Invision Community Blog


Managing successful online communities

Matt

Your GDPR questions answered

You've no doubt heard about GDPR by now. It's a very hot topic in many circles. Lots of experts are weighing in on the best approach to take before the May 25th deadline.

Which reminds me of my favorite joke:

"Do you know a great GDPR expert?"

Yes, I do!

"Could you send me his email address?"

No, I'm afraid not.

I wrote about how Invision Community can help with your GDPR compliance back in December. I've seen a lot of posts and topics on GDPR in our community since then.

First, let's get the disclaimer out of the way. I'm a humble programmer and not a GDPR expert or a lawyer. The information here is presented to assist you in making decisions. As always, we recommend you do your own research and if you're in any doubt, book an appointment with a lawyer.

It is also worth mentioning that GDPR is very much a living document with phrases like "legitimate interest" and "reasonable measures". None of these phrases have any real legal definition and are open to interpretation. Some have interpreted them severely, and others more liberally.

GDPR is about being a good steward of the data you store on a user. It's not designed to stop you from operating an engaging web site. There's no need to create stress about users linking to other sites, embedding images, anonymizing IP addresses, and such on your site. These don't impact any data you are storing and are part of the normal operation of how the web works. Be responsible and respectful of your users' data but keep enjoying your community.

Let's have a quick recap on the points we raised in our original blog entry.

Individual Rights

The right to be informed
Invision Community has a built in privacy policy system that is presented to a new user, and existing users when it has been updated.

What should your privacy policy contain? I personally like the look of SEQ Legal's framework which is available for free.

This policy covers the important points such as which cookies are collected, how personal information is used and so on.

There may be other services out there offering similar templates.

Right to erasure
I personally feel that everyone should listen to "A Little Respect" as it's not only a cracking tune, but also carries a wonderful message.

The GDPR document, however, relates to the individual's right to be forgotten.

Invision Community allows you to delete members. When deleting members, you can elect to remove their content too. There is an option to keep it as Guest content, thus removing the author as identifiable.

It's worth using the 'keep' option after researching the user's posts to make sure they haven't posted personal information such as where they live, etc.

Emailing and Consent
Invision Community has the correct opt-in for bulk emails on registration that is not pre-checked. If the user checks this option, this is recorded with the member's history. Likewise, if they retract this permission, that action is also recorded.

When you edit the terms and conditions or privacy policy, all users are required to read it again and opt-in again.

Cookies
A lot of GDPR anxiety seems to revolve around these tiny little text files your browser stores. If you read the GDPR document (and who doesn't love a little light reading) then you'll see that very little has actually changed with cookies. It extends current data protection guidance a little to ensure that you are transparent about which cookies you store.

Invision Community has tools to create a floating cookie opt-in bar, and also a page showing which cookies are stored and why.

This is the page that you'd edit to add any cookies your installation sets (if you have enabled Facebook's Pixel, or Google Analytics for example).

Your GDPR Questions
Now let's look at some questions that have been asked on our community and I'll do my best to provide some guidance that should help you make decisions on how to configure your Invision Community to suit your needs.

Alan!!

Is the soft opt-in cookie policy enough? What about the IP address stored in the session cookie?
Great question. There's conflicting advice out there about this. The GDPR document states:

Quote

Natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

The ICO states that session cookies stored for that session only (so they are deleted when the tab / window is closed) are OK as long as they are not used to profile users.

This is reinforced by EUROPA:

Quote

Cookies clearly exempt from consent according to the EU advisory body on data protection- WP29 include:

  • user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
  • authentication cookies, to identify the user once he has logged in, for the duration of a session
  • user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
  • multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
  • load‑balancing cookies, for the duration of session
  • user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
  • third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.


My feeling is that GDPR isn't really out to stop you creating a functioning website; it is more concerned with how you store and use this information.

Thus, I feel that storing a session cookie with an IP address is OK. The user is told what is being stored and instructions are given if they want to delete them.

Given the internet is very much driven by IP addresses, I fail to see how you can not collect an IP address in some form or another. They are collected in access logs deep in the server OS.

Finally, there is a strong legitimate interest in creating a session cookie. It's part and parcel of the website's function and the cookie is not used in any 'bad' way. It just allows guests and members to retain preferences and update "last seen" times to help deliver content.

