DReffects2

Members
  • Posts: 612
Reputation Activity

  1. Like
    DReffects2 got a reaction from Markus Jung in Your GDPR questions answered   
    @Matt
    I highly appreciate your efforts with this blog post. Your writing shows a lot of common sense and from a website publisher's perspective I do fully agree.
    But (and that's a big but) unfortunately the courts over in Europe have time and time again surprised us with their findings and the new law (and even the old data privacy laws within the separate EU member states) do not share that common sense.
    While US Courts effectively can make laws, the courts over here cannot. Each and every case is subject to interpretation of the written law and as you've noticed: the law is far from being exact. I'd like to address a few flaws with the law and the effects on communities driven by IPS. Like you, I am not a lawyer, but I reside in the one country with the single most cease-and-desist orders in relation to online business, copyright infringement and intellectual property claims: Germany. Hallo und Guten Tag.
    Let me go over the utilities the IPS suite now offers:
    • The right to be informed: Thank you - the cookie bar was long overdue.
    • Right to DELETE
    This is an unbelievably tricky subject. Reading through the comments and even your post about an EU customer I wonder if anyone has ever read the laws on intellectual property (over in Europe).
    • If any part of anything I post here or in any other online community reaches the threshold of originality ("Schöpfungshöhe") it is automatically protected by a copyright law. (If you stretch the interpretation to its limits even this post right here could be covered since I aim to provide helpful information.)
    • This copyright never expires and is not transferable to anyone else. Your original content will always be yours.
    • The only way for a website publisher to keep the more creative posts of former users is if those users have transferred non-restricted usage rights to the publisher.
    • The one and only way by law to have a copyright transferred from one person to another is by death of the original author.
    • So even if you delete a former member from the community and keep the posts you are not immune to the Abmahnung. Years and years later a relative who inherited the intellectual property of a deceased member of your community could come after you. This is very very relevant when users are posting self-taken photographs or write fanfiction.
    • There are ways to transfer unrestricted usage rights via your terms of service and I strongly suggest anyone within the EU does implement those.
    • I haven't deleted anyone recently but I do recall that once deleted, the posts from a deleted member that then are logged under a "guest" name cannot be selected collectively afterwards. So if you delete a member and keep the posts there is no way to do a second cleansing if this specific idiot tries to make your life hard.
    • Also there's a requirement to inform any third parties about the deletion of a specific dataset. So if your community system transferred personal data to Facebook (status updates...) you need to inform Facebook about the deletion. There's an exemption if this would require a "high effort" but what that means is for the courts to decide.
    Suggestions to solve these issues:
    • Have users sign away usage rights during sign-up via a checkbox (like with the opt-in for emails)
    • Make posts of deleted members searchable afterwards in the ACP to get rid of them if needed
    Another big issue I see is with IP addresses. While it is absolutely common sense that an IP address is NOT personal information, the courts ruled otherwise. Time and time again. I will spare you tons of links and just post this one about a ruling from Germany's highest court:
    https://www.lto.de/recht/hintergruende/h/bgh-urteil-vizr13513-dynamische-ip-adressen-personenbezogene-daten-speicherung-internetseiten-bundesrepublik/
    Within this ruling you find the following:
    • IP addresses in themselves, even dynamic ones, are personal data that need to be protected
    • While website publishers certainly have an interest to protect their infrastructure this interest only applies when there is a specific threat which is not the case during normal operations
    • All in all the IPs are NOT needed to serve the website to the visitor and therefore are not to be documented
    Fun fact about this: the one that went to court was a member of a political party. The one he sued was the country Germany. The court ruled in his favor. The highest European court came to the very same conclusion in 2016.
    Therefore we absolutely need an option to disable the collection of IP addresses and purge previously collected data. (since that's not new with the GDPR)
    I recognize that you might be able to run a few db-queries to purge the IPs but since the GDPR requires companies to have a method description for all things related to IT this is not enough. Each tool used within your company's IT structure needs to be GDPR compliant on its own. Therefore the exclusion of IP address data collection has to be implemented within Invisionpower Software to be legal.
    A few more features required in relation to GDPR:
    • An opt-in checkbox for the contact form that has to be checked before the user can send you his information with a disclaimer that tells the user that the information he sends will be stored and used to answer his question. YES, this is f*cking obvious and seems totally retarded... Needs to be documented...
    • An option to export all user data (posts, images, profile information) in a "standardized machine-readable form". See the right of transfer (§20 GDPR) https://www.datenschutz-grundverordnung.eu/grundverordnung/art-20-ds-gvo/
    • Each and every opt-in by a user has to be documented. IPS has implemented this for the opt-in for emails. Since every opt-in is now for a predefined specific purpose I'd argue that also the opt-ins for thread-updates, personal message etc. need to be gathered and documented.
    • Age verification (I saw this in previous version - does it still exist?)
    • IPS needs to provide a Data Processing Agreement - even if you do not host my communities your support can access them via an admin account for support. Therefore the agreement is needed. I have attached a document in English from a large European hosting provider. Maybe that's of help to you. I need one by May 24th.
    You're dead wrong here, sorry.
    Hallo "Abmahnung". That's the real problem. I suspect tens of thousands of Abmahnungen will leave the fax machines on May 25th at 00:01 am.
    Data Processing Agreement.pdf
  2. Like
    DReffects2 reacted to Charles in How Invision Community's tools can help with GDPR compliance   
    This blog entry is almost 6 months old - check our latest updates on GDPR.
  3. Like
    DReffects2 got a reaction from MeMaBlue in How Invision Community's tools can help with GDPR compliance   
    I am missing an option to export all user data in a standardized format as required by EU law...
    There are a bunch of websites I run for cities that are powered by invisionpower. Will there be a fully GDPR compliant version by May 25th or does invisionpower choose to abandon all EU customers?
  4. Like
    DReffects2 reacted to O9C4 in How Invision Community's tools can help with GDPR compliance   
    Invision Community © 2018 IPS, Inc. must have a lot of European customers, doesn't it? So you must be preoccupied with GDPR for your terms & policy too, as all of us here are, or not?
    I apologize in advance, but I still do not understand what to do and how to prepare for the 25th of May.
    To copy someone else's (IPS for example) GDPR policy to my site would be great and easy for me, and it is all I can do as a noob admin.
  5. Like
    DReffects2 got a reaction from Haku2 in Pages Improvements   
    SUPERB!
    So does the new relational field thingy now support importing a 3.x database with relational fields and does it have all the features of the 3.x field?
  6. Like
    DReffects2 got a reaction from sobrenome in Pages Improvements   
    SUPERB!
    So does the new relational field thingy now support importing a 3.x database with relational fields and does it have all the features of the 3.x field?