[Brainstorming] EU data protection regulations

Started by Norv, April 29, 2012, 09:29:45 AM


Norv

Please see:
http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm

I'm starting this topic for brainstorming and discussion.
Do the existing or projected regulations affect SMF forum installations, and how? Perhaps particular forums, targeted at user services such as offering download services?
Do the existing regulations already affect SMF forums in particular EU jurisdictions, and why and how?

I'll note: it has been argued repeatedly in the past that the user of a site/forum has all rights to their personal data, such as email, website, and other profile data, to at least *see* them when they see fit (ask to know what the site/owner/company operating the site "knows" about them). Of course, SMF allows that, unless a particular admin changes their installation.
It has been argued though, that under some laws (i.e. Finland, IIRC), this extends also to the posts they made... which is different: it's content, not personal contact information. Does it extend to content, how, why (what laws/regulation), any precedents?
Do note also that the ToS (the registration agreement) intervenes here as well.

I'll keep this topic short; it's only an invitation for you SMF admins and users to share your knowledge on the matters. Please let's try to keep it to *actual* facts.

Please do also note: SMF admins need to make sure that their site operates correctly within the bounds of their respective jurisdictions. However, the first step is understanding them, their impact, and their reasoning, I'd say, and we can see if or how we can help.

Antechinus

Just be aware that posts may contain personal information, so the argument that posts are "content" isn't really going to work. Personally I'm going to get hardass on my ToS/registration agreement. It'll be worded so it is actually possible to run the place, bearing in mind the necessity of being able to deal with trolls, spammers and other miscreants without them being able to lead you on a merry chase. Let's face it, in practice you need to keep records of emails, IPs, etc. to run the place effectively.

CircleDock

The applicable legislation in the UK is the Data Protection Act which is enforced by the Information Commissioner (ICO).

Forums necessarily record the username, email address, password, the IP Address used to register and the last-used IP Address. As far as the Data Protection Act is concerned, none of these is considered to be private information and thus can be retained without the need for the website to register with the ICO as a Data Controller.

But users often beef up their profile with other information which could be used to identify them. Whilst they remain a member of the site, there's no problem since they have access to that information and can modify or remove it at will. A problem does occur if a member is banned since they no longer have access to their profile or private messages and thus cannot remove them. Sites that retain this information should either register with the ICO or remove that personal information.

This can be overcome by extending the ban function to include removing non-essential information from the member's profile along with all his sent and received PMs.
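As an added example (not SMF's own code; the record layout and field names are assumed), a ban-time scrub along the lines CircleDock describes: it keeps only the fields listed above as necessarily recorded, which also leaves the email and IP records needed to recognise a returning banned user, strips every other profile field, and purges the member's sent and received PMs, returning an audit of what was removed.

```python
"""Scrub non-essential personal data from a banned member's record.

Added example, not SMF code. The dict layout and field names are assumed;
only the fields the thread lists as necessarily recorded are retained.
"""
from __future__ import annotations

# Fields kept after a ban: account key plus the "necessarily recorded" set
# (username, email, password, registration IP, last-used IP). Assumed names.
ESSENTIAL_FIELDS = frozenset({
    "id", "username", "email", "password_hash", "register_ip", "last_ip",
})

# Constructed sample data (not real users).
SAMPLE_MEMBER = {
    "id": 42, "username": "troll_x", "email": "x@example.invalid",
    "password_hash": "<hash>", "register_ip": "192.0.2.10",
    "last_ip": "192.0.2.11", "website": "http://example.invalid",
    "location": "Somewhere", "signature": "hello",
}
SAMPLE_PMS = [
    {"id": 1, "sender_id": 42, "recipient_ids": [7]},      # sent by 42
    {"id": 2, "sender_id": 7, "recipient_ids": [42, 9]},   # received by 42
    {"id": 3, "sender_id": 7, "recipient_ids": [9]},       # unrelated
]

def scrub_member(member: dict) -> tuple[dict, list[str]]:
    """Return a copy holding only essential fields, plus the removed field names."""
    kept = {k: v for k, v in member.items() if k in ESSENTIAL_FIELDS}
    removed = sorted(k for k in member if k not in ESSENTIAL_FIELDS)
    return kept, removed

def purge_pms(pms: list[dict], member_id: int) -> tuple[list[dict], int]:
    """Drop every PM the member sent or received; return the rest and the count purged."""
    remaining = [pm for pm in pms
                 if pm["sender_id"] != member_id
                 and member_id not in pm["recipient_ids"]]
    return remaining, len(pms) - len(remaining)

def ban_and_scrub(member: dict, pms: list[dict]) -> dict:
    """Apply both steps and return an audit record for the admin log."""
    kept, removed = scrub_member(member)
    remaining, purged = purge_pms(pms, member["id"])
    return {"member": kept, "removed_fields": removed,
            "pms": remaining, "pms_purged": purged}
```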

feline

Quote from: CircleDock on May 01, 2012, 01:17:41 PM
This can be overcome by extending the ban function to include removing non-essential information from the member's profile along with all his sent and received PMs.
Simply delete the banned member account and create a new empty one with the same name  ;)

Kindred

(or just don't allow users to delete accounts)

Antechinus

Quote from: CircleDock on May 01, 2012, 01:17:41 PM
The applicable legislation in the UK is the Data Protection Act which is enforced by the Information Commissioner (ICO).

Forums necessarily record the username, email address, password, the IP Address used to register and the last-used IP Address. As far as the Data Protection Act is concerned, none of these is considered to be private information and thus can be retained without the need for the website to register with the ICO as a Data Controller.

But users often beef up their profile with other information which could be used to identify them. Whilst they remain a member of the site, there's no problem since they have access to that information and can modify or remove it at will. A problem does occur if a member is banned since they no longer have access to their profile or private messages and thus cannot remove them. Sites that retain this information should either register with the ICO or remove that personal information.

This can be overcome by extending the ban function to include removing non-essential information from the member's profile along with all his sent and received PMs.
For ages we've had our registration agreement include a specific stipulation that we are not required to delete anything, and people must agree to this as part of the registration process.

You really need this if you aren't going to open yourself to being played. Usually you want to ban trolls and spammers. Both will keep coming back, and you need ways to track them and block them. This means you need to keep records on them for comparison with new applicants. Deleting all their PI whenever you ban them isn't going to work.
