GDPR EU legislation
-
In power from 28.05.2018.
What is the stance of bbPress core about it?
What needs to be done? I have not seen that anyone is working on a plugin for compliance.
-
To be honest I’ve only just started thinking about it.
We should probably start with a Trac ticket, then start discussing it in Slack.
You are not the only one. Today was the first time I heard about it.
It involves a bit of design consideration. A checkbox when submitting a topic or reply. An option for the user to be able to delete their account with all comments. A dedicated page for bbPress about what is saved in the database. Some are strange and complicated. What to send to the user when they ask what bbPress is collecting in the database.
I have been busy with it for a while. In fact the ideas behind GDPR are not new, it just that now they become clear and mandatory. Data protection has and should always be priority one.
GDPR is now specifying that how and what things are done need to be completely clear. When a user asks ‘what do you collect’ or ‘give me my data’, it can be as simple as a CSV file with all data (user profile, topics, replies), which seems to comply.
The ‘right to be forgotten’ is the one that needs much more investigation. Deleting the user is easy, deleting the replies too. But what about topics that were started and have replies from others? Or replies to the replies of this user? How about backups? How about search engines that indexed public forums? Mentions to this user?
I have started drafting some things that I will share (hopefully next week) with the bbPress team with my thoughts. I hope it can serve as an extra guideline.
Some say any reply that could reveal a person’s identity needs to be removed, if the user wishes so.
If, only if, it is true, there is no way any forum owner/admin will ever bother searching through thousands of a user’s replies. The whole account and all replies will be deleted. It will leave a mess, but will save the admin’s hours, days and nerves.
Especially as it is a gray area. What is personally “revealing”? The admin would not only need to quickly browse through replies, but study them very well. I cannot imagine any admin would like to lose so much time on this stupid thing.
The second big problem is quotes, and nested quotes. How to deal with it? Of course, if it is true about replies at all.
My personal feeling is that this law, regulation, is made specifically to target Facebook and Twitter. How will they deal with it? The bbPress problem is a piece of cake compared to them.
I agree that it might leave a mess if done incorrectly, but don’t forget the main point: Clear and Plain language when asking for the Consent. My personal view is that you could explain what is kept (because impossible to find) and what is deleted. So deleting the user, blanking the topic but leaving replies (?), removing the @mentions and full names (?), but there is no way we can remove firstnames only or screen each and every message manually. Just be very clear, that’s the starting point.
As for Facebook and Twitter, I have to disagree. The GDPR is to protect the user in ANY system. Breaches can happen anywhere and personal data protection needs to be the highest priority, regardless of the system.
Interesting – I have to follow this topic.
We will have weekly meetings on slack in the #gdpr-compliance channel. So if you are on slack, feel free to join. Core will be the discussion, but bbPress and others will follow based on that outcome of course.
Great! Thank you – how can I join? Is this already active? Sorry, I am a Slack dummie ^^
OK, so we need to look at exactly what this law does.
The law is here: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32016R0679
and from my reading you can pretty much forget the scare stuff in Google!
Ignore the recitals (they are not part of the law) and skip to the actual articles.
So first, scope:
Article 3 says: This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
So what is processing?
Article 4(2) says: ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
And what is personal data?
This is defined by Article 4(1), which states: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);
And goes on to define what identifiable means (as opposed to, say, anonymised data):
an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
So personal data is information relating to a ‘data subject’ that is processed. So NOT a comment written by that data subject, or other people’s views on either the data subject himself or on the data subject’s views. If it is wrong, defamatory or libellous then this is already covered by existing law.
There is no requirement to delete topics or replies as far as I can see.
A good analogy would be if I had a newspaper subscription. If I cancel the subscription to their on-line service, then I would expect them to delete my name, address, bank account details or anything else they hold in connection with that subscription. The legislation as far as I can see does not require them to delete their on-line coverage of my wedding, nor the comment I put in the comment box under that news story about Madonna adopting another child. Neither of those is personal data. Nor is someone else’s @mentions of my name. Otherwise we could all just write to every paper, and no-one could publish anything about us ever again !!!
If this law really gave you the right to have posts removed, then this would be huge and making headlines. For instance the newspapers would be all over the fact that after April Facebook, Instagram twitter etc. would have to delete all posts made by me, or about me or where I could be identified. This would be a MEGA story – and we would all know about it by now.
It IS appropriate for website owners to consider – as if asked to delete a user, you would need to totally remove their existence not just from the current WordPress database (which deleting a user does) but also from any membership plugins, WooCommerce plugins, etc., etc.
But I see no way that bbpress needs to worry about this law.
But I’m not a lawyer.
If you haven’t joined up for WordPress’ Slack please do 🙂
Please remember though, the discussions on WordPress’ Slack will be about adding GDPR to WordPress Core, as bbPress and BuddyPress are official “sister projects” of the WordPress project we’ll be for the most part following and implementing the solution WordPress Core decides upon, this will be implemented across these bbPress.org, buddypress.org, and wordpress.org support forums and shipped in an upcoming bbPress release 🙂
If a person writes on a forum that he/she was on vacation in Cuba, and puts up some pictures of himself/herself. Later asks for all you have in your database that could identify him as a physical person to be deleted. What then?
These issues will be discussed as part of the research into the final solution @stagger-lee
I just added you to the #gdpr-compliance Slack channel @stagger-lee 🙂
Will try to see discussion on Slack, thank you. We can chat about it here too, why not.
@Robin W, our analogy with newspapers and similar commercial services is a bit wrong, I think anyway. No law can force them to delete everything in their database(s), simply because they need that data to pay VAT, to report to the state what they had in income. They are exceptions, and have to be. Amazon will never be forced by this law to delete your profile. On the other side, Twitter and Facebook will be forced by this law a lot; that is why I mentioned them. As I get it, it is like this:
– Robin W asks for this law to be respected here on this domain “bbpress.org”, and for all (identifiable) personal info about him to be deleted.
– After this is done, can the admin of this domain, webmaster, owner, or I as Stagger Lee find anything, anything on this domain, to threaten Robin W, find his physical postal address, kill him, threaten his family, etc., etc.? A colourful example, but I believe that is it.
As a private person I like this regulation, really a lot.
– No more selling your data to third parties around. They have to write clearly what they collect, and to whom they give it. (Facebook, Google and Twitter: no more dirty tricks with advertisements and silently following people around with different scripts.) They will be forced now to reveal all those secrets and what they do.
As a web designer and developer, of course not.
– For a long time in the future there will be many unknowns, uncertainties. What to do? The regulation is, like anything in the EU, very bureaucratic and not clear.
The problem with it, as I personally see it, is that the majority of websites, forums, etc. will never be interesting for them. Nor does anyone have the money and resources to investigate this vast universe, the so-called WWW.
But, but, if only one malicious person who hates you, does not like you, reports your domain to the regulation “officer”, they are forced to launch a full-scale investigation on your tiny, not important, and perhaps non-commercial website. And screw yourself. 🙂
“As a private person I like this regulation, really a lot.
– No more selling your data to third parties around. They have to write clearly what they collect, and to whom they give it. (Facebook, Google and Twitter: no more dirty tricks with advertisements and silently following people around with different scripts.) They will be forced now to reveal all those secrets and what they do.”
I agree with this 100% 🙂
Probably a naive question. In general a person’s posts won’t contain personal information (recognising that @mentions might exist, but a person being deleted might be mentioned in others’ posts too…), so can’t we just delete the user and assign all content to user ‘Anonymous GDPR’? They are then not ‘identified or identifiable’.
This doesn’t help with getting rid of IP address, of course – my understanding is that IP address is classified as ‘personal data’. And there might be other data fields…
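The approach suggested in the post above (delete the account, hand its topics and replies to a placeholder user, and separately get rid of the stored IP address) as an added example. This is not code from the thread, from bbPress or from WordPress core: it relies on the real `wp_delete_user()` reassign parameter and on bbPress storing the author IP in the `_bbp_author_ip` post meta, while the placeholder login `anonymous-gdpr` and the `example_gdpr_*` function names are constructed for illustration.

```php
<?php
/**
 * Added example (not bbPress or WordPress code): anonymise a forum user
 * rather than leaving identifiable traces behind.
 *
 *   1. Find (or create) a placeholder account that will own orphaned content.
 *   2. Strip the per-post identifier bbPress keeps in post meta
 *      ('_bbp_author_ip') from every topic and reply the user wrote.
 *   3. Delete the user and reassign their posts to the placeholder, so the
 *      topics and replies survive but no longer point at a natural person.
 *
 * Assumes WordPress with bbPress active. The login 'anonymous-gdpr' and the
 * function names are illustrative choices, not project conventions.
 */

// wp_delete_user() lives in an admin include that is not loaded on the front end.
require_once ABSPATH . 'wp-admin/includes/user.php';

/**
 * Return the ID of the placeholder account, creating it on first use.
 * Returns 0 if the account could not be created.
 */
function example_gdpr_placeholder_user_id() {
    $placeholder = get_user_by( 'login', 'anonymous-gdpr' );
    if ( $placeholder instanceof WP_User ) {
        return (int) $placeholder->ID;
    }
    $id = wp_insert_user( array(
        'user_login'   => 'anonymous-gdpr',
        'user_pass'    => wp_generate_password( 64, true, true ), // nobody logs in as this account
        'display_name' => 'Anonymous (deleted user)',
        'role'         => 'bbp_blocked', // bbPress role that cannot post
    ) );
    return is_wp_error( $id ) ? 0 : (int) $id;
}

/**
 * Anonymise $user_id. Returns the number of posts whose IP meta was removed,
 * or a WP_Error if no placeholder account is available.
 */
function example_gdpr_anonymise_user( $user_id ) {
    $user_id        = (int) $user_id;
    $placeholder_id = example_gdpr_placeholder_user_id();
    if ( ! $placeholder_id || $placeholder_id === $user_id ) {
        return new WP_Error( 'no_placeholder', 'Could not resolve a placeholder account.' );
    }

    // Every topic and reply authored by the user. 'any' covers the statuses
    // WordPress does not exclude from search (trash is excluded; pass an
    // explicit status list if trashed posts must be covered as well).
    $post_ids = get_posts( array(
        'post_type'      => array( bbp_get_topic_post_type(), bbp_get_reply_post_type() ),
        'author'         => $user_id,
        'post_status'    => 'any',
        'posts_per_page' => -1,
        'fields'         => 'ids',
    ) );

    $scrubbed = 0;
    foreach ( $post_ids as $post_id ) {
        // The stored IP address stays personal data even after the author is reassigned.
        if ( delete_post_meta( $post_id, '_bbp_author_ip' ) ) {
            $scrubbed++;
        }
    }

    // Delete the account (and its usermeta) and hand its remaining content to the placeholder.
    wp_delete_user( $user_id, $placeholder_id );

    return $scrubbed;
}
```

What this deliberately does not cover is the remainder of the thread's concerns: @mentions of the person inside other people's posts, data held by other plugins, web server access logs and backups are all outside the WordPress posts table and need their own handling.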
see above – big difference between personal data, data used to identify and content – 3 different things.
Man, this Slack thing is a complete mess.
I have no clue who is talking there, or what they are talking about. So difficult to follow more than 2 sentences exchanged between people.
Then this annoying GitHub bot is not making things easier.
Hi all,
Thanks for your participation. It was a very first gathering and of course it was a bit hectic.
Like always, everybody wants to have their say, and a more detailed agenda needs to be set so things can get a bit more structured. But please continue to spread the word that we are focusing on Core to get GDPR compliant and will try to create hooks or new functions where applicable so plugins like bbPress can follow.
Hi all,
10 cents from a person having had to live with personal data protection for more than a decade. GDPR is just a revamp of already existing EU legislation which has been implemented in most of the EU member states for years as part of their national legislation. For most people in the EU this will not be a wild thing to implement.
If you read the regulation, you will also find that it has different requirements for different sizes of organisations/companies.
In the EU you will find many sites having a “gate of acceptance” which has to be passed before going further.
This is often supported by an online description of what is stored, how it is used, how long it is stored, what to do when data security is broken and who is the legal entity that handles the data. Further, it is practice to include a link to the national authority for personal data protection.
I am pleased to read that bbPress will look into GDPR at “core level”, as one of the intentions of personal data protection is privacy by design.
The overall philosophy is that you own data about yourself. You may decide if anyone can make a profit out of your personal data.
I much agree with the views of Robin W. Data to identify a person, personal data and content – may be 3 things OR they may be less than three things. If content is a portrait, then it is personal data; if it is a photo of a crowd it is likely not to be. Here we have grey areas.
@Stagger Lee: Amazon may have to delete your profile, but they may keep the transactions in their ledger due to other legislation. Having recalled the permission to make use of your data, Amazon (or any other) may not make further use of (or sell) your personal data. The transaction data however is Amazon’s property, but the content may not be used for marketing purposes or to approach you in the future.
Also – your personal opinion on EU legislation does not bring anything usefull to this thread.
@Pascal Casier: Please do not overdo it.
– Think privacy by design.
– Think that you are the owner of your personal data and that you may recall any permissions given at any time.
Any web/bb/blog owner should think about the logical and physical safety of the data he/she stores and the handling he/she may do.
A remotely hosted web/bb/blog is another issue. This cannot be dealt with in the “core” or any program.
How can you say it will not be a big deal for bbPress, WP, sites when right now there is not even close to an option to send an export to people when they ask what you have about them in the database.
Should all owners of WP, bbPress, websites, use phpMyAdmin to search for hours and export what is needed? So, keep your personal opinions to yourself, and reply with your own words.
“For most people in EU this will not be a wild thing to implement.”
@stagger-lee please be more careful with your comments; people are entitled to opinions and you are entitled to disagree. You are not entitled to tell others what they may or may not say.
Up until the last two sentences it was fine; please consider re-wording or removing this last part.
Cannot edit now. He started first by insinuating my opinions are of low value because they are “personal”. And that I should stop with them.
Anyway, the only way GDPR can be “easy” for owners/developers is:
– To simply lie about some of what is happening on the website. Do not tell = did not happen.
Putting a checkbox in forms is a few minutes’ work. Putting up a dedicated page, with mostly copy/pasted text from other websites, is also easy.
But some other things are very, very technically demanding. And as dessert at the end, any plugin saving anything about visitors/users that is not compliant with GDPR makes all of this astronomical work for nothing. Like you did absolutely nothing.
So no, it will not be easy for anyone directly involved.
@stagger-lee sorry I’d missed that line in @rimfaxe ‘s comments, but rise above it please.
@rimfaxe the last sentence to stagger-lee is across a boundary and on the personal side – please keep comments to the matter, not about the people. I always hate it when I feel I have to actually moderate, so please keep this friendly.
OK, no worries.
Normally all of this is personal opinions, right now, when anyone more experienced with it than me is looking for lawyers. But fortunately no panic: Automattic will be forced to hire lawyers for advice, and we all will benefit from it.
Want just to elaborate more on my line “Do not tell = it did not happen”. It really has nothing to do with bbPress or WP, nor is it an attempt to convince people to lie and cheat regulations.
But knowing human nature, so will it end for the majority of WP websites. Nothing new.
– People will keep quiet about export options; they will not have them, or not completely. And as it goes, the majority of websites, especially small ones, will never experience a demand to export private data. Life goes on.
– People will be quiet about emergency plans in case of hacking and database breach. They will have no clue what to do if anything happens. Even if it happens they will repair the website and life goes on.
– People will not tell who has access to private data, not all names. It is not all about selling data; the regulation is about access.
So will the web design company that is planned to fix the website after a hacking case be mandatorily named as a company who has access to private data, or not? What if hacking happens when this company has no time whatsoever for your website?