General Data Protection Regulation (GDPR) Compliance #379

Open · 7 tasks · tachyons opened this issue Apr 29, 2019 · 30 comments

@tachyons (Member) commented Apr 29, 2019

Is your feature request related to a problem? Please describe.
We need to make the app comply with GDPR to legally enable this app in the EU. We need to review user tracking, user details storage, deletion policy etc.

Describe the solution you'd like
Need to evaluate potential violations first.

Some possible violations:

  • Do I need to collect this data for the scope of my business (and not to sell it to third parties)?
  • Has my user been warned and affirmatively consented (filled a not-pre-filled checkbox, for example) that I’ll be collecting this data and why I need it, how I’ll use it and who it will be shared with?
  • Have I given my user a way to update this data by themselves?
  • Have I given my user a way to withdraw their consent and by doing so stopping all processing of their data?
  • Have I given my user a way to delete all data we have collected from them permanently and notify third parties not to process their data further?
  • Have I given my user a way to download/export all their data in an industry standard format (.json, .csv, .xls, etc.)?
  • Have I recollected consent from all users previous to the GDPR deadline?

Are you working on this? (Yes/No)
No

@satu0king (Member)

Yes, thank you for creating this issue.

@satu0king (Member)

I will consult an expert in college regarding this and get back.

@satu0king (Member) commented May 26, 2019

https://medium.com/@thiagoko/gdpr-checklist-for-small-business-and-startups-who-want-no-trouble-1de5cc08be45

These are some of the checks we need to do to be GDPR compliant.

  1. Do I need to collect this data for the scope of my business (and not to sell it to third parties)?
  2. Has my user been warned and affirmatively consented (filled a not-pre-filled checkbox, for example) that I’ll be collecting this data and why I need it, how I’ll use it and who it will be shared with?
  3. Have I given my user a way to update this data by themselves?
  4. Have I given my user a way to withdraw their consent and by doing so stopping all processing of their data?
  5. Have I given my user a way to delete all data we have collected from them permanently and notify third parties not to process their data further?
  6. Have I given my user a way to download/export all their data in an industry standard format (.json, .csv, .xls, etc.)?
  7. Have I recollected consent from all users previous to the GDPR deadline?

I think for step 1 we are fine, apart from name and email we do not take any information at all. We are collecting usage statistics for gratia which is a research project. I think if we list it in the Privacy Policy, we are fine. @arkokoley can you send a PR with an update to the privacy.

Step 2 and Step 7, we will need to implement it. We can have a boolean attribute privacyConsent in the users table and prompt the user to accept the privacy-policy after signing up.

Step 3 - Apart from email ID, they have complete control of all data.

Step 4 - We can give an option to the user to request a user data deletion (by email), that deletes all user data. Either way, we do not process user data in any way except for analytics like google analytics and metabase. I don't think this counts as "processing". I am not sure about Gratia though.

Step 5 - read step 4

Step 6 - This might be a tricky one to implement. We can choose to delay this if necessary.

@satu0king (Member)

@vik-y @tachyons do you have any inputs?

@JoshHeng (Contributor) commented Dec 7, 2019

  • We also need to automatically delete the user's data after a specified amount of time (like 3 years for example), but that could be impractical for analytics (such as how many users we have had).
    • Maybe we should just remove all personal data (e.g. names, emails, etc.) but keep the ghost account? Otherwise we can just delete the whole thing.
  • As far as I'm aware we don't really send data to third parties so that isn't an issue.
  • If we ID users through an email ID like @satu0king said it might be better to replace it with a randomly generated number or string
  • We should have a GDPR account page where a user can choose to manually delete their account and also export their data through CSV
    • Theoretically this should just be a case of exporting/deleting all the data from the users table and any rows where the users' ID is referenced
  • @satu0king said we should have a field in the users table saying if they have consented to the policy which is good for tracking existing users' consent, but technically if they haven't consented we shouldn't actually be storing their details in the first place.
    • Have this as a mandatory checkbox in the signup/registration form as well
    • Once this is implemented we should notify all users that they need to consent to the privacy policy in a certain time (e.g. 2 months), otherwise their account will be deleted

As a sidenote I noticed that the password field in the database is called encrypted_password. I couldn't find where this is set in the controllers code, however if passwords are only encrypted they should urgently be changed to being securely hashed instead.

@tachyons (Member, Author) commented Dec 7, 2019

encrypted_password actually stores the hashed password with salt; it is done using the bcrypt algorithm.

@JoshHeng (Contributor) commented Dec 7, 2019

Ok @tachyons that's fine, just checking

@sakshi1499 (Contributor)

Here in CircuitVerse, we don't get any terms and conditions or any consent filled in before signing up. I think we should focus on having that. I think there are websites that help make terms for other websites. Also, do we even have a delete-my-account feature?

@JoshHeng (Contributor) commented Dec 7, 2019

> Here in CircuitVerse, we don't get any terms and conditions or any consent filled in before signing up. I think we should focus on having that. I think there are websites that help make terms for other websites. Also, do we even have a delete-my-account feature?

There currently isn't a delete account feature on the production website

@sakshi1499 (Contributor)

I think for us to make people agree to the terms we need to give them this option. Also, we have to make sure that after deleting, all their data is deleted. Do we plan on deleting their public circuits also? Is there some provision that some data is kept and other data gets deleted and it still follows GDPR?

@JoshHeng (Contributor) commented Dec 7, 2019

> I think for us to make people agree to the terms we need to give them this option. Also, we have to make sure that after deleting, all their data is deleted. Do we plan on deleting their public circuits also? Is there some provision that some data is kept and other data gets deleted and it still follows GDPR?

I think we can keep some data as long as it isn't personally identifiable and more for analytics purposes (like how many users the platform has had, total number of circuits, etc.) but it's probably better off and safer just deleting their whole account.
If they want to delete their account their public circuits should also be deleted

@sakshi1499 (Contributor)

But then we have to decide about people who have replicated that circuit, as in shared it on their account, or if a teacher deletes their account, then the students associated with the assignment shouldn't be left hanging. So the deletion process has a lot of details we should consider. Let's list all the pointers with solutions and various cases, including the points above that @tachyons has mentioned, @JoshHeng.

@JoshHeng (Contributor) commented Dec 7, 2019

> But then we have to decide about people who have replicated that circuit, as in shared it on their account, or if a teacher deletes their account, then the students associated with the assignment shouldn't be left hanging. So the deletion process has a lot of details we should consider. Let's list all the pointers with solutions and various cases, including the points above that @tachyons has mentioned, @JoshHeng.

Forked circuits should just become independent circuits. For teachers, I think the assignments should just be set to be issued by a 'deleted user' (i.e. just have the user id in the database blank).

@sakshi1499 (Contributor)

Let's try to write all the points in one comment and look for the best solutions from our side. So pick the first point, research it on the net, come to a solution and suggest it. Let's discuss first if there is some confusion, and then we can focus on making a full comment including everything. As for assignments, they are submitted after a deadline is reached, so we can't keep that id blank. What we can do though is discard the assignment and notify students that it's no longer available. Let's organise all points in one comment first. Otherwise we'll have 20-30 comments of random discussion. Though if something is unclear we can obviously discuss that. Okay? I am reading all the points myself, so if you get stuck we can discuss here/on the dashboard 😊
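The erasure cascade the two comments above are arguing about, written out as an added example (not CircuitVerse code, and not anything a commenter posted). It takes the "forks become independent, assignments get a blank issuer, public circuits go too, keep a scrubbed ghost row for counts" proposal and shows the order the steps have to run in so no row is left pointing at a deleted id. Table and column names (users, projects, assignments, forked_from_id, issued_by_id, deleted_at) are assumptions standing in for the real schema, and the in-memory data is constructed for the example; a subject-access export over the same rows is included because it walks exactly the same "user row plus every row referencing the user id" set.

```ruby
require "csv"

# Constructed in-memory stand-in for three tables. Names are assumptions,
# not CircuitVerse's schema.
def sample_db
  {
    users: [
      { id: 1, name: "Alice", email: "alice@example.com", deleted_at: nil },
      { id: 2, name: "Bob",   email: "bob@example.com",   deleted_at: nil },
    ],
    projects: [
      { id: 10, author_id: 1, name: "adder",      forked_from_id: nil, public: true },
      { id: 11, author_id: 2, name: "adder-copy", forked_from_id: 10,  public: true },
      { id: 12, author_id: 1, name: "scratch",    forked_from_id: nil, public: false },
    ],
    assignments: [
      { id: 100, issued_by_id: 1, title: "Homework 1" },
    ],
  }
end

PII_COLUMNS = %i[name email].freeze

# Every row that references the user, table by table. This is the set both the
# export and the erasure have to cover; a new foreign key to users means a new
# entry here, which is the point of keeping it in one place.
def rows_for_user(db, user_id)
  {
    users:       db[:users].select       { |u| u[:id] == user_id },
    projects:    db[:projects].select    { |p| p[:author_id] == user_id },
    assignments: db[:assignments].select { |a| a[:issued_by_id] == user_id },
  }
end

# Subject-access export: one CSV document per table, header row first.
def export_user(db, user_id)
  rows_for_user(db, user_id).to_h do |table, rows|
    csv = CSV.generate do |out|
      out << rows.first.keys unless rows.empty?
      rows.each { |r| out << r.values }
    end
    [table, csv]
  end
end

# Erasure. Order matters: detach forks before the user's own projects are
# removed, re-attribute assignments instead of deleting them so students'
# submissions keep a parent row, then scrub the user row into a "ghost" so
# aggregate counts (total users ever) stay meaningful without any PII.
def erase_user(db, user_id, now: Time.now)
  own_project_ids = db[:projects].select { |p| p[:author_id] == user_id }.map { |p| p[:id] }

  db[:projects].each do |p|
    p[:forked_from_id] = nil if own_project_ids.include?(p[:forked_from_id])
  end
  db[:projects].reject! { |p| p[:author_id] == user_id }    # public circuits included

  db[:assignments].each do |a|
    a[:issued_by_id] = nil if a[:issued_by_id] == user_id   # "issued by a deleted user"
  end

  user = db[:users].find { |u| u[:id] == user_id } or raise ArgumentError, "no user #{user_id}"
  PII_COLUMNS.each { |col| user[col] = nil }
  user[:deleted_at] = now
  user
end

# True when any row in any table still carries one of the given values;
# used after erasure to check nothing personal survived.
def pii_remaining?(db, *values)
  db.values.flatten.any? { |row| row.values.any? { |v| values.include?(v) } }
end
```

In a real Rails app the three steps would sit in one transaction, and the ghost row needs a uniqueness-safe placeholder if the email column has a unique index (a nil is fine; an empty string is not). Whether to discard the assignment and notify students instead, as suggested above, is a product decision; the example only shows that the re-attribution variant leaves no dangling foreign key.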

@tachyons (Member, Author) commented Dec 7, 2019

This is an issue that needs research, including some legal help. If someone can do the research and list out the things to be done for GDPR compliance, that will be great.

@JoshHeng (Contributor) commented Dec 7, 2019

Notes

  • All of GDPR must be fulfilled as CircuitVerse offers service to people in the EU and/or is based in the EU.
  • Not fulfilling it can lead to a huge fine.

Principles

  • Consent: All new and existing users must directly give consent to the storage of their personal data. They must also be able to easily withdraw it. The GDPR notice must be clear, transparent and concise.

    • There should be a mandatory consent checkbox that the user has to tick when they register.
    • Existing users should be sent an email asking for consent. If they don't respond or don't accept within 2 months, all their data should be deleted.
      • A database column will need to be created recording this, probably recording the date they consented.
  • Fair Processing Notices: The privacy policy must explain what personal data is stored. The user must also be aware that their consent may be withdrawn, the rights they have and how to complain about GDPR.

    • We need to have a clear privacy policy easily accessible on the website. This must include the Google Analytics privacy notice.
  • Type Of Personal Data Stored: Any personal data stored must be fully justified and necessary. This data cannot be used for any other purpose than what it was originally collected for.

    • This shouldn't be a problem, as far as I'm aware we already do this.
  • The Period Personal Data Can Be Stored: Personal data should only be stored for as long as is necessary, and not permanently.

    • We may need to automatically delete users after five years if there is no activity and they have not responded to warning emails
  • Users Can Have Their Data Deleted: Any user can request to have all their data deleted and it must be done so within a reasonable timeframe

    • There must be an option for a user to have all their data permanently deleted. This probably includes all their circuits and tasks, so CircuitVerse must be able to handle this.
  • Personal Data Must Be Accurate And Up To Date: Personal data should be as accurate and up-to-date as possible. This includes giving the user the ability to update their data if they need to

    • Users can already update their data themselves but they need to be able to change their email
  • Users Can Request To Have A Copy Of All Their Data: Any user can request to have a copy of all their personal data, which must be provided

    • We should have an option for all of a users' data to be emailed in a CSV format. This is probably only the user row in the table, any references to the user ID in the database (such as circuits), etc.
  • Data Must Be Stored Securely And Safely

    • Only certain people should be able to see all the personal data, and only if absolutely necessary
    • It might be worth encrypting email addresses along with creating a blind index hash (used for logging in and comparing an email address to the ones in the database)
  • Personal Data Breach: Organisations must notify the authorities/local data protection regulator within 72 hours of a breach. If the breach is high risk, all individuals must also be notified. A personal data breach register must also be kept internally.

    • We should keep things secure to avoid a breach, and be aware of who we need to report a breach to if a breach does happen (this probably depends on where the founder/main person running CircuitVerse is located)
  • Third Parties & The Transport of Data: Personal data cannot be exported outside of the European Economic Area unless the destination country has adequate data protection safeguards.

    • This shouldn't be a problem as we don't have any third parties

I think that Google Analytics (and other analytics) don't need specific GDPR action/consent (apart from cookie notices) as they do not store personally identifiable data
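The "encrypt email addresses and keep a blind index for login lookup" suggestion in the notes above, as an added worked example. This is not CircuitVerse code and not anything a commenter posted; it uses only Ruby's OpenSSL standard library. The two key constants, the function names and the in-memory USERS_BY_INDEX hash are assumptions standing in for a secrets store and the users table.

```ruby
require "openssl"

# Two independent keys: one for the ciphertext, one for the lookup index, so
# leaking one does not give an attacker the other. Real deployments load these
# from a secrets store; they are generated here only for the example.
EMAIL_ENC_KEY   = OpenSSL::Random.random_bytes(32)
EMAIL_INDEX_KEY = OpenSSL::Random.random_bytes(32)

# Normalisation has to happen before both encryption and indexing, otherwise
# "Alice@Example.com" and "alice@example.com" become two different users.
def normalize_email(email)
  email.strip.downcase
end

# Blind index: keyed HMAC of the normalised address. Deterministic, so it
# supports equality lookup and a unique constraint, but without the key it
# cannot be brute-forced from a list of likely addresses the way a plain
# SHA-256 of the email could.
def email_blind_index(email)
  OpenSSL::HMAC.hexdigest("SHA256", EMAIL_INDEX_KEY, normalize_email(email))
end

# AES-256-GCM with a fresh random nonce per record; the auth tag means a
# tampered ciphertext fails to decrypt instead of yielding garbage.
def encrypt_email(email)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = EMAIL_ENC_KEY
  iv = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(normalize_email(email)) + cipher.final
  [iv, cipher.auth_tag, ciphertext].map { |part| [part].pack("m0") }.join(":")
end

def decrypt_email(blob)
  iv, tag, ciphertext = blob.split(":").map { |part| part.unpack1("m0") }
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = EMAIL_ENC_KEY
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(ciphertext) + cipher.final   # raises OpenSSL::Cipher::CipherError if tampered
end

# In-memory stand-in for the users table, keyed by the blind index column.
USERS_BY_INDEX = {}

# The stored record holds the index and the ciphertext but never the plaintext.
def create_user(email, name)
  idx = email_blind_index(email)
  raise ArgumentError, "email already registered" if USERS_BY_INDEX.key?(idx)
  USERS_BY_INDEX[idx] = { name: name, email_bidx: idx, email_ciphertext: encrypt_email(email) }
end

# Login / password-reset lookup: compute the index from the submitted address
# and match on that column; the ciphertext is only decrypted when an email
# actually has to be sent.
def find_user_by_email(email)
  USERS_BY_INDEX[email_blind_index(email)]
end
```

Two caveats worth knowing before adopting this: a deterministic index leaks equality (two rows with the same index share an address), which is acceptable for a unique email column but not for free-text fields; and rotating EMAIL_INDEX_KEY means recomputing the index for every row, so the index key should be treated as long-lived while the encryption key can be rotated per record.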

@sakshi1499 (Contributor)

It's not just for the EU; India has adopted these measures, so it'll work. As far as I know there is one issue which discusses that not all the fields are filled in by the user when they register. So that can be

  • The first step: that we fill in all the data.
  • Then we can ensure that we give them a checkbox option for their data usage.
  • We can ensure we bring in a delete-my-account feature.
  • We can make sure that the loose ends, including public circuits being used by other users or teachers who made assignments, are fixed.
  • The point where their CSV (and other forms of) data has to be given to them when they ask for it requires some work too.
  • We should also focus on setting a time frame, as @JoshHeng mentioned.
  • Data transfer across borders should be safe, so this has to be made sure of too.
  • The data we have collected should be anonymised so as to prevent misuse.

Articles 17 & 18 – Articles 17 and 18 of the GDPR give data subjects more control over personal data that is processed automatically. The result is that data subjects may transfer their personal data between service providers more easily (also called the “right to portability”).

Article 35 – Article 35 requires that certain companies appoint data protection officers.

Article 79 – Article 79 outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company’s global annual revenue depending on the nature of the violation.

@sakshi1499 (Contributor)

@tachyons I think @JoshHeng did his research work. I filled up where ever I felt it was required. Should I go ahead and approve his task?

@tachyons (Member, Author) commented Dec 8, 2019

FYI there are no proper data protection laws in India

@JoshHeng (Contributor) commented Dec 8, 2019

> Article 35 – Article 35 requires that certain companies appoint data protection officers.

Under the GDPR, you must appoint a DPO if:
- You are a public authority or body (except for courts acting in their judicial capacity);
- Your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

I don't think we need a DPO

@sakshi1499 (Contributor)

@JoshHeng We don't. If you go through these articles, they'll specify that these are the most important articles that should be taken care of, if not then it might lead to article 79. @tachyons should I approve the task?

@tachyons (Member, Author) commented Dec 8, 2019

Is this task added to GCI already?

@sakshi1499 (Contributor)

Yes it was added long back, with aim of just researching and providing solutions

@github-actions (bot)

No activity on this issue for a prolonged duration, will be closed if no further activities in next 7 days

@tachyons tachyons reopened this Mar 23, 2020
@MrBartusek (Contributor)

I think I should mention it here
This issue is blocked by: #849. It is needed to fully implement deleting the account or downloading user's information.

@github-actions (bot)

No activity on this issue for a prolonged duration, will be closed if no further activities in next 7 days

@satu0king (Member) commented Oct 2, 2020

@Aayush-05, how much is ready?

@aayushgupta05 (Member)

Basically we require an export script for user's data and some changes to the Privacy Policy/TnC reflecting new additions. Rest all is covered.

9 participants