GDPR and Boards.ie post removal policy **update linked in OP 24/5/18**

Comments

  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    Hurrache wrote: »
    The New York Times has an article about Helen Dixon and how she'll be the most important regulator in tech as a result of GDPR

    https://www.nytimes.com/2018/05/16/technology/gdpr-helen-dixon.html

    "She is eager to test her newfound power"

    I don't believe a word of this sentence to be honest ;-)

    I understand why they have been doing that (it is in our economic interest for these companies to feel comfortable here), but both she and her predecessors have often seen their role as trying to make EU regulation look enforced while having the most limited practical impact on the likes of Facebook and Google (which is why most big cases have been referred to the ECJ). Call me cynical but I'd say this type of article/interview is a PR exercise towards achieving that goal.

    I have mixed feelings about this to be honest: on the one hand I would like these companies to keep operating here so I understand what has been done by our DPCs, but on the other hand I strongly believe in these privacy rules and I think it makes zero sense for very powerful companies operating across Europe to be regulated by the understaffed regulator of a small country which has a vital economic interest in keeping these companies happy (it is obviously not Ireland's fault if the regulation works that way, but in my view it is causing a conflict of interest for the regulator). It would probably be better for everyone (except those companies) if the regulator was an external party: Irish authorities wouldn't have to worry about incommoding companies which are key to the Irish economy as it wouldn’t be their responsibility anymore, and that external agency wouldn’t have to hold back in the way they enforce regulation which would be good for EU residents.


  • Closed Accounts Posts: 1,198 ✭✭✭testicles


    This post has been deleted.


  • Registered Users Posts: 10,229 ✭✭✭✭Hurrache


    That's hair splitting levels.


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    testicles wrote: »
    She personally won't be as there will be 3 commissioners in Ireland then.

    Can you expand on the 3 commissioners? I am not aware of that and would be interested.


  • Closed Accounts Posts: 7,070 ✭✭✭Franz Von Peppercorn


    Actually closed one account and changed my name, been here for years.

    You’d think they’d know that :-p


  • Closed Accounts Posts: 1,198 ✭✭✭testicles


    This post has been deleted.


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    testicles wrote: »
    Section 15 of the Data Protection Bill 2018

    Thanks I wasn’t aware of these changes.

    Having said that I see in the bill that while there can be up to 3 commissioners, one of them will be appointed chairperson of the commission.

    So there will still be someone who can personally be called the regulator (which makes sense as someone needs to be held accountable for what the commission is doing).


  • Closed Accounts Posts: 39,022 ✭✭✭✭Permabear


    This post has been deleted.


  • Registered Users Posts: 272 ✭✭BowSideChamp


    What information does boards have on users who sign up using Twitter, Google accounts. Do they have their actual names as well as email accounts?


  • Closed Accounts Posts: 212 ✭✭Boards.ie: Sean


    So, I just want to give an update regarding some of the GDPR issues that are being discussed in this thread, particularly regarding the status of posts and what obligations, if any, we have under GDPR to delete them upon request and regarding closed accounts.

    Amongst the many other things we are doing to prepare for GDPR, we are working with our legal team to clarify where and how GDPR relates to Boards and what our obligations are under the regulation.

    In terms of requests by a member of Boards to delete all their posts, we have already sent that specific query to the legal team and should have their response back in the coming days and prior to 25 May. Internally, we have a view on what we are required to do and what we are not, but rather than speculate at this stage I think it is more sensible to wait until we get the legal advice. It is our intention to follow that legal advice, whatever it may be, and I am more than happy to share that advice on this thread when we receive it.

    Some people may disagree with the interpretation of GDPR that our legal team has arrived at (whatever that interpretation may be) but I think this will be the case for many aspects of GDPR, there will be differing interpretations of what the regulation implies and there will have to be a settling in period after the 25th where a lot of these issues get clarified and tied down.

    So let's see next week what the lawyers say regarding deletion of posts.


  • Closed Accounts Posts: 9,057 ✭✭✭.......


    This post has been deleted.


  • Closed Accounts Posts: 212 ✭✭Boards.ie: Sean


    Regarding closing of accounts, currently when an account is closed all personal data associated with that account is deleted from the database other than the Boards username and the IP address used when registering. So we delete any email addresses, actual names, social media handles, birth dates etc. we hold. We do not delete any posts made by the user.

    We keep the Boards username (which is now not associated with any personal data) as this username is still associated with a set of posts on the site, which remain even after account closure (unless our legal advice is that this is not permissible under GDPR - see my previous post).

    We are currently updating our close account function to also delete the IP address used when registering in order to be GDPR compliant. This update will be in place by 25 May and will apply to any new account closures. Once live we will also delete any IP addresses in the database associated with previously closed accounts so no account closures, either historic or new, will have this information associated with them.

    In terms of tracking users after they requested their account to be closed, we don't implement tracking mechanisms that are associated with closed accounts. We do have anti-spam methods that, while not foolproof, do help us detect various spamming attempts on the site (for example spammers registering, being banned and re-registering under a different username). However, these anti-spam methods are based on monitoring and information associated with individual posts, not user accounts. And we are also checking with the legal team that these methods are GDPR compliant (and if they're not we'll change them to make sure they are).


  • Boards.ie Employee Posts: 12,597 ✭✭✭✭✭Boards.ie: Niamh
    Boards.ie Community Manager


    ....... wrote: »
    This post has been deleted.

    I've replied to your other thread there but can merge it in here if you prefer.


  • Closed Accounts Posts: 1,198 ✭✭✭testicles


    This post has been deleted.


  • Closed Accounts Posts: 9,057 ✭✭✭.......


    This post has been deleted.


  • Boards.ie Employee Posts: 12,597 ✭✭✭✭✭Boards.ie: Niamh
    Boards.ie Community Manager


    ....... wrote: »
    This post has been deleted.

    I'll leave it where it is, it's a question other people are likely to ask as well and might get lost in here.


  • Registered Users Posts: 16,413 ✭✭✭✭Trojan


    testicles wrote: »
    This post has been deleted.

    What does it matter when they get the advice, so long as they have their processes in place for the date of implementation of the regulation?


  • Closed Accounts Posts: 212 ✭✭Boards.ie: Sean


    testicles wrote: »
    This post has been deleted.

    We take legal advice on a regular basis. All I'm saying is that on the particular question of user requests for deletion of all their posts and whether this is required under GDPR we are awaiting final advice from our legal team.

    And irrespective of whether we take advice 2 years, 2 weeks or 2 days before the deadline, I think the more important issue is that we both take advice, get the feedback and make any changes required based on the feedback prior to the 25 May deadline, because ultimately that is the only real date that counts :) And that is the timeline we are working towards.


  • Closed Accounts Posts: 9,057 ✭✭✭.......


    This post has been deleted.


  • Registered Users Posts: 10,229 ✭✭✭✭Hurrache


    R

    In terms of tracking users after they requested their account to be closed, we don't implement tracking mechanisms that are associated with closed accounts. ......., not user accounts. And we are also checking with the legal team that these methods are GDPR compliant (and if they're not we'll change them to make sure they are).

    I don't think this is true. You do check if emails used to create an account have been used before, therefore you must hold on to email addresses.


  • Registered Users Posts: 4,165 ✭✭✭Captain Obvious


    So does that mean users that are simply banned will not have their IP addresses removed? The issue with rereg trolling is already pretty bad, particularly in AH. I'd hate to see it get even worse.


  • Closed Accounts Posts: 212 ✭✭Boards.ie: Sean


    Hurrache wrote: »
    I don't think this is true. You do check if emails used to create an account have been used before, therefore you must hold on to email addresses.

    So, what's happening here is as follows ...

    When an account is closed, prior to deleting the email address associated with that account, we take a hash of the email address and store the hash in a separate table that is not linked to the user account. The personal data in the user account is then deleted, including the email address.

    So, what is left after deletion is a separate table containing a list of hashed email addresses from closed accounts. As you know, hash functions are one way, if we have an email address we can create a hash but if we have the hash we cannot re-create the original email address. So we are not storing any personal data in that table and the hashes in the table are not linked to any account or Boards user.

    When a new user is registering they enter an email address and as part of the registration process we take a hash of email address and check to see if the same hash is contained in the table I've described above. If it is then we know that the new registration is trying to use the same email address as a previously closed account and we don't complete the registration. We do this to stop malicious re-registering.

    The hashes in the table have a time stamp and 40 days after being added to the table they are removed from it. What this means is that if you close an account and within 40 days try to use the same email address when setting up a new account, you won't be able to.

    However, if it's more than 40 days after closing an account then you can use the same email address with a new account.

    But in all cases, once you close an account the email address is deleted and there is nothing in our database that allows us to access or re-create that email address.
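An added illustration of the scheme described in the post above (not Boards.ie's code): a separate, unlinked store of email digests with a 40-day expiry, checked at registration. The class and method names are hypothetical, and the keyed HMAC-SHA256 with a server-side secret is an assumption, since the post does not name a hash function.

```python
import hashlib
import hmac
import time

RETENTION_SECONDS = 40 * 24 * 3600  # the 40-day window stated in the post


class ClosedAccountBlocklist:
    """Digests of emails from closed accounts, stored with no link to any account."""

    def __init__(self, secret_key: bytes):
        # Assumption: a server-side secret held outside the database.
        self._key = secret_key
        # digest -> time added; stands in for the separate table in the post.
        self._entries = {}

    @staticmethod
    def normalise(email: str) -> str:
        # Assumption: addresses match case-insensitively, ignoring outer whitespace.
        return email.strip().lower()

    def digest(self, email: str) -> str:
        # Assumption: HMAC-SHA256. Unlike a bare hash, membership of a candidate
        # address cannot be tested from a copy of the table without the key.
        msg = self.normalise(email).encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def record_closure(self, email: str, now: float = None) -> None:
        # Called just before the account's email address is deleted.
        now = time.time() if now is None else now
        self._entries[self.digest(email)] = now

    def registration_allowed(self, email: str, now: float = None) -> bool:
        # Refuse only if the digest is present and still inside the window,
        # so a late purge job never extends the block past 40 days.
        now = time.time() if now is None else now
        added = self._entries.get(self.digest(email))
        return added is None or now - added >= RETENTION_SECONDS

    def purge_expired(self, now: float = None) -> int:
        # Periodic job: drop digests older than the retention window.
        now = time.time() if now is None else now
        expired = [d for d, t in self._entries.items() if now - t >= RETENTION_SECONDS]
        for d in expired:
            del self._entries[d]
        return len(expired)


if __name__ == "__main__":
    bl = ClosedAccountBlocklist(b"constructed-demo-key")  # constructed sample values
    t0 = 1_526_000_000.0
    bl.record_closure("Former.User@example.com", now=t0)
    print(bl.registration_allowed("former.user@example.com", now=t0 + 10 * 86400))
    print(bl.registration_allowed("former.user@example.com", now=t0 + 40 * 86400))
    print(bl.purge_expired(now=t0 + 41 * 86400))
```
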


  • Registered Users Posts: 10,229 ✭✭✭✭Hurrache


    Ok, I was wondering alright if they were hashed. Interesting to see if that's adequate for GDPR though as email addresses are still held in some form, albeit in a hash table. Data privacy campaigners will push the law to see how far its reach is.


    Cheers for the explanation.


  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 76,290 Admin ✭✭✭✭✭Beasty


    Trojan wrote: »
    What does it matter when they get the advice, so long as they have their processes in place for the date of implementation of the regulation?

    Arguably the later you leave it the better the advice, as with anything like this the lawyer's views will evolve as they are asked more detailed questions. I'm not saying it's best leaving everything to the last minute, but equally it's more efficient, and indeed cheaper, to learn from what others have already gleaned.

    Having said that there will be an extended period while business starts adapting to the day to day practicalities, including how they approach any requests made under the legislation. Indeed I've received more than one communication setting out differing approaches to the new legislation and indeed how you opt in or out of certain things. You may find that things are approached differently in, say, 6 months, as organisations adjust to realities as opposed to the theory.


  • Closed Accounts Posts: 212 ✭✭Boards.ie: Sean


    So does that mean users that are simply banned will not have their IP addresses removed? The issue with rereg trolling is already pretty bad, particularly in AH. I'd hate to see it get even worse.

    No, if banned the registration IP address will not be deleted. All users, including banned users, can still log into their Boards account and in the Control Panel can select the Close Account option. In that case the IP address is nuked but otherwise we will still have access to it.


  • Closed Accounts Posts: 212 ✭✭Boards.ie: Sean


    Hurrache wrote: »
    Ok, I was wondering alright if they were hashed. Interesting to see if that's adequate for GDPR though as email addresses are still held in some form, albeit in a hash table.


    Cheers for the explanation.

    That's something that we'll have to see and I think it will only become clear in the weeks and months after the 25th. I think we would have pretty strong grounds to stand on in that:

    - the email address is not held in the clear but is hashed

    - it is stored for 40 days and then the hash itself is wiped

    - it is necessary to help prevent spamming and malicious re-regs which could be argued puts it under the "legitimate interest" section of GDPR

    ... but hey, I'm no lawyer!!


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    Trojan wrote: »
    What does it matter when they get the advice, so long as they have their processes in place for the date of implementation of the regulation?

    My point is not to blame anyone here, but I think it is obvious why taking legal advice on these core questions just a week before enforcement is surprising.

    What will boards do if the legal advice they get involves weeks or months of development work / process changes to become compliant? (it might end up being fine but in my view there is a material risk of having to disable certain features on the website until they can be made compliant)

    Not to mention that a hard part before even fixing non-compliance issues is to find these issues. Doing this requires an audit of all data held and all processes by someone who is familiar with the regulation (i.e. you cannot just ask questions to a legal advisor, you also need them to help you find out what the questions are).

    This is the reason the final regulation was published well in advance of its enforcement date: many organisations needed several months/years to get ready for it.


  • Registered Users Posts: 16,413 ✭✭✭✭Trojan


    Bob24 wrote: »
    My point is not to blame anyone here, but I think it is obvious why taking legal advice on these core questions just a week before enforcement is surprising.

    To be honest, I read the other user's post as someone just wanting to have a pop at boards. Perhaps I'm wrong.

    And I speculate that some folks are suddenly becoming interested in GDPR regulation when it might allow them to get away with trolling.

    Beasty wrote: »
    Arguably the later you leave it the better the advice, as with anything like this the lawyer's views will evolve as they are asked more detailed questions. I'm not saying it's best leaving everything to the last minute, but equally it's more efficient, and indeed cheaper, to learn from what others have already gleaned.

    100% agreed. In fact we're seeing this in the web development world right now - WordPress just today released a new update which includes several features that make GDPR compliance a bit easier. And they're not the only ones - there are lots of new cookie blocking services becoming available (at different levels of sophistication). Things are happening at "internet speed" with regard to GDPR this week.


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    That's something that we'll have to see and I think it will only become clear in the weeks and months after the 25th. I think we would have pretty strong grounds to stand on in that:

    - the email address is not held in the clear but is hashed

    - it is stored for 40 days and then the hash itself is wiped

    - it is necessary to help prevent spamming and malicious re-regs which could be argued puts it under the "legitimate interest" section of GDPR

    ... but hey, I'm no lawyer!!

    Here is the relevant section of GDPR related to data hashing in my opinion: http://www.privacy-regulation.eu/en/r26.htm

    The highlighted part below is probably what is open to interpretation in this case and to me it looks like there is no easy black or white answer and one could argue either way:

    Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.

    To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.


  • Registered Users Posts: 16,413 ✭✭✭✭Trojan


    On the one-way hash thing, I think that you'd have a very difficult time arguing that that is personally identifiable.


This discussion has been closed.