GDPR and Boards.ie post removal policy **update linked in OP 24/5/18**

oscarBravo

beauf wrote: »

Your only point seems to be it will be ruin threads. When it's very likely it will only effect threads that aren't been accessed anymore.

I'm not sure how you arrived at that conclusion. Let's imagine that (say) permabear invoked his right to be forgotten next Friday, and that that involved all his posts being deleted, including quotes from those posts in other people's posts.

How much sense do you suppose this thread would make once that had happened?

Just go back and read the thread from the start, and mentally remove all his posts and quoted replies. Do you see the problem?

beauf

One this thread is still active. So creating a new user name for the posts in this thread which is active would be more appropriate. His old inactive threads could be deleted...

There can be multiple ways of dealing with it. Seems simple to me.

Beasty

Just to be absolutely clear I am not a lawyer. The "tone" of any of my posts reflects that fact.

RHJ

This post has been deleted.

Permabear

This post has been deleted.

RHJ

This post has been deleted.

pleas advice

Franz Von Peppercorn wrote:

The problem is the quotes reference the name and a number and it’s in the text.

So the text of this post contains your username.
...

This is an issue where a user changes the username on their account. Are all previous usernames stored somewhere? Some mods change their usernames regularly, the 'Find all posts that quote' function only brings up posts since the last name change.

oscarBravo

Permabear wrote: »

This post had been deleted.

The problem is that you're approaching this from the perspective that the GDPR grants sweeping, unqualified rights to individuals that Must Be Obeyed without qualification or question.

This website exists for the purpose of facilitating conversations. Blithely allowing swathes of those conversations to be deleted would be actively harmful to the raison d'etre of the site. That harm needs to be balanced against the right to be forgotten.

RHJ

This post has been deleted.

TheChizler

What's the difference between this site and say a newspaper? Newspapers print identifying info about individuals all the time. Quite a lot of it would be about stuff not in the public interest, just part of their business.

If a newspaper got a request for deletion under GDPR by someone they had once done a lifestyle piece on for instance, following the logic of some posts here they would have to delete all the articles on this person from their website (Would they also have to round up all printed copies they can find and cut out the article as well, of does electronic media fall under different data protection standards?).

I feel like the obvious answer is that they wouldn't have to, but I'm not trying to be facetious, I genuinely don't see why the two forms of processing information would be treated differently.

Since the posts on Boards are in the public realm are they subject to the same rules as say an advertising company collecting your data?

Hurrache

kippy wrote: »

Not sure the relevance.
Hypothetical scenario.
My username is storage. I want all threads and PMS where my name is mentioned deleted. I also want all references to me removed from any and all backups.
What would the impact be on this thread alone?

This thread alone wouldn't see any posts deleted but what about references to my username?

oscarBravo wrote: »

Just go back and read the thread from the start, and mentally remove all his posts and quoted replies. Do you see the problem?

The impact on this thread, or any other thread, is completely irrelevant if the posts are required to be removed.

Permabear

This post has been deleted.

Captain Obvious

RHJ wrote: »

This post has been deleted.

Only for a certain period though isnt it? They are permanently archived after a few months.

blackwhite

Permabear wrote: »

This post had been deleted.

That needs to be qualified - there’s a number of valid reasons that a company can give to refuse a request. It’s not an absolute right under GDPR.

There’s a “legitimate business reason” clause; there’s a legal necessity clause (unlikely to apply often to boards) would be two examples.

There’s also a get-out for requests that are “manifestly unfounded or excessive”.

GDPR certain expands on a number of individual rights, but it’s not a Carte Blanche one sided piece of legislation either.

Jasnah

The Reddit example is quite interesting. I'm also a user there and it's happened to me quite frequently to come across old threads where the content of posts has been deleted by the OP before their account was deleted. So it is certainly possible there.

Having come across this issue, I agree with previous posters that this is inconvenient. But that's not the point. The law isn't concerned with what is convenient for the company running the site or the users who want to consult the data, it's concerned with the person who submitted it and how they want their data used.

pleas advice

Captain Obvious wrote: »

Only for a certain period though isnt it? They are permanently archived after a few months.

I just deleted a post i made 3 years ago, it's possible to edit them as well, but not add new comments to threads over 6 months old

Hurrache

TheChizler wrote: »

Wha

If a newspaper got a request for deletion under GDPR by someone they had once done a lifestyle piece on for instance, following the logic of some posts here they would have to delete all the articles on this person from their website (Would they also have to round up all printed copies they can find and cut out the article as well, of does electronic media fall under different data protection standards?).

I can't just walk into your house and read any newspaper you have.

Permabear

This post has been deleted.

RHJ

This post has been deleted.

Permabear

This post has been deleted.

Trojan

Permabear wrote: »

This post had been deleted.

If the posts are anonymised - associated with randomly generated usernames only consistent within a single thread - then there's a strong argument to be made that they are not identifiable. Personally, I think that's the best balance between deleting personal data and maintaining integrity of conversations.

Permabear

This post has been deleted.

Bob24

TheChizler wrote: »

What's the difference between this site and say a newspaper? Newspapers print identifying info about individuals all the time. Quite a lot of it would be about stuff not in the public interest, just part of their business.

