GDPR - Extension needed

[deleted]

I'll just leave this here for anyone who does run a small community (even with a small group of friends) and is under the impression that the GDPR does not apply to them because they aren't a business. Sorry guys, but it's just not the case.

I also run a self funded rabbit sanctuary which generates no revenue whatsoever and is solely funded by me - yet I still need to comply with the GDPR in terms of data processing - see. If you process any information or data on behalf of anyone else residing in the EU, then you are in scope. Flarum stores IP addresses and email addresses, therefore, it holds what is classed as PII and by definition, is in scope. This level of data can provide attribution to an individual.

Once again, I'm here in an advisory capacity as I no longer use Flarum and have no need to worry about the complete lack of GDPR functionality in this product. Take what you will from this advice. I've been heavily involved in GDPR since it's inception and was working towards full compliance (the firm I work for) 18 months before the deadline hit.

The question concerning small communities has been asked multiple times across the internet and the answer is generally the same. If you process data on behalf of EU residents, you're in scope. You may not consider your site to be, but I'll leave that decision up to you and allow you to make your own assumptions based on the risk level you are willing to accept.

Personally, I will not accept any level of risk when it comes to non compliance when I know for sure that a good bulk of my users are EU based.

010101

[deleted] I'll just leave this here

I feel like the site I linked to is more official than what you linked to in your last post. I linked to a page and explained text from an official European Union website. You linked to whatever Resource Centre is. Looks like a charity organization. So far you haven't shown any definitive proof that a small non-revenue generating, non-user tracking forum must comply with all rules. I'm not saying not comply with anything. As I read the bullet points on that Resource Centre site, I already agree with and follow those points. I don't need a GDPR extension to be able to follow those points. And the whole point of this thread, I think, that you are trying to make is: we must have a GDPR extension. I still have trouble understanding how that can be a fact.

The site you linked to says the following (and I've added responses):

Know what personal data is. Got it, ok, I know what it is.
Only collect, store or use personal data if your group needs to do so for a clear, specific purpose. Got it, ok.
Only collect, store and use the minimum amount of data you need for your purpose. Don’t keep extra data if you don’t know why you need it, and don’t keep data that is no longer needed for a clear purpose. Got it, forums need to keep posts or the research, discussion, etc. no longer makes sense.
Make sure people know how to contact you if they want you to remove their data from your records. Got it, in the privacy policy and elsewhere.
Tell people what data you have about them if they ask you to, and remove it if requested. Ok, fine, if requested I can remove their personal data.
Store data securely. Ok, I mean, it's a web host... a popular one... they follow GDPR...
Be clear whether data belongs to your group or to you personally. Just because you have access to contact details held by the group, doesn’t mean they are your personal contacts. Okie dokie.

No extension needed for any of that.

Now, if you are a large company, yes, hire a developer and get some robust tools in place to quickly be able to download or erase user data.

But, I'm not a lawyer, I could be wrong. No matter how much I read or have experience with GDPR, I'm not going to definitively say I'm 100% right. I don't study law. I'll let you all know if I ever get reprimanded or fined by the GDPR police. 😁

Actually that's a good ongoing experiment. Anyone here with a small community, please do let us know if you ever get reprimanded about GDPR stuff.

MartinJD

Have any small (or large) forum owners been punished for non compliance?

Justoverclock

MartinJD in my experience…no one in Italy

matteocontrini

MartinJD it's very unlikely, but if someone reports you the privacy authority of your country you might be gently asked to comply with the regulation, and then you can't refuse. Authorities have no capacity to go after small violations, as much as they care, and it's always best for everyone to attempt to try to fix things with collaboration.

010101

And, here's what I think I've posted here at Discuss before in a different thread. I couldn't find it again right away. But, just found it. This is from a Dutch lawyer.

https://blog-iusmentis-com.translate.goog/2018/04/03/geldt-het-vergeetrecht-onder-de-avg-ook-bij-forumdiscussies/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=nui,elem

Excerpt:
(and before this part the lawyer is saying, yeah, GDPR can apply to forums... BUT...)

However, specifically with forums you run into a problem that disrupts the discussion a bit, or the archive is no longer complete. That is a problem, because in such situations the freedom of expression is jeopardized. People need to be able to read what has been said in the past, and privacy shouldn't rage through it like a 1984 bulldozer.

This problem was already recognized when the GDPR was introduced, and it therefore states in the right to forget that it does not apply when processing (i.e. publication) is necessary for the exercise of the fundamental right to freedom of expression (Article 17 paragraph 3 GDPR). ). With this, a forum administrator can in principle prevent the deletion of messages. A profile or registration of a user falls outside this fundamental right and must therefore be removed upon request.

In other words, yes, you have to (and even before GDPR had to) respect privacy, and anonymize or remove accounts, which Flarum can already do. But, you don't have to remove posts. You also don't necessarily need a cookie notice unless you have non-essential cookies.

So... what would this GDPR extension do exactly? Make it easier to download a user's personal data if they request it? That'd be cool. But, what else and why?

streaps

010101 In other words, yes, you have to (and even before GDPR had to) respect privacy, and anonymize or remove accounts, which Flarum can already do. But, you don't have to remove posts.

