GDPR in this forum

TL;DR: How can one make use of the GDPR rights in this forum?

I’ve tried to find a way to download all my data in the account page, but sadly with no luck. The only option I’ve found was in profile -> activity -> Download All which downloads all posts. But this obviously is far from all the information related to my account (in particular it contains close to 0 metadata which is shown in the summary tab).

Similarly there seems to be no “Delete Account” button. While I didn’t intend to do that, it is good practice imo to have one.

On a different note, I am highly averse to the statistics kept by Discourse (e.g. shown here http://forum.solidproject.org/u). While some people apparently find it useful, there should definitely be an easy way to opt out of them (which, again, I didn’t find). I personally don’t see value in them at all, so I would suggest to disable them if possible, but providing a way to individually disable them seems essential to me.

I don’t know how easy it is with Discourse to directly embed the Right of Access and Right to Erasure. I think it will be possible to do this (considering the scale of Discourse), but if not it should be made clear where else one can make use of these rights.

4 Likes

@MitziLaszlo Do you happen to know if there are currently buttons integrated for exporting/deleting the personal data in this forum? Or if not, what other way is suggested to make use of one’s GDPR rights?

Re: deletion. It is possible to get your PII and account removed. What stays behind are your public posts (now shown as ‘posted’ by an anonymous placeholder account), unless you delete them manually prior to this action (which can be highly disruptive to the thread flow).

Don’t know about export. Look for GDPR compliance on Discourse’s own forum meta.discourse.org … some long discussions have taken place there on this topic.

1 Like

My suggestion is that a user’s rights end where the “home of the mind” begins. Once a user intentionally publishes data on the web, it is no longer erasable because of the damage it would do to related data provenance and as Aschrijver cautions, due to the disruption to the thread flow. If not published intentionally (determining “intention” is a matter of “cyber law”, a.k.a. the “MAGna Carta of the web”) then that right to privacy remains protected. You just can’t “un-ring the bell.”

Notice that conversely, the GDPR is all encompassing ("‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)" in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical (human body), physiological (biometrics, eyes, fingerprint, etc), genetic (nano-level genome infrastructure), and mental (the quantum “home of the mind”, or what I call the great blood/brain barrier reef), economic (again work product of the mind), cultural (geophysical and geo-temporal) or social identity (aggregate quanta and continuum of a person’s soul)). https://gdpr-info.eu/art-4-gdpr

Hello Aschrijver, long time no see old friend.

Thanks for the suggestions.

I know that deletion is technically possible, but afaik there is still no dedicated place to submit a deletion request (at least it’s not in the privacy policy which is from pre-GDPR times).

I think the main thread from May/June 2018 can be summarized with these two posts:

  1. here it’s claimed that the Download All button covers the data access right (which, as explained above, is far from all personal data stored). This was referred to before locking the thread.
  2. here where they refer to a legal-tools plugin which seems to also cover metadata and probably some other functionality. I’m not familiar with Discourse so I don’t know if it is useful or not and what exactly its capabilities are.

I didn’t find any other more up to date information than this. Also notable is that they stated it’s up to the providers to ensure GDPR compliance.

Afaik this is covered by the “legitimate interest” the forum providers could have for meaningful threads. But I’m not a lawyer, and I didn’t do much research, so don’t rely on this :))

Also keep in mind that GDPR compliance is a must, not a nice-to-have. Except if the idea is to exclude EU citizens, but this is hopefully not the case; I haven’t seen anything in that direction and hope it won’t be in the future. So any considerations regarding privacy should use the GDPR as the minimum.

And that question is still open from my point of view.

(EDIT)
Aaaaand it’s still open. Sorry for being so sassy about this, but I find it ridiculous to work on a project about data ownership on a forum, which tracks your reading activity, without an opt-out option or even a way to access the stored data. GDPR is a legal minimum. I don’t get why the Solid Forum should have such a hard time with this.

