GDPR Art. 17 Right to Erasure compliance?

[Iwon8]

Hello

From may 25 all EU citizens get the right to erasure if they give up their consent, so all EU citizens may ask to remove their account completely from getDare while being legally backed up.

How will getDare comply with this?

(This is not even taking into account other rules of the GDPR which for example state that all user data has to be encrypted at all times, so no SSL means the website is in violation and could face a fee of €20 million)

[Magnetic]

That is actually an excellent question.

GetDare have been refusing to add SSL to their site for some time, along with other most important things. Let's hope they do it now once for all, now that they will be fined severely if they don't.

Once they add it for EU citizens, it would literally mean that they would need to put in extra effort to give that protection only to EU citizens, so they would simply add it for everybody... As Fred Flingstone used to say: Ya bba dabba doooooooooo!!!

While they are at it, can they please modify their vBulletin skin so that it is mobile friendly? That is the other major improvement that this site BADLY needs.

[RiskyFlame]

Quote:

Originally Posted by Iwon8

How will getDare comply with this?

Not?

- - - - - - - - - - - - - - - - - - - - -

I am neither a lawyer nor someone who has dealt with legal stuff before but I took a closer look at the GDPR and found out that getDare is not applicable to this data protection regulation of the European Union. I hope that I have understood the GDPR document right and in order to avoid a mistake or confusion, I'll go through how I came to understand all this.

Please correct me if I made a wrong turn somewhere.

- - - - - - - - - - - - - - - - - - - - -

At first, I read about GDPR in the media but like most media websites, it's way too vague. Writing that it's an EU law but it applies to 'most' websites based outside the EU as well. So instead of trying to find information about whether forums must comply with these data protection regulations as well, I decided to actually read the GDPR. No idea where I had to begin but once I opened the document, it was pretty obvious that I had to read article 3: territorial scope, under general provisions. (bold added)

Source: https://gdpr-info.eu/

Quote:

Originally Posted by Art. 3 GDPR: Territorial scope

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
   
   
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
   

   1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
      
      
   2. the monitoring of their behaviour as far as their behaviour takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Article 3.1 - getDare is not established in the European Union so getDare is not applicable.

Article 3.2a - getDare offers not goods but services, including to EU data subjects that decide to register on the entirely US-based website forum called (you guessed it!) getDare.

Article 3.2b - getDare does not monitor EU data subjects' behaviour.

Article 3.3 - Member State law applies not to the USA.

The only thing to determine in order to know whether getDare is applicable to GDPR, is to see if getDare is applicable to article 3.2a (applicable to be applicable? I guess so). So we go to Recital 23 which states the following.

Quote:

Originally Posted by Recital 23 GDPR

Applicable to processors not established in the Union if data subjects within the Union are targeted*

¹In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. ²In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. ³Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

* This title is an unofficial description.

¹ About ensuring to not deprive EU data subjects to their right of GDPR, sort of...

² getDare is only applicable to the GDPR if it is apparent that getDare envisages offering services to EU data subjects.

³ getDare's accessibility to an e-mail address or other contact details (of EU data subject), or the use of the third countries language (= USA --> English), is insufficient to show intentions to target EU data subjects with getDare's service. Factors such as the usage of an EU-Member State's language or currency to offer getDare's services, or mentioning of users who are in the EU, may make it apparent that getDare envisages offering services to EU data subjects.

So by these definitions on whether getDare is applicable to article 3.2a, thus the GDPR; getDare is not applicable. Neither have I seen getDare use languages or currencies of an EU-Member States nor the mentioning of users who are in the EU.

- - - - - - - - - - - - - - - - - - - - -

And just to clarify, if you ask a mod nicely and give a reason as to why you want certain posts to be deleted then a mod will do it for you. Or at the very least, I will do it for you provided it doesn't damage the other content on getDare. Don't delete great dares or create big holes in threads.

[Magnetic]

Isn't GetDare itself a service, RiskyFlame? Don't you provide us with the service of contacting and communicating with each other?

If this you consider the website a service, according to article 2, paragraph 2, point B, GetDare does qualify.

[RiskyFlame]

Quote:

Originally Posted by Magnetic

Isn't GetDare itself a service, RiskyFlame? Don't you provide us with the service of contacting and communicating with each other?

I guess it's a service although, I don't know exactly how to describe the services that getDare provides its members. Maybe I can describe it as the service of offering free content and the service of the possibility to share content.

Quote:

Originally Posted by Magnetic

If this you consider the website a service, according to article 2, paragraph 2, point B, GetDare does qualify.

