are not a resident of the EU, but this is to be confirmed and purely due to their geographical location at the time, not to their country of citizenship.

    Also OP FYI the protections granted by GDPR only apply to individuals, not to organisations.


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    Turtwig wrote: »
    Iirc the data protection commissioner already liaised with boards a few years ago. Closed accounts were a byproduct of that. It's unlikely that if boards were considered compliant then that they'd not be GDPR compliant now.

    GDPR extends a lot on previous data protection regulation. Being compliant with previous regulation is definitely not a guarantee of being compliant with GDPR; and in most organisations who have taken it seriously GDPR compliance has been a large project going on for months or years.

    The most trivial example which most people have seen in the past week is that explicit consent is now required in many cases to contact people, which was not the case before. So many organisations which hadn't collected that explicit consent are now doing it in a hurry as otherwise when the date comes they won't be able to leverage their mailing lists anymore.


  • Registered Users Posts: 10,229 ✭✭✭✭Hurrache


    Bob24 wrote: »
    Hurrache's second point is correct but not the first one. Being an EU citizen doesn't matter in deciding whether someone is covered by GDPR; what matters is being located in the EU (regardless of citizenship).

    So an Irish citizen living in Japan and having their data processed by an American company is definitely not covered by GDPR, while a Japanese citizen living in Ireland and having their data processed by an American company is covered by GDPR. My understanding however is that posts made by the OP while located in the EU are covered even though they are not a resident of the EU, but this is to be confirmed and purely due to their geographical location at the time, not to their country of citizenship.

    Also OP FYI the protections granted by GDPR only apply to individuals, not to organisations.

    Actually, yes, you're correct. EU citizen but outside of the EU is not covered. I actually covered that in a course I did on it recently, but I faded out at that point as it wasn't applicable to me or my current project.

    Another one particular discussion point on this is the definition of an EU citizen. If for example you're a foreign student, the Japanese person in your example, an attache to an embassy etc, even if it's hosted on an EU server from within the EU, it's not necessarily covered by GDPR.

    This site has done a bit of work and a few blogs on it
    https://cybercounsel.co.uk/data-subjects/


  • Closed Accounts Posts: 9,057 ✭✭✭.......


    This post has been deleted.


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    ....... wrote: »

    I would have thought most companies were engaged in a similar process if the nature of the business means that they hold personal data.

    Unfortunately I think many organisations haven’t yet grasped the impact it has on them.


  • Registered Users Posts: 36,349 ✭✭✭✭LuckyLloyd


    kippy wrote: »
    Interesting to see how your company manage to do this. It's an extremely complex area.

    It's a complex area, and some of it involves manual trawling through files I believe. We don't receive a high volume of them, thankfully. But it's simple in another: just find everything relevant to the person / customer. You need to understand as a company how you process data, where it is stored and how the flows work.


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    Hurrache wrote: »
    Japanese person in your example, an attache to an embassy etc, even if it's hosted on an EU server from within the EU, it's not necessarily covered by GDPR.

    This site has done a bit of work and a few blogs on it
    https://cybercounsel.co.uk/data-subjects/

    Yeah non residents are tricky and it’s still a bit of a grey area for me (although in my view a student who is here for several months is covered).

    I might be wrong but I think in theory anyone who is physically present in the EU when they access the service provided by a company is covered by GDPR. But I don’t see how it can work or be enforced in practice: it would mean that if they don’t want to fall under GDPR a 100% American company only serving customers residing in the US but which has a web portal for their customers should disable that portal when someone is trying to access it from the EU (even if it is just someone on a 2 hours layover in London or Paris trying to access the service from the airport on their way to a non EU country).


  • Closed Accounts Posts: 9,057 ✭✭✭.......


    This post has been deleted.


  • Registered Users Posts: 8,811 ✭✭✭blackwhite


    For anyone who previously closed account - how exactly are they going to prove that they are entitled to make a "right to be forgotten" request in relation to that account?

    Boards have already said that they delete the hashed email, etc, within 30-40 days.


This discussion has been closed.