GDPR in this forum

TL;DR: How can one make use of the GDPR rights in this forum?

I’ve tried to find a way to download all my data in the account page, but sadly with no luck. The only option I’ve found was in profile -> activity -> Download All which downloads all posts. But this obviously is far from all the information related to my account (in particular it contains close to 0 metadata which is shown in the summary tab).

Similarly there seems to be no “Delete Account” button. While I didn’t intend to do that, it is good practice imo to have one.

On a different note, I am highly averse to the statistics kept by discourse (e.g. shown here https://forum.solidproject.org/u). While some people apparently find it useful, there should definitely be an easy way to opt-out of them (which, again, I didn’t find). I personally don’t see value in them at all, so I would suggest to disable them if possible, but providing a way to individually disable them seems essential to me.

I don’t know how easy it is with discourse to directly embed the Right of Access and Right to Erasure. I think it will be possible to do this (considering the scale of discourse), but if not it should be made clear where else one can make use of these rights.

4 Likes

@MitziLaszlo Do you happen to know if there are currently buttons integrated for exporting/deleting the personal data in this forum? Or if not, what other way is suggested to make use of ones GDPR-rights?

Re: deletion. It is possible to get your PII and account removed. What stays behind are your public posts (now shown as ‘posted’ by an anonymous placeholder account), unless you delete them manually prior to this action (which can be highly disruptive to the thread flow).

Don’t know about export. Look for GDPR compliance on Discourse’s own forum meta.discourse.org … some long discussions have taken place there on this topic.

1 Like

My suggestion is that a user’s rights end where the “home of the mind” begins. Once a user intentionally publishes data on the web, it is no longer erasable because of the damage it would do to related data provenance and as Aschrijver cautions, due to the disruption to the thread flow. If not published intentionally (determining “intention” is a matter of “cyber law”, a.k.a. the “MAGna Carta of the web”) then that right to privacy remains protected. You just can’t “un-ring the bell.”

Notice that conversely, the GDPR is all encompassing ("‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)" in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical (human body), physiological (biometrics, eyes, fingerprint, etc), genetic (nano-level genome infrastructure), and mental (the quantum “home of the mind”, or what I call the great blood/brain barrier reef), economic (again work product of the mind), cultural (geophysical and geo-temporal) or social identity (aggregate quanta and continuum of a person’s soul). https://gdpr-info.eu/art-4-gdpr

Hello Aschrijver, long time no see old friend.

Thanks for the suggestions.

I know that deletion is technically possible, but afaik there is still no dedicated place to submit a deletion request (at least it’s not in the privacy policy which is from pre-GDPR times).

In think the main thread from May/June 2018 can be summarized with these two posts:

  1. here it’s claimed that the Download All button covers the data access right (which, as explained above, is far from all personal data stored). This was referred to before locking the thread
  2. here where they refer to a legal-tools plugin which seems to also cover metadata and probably some other functionality. I’m not familiar with Discourse so I don’t know if it is useful or not and what exactly it’s capabilities are.

I didn’t find any other more up to date information than this. Also notable is, that they stated it’s up to the providers to ensure GDPR compliance.

Afaik this is covered by the “legitimate interest” the forum providers could have for meaningful threads. But I’m not a lawyer, and I didn’t do much research, so don’t rely on this :))

Also keep in mind that GDPR compliance is a must, not a nice-to-have. Except if the idea is to exclude EU-citizens, but this is hopefully not the case, but I haven’t seen anything in that direction and hope it won’t be in the future. So any considerations regarding privacy should use the GDPR as the minimum.

And that question is still open from my point of view.

(EDIT)
Aaaaand it’s still open. Sorry for being so sassy about this, but I find it ridiculous to work on a project about data ownership on a forum, which tracks your reading activity, without an opt-out option or even a way to access the stored data. GDPR is a legal minimum. I don’t get why the Solid Forum should have such a hard time with this.

If the only option to opt-out of tracking is to opt-out of this forum, I’ll take it into consideration. Definitely not what I want, but unnecessary tracking is also something I definitely don’t want.

So, once again:
How can one make use of the GDPR rights in this forum?
And how can one disable tracking? (Or why don’t you just disable it in general?)

3 Likes

Otto,

Thank you for raising these concerns. The forum was initiated as a simple self-service and volunteer platform to quickly enable the community to grow and has been maturing into administration by a Solid team.

It is in the process of transition to more formal Solid administration now, which means updates to service terms from the default platform, and some platform extensions will be made that can offer self-service data portability.

As you already found the “Download All” button on the default profile settings page offers much of the information you requested. Also as you already found the https://forum.solidproject.org/u page gives a fair idea of the data collected and its stated purpose for the forum to operate. All of this soon will be more clearly explained by the Solid community administrators.

2 Likes

Thanks for your reply, it is good to hear that these topics are being considered and I’m looking forward to any updates on it. I’ll reconsider being more active in this forum once it is GDPR compliant, until then I will limit my activity here (partly because of this issue, partly because of time constraints)

I would disagree with this, as (1) it gives me no clue what other data is collected, and (2) doesn’t provide insights into its purpose (I’m fairly confident that the forum without this statistic page would operate as good as it does now, hence from my perspective this can’t be the purpose). So a clarification in the privacy policy would definitely be welcomed. Or just disabling it…

1 Like

Have there been any updates on this issue?

1 Like

Hi Otto. Yes, we’ve been working with Justin Bingham to help update the forum software, which will also include an update to the ToS and a self-service data export feature. First step was done last week (maintenance outage notice for upgrade), and you’ll see more maintenance notes posted in the forum as we continue the process.

5 Likes