1. Is this forum prepared for the GDPR?

At jimcbrown's request, I've returned to the forum to discuss the effect of the GDPR on this forum.

For those who aren't familiar, the GDPR is a new regulation in the European Union that takes effect this May. It encompasses a wide ranging set of new rules on how personally identifying information is to be used. I imagine that this forum, which is open to the entire world, has at least a few users in the European Union. This means that the GDPR applies to us.

Yes, even if we're mostly Americans and the forum is hosted in America, the rules still apply.

Right now, we are collecting personally identifiable information and displaying it publicly. A person's name and location are optional, but if provided they are shared.

We also collect email addresses, which are required to sign up. Even though these aren't displayed publicly, policies to discuss how this data is retained and used are needed; as well as how this information can be deleted.

There might be other personally identifying information being collected (such as IP addresses) and policies need to include that as well.

Also, the GDPR requires that we appoint a privacy officer. We need to start figuring out what needs to get done, and then do it.

Discuss.

2. Re: Is this forum prepared for the GDPR?

ABC said...

Also, the GDPR requires that we appoint a privacy officer. We need to start figuring out what needs to get done, and then do it.

LOL! "The GDPR requires..." I don't care what some European regulation "requires."

This is a non-issue for OpenEuphoria.

3. Re: Is this forum prepared for the GDPR?

European regulation applies to Europe only. Europeans don't want to rule the world.

Just remember Euphoria is not US only. Members come from different parts of the world.

Jean-Marc

4. Re: Is this forum prepared for the GDPR?

I am currently dealing with GDPR for my practice. This is a non-EU-based forum, and GDPR does not apply. What Europeans choose to do in the rest of the world is entirely at their own risk. If OpenEuphoria traded with the EU, or had a base in the EU, then in order to do so it would be bound by EU regulations, which would include complying with GDPR. Hence why Amazon and Google etc. are updating their privacy policies.

Cheers

Chris

5. Re: Is this forum prepared for the GDPR?

I fully agree. What I meant by "Just remember Euphoria is not US only" is to avoid US-centric members showing contempt for people around the world.

Regards

Jean-Marc

6. Re: Is this forum prepared for the GDPR?

ABC said...

At jimcbrown's request, I've returned to the forum to discuss the effect of the GDPR on this forum.

stamp of approval

7. Re: Is this forum prepared for the GDPR?

Following on from Jim's response to http://www.theregister.co.uk/2018/04/27/europe_icann_whois_gdpr/ via the admins email system, ICANN has data centres and controllers in the EU, and is thus bound by the EU GDPR, for those whose data it holds from the EU. It's a hideously complicated situation, and may well end up with ICANN's WHOIS database only being available to non-EU countries, and only for those who are not EU citizens. In my view this is an utterly draconian policy set, created by a set of non-elected bureaucrats (while I am sure well meaning) in order to justify their own existence. It has got companies all over the EU panicking that they are not going to comply or be able to comply in time. It applies to the smallest one- or two-man companies up to the largest multinational companies that trade within the EU. The extent of it is such that unless an individual agrees to being contacted by email before they are contacted, then that could be a breach of the GDPR, and medical companies, veterinary surgeries, physiotherapists, doctors etc., may not be able to keep medical records unless patients consent to it, i.e. they will all have to be contacted in some way first in order to obtain their permission to keep their data and medical records on file, and to contact them for (e.g.) vaccination reminders and the like.

Back to the original post - GDPR does not apply to companies outside the US that do not trade or have a base within the EU, and as such the OpenEuphoria forum that has a US base (and as far as I know, does not have an EU base) does not need to comply with the regulations.

Cheers

Chris

8. Re: Is this forum prepared for the GDPR?

ChrisB said...

It applies to the smallest one- or two-man companies

GDPR does not apply to companies outside the US that do not trade or have a base within the EU,

We don't have a company. As I understand it, the forum is hosted on a VPS and the database with the relevant information is on it. The VPS is in euphoric's name. So technically, the forum is owned by a single private person.

Does it make a difference if it's a private individual rather than a company that has been formally set up (as an incorporated company, limited partnership, sole proprietor, etc.)? Or would euphoric theoretically be liable for the full $24.5 million US dollar fine if the forum hypothetically did trade with the EU?

ChrisB said...

and as such the OpenEuphoria forum that has a US base (and as far as I know, does not have an EU base) does not need to comply with the regulations.

We have users in the past such as jacques_desch and former dev team member CChris who are based in France, and andi49 in Germany.

We retain their account information even though they don't use the forum. This is what concerned me.

ChrisB said...

What europeans choose to do in the rest of the world is entirely at their own risk.

But if that European is in Europe when it happens ... I guess my question is, if a person with EU citizenship, while residing in and physically present in Europe at the time, signs up to our website - does the GDPR apply to us then?

Does allowing EU citizens in the EU to sign up on the forum count as doing trade within the EU?

Or does this instead fall under the category of a person choosing 'entirely at their own risk' to do something 'in the rest of the world' ?

9. Re: Is this forum prepared for the GDPR?

jmduro said...

European regulation applies to Europe only.

I don't believe this is correct.

Here's what cPanel has to say about the issue.

cPanel blog said...

https://blog.cpanel.com/general-data-protection-regulation-and-cpanel/

Although cPanel is a U.S. company, the GDPR applies to personal information about individuals in Europe regardless of whether that information is located in Europe or elsewhere.

Here's what XDA has to say about the issue.

XDA forum said...

https://www.xda-developers.com/what-is-gdpr-developers-users-eu/

Every single business, from a large corporation to an indie app developer, based in the EU or operates with personal information of EU residents must conform to the regulation or face the [very harsh] consequences.

Even if you're based in the U.S. or elsewhere, you'll feel its shock waves [...] in the coming months.

Here's a good blog post about the issue.

BlueVenn blog post said...

https://www.bluevenn.com/blog/gdpr-outside-the-eu

Should you care about GDPR if you're outside the European Union?

GDPR rules will apply to you if you store, process or share EU citizens' personal data.

jmduro said...

Just remember Euphoria is not US only. Members come from different parts of the world.

This is the problem. Unless the forum wants to say 'NO' to European members, this can't be ignored.

10. Re: Is this forum prepared for the GDPR?

euphoric said...

LOL! "The GDPR requires..." I don't care what some European regulation "requires."

This is a non-issue for OpenEuphoria.

Ok. At least consider this.

Spiceworks Community said...

https://community.spiceworks.com/topic/2007530-how-the-eu-can-fine-us-companies-for-violating-gdpr

for U.S. companies that aren't tech titans like Google or Facebook, there's a common question: How exactly are EU regulators going to come after us?

How does an EU regulator fine a U.S. company under an EU law that has no analogue in the U.S.?

"There has [...] been long term and increasing enforcement cooperation between U.S. and EU data protection authorities,"

The bottom line: EU regulators can fine U.S. companies for violating GDPR, and they can do it with the help of U.S. authorities.

Also consider this.

FileMaker Community said...

https://community.filemaker.com/thread/181222

What are the realistic penalties for companies outside the EU that do not comply?

EU regulators rely on international law to issue fines.

"EU authorities have been aggressively pursuing data protection enforcement actions against U.S. companies [...] for a number of years."

11. Re: Is this forum prepared for the GDPR?

The GDPR protects European citizens against commercial usage or inappropriate use of their private data.

Does OpenEuphoria sell users' data? No. Does OpenEuphoria register sensible user data? No. So don't worry about the GDPR!

Jean-Marc

12. Re: Is this forum prepared for the GDPR?

If a US (and we'll use US to encompass the rest of the non-EU world too) company has a base or office within the EU, then that company must be bound by the GDPR.

If a company does not have a base or office within the EU, but trades with the EU, then it is likely that that company will need to be GDPR compliant in order to continue to trade with the EU.

If the company has neither a base within the EU, and does not trade with the EU, then they do not have to be GDPR compliant. If a US company sells stuff to individuals within the EU, but has no trade agreement, then the company will not have to comply with the GDPR, but will have to comply with local data protection legislation. However, if there is a data leak, then the local regulations will kick in, or if the GDPR police decide to chase the company, then they will have to do it with the co-operation of the local agencies.

If EU companies (that are bound to GDPR) do business with US companies then the onus is on the EU companies to ensure that any data handling shared with the US company is GDPR compliant - it is the EU company that the GDPR police will come after, hence enforcing the policing of GDPR by EU companies.

The bottom line is no one is really too sure what is going to be the implications for international companies. I suspect that companies that do a lot of trade with the EU will ensure that they make efforts toward GDPR for simple market financial reasons, and those that don't, or only deal with individuals on an ad hoc basis won't.

If the web host has any offices within the EU, then I suspect that they will need to become GDPR compliant; otherwise, I suspect that most won't bother, and rely on the local regulations. It would probably be wise for the forum to post an acceptance of terms and conditions, and an understanding that any data that is shared here is done so at their own risk, and that the data is held not in the EU, and as such subject to local regulations.

Cheers

Chris

13. Re: Is this forum prepared for the GDPR?

jmduro said...

Does OpenEuphoria register sensible user data? no.

No? So no one's email addresses, IP addresses, real names are being registered?

Are you sure?

14. Re: Is this forum prepared for the GDPR?

ChrisB said...

The bottom line is no one is really too sure what is going to be the implications for international companies.

This is exactly the problem.

ChrisB said...

If a company does not have a base or office within the EU, but trades with the EU, then it is likely that that company will need to be GDPR compliant in order to continue to trade with the EU.

If the company has neither a base within the EU, and does not trade with the EU, then they do not have to be GDPR compliant.

This is complicated. It seems like it should not count as trade if there is no money involved and no profit-making.

ChrisB said...

If a US company sells stuff to individuals within the EU, but has no trade agreement, then the company will not have to comply with the GDPR,

This is contrary to the legal advice that I have received. That should count as trade because goods and money are exchanged on a for-profit basis, and fall under the GDPR because it is trade with the EU.

ChrisB said...

but will have to comply with local data protection legislation.

By local, do you mean US legislation or EU member state legislation? For example if a German user signed up for the forum, the forum would then need to comply with local German data protection legislation, correct?

ChrisB said...

It would probably be wise for the forum to post an acceptance of terms and conditions, and an understanding that any data that is shared here is done so at their own risk, and that the data is held not in the EU, and as such subject to local regulations.

The GDPR does not permit an implicit opt-in. The user must choose to opt in by manually clicking the appropriate check-box.

15. Re: Is this forum prepared for the GDPR?

Sensible data is: financial data, religion, MAC address.

The IP address, real name or email addresses are not considered as sensible data but may be subject to acceptance as Chris wrote. As far as they are not sold and not easily accessible (they should be stored in a safe way), there is no problem.

I had a course about the GDPR last week as I work for a telecom operator (but I forgot many details).

Jean-Marc

16. Re: Is this forum prepared for the GDPR?

jmduro said...

Sensible data is: financial data, religion, mac address.

So I thought you meant personal data. 'Sensible data' is not a legal term of art under the GDPR.

You are referring to the concept of sensitive personal data.

jmduro said...

The IP address, real name or email addresses are not considered as sensible data but may be subject to acceptance as Chris wrote.

They are not sensitive personal data, but they are still personal data.

TechGenix website said...

http://techgenix.com/personal-information-under-gdpr/

Linked personal data examples (directly linked to a person)

Full name

Email Address

Linkable personal types (combine to identify a person)

A portion of the address (country, street, postcode etc.)

IP address

jmduro said...

As far as they are not sold and not easily accessible (they should be stored in a safe way), there is no problem.

Ok. Are they being stored in a safe way?

Are they being collected in a manner that complies with the GDPR? That's important too.

17. Re: Is this forum prepared for the GDPR?

ABC said...

Also, the GDPR requires that we appoint a privacy officer.

I think we're good here.

https://www.lepide.com/blog/heres-what-you-need-to-know-about-gdpr-including-how-it-will-be-affected-by-brexit/ said...

organisations with over 250 employees are legally obligated to hire a data-protection officer (DPO).

We're not legally an organization. Even if we were, if you count every single owner and employee of RDS (Rob Craig's company) and every admin here, and every moderator, and every member of the dev team - past and current - you'd still not get to 250 people.

18. Re: Is this forum prepared for the GDPR?

Is there a need to store any personal data on this website? I think not.

All we need is a list of approved passwords that allow access to the website. A password does not have to be linked to any other information. Indeed, many passwords are linked to fake emails as it is.

We can not stop a password being assigned to a troll because they just invent a new fake email. If we insist on a real email then we increase the work the troll needs by a small amount. Without an email authentication it becomes too easy for robots to spam a website. But, no need to keep the email address.

Google knows, or at least tries very hard. When I first started using the Opera browser I got pages from Norway. Now that I have "location" turned off, Google reminds me to turn it back on, and tells me "I think you are in this city, and in this part of the city..." We are petty actors in comparison.

If we erase all personal data today then we should be prepared for GDPR.

_tom

19. Re: Is this forum prepared for the GDPR?

_tom said...

Is there a need to store any personal data on this website? I think not.

If we erase all personal data today then we should be prepared for GDPR.

Absolutely. This would definitively and completely solve the problem.

Just purge the database of email addresses, IP addresses, real names and locations. The last two show up on some users' profile pages.

_tom said...

All we need is a list of approved passwords that allow access to the website.

A password does not have to be linked to any other information.

A username too, I'd wager.

_tom said...

Without an email authentication it becomes too easy for robots to spam a website. But, no need to keep the email address.

This. This is perfect.

Be careful here though. From what I understand, GDPR requires an explicit opt-in before email messages can be sent.

For logs, I think just keeping the IP address in the web server logs until the logs roll over is good enough to resolve any problems with trolls or black-hat attackers. That complies with the GDPR as it falls under the legal obligation exception, where personal data can be collected and retained without consent when there is a legal obligation to do so.

20. Re: Is this forum prepared for the GDPR?

ABC said...
ChrisB said...

The bottom line is no one is really too sure what is going to be the implications for international companies.

This is exactly the problem.

ChrisB said...

If a company does not have a base or office within the EU, but trades with the EU, then it is likely that that company will need to be GDPR compliant in order to continue to trade with the EU.

If the company has neither a base within the EU, and does not trade with the EU, then they do not have to be GDPR compliant.

This is complicated. It seems like it should not count as trade if there is no money involved and no profit-making.

ChrisB said...

If a US company sells stuff to individuals within the EU, but has no trade agreement, then the company will not have to comply with the GDPR,

This is contrary to the legal advice that I have received. That should count as trade because goods and money are exchanged on a for-profit basis, and fall under the GDPR because it is trade with the EU.

ChrisB said...

but will have to comply with local data protection legislation.

By local, do you mean US legislation or EU member state legislation? For example if a German user signed up for the forum, the forum would then need to comply with local German data protection legislation, correct?

No, I meant locally where the business resides.

ABC said...
ChrisB said...

It would probably be wise for the forum to post an acceptance of terms and conditions, and an understanding that any data that is shared here is done so at their own risk, and that the data is held not in the EU, and as such subject to local regulations.

The GDPR does not permit an implicit opt-in. The user must choose to opt in by manually clicking the appropriate check-box.

Hi

I know, that's what I meant. But equally (and figure this one out), non-acceptance of terms and conditions, and non-storage of data should not be a bar to registering with a company. That's going to be fun with patient records.

The EU has just created a multi billion euro business, out of nothing. Best business plan ever.

Cheers

Chris

21. Re: Is this forum prepared for the GDPR?

Ugh. There's just so much to unpack here. Here's my take on all this. (Disclaimer: I am not a lawyer.)

  1. This is absurdly draconian and bureaucratic. These laws were clearly written by people who do not understand how the Internet works. Personal privacy is an extremely important ideal to me, so I want to do everything to support that, but this is ridiculous.

  2. We currently collect and store personal information from any number of EU residents (at least name, email, and IP address). So at the very least that makes us GDPR-adjacent. I think it would be wise to ensure we're GDPR compliant even if it's not required. Better safe than sorry, right?

  3. We do not use collected data for anything but use on this site. We do not share or sell information. We also have to keep your information if you've made any contributions to this site. We could anonymize any account requested to be deleted, such that you'd see posts from DELETED USER or some such.

  4. Anyone reading between the lines in some of my recent comments on other discussions will see that I've already been thinking about how to bake in GDPR compliance into a new website. But even if I had started all that a year ago, I still wouldn't have anything ready for the deadline next month.

  5. Adding to jimcbrown's comment about the total sum of "staff" we've ever had, I'd also estimate that the minimum fine of €20 million (~$24.3 million) is orders of magnitude more than the combined yearly incomes of all "staff" members, past and present.


All that being said, here's what I propose that we do to proceed. The first two steps should make us effectively compliant, even if we don't have to be.

  1. Set up a "GDPR Compliance" page listing how, why, and what information is collected for use on this site. List out the basic steps to request information and request to be deleted.

  2. Set up a written policy on how to handle a personal information request or request to be deleted. This is probably as simple as a few SQL queries. Dump info; send to user; done.

  3. Rebuild the entire website with GDPR in mind. Implement pseudonymization and automate personal data requests and account deleting. Better logging of website activity to help detect breaches, which must be reported under GDPR.


Again, not a lawyer. Kinda ticked off about the whole thing.

-Greg

22. Re: Is this forum prepared for the GDPR?

All good ideas, and don't blame you.

Chris

23. Re: Is this forum prepared for the GDPR?

ChrisB said...

No, I meant locally where the business resides.

Then you are most definitely wrong.

ChrisB said...

The EU has just created a multi billion euro business, out of nothing. Best business plan ever.

Again, wrong. A US company has shut down because of the GDPR.

Hacker News said...

https://news.ycombinator.com/item?id=16954306

StreetLend.com shuts down, citing GDPR regulations

24. Re: Is this forum prepared for the GDPR?

_tom said...

Is there a need to store any personal data on this website? I think not.

We can get away with forgetting about IP addresses after a period of time.

We need to retain pseudonyms (the usernames used to identify on the forum) and that's personal data under the GDPR.

_tom said...

But, no need to keep the email address.

We need to retain email addresses. This is the only way we can verify that it's the same user if that user forgets both the password and the secret answer.

_tom said...

If we insist on a real email then we increase the work the troll needs by a small amount.

Trolls are a different problem.

_tom said...

If we erase all personal data today then we should be prepared for GDPR.

That would be nice and easy. But it's not possible.

ABC said...

Be careful here though. From what I understand, GDPR requires an explicit opt-in before email messages can be sent.

I think we're fine here. The current process requires the end-user to initiate all emails to us, to which we reply. We no longer send unsolicited emails to perform verification of email addresses.

ChrisB said...

But equally (and figure this one out), non-acceptance of terms and conditions, and non-storage of data should not be a bar to registering with a company. That's going to be fun with patient records.

No, there's an alternative basis for hospitals et al. in this case.

https://www.itgovernance.eu/blog/en/gdpr-when-do-you-need-to-seek-consent said...

Many people mistakenly think that organisations must get consent to process personal data, but consent is one of six lawful grounds for processing data,

The other lawful grounds are:

A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions; hospitals; and the police.

ChrisB said...

The EU has just created a multi billion euro business, out of nothing. Best business plan ever.

Kinda like the US did with imposing FATCA on European banks; drumming up business for tax lawyers worldwide.

25. Re: Is this forum prepared for the GDPR?

jimcbrown said...

there's an alternative basis for hospitals et al. in this case.

https://www.itgovernance.eu/blog/en/gdpr-when-do-you-need-to-seek-consent said...

Many people mistakenly think that organisations must get consent to process personal data, but consent is one of six lawful grounds for processing data,

The other lawful grounds are:

A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions; hospitals; and the police.

Can we not claim to be an educational institution?

26. Re: Is this forum prepared for the GDPR?

ghaberek said...
  2. We currently collect and store personal information from any number of EU residents (at least name, email, and IP address). So at the very least that makes us GDPR-adjacent. I think it would be wise to ensure we're GDPR compliant even if it's not required. Better safe than sorry, right?

Agreed.

ghaberek said...
  4. Anyone reading between the lines in some of my recent comments on other discussions will see that I've already been thinking about how to bake in GDPR compliance into a new website.

Excellent news, the best I've had all day.

ghaberek said...
  4. But even if I had started all that a year ago, I still wouldn't have anything ready for the deadline next month.

If only I'd heard about the GDPR earlier. Apparently it passed in 2012 and was effective from 2016 - but with a two year grace period, making the real start date in 2018.

ghaberek said...

Kinda ticked off about the whole thing.

  1. This is absurdly draconian and bureaucratic. These laws were clearly written by people who do not understand how the Internet works. Personal privacy is an extremely important ideal to me, so I want to do everything to support that, but this is ridiculous.

Not sure I agree. The rules have to be as tough as they are BECAUSE of the nature of the internet - it is distributed, world-wide, with no single centralized authority controlling it.

Without extraterritoriality it'd be too easy for Facebook etc. to just set up a website in Bermuda or something and require all European users to use that website, bypassing EU jurisdiction.

ghaberek said...
  3. We could anonymize any account requested to be deleted, such that you'd see posts from DELETED USER or some such.

That's pretty straightforward today, it's a simple SQL query.

ghaberek said...

All that being said, here's what I propose that we do to proceed. The first two steps should make us effectively compliant, even if we don't have to be.

  1. Set up a "GDPR Compliance" page listing how, why, and what information is collected for use on this site. List out the basic steps to request information and request to be deleted.

  2. Set up a written policy on how to handle a personal information request or request to be deleted.

Can we start a wiki page for this? The policy part.

ghaberek said...
  2. This is probably as simple as a few SQL queries. Dump info; send to user; done.

Yup. Agreed. Once the policy is written up, I can come up with a set of SQL queries and statements to handle dumping the info to user/purging info from our databases.

ghaberek said...
  3. Rebuild the entire website with GDPR in mind. Implement pseudonymization and automate personal data requests and account deleting.

I'm 100% behind this.

ghaberek said...
  3. Better logging of website activity to help detect breaches, which must be reported under GDPR.

Reporting to who?

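The two routines Greg proposes in post 21 and jimcbrown agrees to script in post 26 (dump everything held about an account for the user, and honour a deletion request by pseudonymising the account so its posts show as DELETED USER), as an added example that is not the forum's own code. The SQLite schema, table and column names, the "DELETED USER #<id>" placeholder, the 30-day IP retention window and the sample rows are all assumptions constructed for the example; the real forum database will differ.

```python
"""Added example, not code from the OpenEuphoria forum: a subject-access
export and an erasure-by-pseudonymisation routine over a constructed SQLite
schema that stands in for the forum database.  Every name below is assumed."""
import json
import sqlite3
from datetime import datetime, timedelta, timezone

# "Today" for the example, pinned so the retention check is reproducible.
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)

# Assumed schema: profile fields, posts attributed to a user, and an IP log.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE,
    email TEXT, real_name TEXT, location TEXT, password_hash TEXT NOT NULL);
CREATE TABLE posts (id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id), body TEXT NOT NULL);
CREATE TABLE login_log (id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id), ip TEXT NOT NULL,
    seen_at TEXT NOT NULL);
"""

# Constructed sample accounts, posts and logins (not real people or addresses).
SAMPLE_USERS = [
    ("alice", "alice@example.org", "Alice Example", "Lyon, France", "hash-a"),
    ("bob", "bob@example.net", None, None, "hash-b"),
]
SAMPLE_POSTS = [("alice", "First post"), ("alice", "Second post"), ("bob", "Hello")]
SAMPLE_LOGINS = [("alice", 1, "203.0.113.7"), ("alice", 90, "198.51.100.9")]  # (user, days ago, ip)


def make_db(now=NOW):
    """Build an in-memory database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    with conn:
        conn.executemany("INSERT INTO users (username, email, real_name, location,"
                         " password_hash) VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
        for username, body in SAMPLE_POSTS:
            conn.execute("INSERT INTO posts (user_id, body)"
                         " SELECT id, ? FROM users WHERE username = ?", (body, username))
        for username, days_ago, ip in SAMPLE_LOGINS:
            seen_at = (now - timedelta(days=days_ago)).isoformat()
            conn.execute("INSERT INTO login_log (user_id, ip, seen_at)"
                         " SELECT id, ?, ? FROM users WHERE username = ?",
                         (ip, seen_at, username))
    return conn


def user_id(conn, username):
    row = conn.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        raise KeyError(username)
    return row["id"]


def export_personal_data(conn, username):
    """Subject-access request: every field held about the account, as a dict
    ready to be serialised and sent to the user."""
    uid = user_id(conn, username)
    profile = conn.execute("SELECT username, email, real_name, location"
                           " FROM users WHERE id = ?", (uid,)).fetchone()
    posts = [r["body"] for r in conn.execute(
        "SELECT body FROM posts WHERE user_id = ? ORDER BY id", (uid,))]
    logins = [dict(r) for r in conn.execute(
        "SELECT ip, seen_at FROM login_log WHERE user_id = ? ORDER BY seen_at", (uid,))]
    return {"profile": dict(profile), "posts": posts, "logins": logins}


def erase_user(conn, username):
    """Erasure request handled by pseudonymisation: identifying fields are
    blanked, the IP history is dropped, the password hash is replaced by a
    value no login can match, and the posts stay attributed to
    'DELETED USER #<id>'.  Returns the number of posts kept."""
    uid = user_id(conn, username)
    with conn:
        conn.execute("DELETE FROM login_log WHERE user_id = ?", (uid,))
        conn.execute("UPDATE users SET username = ?, email = NULL, real_name = NULL,"
                     " location = NULL, password_hash = '!' WHERE id = ?",
                     (f"DELETED USER #{uid}", uid))
    return conn.execute("SELECT COUNT(*) FROM posts WHERE user_id = ?",
                        (uid,)).fetchone()[0]


def prune_login_log(conn, now=NOW, retention_days=30):
    """Retention: drop IP records older than the (assumed) 30-day window, the
    database-side equivalent of letting web server logs roll over."""
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    with conn:
        cur = conn.execute("DELETE FROM login_log WHERE seen_at < ?", (cutoff,))
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    print(json.dumps(export_personal_data(db, "alice"), indent=2))
    print("pruned", prune_login_log(db), "stale login rows")
    print("kept", erase_user(db, "alice"), "posts for the pseudonymised account")
    print(json.dumps(export_personal_data(db, "DELETED USER #1"), indent=2))
```

The erasure keeps the row in `users` rather than deleting it so that `posts.user_id` still resolves and the thread history stays intact; the placeholder username carries only the numeric id, which identifies nobody once the other columns are gone. Setting `password_hash` to `'!'` is the usual trick for locking an account without a schema change, since no real hash ever equals it.
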
27. Re: Is this forum prepared for the GDPR?

petelomax said...

Can we not claim to be an educational institution?

Even if we could, it's probably going to be hard to claim that "it's a public task" so we can keep the information without consent.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/public-task/ said...

One key difference is that the GDPR says that the relevant task or function must have a clear basis in law.

28. Re: Is this forum prepared for the GDPR?

ghaberek said...
  1. This is absurdly draconian and bureaucratic. These laws were clearly written by people who do not understand how the Internet works. Personal privacy is an extremely important ideal to me, so I want to do everything to support that, but this is ridiculous.

Personally, I advocate doing nothing about it. There's no way I'm going to bow down to this kind of absurd operations, especially from a collection of old dumbasses who-- like you said-- know nothing about how the Internet works.

When such time as a request for whatever is made, we can approach it then.

Sure, build the stuff you want to build, but don't make it active. There's no way we should support this.

29. Re: Is this forum prepared for the GDPR?

ABC said...
ChrisB said...

No, I meant locally where the business resides.

Then you are most definitely wrong.

ChrisB said...

The EU has just created a multi billion euro business, out of nothing. Best business plan ever.

Again, wrong. A US company has shut down because of the GDPR.

Hacker News said...

https://news.ycombinator.com/item?id=16954306

StreetLend.com shuts down, citing GDPR regulations

Hi ABC

We can all be wrong, and I am the first to admit it when I am, but Streetlend were a UK website, based / registered in Paris (France) Domain registrant hoster, and hence bound by GDPR, and Streetlend chose to shut down before they had to comply because it was simply less hassle, they weren't forced too, but sadly I think that this is what will happen to many small businesses, not just net related ones.

As for setting up Facebook in Bermuda, don't think Facebook haven't looked at it (guess, no evidence), but as long as they sell adverts to EU citizens, they will have to comply, or simply not be able to trade.

Data breaches have to be reported to the ICO in the UK, or whichever other EU equivalent on the European mainland.

I think all the suggestions made so far are sensible ones, and will demonstrate that due thought and consideration has been given to the GDPR, and will obviously be taken into account if there is a data breach, so it makes sense to limit the data held. I think any common sense organisation that polices this will look at these efforts, look at the size of the organisation, and decide it's not worth their while pursuing, or maybe just sending a letter to the owner of the openeuphoria.org.

I really don't think that Euphoria has too much to worry about.

Cheers

Chris


30. Re: Is this forum prepared for the GDPR?

http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf

Do a search for international, interpretations depending on where you are.

Cheers

Chris


31. Re: Is this forum prepared for the GDPR?

ABC said...
jmduro said...

Does OpenEuphoria register sensible user data? no.

No? So no one's email addresses, IP addresses, real names are being registered?

Are you sure?

Dumb Question... What does it mean to "register" data?

regards,
jd


32. Re: Is this forum prepared for the GDPR?

ChrisB said...

Hi ABC

We can all be wrong, and I am the first to admit it when I am,

I made a mistake here.

ChrisB said...

but Streetlend were a UK website, based / registered in Paris (France) Domain registrant hoster, and hence bound by GDPR,

Yes, I made a typo. I meant UK.

ChrisB said...

and Streetlend chose to shut down before they had to comply because it was simply less hassle, they weren't forced to, but sadly I think that this is what will happen to many small businesses, not just net related ones.

Yes. This was my point. This does not bode well for the 'multi-billion dollar industry' - because the point was never about the money.

ChrisB said...

I think all the suggestions made so far are sensible ones, and will demonstrate that due thought and consideration has been given to the GDPR, and will obviously be taken into account if there is a data breach, so it makes sense to limit the data held. I think any common sense organisation that polices this will look at these efforts, look at the size of the organisation, and decide it's not worth their while pursuing, or maybe just sending a letter to the owner of the openeuphoria.org.

Yes, I agree.

ChrisB said...

I really don't think that Euphoria has too much to worry about.

It does appear that the right people are thinking about it and have a plan. Euphoric is being a bit silly about this, but otherwise I


33. Re: Is this forum prepared for the GDPR?

jessedavis said...

Dumb Question... What does it mean to "register" data?

regards,

That is not a legal term of art either but I assume this is referring to the collection, retention, and storage of personal data.


34. Re: Is this forum prepared for the GDPR?

euphoric said...

Personally, I advocate doing nothing about it. There's no way I'm going to bow down to this kind of absurd operations, especially from a collection of old dumbasses who-- like you said-- know nothing about how the Internet works.

Perhaps you'll feel differently when they come after you for 20 million euros, and start seizing your bank accounts and so on.

I know what the other poster said about OpenEuphoria not being a likely target beyond a letter. I think that there is a difference between these three situations:

  1. We make a good-faith effort to comply and we make a small mistake. A letter is sent to us telling us what to do to correct the mistake and we comply.

  2. We don't know anything about the GDPR until someone complains and we're investigated. As soon as we learn about it we scramble to comply.

  3. We know about the GDPR in advance but decide to actively and openly flaunt the law.

euphoric said...

When such time as a request for whatever is made, we can approach it then.

Sure, build the stuff you want to build, but don't make it active.

Another poster said even with a year's notice that is not enough time. We should start now so we're ready when the request comes in.

euphoric said...

There's no way we should support this.

This feels like saying, 'I do not believe in taxation. I will just ignore the IRS. See if they can stop me.'

Come on, really?


35. Re: Is this forum prepared for the GDPR?

ABC said...
euphoric said...

Personally, I advocate doing nothing about it. There's no way I'm going to bow down to this kind of absurd operations, especially from a collection of old dumbasses who-- like you said-- know nothing about how the Internet works.

Perhaps you'll feel differently when they come after you for 20 million euros, and start seizing your bank accounts and so on.

Won't happen.

ABC said...

This feels like saying, 'I do not believe in taxation. I will just ignore the IRS. See if they can stop me.'

It might "feel" that way to you, but it's not actually that way.

Fortunately, we don't operate on feelings, but on facts and logic.

We (OpenEuphoria) don't target data subjects in the EU, so the GDPR does not apply to us.


36. Re: Is this forum prepared for the GDPR?

euphoric said...

We (OpenEuphoria) don't target data subjects in the EU, so the GDPR does not apply to us.

Every single security and legal expert in the world seems to think otherwise. If we currently have (or even have the potential to have) a member of this site who resides in the EU, it applies.

https://www.rsa.com/content/dam/pdfs/7-2017/A-Practical-Guide-for-GDPR-Compliance-Osterman-Research.pdf

A Practical Guide for GDPR Compliance Osterman Research said...

The new GDPR is important, for several reasons:

  • It almost certainly applies to you. If your organization controls or processes data on people living in the European Union – even if your organization is not located in the EU – it applies.

  • It has a significant bite, in the form of sky-high regulatory fines for non-compliance. If you meet the test of applicability for the GDPR, you cannot opt out of complying.

  • It touches every data process in organizations that collects or processes personal data on people, and it covers both direct and indirect data identifiers in every data system

That list goes on. Please do some more research before dismissing this out of hand. That PDF I linked to is very informative.

-Greg


37. Re: Is this forum prepared for the GDPR?

ghaberek said...

That list goes on. Please do some more research before dismissing this out of hand. That PDF I linked to is very informative.

I did the research and commented based on what I found. Here's an example, from Forbes:

"The organization would have to target a data subject in an EU country. Generic marketing doesn’t count. For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply."

Just because someone in the EU comes to our site, doesn't automatically mean we fall under the jurisdiction of EU legislation. And, it seems we do not engage in behavior that would make us fall under their jurisdiction.

I think it's reasonable that we encrypt all the data we collect, simply to keep it safe in the case of a breach. But, beyond that, it's just red-tape that doesn't apply to us.

However, if you want to spend the resources to get compliant, go for it!

I'm not saying, "Don't do it." I'm saying, "We don't have to."

A Security Firm's Take


38. Re: Is this forum prepared for the GDPR?

euphoric said...

Just because someone in the EU comes to our site, doesn't automatically mean we fall under the jurisdiction of EU legislation.

If an EU citizen simply visits the site then no, all we have is their IP address in our logs and no other personal information. As far as I can tell, this does not require compliance.

euphoric said...

And, it seems we do not engage in behavior that would make us fall under their jurisdiction.

As soon as they sign up, we engage with them by collecting (at the very least) a user name and password, which is considered personally identifiable, and so now we're required to be GDPR compliant.

euphoric said...

I think it's reasonable that we encrypt all the data we collect, simply to keep it safe in the case of a breach. But, beyond that, it's just red-tape that doesn't apply to us.

We have EU citizens already using the site, so we are obligated to comply immediately due to their presence here. Doing a quick search, I can find about 50 registered members who list their location somewhere in the EU.

euphoric said...

However, if you want to spend the resources to get compliant, go for it!

I'm not saying, "Don't do it." I'm saying, "We don't have to."

I appreciate that, but at this point I'm confident we have to. Jimcbrown and ABC certainly seem to agree, given we're having this conversation.

-Greg


39. Re: Is this forum prepared for the GDPR?

ghaberek said...

As soon as they sign up, we engage with them by collecting (at the very least) a user name and password, which is considered personally identifiable, and so now we're required to be GDPR compliant.

I'll say this one last thing, then I'll be done. A username and password does not fall under the domain of PII. (How could it, since my username is euphoric and my password is not known by OpenEuphoria?)

Email and IP address could be, and we can encrypt those.

So, encryption of stored emails and IP addresses will suffice to make us compliant.

I appreciate you doing the work, Greg!


40. Re: Is this forum prepared for the GDPR?

jimcbrown said...

Not sure I agree. The rules have to be as tough as they are BECAUSE of the nature of the internet - it is distributed, world-wide, with no single centralized authority controlling it.

Without extraterritoriality it'd be too easy for Facebook etc. to just set up a website in Bermuda or something and require all European users to use that website, bypassing EU jurisdiction.

I know, and I get that part. What I'm saying is that, by choosing to sign up for a website, an individual is volunteering some of their personal information to that site. I don't ever expect to get that privacy back, and that's what GDPR is requiring that data controllers do.

jimcbrown said...

Can we start a wiki page for this? The policy part.

Done. See GDPR.

jimcbrown said...

Reporting to who?

Uh... that's a little vague. On the Wikipedia page, under Data breaches it says:

Wikipedia said...

Under the GDPR, the data controller is under a legal obligation to notify the supervisory authority without undue delay unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals. There is a maximum of 72 hours after becoming aware of the data breach to make the report (Article 33). Individuals have to be notified if adverse impact is determined (Article 34). In addition, the data processor will have to notify the controller without undue delay after becoming aware of a personal data breach (Article 33).

And under Single set of rules and one-stop shop, it says:

Wikipedia said...

A single set of rules will apply to all EU member states. Each member state will establish an independent supervisory authority (SA) to hear and investigate complaints, sanction administrative offences, etc. SAs in each member state will co-operate with other SAs, providing mutual assistance and organising joint operations. If a business has multiple establishments in the EU, it will have a single SA as its "lead authority", based on the location of its "main establishment" where the main processing activities take place. The lead authority will act as a "one-stop shop" to supervise all the processing activities of that business throughout the EU (Articles 46–55 of the GDPR). A European Data Protection Board (EDPB) will coordinate the SAs. EDPB will replace the Article 29 Data Protection Working Party.

So if we haven't got any "establishments" in any "member states" (of the EU) then we shouldn't need to assign a "supervisory authority" so I don't think we have to notify anyone. But we might just need to make the breach public? Maybe, I guess? Or notify some regulatory authority in the EU?

This is why I'm so fed up with this whole thing: a lot of it is vague and doesn't provide a lot of detail about how non-member states should actually comply.

-Greg


41. Re: Is this forum prepared for the GDPR?

euphoric said...

I'll say this one last thing, then I'll be done. A username and password does not fall under the domain of PII. (How could it, since my username is euphoric and my password is not known by OpenEuphoria?)

I know you're done but unfortunately you're also wrong. I'm not trying to be confrontational, I just want to make sure we're not going to get ourselves in trouble.

According to that PDF I linked to earlier, it states: (emphasis mine)

A Practical Guide for GDPR Compliance Osterman Research said...

The personally identifiable information (PII) that will be relevant in the context of the GDPR includes data subjects’ biometric data, network identifiers, images, hobbies, political preferences, religious preferences, sexual orientation and other information about EU residents.

The phrase "network identifiers" and the ever-more-vague "other information" could very well include a username.

And if you look up Personally identifiable information on Wikipedia, it says: (emphasis mine)

Wikipedia said...

NIST definition

The following data, often used for the express purpose of distinguishing individual identity, clearly classify as PII under the definition used by the National Institute of Standards and Technology (described in detail below):

  • Full name (if not common)
  • Face (sometimes)
  • Home address
  • Email address (if private from an association/club membership, etc.)
  • <snip>
  • Telephone number
  • Login name, screen name, nickname, or handle

So there you go. That seems pretty straight-forward to me.

-Greg


42. Re: Is this forum prepared for the GDPR?

Hi

The GDPR Wiki page is very good. Appreciate the effort that's gone into this.

And may I just say, on behalf of all Europeans that visit Openeuphoria, I apologise for the bureaucratic waste of time that this has created. And the Eurovision Song Contest (although Euphoria did win one year).

Cheers

Chris


43. Re: Is this forum prepared for the GDPR?

euphoric said...

I appreciate you doing the work, Greg!

Me too! Thanks Greg!

jimcbrown said...

Can we start a wiki page for this? The policy part.

ghaberek said...

Done. See GDPR.

ChrisB said...

The GDPR Wiki page is very good. Appreciate the effort that's gone into this.

Seconded.

ghaberek said...

What I'm saying is that, by choosing to sign up for a website, an individual is volunteering some of their personal information to that site. I don't ever expect to get that privacy back, and that's what GDPR is requiring that data controllers do.

I guess there are two ways to look at it. From a technical perspective, you are right. You can't unring a bell or unscramble an egg - or be unintroduced to a person.

However, from a moral perspective, maybe we should have that right to get our privacy back. You can't really undo the volunteering of personal information, but the legal fiction of it is still worth pursuing. Much like you can't stop theft everywhere, but by making it illegal and enforcing penalties against it you can go a long way to making the situation better overall.

ghaberek said...

So if we haven't got any "establishments" in any "member states" (of the EU) then we shouldn't need to assign a "supervisory authority" so I don't think we have to notify anyone. But we might just need to make the breach public? Maybe, I guess? Or notify some regulatory authority in the EU?

This is why I'm so fed up with this whole thing: a lot of it is vague and doesn't provide a lot of detail about how non-member states should actually comply.

Agreed. It would be a lot better if there was a helpdesk that was available 24/7, free to call, never busy, and their answers were legally binding (at least to the extent that the regulatory agencies couldn't fine us later for following that advice) - so if we follow their advice then we know we're good.

I think I better understand now why it's frustrating on a practical level. Morally, I think it's still a great idea - but a little help on the implementation of it would be nice.

euphoric said...

Email and IP address could be, and we can encrypt those.

So, encryption of stored emails and IP addresses will suffice to make us compliant.

Sadly, no.

https://gdpr.report/news/2017/07/31/gdpr-summit-london-5-common-gdpr-myths-debunked/ said...

Myth 5: Our company uses pseudonymisation and encryption to protect personal data, so that should be enough for GDPR purposes.

Fact: Pseudonymisation and encryption are advised, however, that is still not enough to comply with the upcoming regulation.

euphoric said...

However, if you want to spend the resources to get compliant, go for it!

I'm not saying, "Don't do it." I'm saying, "We don't have to."

That's a reasonable position.

ghaberek said...

I appreciate that, but at this point I'm confident we have to. Jimcbrown and ABC certainly seem to agree, given we're having this conversation.

Seconded.

euphoric said...

I did the research and commented based on what I found. Here's an example, from Forbes:

"The organization would have to target a data subject in an EU country. Generic marketing doesn't count. For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply."

Just because someone in the EU comes to our site, doesn't automatically mean we fall under the jurisdiction of EU legislation. And, it seems we do not engage in behavior that would make us fall under their jurisdiction.

I think it's reasonable that we encrypt all the data we collect, simply to keep it safe in the case of a breach. But, beyond that, it's just red-tape that doesn't apply to us.

A Security Firm's Take

The problem is that this contradicts what you'll find elsewhere. It seems that even the lawyers can't agree here.

https://gdpr.report/news/2017/07/31/gdpr-summit-london-5-common-gdpr-myths-debunked/ said...

Myth 1: We're a US based company so the GDPR doesn't apply to me.

Fact: GDPR will impact every business that touches the personal data of EU citizens, including businesses that don't collect the information themselves. So even if you are a non-EU company and you deal with EU citizens' data you will also have to comply.

I tracked this down to a discrepancy between the GDPR law itself (which requires everyone outside of the EU who handles EU citizens' personal data to comply) and the draft of the GDPR guidance rules: https://privacylaw.proskauer.com/2017/06/articles/privacy-law/gdpr-compliance-update-which-government-authorities-have-issued-official-gdpr-guidance/

The guidance is more lenient and creates an exception for those who are not targeting data subjects in the EU. But the guidance is also non-binding, meanwhile the literal law itself has no such exception.

A lot of people seem to expect that the guidance will be followed anyways, but there is some risk here. Better to play it safe.


44. Re: Is this forum prepared for the GDPR?

jimcbrown said...

The VPS is in euphoric's name. So technically, the forum is owned by a single private person.

Would euphoric theoretically be liable for the full $24.5 million US dollar fine if the forum hypothetically did trade with the EU?

I suppose in that case, euphoric is the only one who has to worry about this. He'd get sued and have to pay the fine, but the rest of us would get off scot-free.


45. Re: Is this forum prepared for the GDPR?

ghaberek said...
euphoric said...

However, if you want to spend the resources to get compliant, go for it!

I'm not saying, "Don't do it." I'm saying, "We don't have to."

I appreciate that, but at this point I'm confident we have to. Jimcbrown and ABC certainly seem to agree, given we're having this conversation.

-Greg

I am confident that we have to, too.

I guess since euphoric is the only one who is at risk in the event of a lawsuit with respect to the GDPR then it should be up to euphoric?


46. Re: Is this forum prepared for the GDPR?

ABC said...
jimcbrown said...

The VPS is in euphoric's name. So technically, the forum is owned by a single private person.

Would euphoric theoretically be liable for the full $24.5 million US dollar fine if the forum hypothetically did trade with the EU?

I suppose in that case, euphoric is the only one who has to worry about this. He'd get sued and have to pay the fine, but the rest of us would get off scot-free.

Is this right? I just checked out the wiki page and it said this.

GDPR wiki said...

We are the OpenEuphoria Group and we maintain the website at http://openeuphoria.org/. We are an unincorporated nonprofit association based in the United States.

Following that link, does this mean that ALL members could get sued? Could I get sued? Did I become a member of the OpenEuphoria Group just by doing a favor to jimcbrown to discuss the GDPR here?


47. Re: Is this forum prepared for the GDPR?

ABC said...

Is this right? I just checked out the wiki page and it said this.

GDPR wiki said...

We are the OpenEuphoria Group and we maintain the website at http://openeuphoria.org/. We are an unincorporated nonprofit association based in the United States.

  1. We are a group of people.
  2. We serve a common purpose.
  3. We are not incorporated.
  4. We accept donations.
  5. We do not seek profit.

Simply by existing under those conditions makes us an unincorporated nonprofit association. We can't really change that unless we just shut everything down and go home.

ABC said...

Following that link, does this mean that ALL members could get sued? Could I get sued? Did I become a member of the OpenEuphoria Group just by doing a favor to jimcbrown to discuss the GDPR here?

Sure, why not? You or I or any one else here could get sued for our activity on this website, or for anything else for that matter.

Legally, the members of the group might just be the eight or ten people who have set up the website and/or contribute to the code.

-Greg


48. Re: Is this forum prepared for the GDPR?

I updated the GDPR page a bit. Included a "draft" status at the top until we consider this our official plan. Also added "request for access" and "request for removal" sections.

-Greg


49. Re: Is this forum prepared for the GDPR?

ghaberek said...

I updated the GDPR page a bit. Included a "draft" status at the top until we consider this our official plan. Also added "request for access" and "request for removal" sections.

-Greg

Excellent Greg. I think that is kind of what people should agree to before getting an Open Euphoria account.


50. Re: Is this forum prepared for the GDPR?

I asked someone outside the EUforum community for advice following the policy and received the following suggestion:

"It'd be nice to state how long IP address data is stored, and what justifications there are in keeping it more than a few days. Everything else looks good"