Do I need to delete all the posts by a member if they ask me to?
We have many large clients in the EU with really impressive and expensive legal teams and they are all unanimous in telling us that there is no requirement to delete content when deleting a user's personal information. The analogy often given is with email: once someone sends you an email you are not obligated to delete that. The same is true with content posted by a user: once they post that content it's no longer "owned" by them and is now out in public.

Ultimately, the decision is yours but do not feel that you have to delete their content. This is not a GDPR requirement.

What about members who haven't validated? They're technically not members but we're still holding their data!
No problem. The system does delete un-validated users and incomplete users automatically for you. You can even set the time delay for deletion in the ACP.

What about RECAPTCHA? I use this, and it technically collects some data!
Just add that you use this service to your privacy policy, like so:

Quote

Spam Protection
Google reCAPTCHA (Google Inc.)
Google reCAPTCHA is a SPAM protection service provided by Google Inc.
The use of reCAPTCHA is subject to the Google privacy policy and terms of use.

Personal Data collected: Cookies and Usage Data.

Place of processing: United States – Privacy Policy.

I see many companies emailing out asking for members to opt back in for bulk mail, do I need to do this?
Short answer: No.

Since Invision Community 4.0, you can only ever bulk email users that have opted in for bulk emails. There's no way around it, so there's nothing to ask them to opt-in for. They've already done it.

There is a tiny wrinkle in that pre 4.2.7, the opt-in was pre-checked as was the norm for most websites. Moving forward, GDPR asks for explicit consent, so this checkbox cannot be pre-ticked (and isn't in Invision Community 4.2.7 and later). However, the ICO is clear that if the email list has a legitimate interest, and was obtained with soft opt-in, then you don't need to ask again for permission.

What about notifications? They send emails!
Yes they do, but that's OK.

A notification is only ever sent after a user chooses to follow an item. This falls under legitimate interest.

There is also a clear way to stop receiving emails. The user can opt-in and opt-out of email as a notification device at their leisure.

Do I need to stop blocking embeds and external images?
No. The internet is based on cross-linking of things and sharing information. At a very fundamental level, it's going to be incredibly hard to prevent it from happening. Removing these engaging and enriching tools is only going to make your community suffer.

There's no harm in adding a few lines in your privacy policy explaining that the site may feature videos from Vimeo and Youtube as part of user contributions but you do not need to be worried. As stated earlier, GDPR isn't about sucking the fun out of the internet, it's about being responsible and transparent.

Phew.
Hopefully you've got a better understanding about how Invision Community can assist your GDPR compliance efforts.

The best bit of advice is to not panic. If you have any questions, we'd love to hear them. Drop us a line below.

Edited by Matt

Comments



3 hours ago, Charles said:

 … once a user posts content to the community that content is then owned by the community. 

I really doubt European experts said something like that. It’s just clearly wrong over here. Ownership of intellectual property cannot be transferred in Europe. Either community content isn’t intellectual property at all, e.g. a short comment. Then no one really owns it. Or it is intellectual property, e.g. a gallery picture the user has taken himself or an article or article-like forum post. In this case the intellectual property is owned by the creator for life (and his family for a certain time after his death). So the web provider will never “own the content”. Never! It’s legally impossible. The European creator can’t even give it up if he wanted to. What he can do is issue usage rights. And that is something that needs to be clarified in the terms—upfront.

Whether this type of “data” needs to be seen as part of the upcoming GDPR rules, well, that’s open for debate at this point it seems.

Edited by opentype

Link to comment

FWIW I agree on the interpretation from IPS on most points here. The only thing I'm a bit surprised by is that they don't provide retention settings for:

  • IP addresses
  • Account history 

Ironically, the "worth" of an IP address diminishes the longer it's stored, but I still feel this is one thing it would be appropriate to have a retention setting for. I will likely make a custom script for this in my case which will likely operate with two retention settings:

  • One for members who have NOT been warned and/or suspended the last year
  • One for members that have been warned and/or suspended the last year
Edited by TSP

Link to comment
22 hours ago, jair101 said:

I have a question about the access we provide to IPS support when troubleshooting is needed. Technically, the support has access to the database and to the personal information (emails at least) of all members. Are you planning to include an explicit clause in the relations between us (the customers) and you (the provider of the software) that when the IPS staff access ACP in our communities they don't have permissions to copy or export any kind of data?