Taking a closer look at recital 24 (quoted below) to see whether getDare applies to article 3.2b, I understand that getDare is not applicable to this article. Because getDare does not track natural persons on the internet.

Then you might think: what about taking decisions concerning EU data subjects using processing techniques which consist of profiling a natural person? A getDare moderator or administrator is but a member of getDare and not employed by getDare. As I said, I am rarely in touch with legal documents and don't know much about the laws on topics such as these but shouldn't gD mods and admins be employed to be a part of getDare? To be paid or at the very least, receive a compensation for the work. Honestly, I wouldn't know whether, by law, getDare mods and administrators are part of getDare. If they are part of getDare then I guess the GDPR applies to getDare (still not entirely sure). If it's not part of getDare then the GDPR doesn't apply to getDare, right?

Quote:

Originally Posted by Recital 24 GDPR

Applicable to processors not established in the Union if data subjects within the Union are profiled*

Recital 24 Applicable to processors not established in the Union if data subjects within the Union are profiled*

¹The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. ²In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

* This title is an unofficial description.

[Magnetic]

Quote:

Originally Posted by RiskyFlame

I guess it's a service although, I don't know exactly how to describe the services that getDare provides its members. Maybe I can describe it as the service of offering free content and the service of the possibility to share content.


Taking a closer look at recital 24 (quoted below) to see whether getDare applies to article 3.2b, I understand that getDare is not applicable to this article. Because getDare does not track natural persons on the internet.

Then you might think: what about taking decisions concerning EU data subjects using processing techniques which consist of profiling a natural person? A getDare moderator or administrator is but a member of getDare and not employed by getDare. As I said, I am rarely in touch with legal documents and don't know much about the laws on topics such as these but shouldn't gD mods and admins be employed to be a part of getDare? To be paid or at the very least, receive a compensation for the work. Honestly, I wouldn't know whether, by law, getDare mods and administrators are part of getDare. If they are part of getDare then I guess the GDPR applies to getDare (still not entirely sure). If it's not part of getDare then the GDPR doesn't apply to getDare, right?

Maybe you are right, maybe you are not. I think you should at least ask a lawyer who specializes in European law about it... You will not want to be hit with a civil, much less a criminal, lawsuit.

[Butterfly's Prisoner]

The key point here is whether getDare and its administrators are outside the EU.

If both the website and the administrators are outside the EU, then whether they fulfil the requirements laid in European law is irrelevant. Even if they go against European law, they wouldn't be prosecuted for that. European law applies in Europe, not abroad.

Technically, I imagine they could be liable to extradition, but that would be extremely unlikely. Even ignoring all the legal and political requirements involving a citizen's extradition, no judge in any EU member state is ever going to request extradition of a forum's administrators simply because they refused to delete someone's posts in a forum. That's a lot of work and something they only do for serious crimes.

[Magnetic]

Quote:

Originally Posted by piopio1949

The key point here is whether getDare and its administrators are outside the EU.

If both the website and the administrators are outside the EU, then whether they fulfil the requirements laid in European law is irrelevant. Even if they go against European law, they wouldn't be prosecuted for that. European law applies in Europe, not abroad.

Technically, I imagine they could be liable to extradition, but that would be extremely unlikely. Even ignoring all the legal and political requirements involving a citizen's extradition, no judge in any EU member state is ever going to request extradition of a forum's administrators simply because they refused to delete someone's posts in a forum. That's a lot of work and something they only do for serious crimes.

Bahh!

It is not true, but I won't argue any more about it. If they slap you with a lawsuit later, don't say I did not warn them.

All I am saying is for GD to ask an European lawyer. You might find out that the law still applies anyway.

Anyway, I am unsubscribing from this thread now.

[Lacram]

Quote:

Originally Posted by piopio1949

The key point here is whether getDare and its administrators are outside the EU.

If both the website and the administrators are outside the EU, then whether they fulfil the requirements laid in European law is irrelevant. Even if they go against European law, they wouldn't be prosecuted for that. European law applies in Europe, not abroad.

Technically, I imagine they could be liable to extradition, but that would be extremely unlikely. Even ignoring all the legal and political requirements involving a citizen's extradition, no judge in any EU member state is ever going to request extradition of a forum's administrators simply because they refused to delete someone's posts in a forum. That's a lot of work and something they only do for serious crimes.

"The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location."

