GDPR and Boards.ie post removal policy **update linked in OP 24/5/18**

Hurrache

That's something I thought of myself, especially if the associated email address has been wiped, how to manage removal of posts associated with closed accounts if so required.

Permabear

This post has been deleted.

.......

This post has been deleted.

.......

This post has been deleted.

Bob24

....... wrote: »

I believe there is a loophole around backups, article about it here, but restoration procedures must involve removing that persons data.

Yes I’ve read about this as well and it seems reasonable enough. But I guess it is a grey area and at this stage it is just legal opinions, so those things might neee to be tested in court before we have full clarity.

.......

This post has been deleted.

tsue921i8wljb3

Move the servers and possibly a holding company outside the EU. Problem solved!

Hurrache

Micah Shrilling Strawberry wrote: »

Move the servers and possibly a holding company outside the EU. Problem solved!

Nope, the data still concerns EU citizens.

tsue921i8wljb3

Hurrache wrote: »

Nope, the data still concerns EU citizens.

How would a non EU company be prosecuted though?

Hurrache

And that's the rub! Many will have a presence of some sort in the EU, and those that don't there's a requirement that those that target and conduct business with EU citizens to have a representative in the EU, could be something as simple as employing a legal rep to handle such things. Any resulting fines for those are done within international law, as opposed to EU law.

EU-US and eventually EU-UK trade shouldn't be too hard to police, but it may become difficult for countries without trade agreements etc with the EU.

tsue921i8wljb3

Hurrache wrote: »

And that's the rub! Many will have a presence of some sort in the EU, and those that don't there's a requirement that those that target and conduct business with EU citizens to have a representative in the EU. Any resulting fines for those are done within international law, as opposed to EU law.

EU-US and eventually EU-UK trade shouldn't be too hard to police, but it may become difficult for countries without trade agreements etc with the EU.

boards.ru

Permabear

This post has been deleted.

Hurrache

It's just a discussion evolving around the broader topic.

tsue921i8wljb3

Permabear wrote: »

This post had been deleted.

I was merely offering a suggestion that, in the case of the GDPR regulations imposing an unbearable burden on either the finances of the company or the very fabric of the site, that the option to relocate may be considered. Hopefully it will not come to this.

Bob24

Micah Shrilling Strawberry wrote: »

I was merely offering a suggestion that, in the case of the GDPR regulations imposing an unbearable burden on either the finances of the company or the very fabric of the site, that the option to relocate may be considered. Hopefully it will not come to this.

It is not a viable option no matter what and people in charge of running this site are definitely not crazy enough to even consider it.

Firstly because as outlined by another poster already GDPR would apply anyway regardless of where the company is based (and saying “how will it be enforced?” doesn’t address that point as I doubt people involved with boards want to become wanted criminals in the EU since they all presumably have strong ties in Ireland).

Secondly because any European business which is sharing data with another entity has a duty to make sure that entity is GDPR compliant, so not beeing GDPR compliant most likely means closing all the talk to forums and not getting any advertisement money from any business with operations in the EU/Ireland.

tsue921i8wljb3

Bob24 wrote: »

It is not a viable option no matter what and people in charge of running this site are definitely not crazy enough to even consider it.

Firstly because as outlined by another poster already GDPR would apply anyway regardless of where the company is based (and saying “how will it be enforced?” doesn’t address that point as I doubt people involved with boards want to become wanted criminals in the EU since they all presumably have strong ties in Ireland).

Secondly because any European business which is sharing data with another entity has a duty to make sure that entity is GDPR compliant, so not beeing GDPR compliant most likely means closing all the talk to forums and not getting any advertisement money from any business with operations in the EU/Ireland.

Fair enough. It probably was a bit out there as an idea.

How are similar sites planning to deal with this does anyone know? Will Reddit, for example, delete everything I've ever posted (I'm not a member) if requested?

Hurrache

Bob24 wrote: »

Ithe talk to forums and not getting any advertisement money from any business with operations in the EU/Ireland.

There's another thing, data transferred within the Talk Forum. What scope do they come under, Sky's for example in their case, boards.ie, both?

Permabear

This post has been deleted.

Bob24

Hurrache wrote: »

There's another thing, data transferred within the Talk Forum. What scope do they come under, Sky's for example in their case, boards.ie, both?

Both. If they query personal information through PMs to identify customers Sky is what is called a “data controler” in the regulation and while it depends exactly how they operate I would guess boards is both a “data controler” and a “data processor” (and as any data controller has a duty to make sure any data processor it is using is GDPR compliant Sky would have a duty to make sure boards is GDPR compliant before having their customer data stored and exchanged through boards).

dudara

Permabear wrote: »

This post had been deleted.

