GDPR - Extension needed

MartinJD

Have any small (or large) forum owners been punished for non compliance?

Justoverclock

MartinJD in my experience…no one in Italy

matteocontrini

MartinJD it's very unlikely, but if someone reports you the privacy authority of your country you might be gently asked to comply with the regulation, and then you can't refuse. Authorities have no capacity to go after small violations, as much as they care, and it's always best for everyone to attempt to try to fix things with collaboration.

010101

[deleted] I'll just leave this here

I feel like the site I linked to is more official than what you linked to in your last post. I linked to a page and explained text from an official European Union website. You linked to whatever Resource Centre is. Looks like a charity organization. So far you haven't shown any definitive proof that a small non-revenue generating, non-user tracking forum must comply with all rules. I'm not saying not comply with anything. As I read the bullet points on that Resource Centre site, I already agree with and follow those points. I don't need a GDPR extension to be able to follow those points. And the whole point of this thread, I think, that you are trying to make is: we must have a GDPR extension. I still have trouble understanding how that can be a fact.

The site you linked to says the following (and I've added responses):

Know what personal data is. Got it, ok, I know what it is.
Only collect, store or use personal data if your group needs to do so for a clear, specific purpose. Got it, ok.
Only collect, store and use the minimum amount of data you need for your purpose. Don’t keep extra data if you don’t know why you need it, and don’t keep data that is no longer needed for a clear purpose. Got it, forums need to keep posts or the research, discussion, etc. no longer makes sense.
Make sure people know how to contact you if they want you to remove their data from your records. Got it, in the privacy policy and elsewhere.
Tell people what data you have about them if they ask you to, and remove it if requested. Ok, fine, if requested I can remove their personal data.
Store data securely. Ok, I mean, it's a web host... a popular one... they follow GDPR...
Be clear whether data belongs to your group or to you personally. Just because you have access to contact details held by the group, doesn’t mean they are your personal contacts. Okie dokie.

No extension needed for any of that.

Now, if you are a large company, yes, hire a developer and get some robust tools in place to quickly be able to download or erase user data.

But, I'm not a lawyer, I could be wrong. No matter how much I read or have experience with GDPR, I'm not going to definitively say I'm 100% right. I don't study law. I'll let you all know if I ever get reprimanded or fined by the GDPR police. 😁

Actually that's a good ongoing experiment. Anyone here with a small community, please do let us know if you ever get reprimanded about GDPR stuff.

010101

And, here's what I think I've posted here at Discuss before in a different thread. I couldn't find it again right away. But, just found it. This is from a Dutch lawyer.

https://blog-iusmentis-com.translate.goog/2018/04/03/geldt-het-vergeetrecht-onder-de-avg-ook-bij-forumdiscussies/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=nui,elem

Excerpt:
(and before this part the lawyer is saying, yeah, GDPR can apply to forums... BUT...)

However, specifically with forums you run into a problem that disrupts the discussion a bit, or the archive is no longer complete. That is a problem, because in such situations the freedom of expression is jeopardized. People need to be able to read what has been said in the past, and privacy shouldn't rage through it like a 1984 bulldozer.

This problem was already recognized when the GDPR was introduced, and it therefore states in the right to forget that it does not apply when processing (i.e. publication) is necessary for the exercise of the fundamental right to freedom of expression (Article 17 paragraph 3 GDPR). ). With this, a forum administrator can in principle prevent the deletion of messages. A profile or registration of a user falls outside this fundamental right and must therefore be removed upon request.

In other words, yes, you have to (and even before GDPR had to) respect privacy, and anonymize or remove accounts, which Flarum can already do. But, you don't have to remove posts. You also don't necessarily need a cookie notice unless you have non-essential cookies.

So... what would this GDPR extension do exactly? Make it easier to download a user's personal data if they request it? That'd be cool. But, what else and why?

streaps

010101 In other words, yes, you have to (and even before GDPR had to) respect privacy, and anonymize or remove accounts, which Flarum can already do. But, you don't have to remove posts.

That's one opinion/interpretation that seems to be quoted again and again as a fact. I'm not convinced. In which way does removing my posts limit your fundamental right to freedom of expression?

Sometimes I have the feeling that idea has more to do with the power trip some admin/moderators are on than a real issue that would be problematic for their forum. They do delete (or edit) post as they like (because it's their forum), but also treat content of their users as it is their own.