The servers could be in Tobago, doesn't matter. Let's be honest, it's a complex topic and there are more questions to answer than i have characters left - only a lawyer could say whether or not those laws apply to gD. I'm pretty sure they do but i'm not a lawyer after all.

Also, some interesting side notes:
"According to the PwC survey, 68 percent of U.S.-based companies expect to spend $1 million to $10 million to meet GDPR requirements. Another 9 percent expect to spend more than $10 million."

[Butterfly's Prisoner]

Poor choice of words there from my side.

Technically, yes, the law is applied to everyone who offers services to people in EU member states. What I mean is that if you live outside of the EU, you don't have offices there and your servers are somewhere else as well, it's extremely unlikely that you'll be prosecuted for violating the GDPR. Even more so considering that this is simply an Internet forum which doesn't sell any services and has a relatively small user base.

That said, earlier today I found out that there is a bilateral agreement between the EU and the US regarding data protection. So actually, if gD is based in the US (that I don't know), the best person to offer guidance might be a US-based lawyer who is aware of said agreement and can offer more insight into whether gD could get into trouble for failing to comply with European law.

[Lacram]

Quote:

Originally Posted by piopio1949

Even more so considering that this is simply an Internet forum which doesn't sell any services and has a relatively small user base.

You can get yourself a paid subscription for 10$ a year or $3.50 a month.

[Big White]

Gdpr also has a clause concerning the storing of data that relates to sexuality, iirc. I think getdare is in more than a gray area here.

I understand that you don't want a fragmented board with a lot of deleted posts and incomplete threads. Ofcourse, people post stuff willingly. However, s/M advertisements get locked and contain a lot of personal sexual information. These are just stored and accessible to everyone, definitely a breach in GDPR.
A quick fix would be to delete locked advertisements after half a year or so. Better safe than sorry, that's definitely a breach, and one that's actionable by individuals.

[lbdsmplay]

Good on you risky flame
I think European laws are intrusive to other countries and invade their space as well as been a financial burden on other countries and yes of course I am going to get people how much they help poor countries it very easy with some one else's money gratefully soon to become a UK citerzen again and can only say bye bye to the EU and it regulations and laws and unfortunately I am not in the minorite who just wish to change a voters right

[RiskyFlame]

Quote:

Originally Posted by Big White

Gdpr also has a clause concerning the storing of data that relates to sexuality, iirc. I think getdare is in more than a gray area here.

I understand that you don't want a fragmented board with a lot of deleted posts and incomplete threads. Ofcourse, people post stuff willingly. However, s/M advertisements get locked and contain a lot of personal sexual information. These are just stored and accessible to everyone, definitely a breach in GDPR.
A quick fix would be to delete locked advertisements after half a year or so. Better safe than sorry, that's definitely a breach, and one that's actionable by individuals.

I don't mind deleting M/s advertisements upon request because it adds nothing to getDare in general (no useful information for others). If someone wants their ad deleted, just ask. And honestly, I haven't seen any users with hundreds of posts request their account to be deleted (or I've forgotten). It's more common that users with up to 20 posts want their account deleted. Usually with the reason that their contact details are showing up in Google's search results. Which, really, is their own fault for being short-sighted. Nevertheless, I don't want getDare to be a burden so I delete the post with their contact details or edit them out.

- - - - - - - - - - - - - - - - - - - - -

Something entirely else. I tried to figure out whether getDare has to comply with the EU's GDPR because the negativity I read: no SSL = big fee, they'll be fined severely now, bad website layout. It just ticked me off a bit. If it was more neutral, I probably still would've tried to figure out whether getDare is applicable or not. But that's not the point I'm trying to make. My point is that I want to make it very clear that a moderator cannot improve getDare, only moderate the data flow (generally described).

We need an administrator with enough access (Depp, possible Rachie) for these kinds of improvements. I'm usually for improving getDare unless the improvements are minimal compared to the amount of work. But it doesn't matter what I think if no administrator wants to put effort into a specific idea to improve getDare. All I can do is to think of reasons why it should or shouldn't be implemented. This is the main reason why I usually approach new ideas from the downside and give reasons why it shouldn't be implemented. Just to give a bigger picture of the effects implementing a new idea would have on getDare.

So the main point I want to make is that, even though it might seem that I don't want to improve getDare, I want to improve getDare. But I can't. So if believe that you think an idea for improving getDare goes unheard, approach an administrator directly.

[frukostflingor]

Facebook, instagram, whatsapp, twitter and all other sites/services that are available in the EU need to adapt do GDPR.

Who does the GDPR affect?
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

What constitutes personal data?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.