Right to Erasure compliance #2
Comments
The username changes extension allows users to request a change in username, which then has to be approved by a moderative authority. We could do the same with user deletion. Another thing I was considering, if even possible, would be to provide tooling to do accurate redaction of PII in content. This is especially hard with posts that quote, for instance. But also understanding what classifies as PII in an autonomous way for the code. Do any APIs exist that could help with this?
This is woefully incorrect. In fact, it is a legal requirement that you do so. In fact, the bare minimum of what should be provided to comply in any legal basis is laid out here on my rabbit sanctuary site
Interesting :) I'd be curious to understand the legal basis. If so, it could cause broader issues. Perhaps you could explain your legal thinking here a bit? Point us to the principles or regs you think create the need for such a button? Also, what is the scope of the erasure you think is needed? Typical account deletion is not the same thing as erasure.
This is the subset of the ICO requirements
Yup, I'm aware of the general principles of the Right to Erasure. I guess the question is what the upshot is in a practical software sense. Note the following from what you linked
Or
The question here is whether this necessitates a computational solution, particularly in light of the balancing of rights each request requires (see the same doc you linked)
Yes, it does. You need to have a way of logging all access, erasure, and change requests, so it makes more sense to have a centralised platform that handles this. Once a request is sent, you have 30 days in order to comply with that request. Failure to do so is considered non-compliance, and the fines are either a maximum of €20m, or four times the annual turnover of any parent.
Indeed, those are the penalties. Perhaps we're talking at cross purposes here. My original point was that there is no need (and in fact it would be dangerous to have) a button that, when you click it, would automatically then and there attempt to delete all of your data in compliance with the right of erasure. It sounds like what you're talking about is a clear method of notifying the data controller that you wish to trigger that process, rather than what I've been referring to as a "computational solution", i.e. an expanded version of typical account deletion (which happens automatically). I'm assuming that if I submitted my email in the input on the HoppyHope website this would send a certain kind of notification to the website admin? Then the admin would process the request manually?
If you selected to delete your account, it would be automatic, as this is the point of self-deletion. A request for information triggers an email to the site admin.
Agreed, this is absolutely correct.
It doesn't need to be automatic, and in fact, some places do send a log to a central (if you like) ticketing system, where it can then be approved by an administrator. For example, there are some (albeit, admittedly, rare) instances where the data has to be retained for legal reasons - such as data related to safeguarding. (I know, I know, my legal head is coming on.... sorry.) Though what I would propose here as far as the scope of this extension is that the deletion should be automated in the sense of the below:
Click button for data deletion
If no --> "You have cancelled your data erasure request."
In every single case where I've deleted my account on sites (and there were tens of them when I was testing vendor responses to deletion requests before May 25 when GDPR landed) it has been instant. The entire objective of a delete request is for it to be actioned as quickly as possible and confirmation sent to the requester. The 30-day period afforded to this process is designed for larger institutions where information is typically chained across multiple systems, where discovery and gathering of data takes more time. In the case of a single site, you cannot argue the same case. There is also no option for approval. The right to deletion is a legal requirement, and cannot be rejected. Finally, regulatory requirements can and will always trump GDPR. For example, in my (work) case, we are regulated by the SEC in the US, FCA in the UK, MAS in Singapore, and Autorité des marchés in France. The SEC mandates 7 years retention for books and records meaning that there is a genuine legitimate interest for not deleting that data which would also suffice in a court of law. Such extension of retention could also be permanent if the data in question is subject to legal hold. However, the nature of the everyday forum does not have this right in terms of regulatory governance and therefore needs to comply with requests as a custodian of any data that can be attributed to an EU citizen. This includes the timely execution of requests for information, changes, and deletion.
Actually incorrect. Some data is protected for the purposes of legal requirement. For example, you could not ring the police and ask that they delete your data under the GDPR act. Which is why I proposed the below:
In the case of a simple forum where there are no legal boundaries whatsoever, it's correct.