  

I think I will solve this by limiting the ACP access for IPS to not be able to access the Members area and SQL Toolbox. Haven't checked, but hopefully there are such settings and fingers crossed I won't encounter any bugs in these sections. 

It will be much more graceful if IPS can simply include a line or two similar to: "We have access to your members data, but we will never save it, export it and download it. The access will be used strictly for troubleshooting purposes".

I don't think this request is over the top; a large chunk of Tapatalk's business model is hanging on poaching user data from the people that install their plugin.

Link to comment

@Matt

I highly appreciate your efforts with this blog post. Your writing shows a lot of common sense and from a website publisher's perspective I do fully agree.

But (and that's a big but) unfortunately the courts over in Europe have time and time again surprised us with their findings and the new law (and even the old data privacy laws within the separate EU member states) do not share that common sense.

While US Courts effectively can make laws, the courts over here can not. Each and every case is subject to interpretation of the written law and as you've noticed: the law is far from being exact. I'd like to address a few flaws with the law and the effects on communities driven by IPS. As you I am not a lawyer but reside in the one country with the single most cease-and-desist orders in relation to online business, copyright infringement and intellectual property claims: Germany. Hallo und Guten Tag.

Let me go over the utilities the IPS suite now offers:

  • The right to be informed
    • Thank you - the cookie bar was long overdue
  • Right to DELETE
    • This is an unbelievably tricky subject. Reading through the comments and even your post about an EU customer I wonder if anyone has ever read the laws on intellectual property (over in Europe).
      If any part of anything I post here or in any other online community reaches the threshold of originality ("Schöpfungshöhe") it is automatically protected by a copyright law. (If you stretch the interpretation to its limits even this post right here could be covered since I aim to provide helpful information.) This copyright never expires and is not transferable to anyone else. Your original content will always be yours. The only way for a website publisher to keep the more creative posts of former users is, if those users have transferred non-restricted usage rights to the publisher.
    • The one and only way by law to have a copyright transferred from one person to another is by death of the original author.
    • So even if you delete a former member from the community and keep the posts you are not immune to the Abmahnung. Years and years later a relative who inherited the intellectual property of a deceased member of your community could come after you.
    • This is very very relevant when users are posting self-taken photographs or write fanfiction.
    • There are ways to transfer unrestricted usage rights via your terms of service and I strongly suggest anyone within the EU does implement those.
    • I haven't deleted anyone recently but I do recall that once deleted, the posts from a deleted member that then are logged under a "guest" name cannot be selected collectively afterwards. So if you delete a member and keep the posts there is no way to do a second cleansing if this specific idiot tries to make your life hard.
    • Also there's a requirement to inform any third parties about the deletion of a specific dataset. So if your community system transferred personal data to Facebook (status updates...) you need to inform Facebook about the deletion. There's an exemption if this would require a "high effort" but what that means is for the courts to decide
    • Suggestions to solve these issues:
      • Have users sign away usage rights during sign-up via a checkbox (like with the opt-in for emails)
      • Make posts of deleted members search-able afterwards in the ACP to get rid of them if needed

Another big issue I see is with IP addresses. While it is absolutely common sense that an IP address is NOT personal information, the courts ruled otherwise. Time and time again. I will spare you tons of links and just post this one about a ruling from Germany's highest court:

https://www.lto.de/recht/hintergruende/h/bgh-urteil-vizr13513-dynamische-ip-adressen-personenbezogene-daten-speicherung-internetseiten-bundesrepublik/

Within this ruling you find the following:

  • IP addresses in themselves, even dynamic ones, are personal data that need to be protected
  • While website publishers certainly have an interest to protect their infrastructure this interest only applies when there is a specific threat which is not the case during normal operations
  • All in all the IPs are NOT needed to serve the website to the visitor and therefore are not to be documented

Fun fact about this: the one that went to court was a member of a political party. The one he sued was the country Germany. The court ruled in his favor. The highest European court came to the very same conclusion in 2016.

