

The Audio Forum

Just a caveat to all this, based on my comments upthread. The privacy policy of the Proboards forum is pants, and grants all sorts of rights to exploit users' personal information, with no way to decline it. It's basically 'if you don't like it, don't join'.
The 'if you don't like it, don't join' is, per se, perfectly OK under GDPR (I am not a lawyer but I have worked with lawyers on GDPR issues, and on drafting ISO standards for auditing privacy compliance).

You do have to be given the means to make that a meaningful and informed choice. The policy does provide me with some concerns, but it's one of the shorter, clearer and simpler policies I have read. Processing personal data necessary for providing the service is essential if you do sign up and the policy seems largely clear. The management of personal data processing by third party controllers and how the data subject can exercise his/her rights may need some improvement but this might be addressed by appropriate practice consistent with the policy.

There are some over-expectations regarding data subject rights under GDPR. There are some improvements. In, for example, the definition of what is personal data and the provision and withdrawal of consent. But the GDPR's major impact will be in compliance and enforcement.

Given the recent fuss about Facebook, this should give people pause. It's also not going to meet the minimum requirements under GDPR, and when it doesn't, it's not Proboards who will be liable, it's the 'owner' of the forum.
The GDPR's provisions fall upon whoever collects and processes personal data. ProBoards certainly falls into that category, and there are new enforcement mechanisms that may be useful when there are problems. However, I can imagine a system where whoever sets up a board does not himself/herself collect and process personal data, or perhaps does so to a very limited extent such as managing membership. There will have to be a few precautions there but I am not sure it will be quite as bad as you suggest.
 
There is a heck of a lot of confusion in the forum community regarding GDPR at present. I have seen nothing at all yet that clearly explains how it will impact us specifically, and the legislation is way too broad, complex and far-reaching for a layman such as myself to comprehend. The idea one set of legislation applies to the likes of Amazon, eBay, PayPal, your bank etc, all of whom hold real personal data, and discussion forums, which have little beyond a registration email address is just bizarre. It is a total nightmare, but at least we forum owners are all in the same boat (i.e. all equally confused & terrified). Some discussion over on the Xenforo support forum here, and vBulletin look to be even further behind the curve here.

The general gist is it probably doesn’t apply too much as long as we don’t use any third parties to do anything with the very limited personal data we hold, e.g. allowing any third-parties to access or utilise users’ registration email address for whatever reason (which pfm would never even consider) etc. The core functionality of the forum software (cookies, user-set notification emails etc) should be ok, but I’ll probably need to give the AUP a nip and tuck before 25th May. I stuck a very basic privacy policy up earlier just to give something to modify as I better understand what it needs to do. I just pinched it from XenForo’s own community and ripped out the aspects that don’t apply to pfm (they sell software, hold license keys etc). I’ll assume they have to be GDPR compliant so I’ll keep an eye on what they do!
 
Does the "Right to forget me" thing apply to forums? It would be a big annoyance if it permitted Joe Blogs, who has made 2,500 posts over ten years, to contact a forum and demand that his user name and all his posts be removed. I can see why this could be important in certain circumstances for an individual working for a company, but I hope it doesn't apply to forums.

Rob
 
Does the "Right to forget me" thing apply to forums? It would be a big annoyance if it permitted Joe Blogs, who has made 2,500 posts over ten years, to contact a forum and demand that his user name and all his posts be removed. I can see why this could be important in certain circumstances for an individual working for a company, but I hope it doesn't apply to forums.

The consensus is no, it doesn’t apply to fully public domain content, which posts on an open forum clearly are. The GDPR is about personal info, and yes, a user can request their account deleted, posts be set to ‘guest’ etc, and they could also ask for certain specific posts that in some way identified them to be deleted (e.g. had they posted their address, a picture of their house or whatever), but that is about it. Thankfully. The alternative would be the end of forums as we know them. Here’s a little hypothetical example I thought up with regard to pfm’s DIY room:

Poster A: In the diagram above am I correct with my wiring?

Poster B: No! Your diagram is for the original version, you have a version 2.0 amp and if you were to wire it like that the whole casing would be live!!! You need to wire X to Y instead.

Poster C: That is 100% correct.

Poster A: Many thanks, that worked a treat.

Now imagine poster B demands all their posts deleted! That now incomplete thread could kill or maim someone.

Bulk post deletion on all public sites utterly trashes the content, on technical sites such as pfm, DIY Audio etc it could very easily kill, cause house fires etc etc. As such I as forum owner couldn’t do it whether I wanted to or not, it would be spectacularly irresponsible. Thankfully the GDPR doesn’t seem to mandate it as far as I can tell after speaking to a forum specialist and someone with good legal knowledge. Personal data is personal data, it is not content willingly placed fully into the public domain. The equivalent would be for The Lancet or whatever to be required to recover and destroy all back issues were a contributor to want their letter or paper deleted!
 
Thanks Tony, that is an excellent example! We are going through something similar where I work in terms of what is personal data and what isn't. It seems all emails are considered personal, but items such as engineering drawings are not. Can you imagine having to trawl through thousands of technical drawings just to remove an individual's name? The whole thing seems bonkers to me...