That's one opinion/interpretation that seems to be quoted again and again as a fact. I'm not convinced. In which way does removing my posts limit your fundamental right to freedom of expression?

Sometimes I have the feeling that idea has more to do with the power trip some admin/moderators are on than a real issue that would be problematic for their forum. They do delete (or edit) post as they like (because it's their forum), but also treat content of their users as it is their own.

But let's say you are in fact normally not required to remove user's posts even if they ask for it. And let's say most admins want to keep the user's posts even if the user asks for it.
Their still might be cases where it is required to purge the posts. Their still might be admins who would like to respect the user's wishes.
Maybe I also don't want to have any power over the user. If they still want to delete their content after a message popped up and politely have been asked for keeping their content for others and the flow of the discussion and after they clicked on "Yes, I really want to delete every little bit of content created by myself without an option to recover it" – "Yes, I'm really sure" then so be it. All of the stuff is in the past anyway and most of it not that relevant.

What we need is fundamental GDPR/privacy tools in Flarum that can be configured to the needs of the forum and not discussions about some "fundamental right to freedom of expression" loophole. The user is not our enemy.

[deleted]

010101 So... what would this GDPR extension do exactly? Make it easier to download a user's personal data if they request it? That'd be cool. But, what else and why?

Offer data portability, and the right to erasure - both of which are GDPR compliance requirements. You don't have these now, so you aren't compliant - pretty simple really The remaining question I've answered several times before.

Personally, I wouldn't be so cavalier. Good luck

010101

streaps That's one opinion/interpretation that seems to be quoted again and again as a fact.

Your arguments also seem to be quoted again and again as fact. 😉 Which is part of my argument. Again, the point of this thread seems to be to say, there MUST be a GDPR extension. I’m simply looking at all sides and evidence and saying I don’t think that’s true. I wouldn’t mind a GDPR extension though.

You are correct. The user is not our enemy. I can respect my user’s privacy by anonymizing their posts if they ask. But, I also won’t let GDPR ruin my web experience and scare me as a website owner. Website owners are not our enemy. That’s my opinion.

010101

[deleted] Offer data portability, and the right to erasure - both of which are GDPR compliance requirements. You don't have these now, so you aren't compliant

How do you know I don’t have these now? What if the forum owner knows how to do this manually or develops their own extension? Again, I’d like a GDPR extension too. I just don’t personally agree with your stance. Which is kind of like: You must have this extension, if Flarum doesn’t have it the platform is non-compliant. And I won’t accept any evidence to the contrary.

I like you and your posts and advice. I just don’t understand why you won’t budge at all. I try to see all sides and my opinion is pretty balanced. I think a forum owner can comply with what they need to without an extension, although I want an extension too. 🙃

[deleted]

010101 How do you know I don’t have these now?

Because there's no mechanism for it in Flarum as of today

010101 You must have this extension, if Flarum doesn’t have it the platform is non-compliant. And I won’t accept any evidence to the contrary.

Because Flarum isn't compliant. Period.

010101 I just don’t understand why you won’t budge at all.

This isn't about "budging" and it's also nothing personal. My professional approach is based on the fact that this product does not meet the requirements for GDPR. I intend to use a forum product in a professional capacity, therefore, it isn't suitable based on the evidence I've provided thus far.

010101

[deleted] Because Flarum isn't compliant. Period.

One can offer open source code for someone to begin building a community. Then, the owner implements their own GDPR tools. Your statements aren't 100% factual. Whether the base/core open source MIT code is compliant or not is irrelevant.

[deleted] Because there's no mechanism for it in Flarum as of today

One can implement their own tools.

[deleted] I intend to use a forum product in a professional capacity, therefore, it isn't suitable based on the evidence I've provided thus far.

I agree with this. My arguments have all been about small, non-professional, non-business forums. So yes, you need to take this stuff more seriously if you need something for professional/business purposes.

streaps

010101 One can offer open source code for someone to begin building a community. Then, the owner implements their own GDPR tools. Your statements aren't 100% factual. Whether the base/core open source MIT code is compliant or not is irrelevant.

Correct. It's the responsible of the data controller to ensure GDPR compliance.

010101 One can implement their own tools.

If they have the abilities ...

010101 My arguments have all been about small, non-professional, non-business forums.

... do you expect everyone operating a small, non-professional, non-business forum has the resources to implement their own tools?
Regarding the GDPR it really doesn't matter how professional or amateurish the forum is.

It's very simple: I cannot host a Flarum forum, if the GDPR tools are missing.

[deleted]

010101 One can offer open source code for someone to begin building a community. Then, the owner implements their own GDPR tools. Your statements aren't 100% factual. Whether the base/core open source MIT code is compliant or not is irrelevant.

This isn't relevant in my view. Take a look at WordPress, NodeBB, wpForo and the endless list of other forum or CRM software that has produced their relevant platforms then revisited them later to induce GDPR functionality. During the course of 2018 literally every single developer of software was working towards full compliance to ensure that their products wouldn't be abandoned because of a lack of functionality

Flarum however has taken it upon themselves to completely ignore this requirement, so I took it upon myself to use another product.