Therefore we absolutely need an option to disable the collection of IP addresses and purge previously collected data. (since that's not new with the GDPR)

I recognize that you might be able to run a few db-queries to purge the IPs but since the GDPR requires companies to have a method description for all things related to IT this is not enough. Each tool used within your company's IT structure needs to be GDPR compliant on its own. Therefore the exclusion of IP address data collection has to be implemented within Invisionpower Software to be legal.

A few more features required in relation to GDPR:

  • An opt-in checkbox for the contact form that has to be checked before the user can send you his information with a disclaimer that tells the user that the information he sends will be stored and used to answer his question.
    • YES, this is f*cking obvious and seems totally retarded...
    • Needs to be documented...
  • An option to export all user data (posts, images, profile information) in a "standardized machine-readable form"
  • Each and every opt-in by a user has to be documented. IPS has implemented this for the opt-in for emails since every opt-in is now for a predefined specific purpose I'd argue that also the opt-ins for thread-updates, personal message etc. need to be gathered and documented.
  • Age verification (I saw this in previous version - does it still exist?)
  • ISP needs to provide a Data Processing Agreement - even if you do not host my communities your support can access them via an admin account for support. Therefore the agreement is needed.
    • I have attached a document in English from a large European hosting provider. Maybe that's of help to you.
    • I need one by May 24th.

 

Quote

I personally do not feel that public posts or personal messages constitute 'personal data'. I see that more like email address, age, address, credit card details, etc.

You're dead wrong here, sorry.

Quote

Probably. But there aren’t just the people working for the governments. It’s a common business model for private law firms to find legal problems on websites and send out formal warnings with a large fee. For those companies, the new regulations could be another gold rush. 

Hallo "Abmahnung". That's the real problem. I suspect tens of thousands of Abmahnungen will leave the fax machines on May 25th at 00:01 am.

Data Processing Agreement.pdf

Link to comment
9 hours ago, Charles said:

We have been told repeatedly by clients in the EU with very large legal teams that GDPR does not apply to content posted. 

Hi @Charles I'm worried by this statement, this is factually wrong. I assume that IPB haven't engaged their own lawyer. The creator owns the content. There was a very famous case recently of a monkey winning a copyright claim over the photographer, as it was the monkey who took the selfie. It didn't matter that the photographer owned all the equipment and set it up.

Look at what Wordpress are doing to allow export for blog posts and comments etc, look at what Facebook have done to allow you to download everything.

Let's just say you're right about the forum posts. We still need this functionality for address, email, contact info, subscription dates, private messages.

 

 

Link to comment
1 hour ago, asigno said:

Hi @Charles I'm worried by this statement, this is factually wrong. I assume that IPB haven't engaged their own lawyer. The creator owns the content. There was a very famous case recently of a monkey winning a copyright claim over the photographer, as it was the monkey who took the selfie. It didn't matter that the photographer owned all the equipment and set it up.

Look at what Wordpress are doing to allow export for blog posts and comments etc, look at what Facebook have done to allow you to download everything.

Let's just say you're right about the forum posts. We still need this functionality for address, email, contact info, subscription dates, private messages.

 

 

No, the monkey did not win the copyright claim.

Link to comment
6 minutes ago, Aaron M said:

Thanks for the correction. I feel my point still stands though, in that this went through the courts for years over the monkey owning the content. It wasn’t easily dismissed for a non human. 

We’d never win a case of us owning a real human’s post content on our forums.

Link to comment
4 minutes ago, Aaron M said:

First please note that this was not a European court. Second please consider why. The reason the court had to award the victory to the photographer is because copyright law does not extend by definition to animals. If this case would be tried in a German court the image would be public domain since it was taken by an entity (the ape) that is not able to take credit for a creative act.

This being said, it was a bad example for a valid point in regards to the GDPR

Link to comment
2 minutes ago, DReffects2 said:

First please note that this was not a European court. Second please consider why. The reason the court had to award the victory to the photographer is because copyright law does not extend by definition to animals. If this case would be tried in a German court the image would be public domain since it was taken by an entity (the ape) that is not able to take credit for a creative act.

This being said, it was a bad example for a valid point in regards to the GDPR

I'm not disputing that. I corrected his fallacy since the point is immaterial.

Link to comment

I’m sorry for not checking the facts before posting. I didn’t want to divert this away from the GDPR. 

Let's get this back on track.

Do we need functionality for users to export their data? If so what data needs to be exportable?