Rob
 
The 'if you don't like it, don't join' is, per se, perfectly OK under GDPR (I am not a lawyer but I have worked with lawyers on GDPR issues, and on drafting ISO standards for auditing privacy compliance).

You do have to be given the means to make that a meaningful and informed choice. The policy does provide me with some concerns, but it's one of the shorter, clearer and simpler policies I have read. Processing personal data necessary for providing the service is essential if you do sign up and the policy seems largely clear. The management of personal data processing by third party controllers and how the data subject can exercise his/her rights may need some improvement but this might be addressed by appropriate practice consistent with the policy.

There are some over-expectations regarding data subject rights under GDPR. There are some improvements. In, for example, the definition of what is personal data and the provision and withdrawal of consent. But the GDPR's major impact will be in compliance and enforcement.


The GDPR's provisions fall upon whoever collects and processes personal data. ProBoards certainly falls into that category, and there are new enforcement mechanisms that may be useful when there are problems. However, I can imagine a system where whoever sets up a board does not himself/herself collect and process personal data, or perhaps does so to a very limited extent such as managing membership. There will have to be a few precautions there but I am not sure it will be quite as bad as you suggest.
I, too, have some experience of GDPR and I feel much less comfortable than you about that privacy policy. I realise that 'take it or leave it' is a valid position, but hardly in the spirit of GDPR (and that's assuming the user has even bothered to read it, which 99.99% won't have done). And 'better than some I've seen' is hardly a ringing endorsement. I'm therefore, less convinced than you that any 'consent' obtained will meet the sterner test for consent required under GDPR, nor yet that this policy will satisfy the tighter transparency and accountability requirements under GDPR. Assuming (unlikely, I know) that the ICO came calling, how would you, as a host, demonstrate that you had obtained consent, and that any such consent met the GDPR standards of being 'fully informed and freely given', nor still that you could demonstrate what the user had actually consented to? (Noting that it says that the privacy policy can change, and users are 'expected' to familiarise themselves with it at every visit).

https://ico.org.uk/for-organisation...ion-gdpr/lawful-basis-for-processing/consent/

I disagree with your last paragraph. Anybody setting up a Proboards forum will be the data controller (they are determining the method and purpose of processing) and Proboards will just be a data processor. As you may know, unless the data processor departs from the terms of any contract, it is the data controller who carries the can for any breaches of GDPR. Not sure I can see any contract for Proboards to depart from...
 
Does the "Right to forget me" thing apply to forums? It would be a big annoyance if it permitted Joe Blogs, who has made 2,500 posts over ten years, to contact a forum and demand that his user name and all his posts be removed. I can see why this could be important in certain circumstances for an individual working for a company, but I hope it doesn't apply to forums.

Rob
The right to be forgotten does apply, but it isn't an absolute right. Operators of online forums would often, IMHO, be justified in refusing such a request on the grounds that it threatened the integrity of the forum content. Also, of course, many forum participants operate in a pseudonymised way anyway (hint, I'm not really a Sue...) and actually making a link to an identifiable person might not be possible anyway. And if it is, a workable solution in many cases might just be to rename the account and delete any identifying elements of the profile.

There may be an occasional example where an individual has peppered their posts with personal identifiable anecdote, but these will be isolated cases, best dealt with case-by-case.
 
I, too, have some experience of GDPR and I feel much less comfortable than you about that privacy policy. I realise that 'take it or leave it' is a valid position, but hardly in the spirit of GDPR (and that's assuming the user has even bothered to read it, which 99.99% won't have done). And 'better than some I've seen' is hardly a ringing endorsement. I'm therefore, less convinced than you that any 'consent' obtained will meet the sterner test for consent required under GDPR, nor yet that this policy will satisfy the tighter transparency and accountability requirements under GDPR. Assuming (unlikely, I know) that the ICO came calling, how would you, as a host, demonstrate that you had obtained consent, and that any such consent met the GDPR standards of being 'fully informed and freely given', nor still that you could demonstrate what the user had actually consented to? (Noting that it says that the privacy policy can change, and users are 'expected' to familiarise themselves with it at every visit).

https://ico.org.uk/for-organisation...ion-gdpr/lawful-basis-for-processing/consent/

I disagree with your last paragraph. Anybody setting up a Proboards forum will be the data controller (they are determining the method and purpose of processing) and Proboards will just be a data processor. As you may know, unless the data processor departs from the terms of any contract, it is the data controller who carries the can for any breaches of GDPR. Not sure I can see any contract for Proboards to depart from...
I won't go into details as this is not really interesting to most. However may I pick up on two issues.
  • The first comes from your "Anybody setting up a Proboards forum will be the data controller". This may be true (I don't know how ProBoards works) but that should be "A data controller". The indefinite article is very fundamental to understanding the impact of data protection legislation whether DP {Directive|Act} or GDPR. The key to getting your own obligations right is to understand (i) are you a data controller?; (ii) if so, a data controller for what? In general it will not be for everything.
  • The second is from your "Proboards will just be a data processor". This is clearly wrong. The policy makes it clear that ProBoards is a controller and may recruit other (not all named) controllers. It gets around its obligation to name all those that rely on consent given to it by stating that those controllers will independently ask for consent.
In general if you are already compliant to DP{D|A} for your specific role in operating a forum, the priority updates for GDPR are fairly well known. If you are a small organization and take reasonable steps towards dealing with those issues, my (non-legal) opinion is that will not get your local DP authority coming down heavily if you make a mistake. The bigger mistake will be to not understand what you actually do and drown yourself in lots of stuff that you may not need to do and miss the priority updates.
 