If the only option to opt out of tracking is to opt out of this forum, I’ll take it into consideration. Definitely not what I want, but unnecessary tracking is also something I definitely don’t want.

So, once again:
How can one make use of the GDPR rights in this forum?
And how can one disable tracking? (Or why don’t you just disable it in general?)

3 Likes

Otto,

Thank you for raising these concerns. The forum was initiated as a simple self-service and volunteer platform to quickly enable the community to grow and has been maturing into administration by a Solid team.

It is in the process of transition to more formal Solid administration now, which means updates to service terms from the default platform, and some platform extensions will be made that can offer self-service data portability.

As you already found, the “Download All” button on the default profile settings page offers much of the information you requested. Also, as you already found, the http://forum.solidproject.org/u page gives a fair idea of the data collected and its stated purpose for the forum to operate. All of this soon will be more clearly explained by the Solid community administrators.

2 Likes

Thanks for your reply, it is good to hear that these topics are being considered and I’m looking forward to any updates on it. I’ll reconsider being more active in this forum once it is GDPR compliant; until then I will limit my activity here (partly because of this issue, partly because of time constraints).

I would disagree with this, as (1) it gives me no clue what other data is collected, and (2) doesn’t provide insights into its purpose (I’m fairly confident that the forum without this statistic page would operate as good as it does now, hence from my perspective this can’t be the purpose). So a clarification in the privacy policy would definitely be welcomed. Or just disabling it…

1 Like

Have there been any updates on this issue?

1 Like

Hi Otto. Yes, we’ve been working with Justin Bingham to help update the forum software, which will also include an update to the ToS and a self-service data export feature. First step was done last week (maintenance outage notice for upgrade), and you’ll see more maintenance notes posted in the forum as we continue the process.

5 Likes

Any updates…?

It took a bit of time to get the proper notices worked out and in place. We’ve got everything ready now, so will be scheduling and conducting some changes over the next few weeks. Will update this thread as progress is made.

3 Likes

Non-GDPR compliance does not exclude EU citizens unless a foreign site decides to exclude them.
The EU does not have legal jurisdiction to enforce in the US for example.
US based websites are legally allowed to publish things available on the Internet.
It’s up to Communist China or the EU if they wish to block it.
Currently, the EU is not blocking US sites as far as I know.

First of all, it shouldn’t matter if it is a legal requirement or not. As said before “I find it ridiculous to work on a project about data ownership on a forum, which tracks your reading activity, without an opt-out option or even a way to access the stored data”. It doesn’t matter to me if this is legal or illegal.

Apart from that, GDPR certainly applies to non-EU entities in some cases. GDPR would be useless if it only applies to organizations or data processing within the EU. It needs to protect the data of EU citizens. Therefore it does apply to non-EU entities in several cases. I’m not a lawyer so I won’t speculate if it is the case for this forum, but feel free to take a look at this explanation or article 3 of the GDPR.

1 Like

I’m not a lawyer either. I live in Europe and had to implement GDPR for a site I built and then had to take a course on it in connection with public work involving private data. I was tuned in to the topic for a while; noticing when the US pulled out of an agreement that allowed European Courts jurisdiction in the US. The move wasn’t GDPR specific. It just countered the EU imposing law on the US - interfering with the country’s sovereignty.

1 Like

@justin Any updates on this?

Hi @A_A - apologies this took a while, but please see this post which provides a TLDR on our updated Privacy Policy and Terms of Service. We believe this better reflects our compliance with GDPR and explains in more detail what information we collect in order to run the Forum, why we collect this information, and how we use it.

1 Like

In general I am OK with the GDPR notice it should be sufficient for now to run the site. Beyond the ‘Download All’ is there a standardized way to request a copy of any of my personal data which is being processed as well as other relevant information on the Solid Forum? I noticed that it is mentioned in the privacy policy but not how a user can actually perform a data subject access request.

And in more general terms is there a W3C standard or a Solid Pod implementation that has standardized API calls to deal with such a request from any potential users of my own Solid Pod?