Link to comment

More information will be made available about our position with regards to the GDPR in the next day or so and a few more provisions are being added to the software (this will be detailed more in the upcoming post) by the implementation deadline. Beyond that, I'd ask that you slow the roll so-to-speak on personal interpretations and armchair legalese for there is no need to get worked up into a frenzy. Much like Y2K when everyone thought the world was going to end, the power grid was going to shut down and we'd be left with a smoking pile of circuitry ashes - I assure you, May 26th will be uneventful and we will all carry on as normal - just with some additional data processing safeguards. The regulations will be further interpreted, tested via case law and the world (including IPS) will adapt accordingly. In the interim, please relax and wait for our next update this week. It should address the remaining concerns we've interpreted and determined to be valid. 

As an aside, the software does not prevent you from controlling content. It is not our position nor that of the numerous experts we've consulted with that contributed content to a public community-centric entity constitutes personal information in accordance with the GDPR. If you believe otherwise, the software allows you to delete that content upon receipt of a right to erasure request from a data subject. You can also include in your terms and conditions (which you can require your users to accept) verbiage that addresses copyright, if you so desire. All of this is your decision based on your (and ideally, your legal expert's) individual interpretation of applicable laws - we are just providing baseline tools based on our interpretation. 

Please stay tuned while we further address your GDPR concerns such as obtaining technical support, data portability, etc. 

Link to comment
2 hours ago, Lindy said:

I assure you, May 26th will be uneventful and we will all carry on as normal

Please consult a German or at least EU-based lawyer about this and take this matter more seriously.

Receiving and paying for an "Abmahnung" is day-to-day business over here. Such cases do not need to be brought to court, in fact that's the whole point of the Abmahnung. An arbitrary "competitive relationship" is enough to get one of these letters - more than often there's no way to defend against this without risking a huge amount of money in court.

Fees and costs are determined by LAW by a fictional litigious value with the lowest of values starting at 10.000-20.000 EUR which results in about 700-1.200 EUR in legal fees you have to pay to your lawyer AND the lawyer of the opposition. This is per incident.

Bringing this to court to defend yourself would result in even more costs for the first court instance alone. Taking the "usual" 50.000 EUR litigious value this brings you to:

That's about 11.300 USD of risk for defending against a bogus claim. That's why most of the time it's common sense to pay for the Abmahnung after a little bit of negotiating.

During the last 15 years running a small company I was subject to seven Abmahnungen. While two of them raised valid points the rest were based on the kind of bullsh*t laws we have and purely for the sake of profit.

The last one I got was for calling myself the manager of my company. Which technically is not true since I am a "sole proprietor" with two employees and therefore no "company" with its own juristic person exists. So legally there is no "company" and since there's no manager or CEO does not exist - so you get an Abmahnung. This one alone cost me 1.250 EURO and it makes no common sense because within common German language use you simply call yourself the manager or CEO of your company. There actually are not even different German words for my position in my own uhm... company available in the dictionary. By law I am allowed to call myself "Sole proprietor" on my business card. But no one does that because it sounds rather stupid and a bit untrustworthy. I could run a Fortune 500 company and not be allowed to be the "CEO" or "Manager" of that company as long as the legal status is the one of a sole proprietor. If someone from the competition calls you and asks you "are you the boss" and you answer with "yes" you'll get an Abmahnung due to "competitive distortion". Makes no sense at all.

The German trade association IHK is currently warning about a new wave of Abmahnungen because they do know about crooked lawyers. There's a whole business structure here. Competitive distortion will be the number one claim starting May 25th.

2 hours ago, Lindy said:

You can also include in your terms and conditions (which you can require your users to accept) verbiage that addresses copyright, if you so desire. All of this is your decision based on your (and ideally, your legal expert's) individual interpretation of applicable laws

My legal experts tell me: If the tool you are using is in itself not GDPR compliant the outcome of your undertaking is not GDPR compliant. While I am most certainly able to include tons of stuff within my terms and conditions those do NOT have legal binding due to their unexpected nature and therefore are void. (See https://dejure.org/gesetze/BGB/305c.html )

To be valid those unexpected terms and conditions have to be acknowledged individually by the user. This not only goes for all the intellectual property stuff but also for the new requirements of the GDPR. That's why I was asking for individual checkboxes during signup, commenting, contact forms etc.