If a newspaper got a request for deletion under GDPR by someone they had once done a lifestyle piece on for instance, following the logic of some posts here they would have to delete all the articles on this person from their website (Would they also have to round up all printed copies they can find and cut out the article as well, of does electronic media fall under different data protection standards?).

The difference is that a newspaper would be covered by this exception defined in the regulation: https://gdpr-info.eu/recitals/no-153/

"Member States law should reconcile the rules governing freedom of expression and information, including journalistic, academic, artistic and or literary expression with the right to the protection of personal data pursuant to this Regulation. The processing of personal data solely for journalistic purposes, or for the purposes of academic, artistic or literary expression should be subject to derogations or exemptions from certain provisions of this Regulation"

So no problem for them.

There are also other grounds for exemptions, for exemple if retaining the data is a legal requirement (typically: since your bank has a legal requirement to retain your identification documents and financial transactions history because of AML regulation, GDPR of course doesn't grant you the right to ask them to delete that data).

In short, the regulation has been made fairly restrictive by default but it also recognises that there are cases where it should not apply (so if boards decided not to delete data it would have to explain which one of those exceptions they are basing their decision on - they might have grounds for it in some situations, but it is not evident to me which exemption that could be based on why I know about GDPR and what has been said on this thread).

RHJ

This post has been deleted.

Beasty

I was at the cup final today. Does that information fall within these rules? It cannot be used to identify me. There were over 87,000 others there. Not only that but only Manchester United FC and possibly Wembley stadium and security services know I was sold a ticket. They do not know I used it though. I could have sold it to a friend or a tout.

I may or may not have mentioned this on another social media site. Can anyone link that if I did? I doubt it as there were hundreds of people at Dublin Airport this morning with the same intention.

That info is personal but cannot be used to identify me.

Again though I am not a lawyer but it would appear to me strange if anyone believes everything they have posted on this site can be used to identify them

Ultimately though none if us Admins know what the official line will be in this. We can contribute to discussions but are not in any position to comment on what the official line will be.

Trojan

Permabear wrote: »

This post had been deleted.

It grants the right to have personal data erased.

Personal data being as you already quoted "defined as any information about an identified or identifiable person".

Therefore removing the identifying data, i.e. the username, leaves the post content, which is now no longer identifiable as it is not linked to the rest of the user's post history.

In some cases, e.g. where a poster includes very, very specific details: what road they live on, their phone number (which we already delete), etc, only in those cases does the post actually need to be deleted - or edited.

Permabear wrote: »

This post had been deleted.

Sorry, P, I don't agree with you there.

Hurrache

Beasty wrote: »

I was at the cup final today. Does that information fall within these rules? It cannot be used to identify me. There were over 87,000 others there. Not only that but only Manchester United FC and possibly Wembley stadium and security services know I was sold a ticket. They do not know I used it though. I could have sold it to a friend or a tout.

I may or may not have mentioned this on another social media site. Can anyone link that if I did? I doubt it as there were hundreds of people at Dublin Airport this morning with the same intention.

That info is personal but cannot be used to identify me.

Again though I am not a lawyer but it would appear to me strange if anyone believes everything they have posted on this site can be used to identify them

Ultimately though none if us Admins know what the official line will be in this. We can contribute to discussions but are not in any position to comment on what the official line will be.

You're being a tad facetious with that post. However there is enough posts in the cycling forum to probably identify you, and other posters

I had chips from dinner, bought in Macaris. That can't be used to identify me.

But if I posted my finishing time or position in a race etc you could easily get my name and age range.

Some forums have nicely structured tables with such information handily available so you don't even have to ead through the relevant threads.

I know a number of people in real life and their boards.ie user profiles, and I'm sure vice versa, without ever having even discussed if we're members or not.

Practicality says all posts belong to a user gets removed, if any, rather than leaving the ones saying what had for dinner.

hullaballoo

The GDPR is about balancing competing rights, not about putting the private individual's rights above and beyond the reach of anything else.

That's an impossible objective for any functioning society.

There will be plenty of litigation on this imo but I think some people will be surprised by how little the bog standard small business is effected by the regulation.

Even within the terms of the GDPR itself, the right to be forgotten is limited. It's absolutely not an absolute right. Same goes for restriction of processing. The Oireachtas Bill, which I admittedly haven't read in full, has been criticised for doing a standard Irish government job and being quite restrictive of the so-called rights under GDPR. You might well argue the Oireachtas has no power to do so when EU regulations are prescriptive, supreme and directly effective but the scope is in-built in the GDPR for derogations and restrictions of rights.

The above is just my personal view. It's not legal advice nor is it the official boards.ie position. We won't know what the official position will be until the site has heard from its legal advisors.

blackwhite

Permabear wrote: »

This post had been deleted.

Joe poster needs to demonstrate the every post meets the definition of personal data - it’s still speculation as to whether the posts would constitute it or not (based on guidance I’ve seen at work I’d say for 99% of posts wouldn’t meet the definition of personal data - but that remains to be seen TBH).

And I’d definitely say that claiming every single post is personal info would like fall under the “manifestly excessive” get-out

RHJ

This post has been deleted.