Packages to help with GDPR, user privacy and data protection


#1

So for the latecomers, GDPR is here. This thread is not about whether it is good or bad, but instead about what resources are out there to improve in our apps all stuff related to GDPR and, by extension, user privacy and data protection.
To start off, there is a discussion if and what should be baked into Meteor (and official packages) in order to better facilitate these things:

Obviously there won’t be too much that can be put into Meteor itself due to the different requirements of each app. So I would like to ask the community to share packages that you made or found useful in getting things done in this area.

I start with my own package which I made to manage different legal agreements and user’s consent to them:
https://atmospherejs.com/freedombase/legal-management


#2

We came to the same conclusion as you: the need to develop our own package, which we just released to atmosphere:
https://atmospherejs.com/yellowsquare/gdpr

We wanted to make a “drop-in like” package for our apps to comply with the basics of presenting legal documents to the user and asking for opt-in, plus giving the user the ability to contact us to ask for access/edit/delete of his personal data.

We are still in the process of implementation of it in our apps, but feedback would be very valuable.

Regarding other GDPR themes, the obligation to suppress the user’s personal data on demand is for us the one that will demand the most changes: we need to rethink our backup processes taking into account this constraint. I would be happy to read your strategy regarding this matter.


#3

I’m curious about the application of the GDPR right-to-be-forgotten in the case of a forum. Let’s say a user exercises his (or her) right-to-be-forgotten. What happens to all the forum threads he started – are they all deleted? That seems unfair to all the other people who participate in them.

Or let’s say he contributed to a forum thread and someone else quoted him. Are those quotes supposed to be deleted? If so, many posts in the thread will be incomprehensible.

How is GDPR applied in a case like that? Perhaps all his posts remain, but are attributed to a user named ‘anonymous’. Would that be acceptable under GDPR?


#4

You need to delete personal information. That does not include forum posts. Just information you can use to identify the person in question.

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;


#5

This seems wrong or at best, not so clear.

Using the terminology from the text, it seems to me that a forum post is information relating to a natural person that can (potentially) be identified by reference to an online identifier.

For example, the posts in this thread are information, each one relates to its author, and each author can be (potentially) identified by an online identifier (i.e., his/her username). MDG already knows who many of us are, for example – that alone probably triggers the condition – it is very broadly worded.

Aside from MDG’s knowledge, a username is commonly anonymous, but that is not guaranteed (consider (self-)doxxing), and probably not a point that can be productively argued with a litigious end user.

Furthermore, what limited precedent there is on the matter does not inspire, see for example http://www.bbc.co.uk/news/technology-43752344.

The safe play would seem to be to delete all the posts of the user. I think some sites already do this, maybe Quora (looks like they compromised, so far anyway: https://www.quora.com/How-do-I-delete-all-my-questions-and-answers-on-Quora-at-once). Looks like StackExchange is trying to hang on to the content by claiming you licensed it, but I bet this posture will be mercilessly shredded by the GDPR (as it violates both the letter and spirit). [Can’t link to the SE page, my quota is exceeded] OTOH, StackExchange probably has a slightly bigger legal budget than any of us.

As someone recently tweeted, “it’s the GDPR’s world now, we just live in it.” Maybe re-assigning as ‘anonymous’ gets you there, but until we see precedent, there’s no way to be sure.

I am not a lawyer - this is not legal advice - find a professional.


#6

No, again, it’s personal information, i.e. information which can be used to identify a person.

If you cannot identify someone from the text he posted then you can leave it. Your interpretation is way overzealous.

And your “precedent” about the Google case? It’s because the articles they want removed included their names and photographs. I.e. just the kind of personal data I’m talking about.

Or, to put this another way: Can you use this very post to determine any kind of personal information about me (excluding my username, of course)?


#7

I understand your position, but disagree:

The term is “personal data”, and the definition is “any information relating to an identified or identifiable natural person (‘data subject’)”. The definition is not, as you wrote, “information which can be used to identify a person.”

The purpose of the precedent I gave was to show that Google fought the law, and the law won - it was meant as a cautionary tale, in which a whale was beaten in a somewhat-related legal matter; the implication is that minnows should beware.

To answer your final question, no, I cannot determine any kind of personal information about you. My counter-question is: do your posts “relate” to you?

A key theme of my previous post was that clarity is not currently available on the matter, so although I appreciate your confident assessment – and also I hope you are right – I disagree that confidence is warranted.


#8

No, my posts do not relate to me. As they should. Then again, doxxing yourself or others is something a moderator needs to be on the lookout for, anyway.

And, yes, the law won. However, it won in a rather narrow sense. You’ll note that they are supposed to delete all search results leading to the persons in question in combination with the crimes.

And not “Wipe those names from Google altogether”.


#9

Fair enough, re doxing and Google. It seems we’re converging on the question of what does “relating” mean in the text? IMO my posts do “relate” to me… I especially wouldn’t be too sure what to expect from a judge.

Not sure how to proceed. Maybe a poll of “Do you think your forum posts ‘relate’ to you?”. Although I suppose that wouldn’t prove much. Either way, thank you for the lively debate.


#10

I view this as relational data. One table contains personal information (i.e. user data), the other their posts. You can create a relation between the two through foreign keys or similar.
As soon as the data is gone from the “user data” table however, the “posts” table contains no relatable data anymore.

Because the information which actually makes it relatable is gone.

A question which answers your actual goal (“Do I comply with the aim of the GDPR?”) is simply:

“Can I use this bit of information to identify the person behind it, either completely or at least partially?”


#11

Thanks for starting this thread. I posted some info about GDPR compliance in relation to the okgrow:analytics package here: https://github.com/okgrow/analytics/issues/208


#12

Regarding user deletion, in my app I delete all of their profile, payment-related stuff, user info and any unpublished works/content. What is published remains and, since I no longer have their username, it just displays that it is from a deleted user. As such I keep DB backups unchanged for archiving and security purposes. Should I restore from backup, then I would have to manually go in and trigger the delete for that user again.
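The erasure approach described in #10 and #12, as an added example that is not code from the thread or from any of the packages mentioned: plain JavaScript Maps stand in for Meteor collections, the sample records are constructed, and the id-only erasure register replayed after a backup restore is my own addition.

```javascript
// Constructed in-memory stand-in for two collections (not a real Meteor/Mongo
// API): "users" holds personal data, "posts" points at users only through the
// foreign key authorId. The records below are made up for this example.
const users = new Map([
  ["u1", { _id: "u1", username: "alice", emails: [{ address: "alice@example.org" }] }],
  ["u2", { _id: "u2", username: "bob", emails: [{ address: "bob@example.org" }] }],
]);
const posts = new Map([
  ["pA", { _id: "pA", authorId: "u1", published: true, body: "First public post" }],
  ["pB", { _id: "pB", authorId: "u1", published: false, body: "Unfinished draft" }],
  ["pC", { _id: "pC", authorId: "u2", published: true, body: "Reply from bob" }],
]);
// Erasure register (assumption, not from the thread): ids only, no personal
// data, so it can live beside the backups and be replayed after a restore.
const erased = new Set();

// Erase one user: drop the identifying record and any unpublished content,
// keep published posts but cut the foreign key so nothing can re-link them.
function eraseUser(userId) {
  if (!users.has(userId)) return { removed: 0, kept: 0 };
  users.delete(userId);
  let removed = 0, kept = 0;
  for (const [id, post] of Array.from(posts)) {
    if (post.authorId !== userId) continue;
    if (!post.published) { posts.delete(id); removed++; continue; }
    posts.set(id, { ...post, authorId: null });
    kept++;
  }
  erased.add(userId);
  return { removed, kept };
}

// Display side: a post whose authorId no longer resolves is shown as coming
// from a deleted user, so nothing in the posts table names the person.
function displayAuthor(post) {
  const author = post.authorId !== null && users.get(post.authorId);
  return author ? author.username : "deleted user";
}

// After restoring a backup taken before an erasure, replay the register so the
// user's data does not silently come back (the manual step #12 mentions).
function replayErasures() {
  const replayed = [];
  for (const id of erased) if (users.has(id)) { eraseUser(id); replayed.push(id); }
  return replayed;
}

// Consistency check: a post still carrying a key to a missing user is a
// re-identification risk if that user record is ever restored.
function danglingAuthorRefs() {
  return Array.from(posts.values())
    .filter((p) => p.authorId !== null && !users.has(p.authorId))
    .map((p) => p._id);
}
```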


#13

I think you are supposed to delete the personal data across all backups. We are thinking of a strategy of backing up personal data on one side, and backing up non-personal data on the other side. As such, we could delete the personal data from production and from like 3/4 backups manually and delete all the other personal-data backups, while keeping all the non-personal data in backups…


#14

True, but you also have exceptions to that rule. Since my app includes a payment system, I don’t delete that data from backups, for archiving purposes in case of fraud or other illegal activities that might trigger a request from the authorities. That said, we only keep backups for one year.