The most pressing issue is a data processing agreement and the collection of personal data that's unnecessary (IP Addresses...). Please address that.

Thanks!

Link to comment
21 minutes ago, DReffects2 said:

The last one I got was for calling myself the manager of my company. Which technically is not true since I am a "sole proprietor" with two employees and therefore no "company" with its own juristic person exists. So legally there is no "company" and since there's no manager or CEO does not exist - so you get an Abmahnung. This one alone cost me 1.250 EURO and it makes no common sense because within common German language use you simply call yourself the manager or CEO of your company. There actually are not even different German words for my position in my own uhm... company available in the dictionary. By law I am allowed to call myself "Sole proprietor" on my business card. But no one does that because it sounds rather stupid and a bit untrustworthy. I could run a Fortune 500 company and not be allowed to be the "CEO" or "Manager" of that company as long as the legal status is the one of a sole proprietor. If someone from the competition calls you and asks you "are you the boss" and you answer with "yes" you'll get an Abmahnung due to "competitive distortion". Makes no sense at all.

 

It makes perfect sense and you even gave the explanations. Your imprint provides information legally necessary, so of course they need to be correct. If you intentionally or unintentionally make your business appear bigger than it actually is, then that is indeed “competitive distortion”. You registered your business. You know what it is and you can put that on your websites. And as business owner you have the responsibility to know about these issues. So you made a mistake and you paid for it. And all that has nothing to do with GDPR …

Link to comment
1 hour ago, opentype said:

It makes perfect sense and you even gave the explanations. Your imprint provides information legally necessary, so of course they need to be correct. If you intentionally or unintentionally make your business appear bigger than it actually is, then that is indeed “competitive distortion”. You registered your business. You know what it is and you can put that on your websites. And as business owner you have the responsibility to know about these issues. So you made a mistake and you paid for it. And all that has nothing to do with GDPR …

My imprint is and was correct. I do not claim to be something I am not in the imprint.

I was served because I declared myself the "Geschäftsführer" while using common language in a blog entry.

You honestly do think that a CEO of a company with thousands of employees is not allowed to call himself the "boss" in letters and E-Mails? Do you recall the Schlecker drug stores? Anton Schlecker was a sole proprietor,  he employed 36.000 people. He was not allowed to call himself "Manager" or "CEO" on his business cards despite being the boss.

I do employ two people. I consider myself their boss. My employees think of me as their boss. I am not allowed to call myself boss on paper. I specifically chose this example to demonstrate how complex and misleading EU and German law can be at times. And this exact problem also exists with the official translation of the EU GDPR law. It is not exact in any way, at times very misleading and up for interpretation and in lots of instances fails to apply common sense.

Take the requirement for a dedicated opt-in checkbox for contact forms. Everyone knows that if you submit data via a contact form it gets stored in order to provide an answer to your question - just like everyone knows that if you employ people you are their boss. Yet the interpretation of the law requires you to point out the obvious. If you do not, you can be in legal trouble.

1 hour ago, Matt said:

Yes, I think we're wandering down a different path now.

The new blog will be up in about 5 minutes. 

A little bit perhaps. I just wanted to raise awareness on the at times strange laws here. Looking forward to your new blog!

 


Thanks Charles and co for bringing some focus and much needed perspective to the discussion. The intellectual property rights of photographed monkeys aside, it's really interesting to read the viewpoints and interpretations here but, as always, a little knowledge is a dangerous thing.

In the UK, the ICO has been inviting questions and answering them on GDPR for quite some time, some of the points and questions here, they really should have in their FAQs. 

Looking forward to reading the mentioned IPS update.

 

16 hours ago, TSP said:

FWIW I agree on the interpretation from IPS on most points here. The only thing I'm a bit surprised by is that they don't provide retention settings for:

  • IP addresses
  • Account history 

The account history is actually a particular case where we need to keep some IP addresses indefinitely (the ones that are associated with "consents").

11 hours ago, DReffects2 said:

Therefore we absolutely need an option to disable the collection of IP addresses and purge previously collected data. (since that's not new with the GDPR)

I recognize that you might be able to run a few db-queries to purge the IPs but since the GDPR requires companies to have a method description for all things related to IT this is not enough. Each tool used within your company's IT structure needs to be GDPR compliant on its own. Therefore the exclusion of IP address data collection has to be implemented within Invisionpower Software to be legal.