Ultimately, you have your views, and I have mine. Let's just agree to disagree before this thread descends into nothing more than a bun fight.

010101

streaps It's very simple: I cannot host a Flarum forum, if the GDPR tools are missing.

Ok. If that’s how you feel. That’s how you feel. It’s very simple: I cannot change your mind. 🙂

010101

[deleted] Flarum however has taken it upon themselves to completely ignore this requirement, so I took it upon myself to use another product.

More hyperbole.😁 Flarum developers have not completely ignored it. They took an almost abandoned product and got it to stable. No one said there will never be a GDPR extension. And if there ever is a GDPR extension, I’ll probably, unfortunately, use it. Unfortunately because no country or union should dictate the Internet in this way. It’s the last somewhat free space on the planet.

I won’t be bullied into not running a website because of the EU. I’ll forever be a free and open Internet warrior. A fighter for the rights of the good small website owner who doesn’t mess with people’s privacy anyway. 😎 If you are clear with users and don’t do anything bad with their data, then they will know and sense that, you’ll get more users, and life is wonderful. If you are a bad guy, you’ll get fined or shut down.

Anyway, you have to do what you feel you have to do. Like you said. You’ve moved on. Thanks for the advice. I’m sure the core devs have at least read some of this. There’s nothing else to say.

Well, there is another thing. I do get frustrated when someone feels like they are 100% correct, then someone else shows them evidence, yet they still stick to all of their views. Compromise and understanding is needed badly in this world.

Always keep an open mind about everything. Even GDPR. That’s my opinion. You never know when you might not have one part not quite right. Accept other people’s opinions versus: no, sorry, it’s simple, Flarum isn’t compliant. Just not the way to be.

Darkle

I think @010101 point is that simply for small websites the GDPR is not critical and never will be, it's more about a commitment to your users, the EU simply doesn't have the capacity to review cases, they don't even get that with big tech, it takes months to do it and these companies keep them entertained by changing policies every 6 months.... The GDPR has been the way to impose the biggest fines in the history of the EU and address very serious privacy problems due to the proven sale of data that affected millions of users, it is not crazy to say that the eye is not exactly on us because it does not make sense and it is not physically possible.

By this I mean that if you are in the position of having a small website and you are really committed to your users it shouldn't be too complicated to comply with GDPR, I don't think you will receive thousands of GDPR related requests, maybe not even one for months. Yes, in the case of Flarum (for now, as the extension will come) it requires manual intervention, there are no automatic mechanisms, but it can be done. Manual intervention is not the most comfortable thing to do, but just as it has been done with physical documents in any company for decades, there are no automatic mechanisms.

Also to say that after Brexit in UK the GDPR or now specifically called EU-GDPR does not apply anymore in UK, from 1 January 2021 the UK-GDPR came into force, so the EU-GDPR and UK-GDPR (although now copy-paste) will evolve differently, another task to be aware of, it will not be so much fun for individuals to compile with privacy laws when we end up having lots of laws from different countries.

010101

Darkle By this I mean that if you are in the position of having a small website and you are really committed to your users it shouldn't be too complicated to comply with GDPR, I don't think you will receive thousands of GDPR related requests, maybe not even one for months. Yes, in the case of Flarum (for now, as the extension will come) it requires manual intervention, there are no automatic mechanisms, but it can be done.

Yaas! Thank you. I appreciate someone out there understanding. 😅

Sibert

[deleted] There are numerous topics around GDPR on discuss

I have seen nowhere mentioned in this thread, one of the major GDPR issues. It is more or less prohibited in the EU to use a server or service hosted by a "state controlled" company. Azure (amongst other) is therefore abandoned or prohibited by some countries in the EU.

Sibert

010101 no country or union should dictate the Internet in this way

GDPR could be boiled down to ONE sentence: YOU own your own data - NOT the organization behind the website.

So it is about privacy. Your privacy. Nobody can do anything with your data without your permission. It may be annoying that the EU raises YOUR right to your OWN data to "law". :-)

streaps

010101 Yaas! Thank you. I appreciate someone out there understanding.

Now it's your turn to understand the other point of views. Then everyone feels understood ... 🤣

010101

streaps Now it's your turn to understand the other point of views. Then everyone feels understood ... 🤣

Seriously? Read my posts. Many of them start with verbiage such as: I 80 to 90% agree with you.

🤷‍♂️

In a perfect world would I like my users to be able to with one click erase everything and/or get their personal data? Sure. But, my points were:

GDPR was poorly written and doesn’t protect small businesses. #sad
Flarum is amazing and the developers who graciously work on this are amazing. They had to get this to stable first. Plus, I’m sure there are still some bugs, and this and that which need attention. In the meantime, there are ways to comply with GDPR.

And I think somewhere in your comments you mentioned something like, if Flarum wants to be a business or something like that. Well, it’s not. It’s a foundation. It’s open source software. The Flarum devs don’t get rich off of this. I can promise you that.

« Previous Page Next Page »