flarum / gdpr

Gdpr extension for @flarum
MIT License

Right to Erasure compliance #2

Closed angusmcleod closed 2 years ago

angusmcleod commented 4 years ago

From @phenomlab

One final point which changes all of this is the request for deletion. For example, deletion of an account is currently not possible by the user in Flarum (unless you are using the WordPress extension from Clark as I do), but is possible via various WordPress plugins - some designed as a fully fledged replacement for the login and registration system and some that simply provide the feature to completely remove an account. Flarum needs this capability in order to ensure it remains compliant with GDPR. It's essentially the "right to be forgotten", meaning that if you execute the deletion, ALL information and records that relate to you as an individual must also be either permanently deleted, or at the very least, sensitive information redacted so that attribution to the owner is no longer possible.

On this front, I wonder about having a feature that allows the user to do this themselves. Here's the relevant portion of the Discourse stuff re this (from https://meta.discourse.org/t/providing-data-for-gdpr/83595/23?u=angus).

Concerning the Right to Erasure (aka “Right to be forgotten”), I would reiterate that the applicable timeline (like with the Right to Data Portability) is one month. There is no need to provide a one-click “Forget me” button for users. It is quite possible to comply with requests to be forgotten within the existing functionality of Discourse.

Moreover, it is not clear to me that it would be a good idea to allow a user to completely erase all data concerning them themselves as the Right to Erasure explicitly requires the data controller to consider exceptions and countervailing rights when complying with a request.

And the following post from Sam.

Interested in your thoughts though @phenomlab and @katosdev.

luceos commented 4 years ago

The username changes extension allows users to request a change in username, which then has to be approved by a moderative authority. We could do the same with user deletion.

Another thing I was considering, if even possible, would be to provide tooling to do accurate redaction of PII in content. This is especially hard with posts that quote for instance. But also understanding what classifies as PII in an autonomous way for the code. Do any APIs exist that could help with this?

phenomlab commented 4 years ago

There is no need to provide a one-click “Forget me” button for users.

This is woefully incorrect. In fact, it is a legal requirement that you do so.

In fact, the bare minimum of what should be provided to comply in any legal basis is laid out here on my rabbit sanctuary site https://hoppyhope.org/privacy-tools/

angusmcleod commented 4 years ago

This is woefully incorrect. In fact, it is a legal requirement that you do so.

Interesting :) I'd be curious to understand the legal basis. If so, it could cause broader issues.

Perhaps you could explain your legal thinking here a bit? Point us to the principles or regs you think create the need for such a button? Also, what is the scope of the erasure you think is needed? Typical account deletion is not the same thing as erasure.

phenomlab commented 4 years ago

This is the subset of the ICO requirements

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

angusmcleod commented 4 years ago

Yup, I'm aware of the general principles of the Right to Erasure. I guess the question is what the upshot is in a practical software sense. Note the following from what you linked

The GDPR does not specify how to make a valid request. Therefore, an individual can make a request for erasure verbally or in writing. It can also be made to any part of your organisation and does not have to be to a specific person or contact point.

Or

You should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month.

The question here is whether this necessitates a computational solution, particularly in light of the balancing of rights each request requires (see the same doc you linked)

phenomlab commented 4 years ago

The question here is whether this necessitates a computational solution, particularly in light of the balancing of rights each request requires (see the same doc you linked)

Yes, it does. You need to have a way of logging all access, erasure, and change requests, so it makes more sense to have a centralised platform that handles this. Once a request is sent, you have 30 days in order to comply with that request. Failure to do so is considered non-compliance, and the fines are either a maximum of €20m, or four times the annual turnover of any parent.

angusmcleod commented 4 years ago

Indeed, those are the penalties.

Perhaps we're talking at cross purposes here. My original point was that there is no need (and in fact it would be dangerous to have) a button that, when you click it, it would automatically then and there attempt to delete all of your data in compliance with the right of erasure.

It sounds like what you're talking about is a clear method of notifying the data controller that you wish to trigger that process, rather than what I've been referring to as a "computational solution", i.e. an expanded version of typical account deletion (which happens automatically).

I'm assuming that if I submitted my email in the input on the HoppyHope website this would send a certain kind of notification to the website admin? Then the admin would process the request manually?

phenomlab commented 4 years ago

If you selected to delete your account, it would be automatic, as this is the point of self-deletion. A request for information triggers an email to the site admin.

katosdev commented 4 years ago

There is no need to provide a one-click “Forget me” button for users.

This is woefully incorrect. In fact, it is a legal requirement that you do so.

In fact, the bare minimum of what should be provided to comply in any legal basis is laid out here on my rabbit sanctuary site https://hoppyhope.org/privacy-tools/

Agreed, this is absolutely correct.

If you selected to delete your account, it would be automatic, as this is the point of self-deletion. A request for information triggers an email to the site admin.

It doesn't need to be automatic, and in fact, some places do send a log to a central (if you like) ticketing system, where it can then be approved by an administrator. For example, there are some (albeit, admittedly, rare) instances where the data has to be retained for legal reasons - such as data related to safeguarding. (I know, I know, my legal head is coming on.... sorry.)

Though what I would propose here, as far as the scope of this extension goes, is that the deletion should be automated in the sense of the below:

Click button for data deletion Confirmation prompt. If yes --> Data is deleted, and a log sent to administrator on a panel in the admin panel.

If no --> "You have cancelled your data erasure request."

phenomlab commented 4 years ago

@katosdev

It doesn't need to be automatic

In every single case where I've deleted my account on sites (and there were tens of them when I was testing vendor responses to deletion requests before May 25 when GDPR landed) it has been instant. The entire objective of a delete request is for it to be actioned as quickly as possible and confirmation sent to the requester. The 30-day period afforded to this process is designed for larger institutions where information is typically chained across multiple systems, where discovery and gathering of data takes more time. In the case of a single site, you cannot argue the same case.

There is also no option for approval. The right to deletion is a legal requirement, and cannot be rejected

Finally, regulatory requirements can and will always trump GDPR. For example, in my (work) case, we are regulated by the SEC in the US, FCA in the UK, MAS in Singapore, and Autorité des marchés in France. The SEC mandates 7 years retention for books and records meaning that there is a genuine legitimate interest for not deleting that data which would also suffice in a court of law. Such extension of retention could also be permanent if the data in question is subject to legal hold.

However, the nature of the everyday forum does not have this right in terms of regulatory governance and therefore needs to comply with requests as a custodian of any data that can be attributed to an EU citizen. This includes the timely execution of requests for information, changes, and deletion.

katosdev commented 4 years ago

@katosdev There is also no option for approval. The right to deletion is a legal requirement, and cannot be rejected

Actually incorrect. Some data is protected for the purposes of legal requirement. For example, you could not ring the police and ask that they delete your data under the GDPR act. Again, I fully acknowledge that this is a very extreme use-case, and definitely would not apply to most (if not all) forums.

Which is why I proposed the below:

Click button for data deletion Confirmation prompt. If yes --> Data is deleted, and a log sent to administrator on a panel in the admin panel.

If no --> "You have cancelled your data erasure request."

phenomlab commented 4 years ago

@katosdev

Actually incorrect

In the case of a simple forum where there are no legal boundaries whatsoever, it's correct.

katosdev commented 4 years ago

@katosdev In the case of a simple forum where there are no legal boundaries whatsoever, it's correct.

Absolutely agreed. :)

katosdev commented 4 years ago

For the purpose of assisting in further efforts, please see the below extension for MyBB GDPR compliance: https://github.com/kawaii/mybb-amnesia

angusmcleod commented 4 years ago

For context, what we're talking about here is (primarily) Article 17 of the GDPR:

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies... (see further )

Making a clear statement about the correctness of whether it must be automatic or not based off of, essentially, "undue delay" seems a bit premature to me, especially since the only timeframe given in the GDPR is the 1 month timeline (which is nowhere mentioned as limited to organisations or systems based on their size or complexity). It really depends on how that's interpreted by actual authorities. Not by how a handful of other websites have interpreted it so far.

@phenomlab I would agree with your point about the relevance of other regulatory regimes here.

If the automated solution purports to actually comply with the right of erasure in a programmatic fashion, this would have to go further than normal account deletion, which typically retains a number of pieces of data about a user. It would actually have to remove all personal data of that user. Otherwise it's the worst of both worlds, not actually in compliance with the right and potentially in conflict with other interests and duties as a result of its programmatic nature.

There are many legal contexts relevant to online discussion in which the retention of records is a requirement, especially in the broad context of all possible users of a forum (who could be from any jurisdiction). Take an issue like defamation for example. If a user on a forum defames someone and there is a one click button on that forum that attempts to automatically comply with the right to erasure, the forum could quite easily fall foul of the laws concerning data retention in defamation law.

I don't think you can say with confidence that there are no legal regimes in any jurisdiction which could potentially impose a data retention requirement on user data, such that having a programmatic erasure of all personal data of a user would be unproblematic for an online forum available to any jurisdiction. I can think of a few off the top of my head based on my own legal experience (in addition to defamation (or libel) laws in various jurisdictions (UK, Australia etc), Singaporean laws concerning speech or US laws concerning copyright, each of which I have studied and applied in legal practice). I have no doubt there would be a number of others.

Attempting to really comply with the right of erasure in a programmatic fashion (not just delete accounts in a standard fashion) still seems risky to me, and unwarranted given the actual wording of the law and the lack of authorities saying otherwise.

angusmcleod commented 4 years ago

Moreover, the right itself explicitly requires the data controller to consider a list of exceptions.

  1. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary: ...(see further)

It's arguable that a programmatic attempt to comply with subsection 1 of Article 17 is in prima facie breach of the article as a whole, as the data controller cannot be said to be taking into account subsection 3.

katosdev commented 4 years ago

The deletion of the data should be in full - that's the point of erasure as @phenomlab so rightly said. You can't say "we have completed your erasure request" and retain some information. What you can say is that ID was deleted from the database on this date - because that doesn't identify the user in any way.

angusmcleod commented 4 years ago

The deletion of the data should be in full

Yes, I think we all agree on that.

What we need to resolve here is what Flarum needs to incorporate in a programmatic fashion in order to comply with the right of erasure (i.e. Article 17), the initial question being does it need to incorporate anything new at all? Once we resolve that question we can either drop this or move onto the question of scope.

I've given the start of my own legal analysis above as to why I'm wary about attempting to handle this right programmatically, as opposed to manually via the admin running DB queries by hand upon the completion of an internal administrative review of a request for erasure. Indeed this is the reason I didn't include a right of erasure feature in the Discourse legal tools plugin. I could give some further analysis but I want to give you both the chance to respond.

To move forward on this one we need to get into actual legal analysis rather than just assertion. I'm more than happy to be proven wrong, but you both need to give some proper legal analysis as to why my reading of the actual words of Article 17, in context of the rest of the other articles of the GDPR, are incorrect. Mere assertion of a position is not going to cut it here. I may not be an expert on EU law, but I have 3 law degrees from 3 different jurisdictions and have a fair bit of experience with international and comparative law. I need to see your working at this point to engage with your position on the level of legal analysis.

Beyond the importance of this for Flarum (and it is important), this has some quite real consequences for me as well as the Discourse legal tools plugin is currently in use by 1000s of Discourse sites. Depending on the outcome here, we may determine what gets added to both Flarum and Discourse.

askvortsov1 commented 3 years ago

The entire objective of a delete request is for it to be actioned as quickly as possible and confirmation sent to the requester. The 30-day period afforded to this process is designed for larger institutions where information is typically chained across multiple systems, where discovery and gathering of data takes more time.

If the 30 day period is included in the law, doesn't that mean that all sites enjoy its protections, regardless of their size / infrastructure? From that perspective

A few thoughts from a software engineering perspective:

  1. The simplest approach to deleting a user completely is just deleting their record from the database. This will take out any foreign key cascade relations with it. Therefore, allowing users to delete their own accounts could be a decent first step.
  2. If a system like Moderator Notes or Moderator Warnings is used, just deleting an account takes out this moderation history entirely. I don't suppose forum owners have a choice here?
  3. Let's say a user wants to delete their posts. If I'm understanding the above discussions correctly, whether or not this ability is required by GDPR is not that simple:
    1. Regulatory obligations can supersede GDPR and require keeping data. Defamation law is another example discussed above.
    2. Given an appropriate privacy policy / ToS, couldn't it be argued that posts become the property of the community? Alternatively, if a community requires a subscription, other users are arguably paying for access to the site's content, so couldn't a community's right to keep posts up be based on fulfilling their contract with other users?
  4. (continuation of 3): so is there a reliable heuristic for whether broadly deleting all posts should be allowed?
  5. If an account is deleted via (1), cleaning up posts and other data associated via a "set null" relation becomes almost impossible. Although I don't suppose this was considered by lawmakers. Perhaps the confirmation prompt could offer 2 options, and say that if an account is deleted without deleting all posts, it won't be possible to automatically delete all posts later?
  6. We can check the database for certain structured data (user id, username, etc) in records. What about unstructured data in posts? Something could be done to redact mentions (replacing @user with @DELETED maybe?), but let's say there's a series of posts talking about a user, referring to them by name. What are the requirements here?

phenomlab commented 3 years ago

If the 30 day period is included in the law, doesn't that mean that all sites enjoy its protections, regardless of their size / infrastructure?

Yes - any institution or company regardless of size has a maximum of 30 days to comply (note comply, and not simply acknowledge or respond) with the request

luceos commented 2 years ago

  • If an account is deleted via (1), cleaning up posts and other data associated via a "set null" relation becomes almost impossible. Although I don't suppose this was considered by lawmakers. Perhaps the confirmation prompt could offer 2 options, and say that if an account is deleted without deleting all posts, it won't be possible to automatically delete all posts later?

  • We can check the database for certain structured data (user id, username, etc) in records. What about unstructured data in posts? Something could be done to redact mentions (replacing @user with @deleted maybe?), but let's say there's a series of posts talking about a user, referring to them by name. What are the requirements here?

Re 7. and 8. what @BartVB does (at Bokt.nl) is keep the user but give it an anon-<randomId> username. Further anonymize all other fields (like mail address). It's then still possible to see which user posts belong to. His GDPR implementation allows him to keep anonymized posts of users that have a massive influence on the content of the community. Users with minimal impact are simply deleted.

askvortsov1 commented 2 years ago

  • If an account is deleted via (1), cleaning up posts and other data associated via a "set null" relation becomes almost impossible. Although I don't suppose this was considered by lawmakers. Perhaps the confirmation prompt could offer 2 options, and say that if an account is deleted without deleting all posts, it won't be possible to automatically delete all posts later?

  • We can check the database for certain structured data (user id, username, etc) in records. What about unstructured data in posts? Something could be done to redact mentions (replacing @user with @deleted maybe?), but let's say there's a series of posts talking about a user, referring to them by name. What are the requirements here?

Re 7. and 8. what @BartVB does (at Bokt.nl) is keep the user but give it an anon-<randomId> username. Further anonymize all other fields (like mail address). It's then still possible to see which user posts belong to. His GDPR implementation allows him to keep anonymized posts of users that have a massive influence on the content of the community. Users with minimal impact are simply deleted.

IIRC, the current plan is to have 2 erasure modes: soft anonymization, and user account deletion.
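The two erasure modes discussed in this thread (soft anonymization that keeps the account as anon-<randomId> and redacts @mentions, versus hard deletion that follows the foreign-key actions), as an added example that is not code from the flarum/gdpr extension or from Flarum itself. The SQLite schema, table names and sample users are constructed here to illustrate the "cascade" and "set null" behaviour from the list above; they do not mirror Flarum's real tables.

```python
"""Added illustration of the erasure modes discussed in the thread.
Schema and sample data are constructed; they are not Flarum's tables."""
import re
import secrets
import sqlite3

# Constructed schema: moderation notes cascade away with the user,
# posts are kept and merely lose their author (ON DELETE SET NULL).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT);
CREATE TABLE posts (id INTEGER PRIMARY KEY,
    user_id INTEGER REFERENCES users(id) ON DELETE SET NULL, content TEXT);
CREATE TABLE moderator_notes (id INTEGER PRIMARY KEY,
    user_id INTEGER REFERENCES users(id) ON DELETE CASCADE, note TEXT);
"""


def make_db():
    """Constructed sample data: two users who @mention each other."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FK actions otherwise
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "alice@example.org"), (2, "bob", "bob@example.org")])
    db.executemany("INSERT INTO posts VALUES (?, ?, ?)",
                   [(10, 1, "Hello @bob"), (11, 2, "Hi @alice, and @alice again"),
                    (12, 1, "Another post")])
    db.execute("INSERT INTO moderator_notes VALUES (100, 1, 'warned once')")
    return db


def anonymize_user(db, user_id):
    """Soft erasure: keep the row so posts stay attributable to one account,
    but replace the identifying fields and redact @mentions in every post."""
    old = db.execute("SELECT username FROM users WHERE id=?", (user_id,)).fetchone()
    if old is None:
        raise ValueError("no such user")
    anon = "anon-" + secrets.token_hex(4)
    # Word boundary so '@alice' is redacted but a user called '@alicex' is not.
    pattern = re.compile(r"@" + re.escape(old[0]) + r"\b")
    with db:  # one transaction: either every field and post changes or none do
        db.execute("UPDATE users SET username=?, email=? WHERE id=?",
                   (anon, anon + "@invalid", user_id))
        rows = db.execute("SELECT id, content FROM posts").fetchall()
        for pid, content in rows:
            redacted = pattern.sub("@deleted", content)
            if redacted != content:
                db.execute("UPDATE posts SET content=? WHERE id=?", (redacted, pid))
    return anon


def delete_user(db, user_id):
    """Hard erasure via the FK actions: notes cascade away, posts survive with
    user_id NULL, so they can no longer be found by author afterwards.
    Returns the number of orphaned posts now present in the table."""
    with db:
        db.execute("DELETE FROM users WHERE id=?", (user_id,))
    return db.execute("SELECT COUNT(*) FROM posts WHERE user_id IS NULL").fetchone()[0]
```

Note that the hard-delete path does nothing about the @mentions in other users' posts; only the anonymization path touches content, which is the gap item 6 above raises.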

katosdev commented 2 years ago

Why was this closed sorry @luceos ? This is still outstanding AFAIK?

luceos commented 2 years ago

Why was this closed sorry @luceos ? This is still outstanding AFAIK?

The extension is now able to anonymize and delete, as far as I know that completes the requirements from this item?