I disagree that you need to completely disable IP address collection (or even anonymize all IP addresses before storing them).

Recital 49 says:

Quote

The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security [...] constitutes a legitimate interest of the data controller concerned.

This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping 'denial of service' attacks and damage to computer and electronic communication systems.

Storing IP addresses for a limited amount of time (a few months) is a perfectly proportionate measure to be able to investigate a security incident or block brute force attempts, for example. This is something you cannot simply enable after the fact, so you need to collect them under normal operation.

There are also IP addresses such as the ones that are part of the proofs of consent, which you likely want to store indefinitely, and here I guess you can use "compliance with a legal obligation" as legal basis.  You would only delete those IP addresses if you deleted the member account.

This may be a delicate subject, though.  I'm aware that German law has been traditionally more protective of IP addresses than some other European countries.

35 minutes ago, DReffects2 said:

To be valid those unexpected terms and conditions have to be acknowledged individually by the user. This not only goes for all the intellectual property stuff but also for the new requirements of the GDPR. That's why I was asking for individual checkboxes during signup, commenting, contact forms etc.

I'm not sure if this is what you are asking for, but I would say that having a feature that allowed admins to define custom consent checkboxes, which would be logged in user history in the same way as newsletter consents, would be very useful.

1 minute ago, ptprog said:

I disagree that you need to completely disable IP address collection (or even anonymize all IP addresses before storing them).

I based my writing on the rulings of the European high court and BGH (Germany's highest court). Due to these rulings Google has implemented the anonymize_ip function in Google Analytics. German providers offer the option to truncate the last 3 digits in weblogs as well.

Logic behind the ruling was that you are not allowed to store unless there is an actual threat against your server. Crime prevention by globally logging IPs is not what the court wants. No Minority Report dystopia in the EU.

6 minutes ago, ptprog said:

I'm not sure if this is what you are asking for, but I would say that having a feature that allowed admins to define custom consent checkboxes, which would be logged in user history in the same way as newsletter consents, would be very useful.

Read about it here: https://ninjaforms.com/gdpr-compliance-wordpress-forms/

Quote

1. Request Consent

Explicit consent has to be obtained before data collection can take place. In other words, before the user submits the form. They must be made aware that this form is collecting personal data with the intent to store that data. You’re also responsible for letting the user know how that data will be stored and used. Don’t sweat, it’s easier than it sounds.

This explicit consent also applies to many non GDPR-related agreements - at least in most EU countries - in regards to intellectual property. An individual cannot sign away usage rights for their content by accepting a 30 page "Terms of Service" document as these clauses are deemed "surprising" and therefore void. This is why many agreements require a more explicit form of consent to be credible.

21 minutes ago, DReffects2 said:

You honestly do think that a CEO of a company with thousands of employees is not allowed to call himself the "boss" in letters and E-Mails? Do you recall the Schlecker drug stores? Anton Schlecker was a sole proprietor,  he employed 36.000 people. He was not allowed to call himself "Manager" or "CEO" on his business cards despite being the boss.

We are going around in circles. He and you must put the legally correct term on his business card. That’s neither hard to understand, nor hard to do. If you are a sole proprietor, you are a sole proprietor. If you are the CEO, you’re the CEO. If your business type cannot have a CEO, you can’t call yourself that. 

Equating any of these legal terms with the colloquial “boss” is not correct, but that is the entire foundation of your argument. 

21 minutes ago, DReffects2 said:

Take the requirement for a dedicated opt-in checkbox for contact forms. Everyone knows that if you submit data via a contact form it gets stored in order to provide an answer to your question …. Yet the interpretation of the law requires you to point out the obvious.

This is also NOT correct, as I clarified before

9 minutes ago, opentype said:

This is also NOT correct, as I clarified before

That would be great, yet data privacy advisers tell me to do so. I'd like to think that I am better off with a checkbox. I do not want to be the one who has to go through all court instances and spend a fortune to prove that to be right.

eRecht24, one of the most respected online services for data privacy, advises you to implement a checkbox opt-in:
https://www.e-recht24.de/news/abmahnung/10651-abwarnung-kontaktformulare-einwilligung.html

I've seen alternating posts that say that no explicit opt-in for contact forms is required but still a notification directly above the "submit" button that gives notice to the usage of your data. That's also an option that is not available in IPS software.