The standards of data privacy vary across the US, from state to state. As US national standards as a whole do not meet GDPR standards, organisations have to use other measures to provide reassurance that data transfers are protected. US companies can voluntarily sign up to the Privacy Shield which assures that the data privacy standards employed by the company are adequate to protect data transfers from the EU.

Certain countries, like Switzerland, are not implementing GDPR, but their standard of data privacy laws means that they are considered Adequate countries. In other words, data can be transferred safely from the EU to Switzerland (or other Adequate country) without having to employ additional tools to secure the transfer.

Hurrache

Permabear wrote: »

This post had been deleted.

I don't think it does, doesn't seem like they've updated the policy for GDPR?

Bob24

Permabear wrote: »

This post had been deleted.

It is a replacement for “Safe Harbour” which was declared invalid by the European Court of Justice (both are sets of privacy principles allowing multinational companies to transfer personal data of EU citizens to the US).

But the same guy who got Safe Harbour invalidated (Max Schrems, he also is the guy who annoyed Facebook and the Irish DPC and forced them to implement subject data access requests when they were legally obliged to but didn’t) has said he believes this can also be challenged and I think he is already working on it.

PS: Schrems has established an NGO dedicated to legally pushing for enforcement of European privacy regulations, good to be aware of as he has a track record of achieving significant results with limited means: https://noyb.eu/

dudara

Yup, there are mechanisms like the Privacy Shield and Standard Contractual Clauses which can be used to protect data transfers from EEA to non-EEA countries. However, due to legal actions like that of of Schrems, they are being challenged as not providing enough adequacy. For now, they stand but that could change.

Bob24

Bob24 wrote: »

PS: Schrems has established an NGO dedicated to legally pushing for enforcement of European privacy regulations, good to be aware of as he has a track record of achieving significant results with limited means: https://noyb.eu/

On this I am member of noyb and just saw the following in a newsletter they sent today:

noyb wrote:

Within the next week, we will send you an update on noyb internals and our first complaint which is planned for May 25th – the day the GDPR comes into effect!

So if companies still think they have time get organised they are wrong. There are people around who have cases ready based on GDPR and are just waiting for the regulation to enter into effect (and I hope the Irish DPC is appropriately staffed as most big internet companies are regulated in Ireland for their EU operations so they'll probably get a good list of complaints next week)

dudara

Incidentally most European regulators have said that they are not adequately resourced or provisioned to deal with the new regulation and the increased volume of complaints it will bring. Many regulators are going to work on a best effort / most priority basis. I know the Irish DPC has invested heavily but whether it will be enough remains to be seen.

Bob24

dudara wrote: »

Incidentally most European regulators have said that they are not adequately resourced or provisioned to deal with the new regulation and the increased volume of complaints it will bring. Many regulators are going to work on a best effort / most priority basis. I know the Irish DPC has invested heavily but whether it will be enough remains to be seen.

Yes I can imagine most of them will be very pressured at least initially and will have difficulties to cope. But while I can't find a source now I seem to remember reading that in a way GDPR also regulates regulators and imposes certain standards/targets on them in terms of how they deal with complaints (partly because in the view of many EU countries our DPC was being too lax and too slow in their dealings with multinational companies operating across Europe from Ireland). So I am not 100% sure but I think regulators working on a best effort basis might not always be acceptable and they might have some obligations to deliver.

TheValeyard

Boards.ie: Niamh wrote: »

Dollylama and RandomString, I'm afraid you don't meet the posting requirements yet to be allowed post in the Feedback forum so I have had to remove your posts. You need to be a member for 3 months and have 100 posts to be allowed to post in Feedback.

Edit: ditto Murray TheDemonic TalkingSkull, not registered long enough yet.

Actually closed one account and changed my name, been here for years.

Beasty

Murray TheDemonic TalkingSkull wrote: »

Actually closed one account and changed my name, been here for years.

That's irrelevant. Your current account has not been in place for the requisite 3 months. Please PM me if you wish to discuss this further

StupidLikeAFox

It's not exactly reinventing the wheel to anonymise a users posting history. Just give them a different username that's unique to the thread and that would prevent people. Would take ages to run the script but it would surely be done in a couple of weeks, and could be automated for future closures.

Also, it's a bit mad that there isn't some kind of a high level strategy that boards could share with just 8 days to go to the deadline. For a user driven site this should surely have been done and dusted ages ago.

Hurrache

The New York Times has an article about Helen Dixon and be how she'll be the most important regulator in tech as a result of GDPR

https://www.nytimes.com/2018/05/16/technology/gdpr-helen-dixon.html