But let's say you are in fact normally not required to remove user's posts even if they ask for it. And let's say most admins want to keep the user's posts even if the user asks for it.
Their still might be cases where it is required to purge the posts. Their still might be admins who would like to respect the user's wishes.
Maybe I also don't want to have any power over the user. If they still want to delete their content after a message popped up and politely have been asked for keeping their content for others and the flow of the discussion and after they clicked on "Yes, I really want to delete every little bit of content created by myself without an option to recover it" – "Yes, I'm really sure" then so be it. All of the stuff is in the past anyway and most of it not that relevant.

What we need is fundamental GDPR/privacy tools in Flarum that can be configured to the needs of the forum and not discussions about some "fundamental right to freedom of expression" loophole. The user is not our enemy.

[deleted]

010101 So... what would this GDPR extension do exactly? Make it easier to download a user's personal data if they request it? That'd be cool. But, what else and why?

Offer data portability, and the right to erasure - both of which are GDPR compliance requirements. You don't have these now, so you aren't compliant - pretty simple really The remaining question I've answered several times before.

Personally, I wouldn't be so cavalier. Good luck

010101

streaps That's one opinion/interpretation that seems to be quoted again and again as a fact.

Your arguments also seem to be quoted again and again as fact. 😉 Which is part of my argument. Again, the point of this thread seems to be to say, there MUST be a GDPR extension. I’m simply looking at all sides and evidence and saying I don’t think that’s true. I wouldn’t mind a GDPR extension though.

You are correct. The user is not our enemy. I can respect my user’s privacy by anonymizing their posts if they ask. But, I also won’t let GDPR ruin my web experience and scare me as a website owner. Website owners are not our enemy. That’s my opinion.

010101

[deleted] Offer data portability, and the right to erasure - both of which are GDPR compliance requirements. You don't have these now, so you aren't compliant

How do you know I don’t have these now? What if the forum owner knows how to do this manually or develops their own extension? Again, I’d like a GDPR extension too. I just don’t personally agree with your stance. Which is kind of like: You must have this extension, if Flarum doesn’t have it the platform is non-compliant. And I won’t accept any evidence to the contrary.

I like you and your posts and advice. I just don’t understand why you won’t budge at all. I try to see all sides and my opinion is pretty balanced. I think a forum owner can comply with what they need to without an extension, although I want an extension too. 🙃

[deleted]

010101 How do you know I don’t have these now?

Because there's no mechanism for it in Flarum as of today

010101 You must have this extension, if Flarum doesn’t have it the platform is non-compliant. And I won’t accept any evidence to the contrary.

Because Flarum isn't compliant. Period.

010101 I just don’t understand why you won’t budge at all.

This isn't about "budging" and it's also nothing personal. My professional approach is based on the fact that this product does not meet the requirements for GDPR. I intend to use a forum product in a professional capacity, therefore, it isn't suitable based on the evidence I've provided thus far.

010101

[deleted] Because Flarum isn't compliant. Period.

One can offer open source code for someone to begin building a community. Then, the owner implements their own GDPR tools. Your statements aren't 100% factual. Whether the base/core open source MIT code is compliant or not is irrelevant.

[deleted] Because there's no mechanism for it in Flarum as of today

One can implement their own tools.

[deleted] I intend to use a forum product in a professional capacity, therefore, it isn't suitable based on the evidence I've provided thus far.

I agree with this. My arguments have all been about small, non-professional, non-business forums. So yes, you need to take this stuff more seriously if you need something for professional/business purposes.

streaps

010101 One can offer open source code for someone to begin building a community. Then, the owner implements their own GDPR tools. Your statements aren't 100% factual. Whether the base/core open source MIT code is compliant or not is irrelevant.

Correct. It's the responsible of the data controller to ensure GDPR compliance.

010101 One can implement their own tools.

If they have the abilities ...

010101 My arguments have all been about small, non-professional, non-business forums.

... do you expect everyone operating a small, non-professional, non-business forum has the resources to implement their own tools?
Regarding the GDPR it really doesn't matter how professional or amateurish the forum is.

It's very simple: I cannot host a Flarum forum, if the GDPR tools are missing.

[deleted]

010101 One can offer open source code for someone to begin building a community. Then, the owner implements their own GDPR tools. Your statements aren't 100% factual. Whether the base/core open source MIT code is compliant or not is irrelevant.