Absolutely agreed. :)
For the purpose of assisting in further efforts, please see the below extension for MyBB GDPR compliance:
For context, what we're talking about here is (primarily) Article 17 of the GDPR:
Making a clear statement about the correctness of whether it must be automatic or not based off of, essentially, "undue delay" seems a bit premature to me, especially since the only timeframe given in the GDPR is the 1 month timeline (which is nowhere mentioned as limited to organisations or systems based on their size or complexity). It really depends on how that's interpreted by actual authorities. Not by how a handful of other websites have interpreted it so far. @phenomlab I would agree with your point about the relevance of other regulatory regimes here. If the automated solution purports to actually comply with the right of erasure in a programmatic fashion, this would have to go further than normal account deletion, which typically retains a number of pieces of data about a user. It would actually have to remove all personal data of that user. Otherwise it's the worst of both worlds, not actually in compliance with the right and potentially in conflict with other interests and duties as a result of its programmatic nature. There are many legal contexts relevant to online discussion in which the retention of records is a requirement, especially in the broad context of all possible users of a forum (who could be from any jurisdiction). Take an issue like defamation for example. If a user on a forum defames someone and there is a one click button on that forum that attempts to automatically comply with the right to erasure, the forum could quite easily fall foul of the laws concerning data retention in defamation law. I don't think you can say with confidence that there are no legal regimes in any jurisdiction which could potentially impose a data retention requirement on user data, such that having a programmatic erasure of all personal data of a user would be unproblematic for an online forum available to any jurisdiction. 
I can think of a few off the top of my head based on my own legal experience (in addition to defamation (or libel) laws in various jurisdictions (UK, Australia etc), Singaporean laws concerning speech or US laws concerning copyright, each of which I have studied and applied in legal practice). I have no doubt there would be a number of others. Attempting to really comply with the right of erasure in a programmatic fashion (not just delete accounts in a standard fashion) still seems risky to me, and unwarranted given the actual wording of the law and the lack of authorities saying otherwise.
Moreover, the right itself explicitly requires the data controller to consider a list of exceptions.
It's arguable that a programmatic attempt to comply with subsection 1 of Article 17 is in prima facie breach of the article as a whole, as the data controller cannot be said to be taking into account subsection 3.
The deletion of the data should be in full - that's the point of erasure as @phenomlab so rightly said.
Yes, I think we all agree on that. What we need to resolve here is what Flarum needs to incorporate in a programmatic fashion in order to comply with the right of erasure (i.e. Article 17), the initial question being does it need to incorporate anything new at all? Once we resolve that question we can either drop this or move onto the question of scope. I've given the start of my own legal analysis above as to why I'm wary about attempting to handle this right programmatically, as opposed to manually via the admin running DB queries by hand upon the completion of an internal administrative review of a request for erasure. Indeed this is the reason I didn't include a right of erasure feature in the Discourse legal tools plugin. I could give some further analysis but I want to give you both the chance to respond. To move forward on this one we need to get into actual legal analysis rather than just assertion. I'm more than happy to be proven wrong, but you both need to give some proper legal analysis as to why my reading of the actual words of Article 17, in the context of the rest of the other articles of the GDPR, is incorrect. Mere assertion of a position is not going to cut it here. I may not be an expert on EU law, but I have 3 law degrees from 3 different jurisdictions and have a fair bit of experience with international and comparative law. I need to see your working at this point to engage with your position on the level of legal analysis. Beyond the importance of this for Flarum (and it is important), this has some quite real consequences for me as well, as the Discourse legal tools plugin is currently in use by 1000s of Discourse sites. Depending on the outcome here, we may determine what gets added to both Flarum and Discourse.
If the 30 day period is included in the law, doesn't that mean that all sites enjoy its protections, regardless of their size / infrastructure? From that perspective A few thoughts from a software engineering perspective:
Yes - any institution or company regardless of size has a maximum of 30 days to comply (note comply, and not simply acknowledge or respond) with the request
Re 7. and 8. what @BartVB does (at Bokt.nl) is keep the user but give it an |
IIRC, the current plan is to have 2 erasure modes: soft anonymization, and user account deletion. |
Why was this closed sorry @luceos ? |
The extension is now able to anonymize and delete, as far as I know that completes the requirements from this item? |
From @phenomlab
On this front, I wonder about having a feature that allows the user to do this themselves. Here's the relevant portion of the Discourse stuff re this (from https://meta.discourse.org/t/providing-data-for-gdpr/83595/23?u=angus).
And the following post from Sam.
Interested in your thoughts though @phenomlab and @katosdev.