SMF 2.0.18 has been released! Please update. Read more.
Started by outdoors-stuff, November 20, 2017, 01:01:06 PM
Quote from: Arantor on November 24, 2017, 11:29:35 AMIf only it were that simple, but it almost certainly isn't.First of all, there's Privacy Shield. If you happen to be hosted with someone who implements Privacy Shield, they're actually potentially liable under having signed up. Which means... if someone in the EU complains and their supervisory authority agrees, the complaint will certainly land at their door along the way - and it's likely they'll just suspend or terminate the account.GoDaddy, for example, is signed up here. As are other hosts.
QuoteIf you have subscriptions or ads, again, they're *going* to have to be compliant even if you aren't, so you can likely expect those revenue streams to disappear.
QuoteAs for setting up a firewall to keep out the EU, this baffles me on some levels. Sure, for local or regional forums, you wouldn't need that. But for broader matters, why exclude a target market larger than the entirety of the US? (US population ~315m, EU population ~504m)
QuoteAlso, consider what it is you're actually saying: you don't care about your members' privacy? You don't want their data to be properly protected?
Quote from: Arantor on November 24, 2017, 11:48:40 AMPrivacy Shield is voluntary in concept. If you don't comply with it, you have no right to EU data anyway - that's on the US side, not the EU side. The EU has quite strong principles about not giving out data to areas with fewer protections in law than it does and long since declared US protections of user data inadequate. They also declared Safe Harbor inadequate.
QuoteHow are ads going to have to be compliant? Because the provider is going to have to be compliant in their own right unless you're dealing with someone totally outside the EU that explicitly doesn't collect user data. Google Adsense will have to be compliant. So will PayPal.
QuoteThe government puts things in place so that users' rights are covered - because a large amount of this continent knows in living memory what living in a surveillance state looks like and takes privacy very seriously. The right to deletion is simply to protect user personal data - if you can prove a suitable case for not deleting it, that's fine. For example in my day job I work with universities who are somewhat freaking out about the GDPR right now, because they're trying to reconcile right to deletion with the fact that they have to keep records of learning for years.
QuoteAs for 'it shouldn't have been posted publicly in the first place', you've never done anything that you've regretted, ever, online? You've never made a mistake in your life, ever? Also, I'm guessing you've never had to deal with identity theft either on a simple level like someone just pretending to be you on a forum, or having your life turned upside down by your entire identity being compromised. THAT is why this is important.
QuoteI care more about being legally mandated by a government to delete data that's not being sold off for commercial gain. We care very much about internal data privacy, and go well above and beyond to protect the data that's internal to us. We also will redact (but keep the post) any kind of personal info (names, city, state) posted by mistake when a user asks us nicely. In the cases of accidentally posted highly-sensitive personal info, we always delete this stuff even if the user doesn't ask us to. However, we always retain accounts, logs, IP addresses, e-mail addresses, etc for moderation and administrative purposes. This is where we drew the line. Things that are distributed to us internally (ie, e-mail address, birthdate, age) shouldn't have been given to us in the first place if they didn't want us to have it.
QuoteIn that case, it's on the user to not use our site.
QuoteThe question is what constitutes an acceptable right, who makes that determination, and what happens when an acceptable right to a company is declared unacceptable by the EU?
Quote from: Arantor on November 24, 2017, 12:37:10 PMGood luck telling the authorities that.
QuoteBroadly your comment there is actually reasonably in line with the intent of the law, with the part about retaining account info. You can certainly put forward the case that you retain it for moderation and administrative purposes (you'd have to give a list of what these are, but being able to prevent bans is certainly a valid case) - though having some kind of expiry on this would be a good idea because keeping the data forever on the off chance it might ever be useful is not such a valid case: they're quite big on 'once you don't need it any more, don't keep it'.
QuoteThe problem is that none of this is set out in actual law, and we won't know what's truly considered acceptable until someone actually falls foul of it.
QuoteBut there is certainly a decent amount of precedent with existing data protection laws to have some idea of what is acceptable and the simple case of making a good faith effort goes a long way. The really big scary stuff (where the much discussed 4% of global revenue or €20M whichever is higher fine) is only really an issue if you have a data breach and/or (probably and) are wildly and flagrantly abusing the personal data you have.
QuoteOf course, I'm not a lawyer, this is just my interpretation of it and what I plan to do for implementation going forward...