Simple Machines Community Forum

Archived Boards and Threads... => Archived Boards => SMF Feedback and Discussion => Topic started by: Norv on April 29, 2012, 09:29:45 AM

Title: [Brainstorming] EU data protection regulations
Post by: Norv on April 29, 2012, 09:29:45 AM
Please see:
http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm

I'm starting this topic for brainstorming and discussion.
Do the existing or projected regulations affect SMF forum installations, and how? Perhaps particular forums, targeted at user services such as offering download services?
Do the existing regulations already affect SMF forums, in particular in EU jurisdictions, and why and how?

I'll note: it has been argued repeatedly in the past that the user of a site/forum has all rights to their personal data, such as email, website, and other profile data, to at least *see* them when they see fit (ask to know what the site/owner/company operating the site "knows" about them). Of course, SMF allows that, unless a particular admin changes their installation.
It has been argued though, that under some laws (i.e. Finland, IIRC), this extends also to the posts they made... which is different: it's content, not personal contact information. Does it extend to content, how, why (what laws/regulation), any precedents?
Do note also that the ToS (the registration agreement) intervenes here as well.

I'll keep this topic short; it's only an invitation for you SMF admins and users to share your knowledge on the matters. Please let's try to keep it to *actual* facts.

Please do also note: SMF admins need to make sure that their site operates correctly within the bounds of their respective jurisdictions. However, the first step is understanding them, their impact, and their reasoning, I'd say, and we can see if or how we can help.
Title: Re: [Brainstorming] EU data protection regulations
Post by: Antechinus on April 29, 2012, 05:14:41 PM
Just be aware that posts may contain personal information, so the argument that posts are "content" isn't really going to work. Personally I'm going to get hardass on my ToS/registration agreement. It'll be worded so it is actually possible to run the place, bearing in mind the necessity of being able to deal with trolls, spammers and other miscreants without them being able to lead you on a merry chase. Let's face it, in practice you need to keep records of emails, IPs, etc. to run the place effectively.
Title: Re: [Brainstorming] EU data protection regulations
Post by: CircleDock on May 01, 2012, 01:17:41 PM
The applicable legislation in the UK is the Data Protection Act which is enforced by the Information Commissioner (ICO).

Forums necessarily record the username, email address, password, the IP Address used to register and the last-used IP Address. As far as the Data Protection Act is concerned, none of these is considered to be private information and thus can be retained without the need for the website to register with the ICO as a Data Controller.

But users often beef up their profile with other information which could be used to identify them. Whilst they remain a member of the site, there's no problem since they have access to that information and can modify or remove it at will. A problem does occur if a member is banned since they no longer have access to their profile or private messages and thus cannot remove them. Sites that retain this information should either register with the ICO or remove that personal information.

This can be overcome by extending the ban function to include removing non-essential information from the member's profile along with all his sent and received PMs.
Title: Re: [Brainstorming] EU data protection regulations
Post by: feline on May 01, 2012, 03:22:22 PM
Quote from: CircleDock on May 01, 2012, 01:17:41 PM
This can be overcome by extending the ban function to include removing non-essential information from the member's profile along with all his sent and received PMs.
Simply delete the banned member's account and create a new empty one with the same name  ;)
Title: Re: [Brainstorming] EU data protection regulations
Post by: Kindred on May 01, 2012, 03:33:15 PM
(or just don't allow users to delete accounts)
Title: Re: [Brainstorming] EU data protection regulations
Post by: Antechinus on May 01, 2012, 05:40:31 PM
Quote from: CircleDock on May 01, 2012, 01:17:41 PM
The applicable legislation in the UK is the Data Protection Act which is enforced by the Information Commissioner (ICO).

Forums necessarily record the username, email address, password, the IP Address used to register and the last-used IP Address. As far as the Data Protection Act is concerned, none of these is considered to be private information and thus can be retained without the need for the website to register with the ICO as a Data Controller.

But users often beef up their profile with other information which could be used to identify them. Whilst they remain a member of the site, there's no problem since they have access to that information and can modify or remove it at will. A problem does occur if a member is banned since they no longer have access to their profile or private messages and thus cannot remove them. Sites that retain this information should either register with the ICO or remove that personal information.

This can be overcome by extending the ban function to include removing non-essential information from the member's profile along with all his sent and received PMs.
For ages we've had our registration agreement include a specific stipulation that we are not required to delete anything, and people must agree to this as part of the registration process.

You really need this if you aren't going to open yourself to being played. Usually you want to ban trolls and spammers. Both will keep coming back, and you need ways to track them and block them. This means you need to keep records on them for comparison with new applicants. Deleting all their PI whenever you ban them isn't going to work.