This isn't relevant in my view. Take a look at WordPress, NodeBB, wpForo and the endless list of other forum or CRM software that has produced their relevant platforms then revisited them later to induce GDPR functionality. During the course of 2018 literally every single developer of software was working towards full compliance to ensure that their products wouldn't be abandoned because of a lack of functionality

Flarum however has taken it upon themselves to completely ignore this requirement, so I took it upon myself to use another product.

Ultimately, you have your views, and I have mine. Let's just agree to disagree before this thread descends into nothing more than a bun fight.

010101

streaps It's very simple: I cannot host a Flarum forum, if the GDPR tools are missing.

Ok. If that’s how you feel. That’s how you feel. It’s very simple: I cannot change your mind. 🙂

010101

[deleted] Flarum however has taken it upon themselves to completely ignore this requirement, so I took it upon myself to use another product.

More hyperbole.😁 Flarum developers have not completely ignored it. They took an almost abandoned product and got it to stable. No one said there will never be a GDPR extension. And if there ever is a GDPR extension, I’ll probably, unfortunately, use it. Unfortunately because no country or union should dictate the Internet in this way. It’s the last somewhat free space on the planet.

I won’t be bullied into not running a website because of the EU. I’ll forever be a free and open Internet warrior. A fighter for the rights of the good small website owner who doesn’t mess with people’s privacy anyway. 😎 If you are clear with users and don’t do anything bad with their data, then they will know and sense that, you’ll get more users, and life is wonderful. If you are a bad guy, you’ll get fined or shut down.

Anyway, you have to do what you feel you have to do. Like you said. You’ve moved on. Thanks for the advice. I’m sure the core devs have at least read some of this. There’s nothing else to say.

Well, there is another thing. I do get frustrated when someone feels like they are 100% correct, then someone else shows them evidence, yet they still stick to all of their views. Compromise and understanding is needed badly in this world.

Always keep an open mind about everything. Even GDPR. That’s my opinion. You never know when you might not have one part not quite right. Accept other people’s opinions versus: no, sorry, it’s simple, Flarum isn’t compliant. Just not the way to be.

Darkle

I think @010101 point is that simply for small websites the GDPR is not critical and never will be, it's more about a commitment to your users, the EU simply doesn't have the capacity to review cases, they don't even get that with big tech, it takes months to do it and these companies keep them entertained by changing policies every 6 months.... The GDPR has been the way to impose the biggest fines in the history of the EU and address very serious privacy problems due to the proven sale of data that affected millions of users, it is not crazy to say that the eye is not exactly on us because it does not make sense and it is not physically possible.

By this I mean that if you are in the position of having a small website and you are really committed to your users it shouldn't be too complicated to comply with GDPR, I don't think you will receive thousands of GDPR related requests, maybe not even one for months. Yes, in the case of Flarum (for now, as the extension will come) it requires manual intervention, there are no automatic mechanisms, but it can be done. Manual intervention is not the most comfortable thing to do, but just as it has been done with physical documents in any company for decades, there are no automatic mechanisms.

Also to say that after Brexit in UK the GDPR or now specifically called EU-GDPR does not apply anymore in UK, from 1 January 2021 the UK-GDPR came into force, so the EU-GDPR and UK-GDPR (although now copy-paste) will evolve differently, another task to be aware of, it will not be so much fun for individuals to compile with privacy laws when we end up having lots of laws from different countries.

010101

Darkle By this I mean that if you are in the position of having a small website and you are really committed to your users it shouldn't be too complicated to comply with GDPR, I don't think you will receive thousands of GDPR related requests, maybe not even one for months. Yes, in the case of Flarum (for now, as the extension will come) it requires manual intervention, there are no automatic mechanisms, but it can be done.

Yaas! Thank you. I appreciate someone out there understanding. 😅

Sibert

[deleted] There are numerous topics around GDPR on discuss

I have seen nowhere mentioned in this thread, one of the major GDPR issues. It is more or less prohibited in the EU to use a server or service hosted by a "state controlled" company. Azure (amongst other) is therefore abandoned or prohibited by some countries in the EU.

Sibert

010101 no country or union should dictate the Internet in this way

GDPR could be boiled down to ONE sentence: YOU own your own data - NOT the organization behind the website.