19 minutes ago, opentype said:

Equating any of these legal terms with the colloquial “boss” is not correct, but that is the entire foundation of your argument. 

You might have guessed it, but English is not my native language. The term in question in Germany was "Geschäftsführer" which can be translated as "boss", "manager", "ceo" and a few others. If I talk to potential customers on the phone they ask me if I am the "Geschäftsführer" and I answer yes. Because in a common usage of language I am. In legal terms I am not.

1 minute ago, opentype said:

Yes, since the privacy policy is linked from any page anyway. 

Here is one for you in your language:

https://www.datenschutz-guru.de/braucht-mein-kontaktformular-jetzt-eine-checkbox/

 

I know about this podcast. He's among the very few people who actually advise in this direction. And I guess if I get an Abmahnung and send him the bill he is not willing to pay for it.

If just having a privacy policy link in the footer is enough - why have all the major law firms, state operated sites and large companies either removed their contact forms or implemented a checkbox and/or dedicated data privacy notice above the submit button?

I'd love nothing more than to be wrong about this. I simply don't see how to protect myself with IPS software at this moment in time.

1 hour ago, ptprog said:

The account history is actually a particular cases where we need to keep some IP addresses indefinitely (the ones that are associated with "consents").

But other parts of account history are unnecessary.

For example, do you need to know that someone changed from mypreviousmail@myjob.com to unemployednow@yahoo.com for a year? You are perfectly able to make a good argument for keeping such entries for some months after the member changed it, but you're really stretching it when it goes beyond a year for some of the information they store to account history now. 

Edited by TSP

2 hours ago, DReffects2 said:

I based my writing on the rulings of the European high court and BGH (Germany's highest court). Due to these rulings Google has implemented the anonymize_ip function in Google Analytics. German providers offer the option to truncate the last 3 digits in weblogs as well.

Logic behind the ruling was that you are not allowed to store unless there is an actual threat against your server. Crime prevention by globally logging IPs is not what the court wants. No Minority Report dystopia in the EU.

My understanding of the European Court decision is that not only it decided that IP addresses are personal data, but also said that the German law limitations on storing personal data based on legitimate interest were not in accordance with the EU directive.

https://curia.europa.eu/jcms/upload/docs/application/pdf/2016-10/cp160112en.pdf

Quote

The operator of a website may have a legitimate interest in storing certain personal data relating to visitors to that website in order to protect itself against cyberattacks.

[...]

Second, the Court states that EU law precludes the legislation of a Member State under which an online media services provider may collect and use a visitor’s personal data, without his consent, only to the extent that it is necessary to facilitate and invoice the specific use of services by that visitor, so that the objective aiming to ensure the general operability of those services cannot justify the use of such data after those services have been accessed.

The Court recalls that, according to EU law, the processing of personal data is lawful, inter alia, if it is necessary to achieve a legitimate objective pursued by the controller, or by the third party to which the data are transmitted, provided that the interest or the fundamental rights and freedoms of the data subject does not override that objective.

The German legislation, as interpreted by the majority of legal commentators, reduces the scope of that principle, by excluding the possibility of balancing the objective of ensuring the general operability of online media against the interest or the rights and freedoms of visitors.

In that context, the Court emphasises that the Federal German institutions, which provide online media services, may have a legitimate interest in ensuring the continued functioning of their websites which goes beyond each specific use of their publicly accessible websites.

This latter part has been interpreted by some as meaning you can store the IP addresses for some time based on legitimate interest.  It is also my interpretation, but I'm not a lawyer.

1 hour ago, TSP said:

But other parts of account history are unnecessary.

For example, do you need to know that someone changed from mypreviousmail@myjob.com to unemployednow@yahoo.com for a year? You are perfectly able to make a good argument for keeping such entries for some months after the member changed it, but you're really stretching it when it goes beyond a year for some of the information they store to account history now. 

I agree.  I was just stressing that the rules to keep personal information may be tricky to define, as there is some information that needs to be retained for longer periods, and that information may not be properly "isolated".

Edited by ptprog