So it is about privacy. Your privacy. Nobody can do anything with your data without your permission. It may be annoying that the EU raises YOUR right to your OWN data to "law". :-)

streaps

010101 Yaas! Thank you. I appreciate someone out there understanding.

Now it's your turn to understand the other point of views. Then everyone feels understood ... 🤣

010101

streaps Now it's your turn to understand the other point of views. Then everyone feels understood ... 🤣

Seriously? Read my posts. Many of them start with verbiage such as: I 80 to 90% agree with you.

🤷‍♂️

In a perfect world would I like my users to be able to with one click erase everything and/or get their personal data? Sure. But, my points were:

GDPR was poorly written and doesn’t protect small businesses. #sad
Flarum is amazing and the developers who graciously work on this are amazing. They had to get this to stable first. Plus, I’m sure there are still some bugs, and this and that which need attention. In the meantime, there are ways to comply with GDPR.

And I think somewhere in your comments you mentioned something like, if Flarum wants to be a business or something like that. Well, it’s not. It’s a foundation. It’s open source software. The Flarum devs don’t get rich off of this. I can promise you that.

streaps

askvortsov As to the status of the GDPR extension, I agree that it's been going way slower than any of us initially hoped, but the only active developers on it are myself and @ianm, and we've both been very pressed for time. However, that extension will have all the features discussed in this thread, and I am still optimistic that we will get it done.

Don't you (the people trying to build a business around Flarum) realize how damaging this approach and communication strategy is for Flarum? It already had the image of a software that never gets finished. Now after version 1.0 has been released, after years of waiting, we see the same pattern with a central feature that should have been in v1.0. Maybe there will be a beta version soon, maybe it will take months or years or the whole business / development around Flarum implodes again. This wishy-washy communication and commitment hurts Flarum. Every day there is uncertainty about the GDPR extensions is a missed opportunity. I'm sure many people don't even consider Flarum as a viable alternative because of this. They have a look at Flarum, find nothing about the GDPR on the main site, find nothing about GDPR on the blog and then land on this thread after a search. That's all you can provide as an semi-official statement about the (future) GDPR support in Flarum – hidden between the arrogant/ignorant views of some community members. It's a complete disaster. And the fact that you don't realize how bad it looks only amplifies it.

Darkle

streaps I find it rather hypocritical of you to say this, after your previous message was this

Now it's your turn to understand the other point of views. Then everyone feels understood ... 🤣

And now quote a message in which askvortsov updates us on the status and tells us that only he and ianm are actively working on the extension, implying that there are very few people and that's why it's taking longer than desired.

Tell me a single successful forum/community software where no business has been created around it, which one? I think you've got yourself into the worst possible place with forum/community software, does XenForo ring a bell, their basic license is $160+$300 to remove the horrible XenForo copyright mark. Invision Community, self hosted plan with Forum, Pages and Blog (all of them on Flarum and free) $500 + Renewal every 6 months of $75. We can go on like this all day if you want.

And yet the only business around Flarum are complex feature extensions that have the main purpose of paying the developer for the time spent on them. I really don't even know why I bother commenting on this, it's ridiculous.

Look how serious it was that even before the stable companies like giffgaff and Bunq have based their communities on Flarum, are you saying that these important companies don't respect the GDPR either? Wow, a telecoms company and a bank, I certainly think this needs to be reported to the EU authorities is pretty serious, note the irony...

askvortsov

I think the tone here is getting a bit confrontational. Discussion is good as long as it's productive. I want to address a few issues/concerns.

GDPR is important, and regardless of anyone's personal opinions, it is the law, and must be followed. A GDPR extension would make this easier, especially on large forums that get frequent requests. That being said, the vast majority of forums can be GDPR compatible without a specialized extension. Both data erasure and providing a copy of data can be done manually per request. It can be slow and tedious, but if your forum never / rarely gets requests, it's not really an issue.

For large forums, a GDPR extension can be very useful, and at some scale, absolutely necessary. If requests are received on a regular basis, infrastructure and a standard process for dealing with them is a must. That's why I'm personally involved with the development of Blomstra's extension, even though I'm not affiliated with Blomstra. Development is

streaps central feature that should have been in v1.0

taking a lot longer than we were hoping for many reasons, but it will be done eventually.

streaps should have been in v1.0

Same could be said for a rich text editor, a tags system, a UI for installing extensions, and many other features. Including something into core isn't a business decision or a reflection of its importance. It's purely an engineering decision from the perspective of maintainability. Flarum extensions are first class citizens, and some feature being relegated to an extension doesn't mean that it's not seen as being important.

« Previous Page Next Page »