The thing I find annoying is no one has written a clear overview of what discussion forums need to do to be compliant. Even the major forum software brands (vBulletin, XenForo etc) seem confused, so what chance do the rest of us have?
 
The right to be forgotten does apply, but it isn't an absolute right. Operators of online forums would often, IMHO, be justified in refusing such a request on the grounds that it threatened the integrity of the forum content. Also, of course, many forum participants operate in a pseudonymised way anyway (hint, I'm not really a Sue...) and actually making a link to an identifiable person might not be possible anyway. And if it is, a workable solution in many cases might just be to rename the account and delete any identifying elements of the profile.

There may be an occasional example where an individual has peppered their posts with personal identifiable anecdote, but these will be isolated cases, best dealt with case-by-case.


I'm a Doris at the weekend. Every weekend. Curse those high heeled strippers shoes.
 
The thing I find annoying is no one has written a clear overview of what discussion forums need to do to be compliant. Even the major forum software brands (vBulletin, XenForo etc) seem confused, so what chance do the rest of us have?
It may not be generally possible to cover all cases. However my experience of dealing with organizations within a larger organization is that there's often a basic level of ignorance that has to be overcome first. I have never had to do this personally, but from talking to internal privacy auditors, the first step has to be to create a written inventory that many do not have, something like this:
  • The boundary: What is the relevant organization (from a single person upwards) for data protection compliance purposes?
  • Personal data already inside: What personal data does that organization currently store and where is it stored?
  • Personal data coming in: What personal data does that organization currently collect, from whom, and where is it stored?
  • Personal data going out: What personal data does that organization make available to third parties and who are these third parties?
Once that information is in place in first draft (don't spend too much time on draft 1 and come back later to update it), it becomes possible to be clearer about what obligations apply (lawful basis for processing, data subject rights, etc.), and to whom.
 
Hi Raga, the short answer is I simply don't obsess about amps and CD players anymore.
Audiophilia left me many years ago, I no longer obsess about anything audio, I just have fun with it, much better for the soul.
To be honest I rarely get chance to sit in front of my hifi & listen for periods of time, I mainly listen while doing other things, sweet spots & soundstage were never on the agenda in this tiny room, I just enjoy the rhythm, the emotion & the feel of the music, hifi illusion has never been high on my agenda.
 
It may not be generally possible to cover all cases. However my experience of dealing with organizations within a larger organization is that there's often a basic level of ignorance that has to be overcome first. I have never had to do this personally, but from talking to internal privacy auditors, the first step has to be to create a written inventory that many do not have, something like this:
  • The boundary: What is the relevant organization (from a single person upwards) for data protection compliance purposes?
  • Personal data already inside: What personal data does that organization currently store and where is it stored?
  • Personal data coming in: What personal data does that organization currently collect, from whom, and where is it stored?
  • Personal data going out: What personal data does that organization make available to third parties and who are these third parties?
Once that information is in place in first draft (don't spend too much time on draft 1 and come back later to update it), it becomes possible to be clearer about what obligations apply (lawful basis for processing, data subject rights, etc.), and to whom.

Again this is over-complicating it. There are thousands of little discussion forums dealing in all manner of topics such as audio, music, cycling, photography, sheds, antiques, vintage telephones, cars, boats, trains or whatever. We are all fundamentally the same thing and the GDPR will apply to us all similarly. Chances are we all use the same software (e.g. XenForo, vBulletin, PHPbb etc). I’m astonished that at this point with around a month to go there is no consensus. I was expecting by this point the forum software makers (XenForo, vB etc) would have released GDPR compatible upgrades that had any new tools needed, policy agreement templates etc we could tailor to our specific needs. As it is no two legal opinions seem to agree what it all means and no one else has a clue there is just no consensus at all. The only positive I can find in it is we (forum owners) are all in the exact same boat. pfm is no different from WigWam, AoS, DIYAudio or even hellholes like GuidoFawkes or wherever. It will apply to us all in the same way. My fear, given this nation is infested with low-grade scam ambulance-chasing lawyers is there will be a free-for-all in effectively blackmailing forum owners with bogus claims etc. I have a feeling the next few months will be remarkably stressful for many of us as this whole thing just looks like a total cluster**** from where I’m standing!
 
Sadly the forum was derailed by discussion of another forum and its residents. Despite my banning the topic, people carried on. They asked for a single thread to keep their off topic discussion from taking over the rest of the forum. As we were clearly losing members who had joined to talk about hifi. I agreed, whilst stipulating that discussion of other forums wasn't to turn into a slagging fest and should feature positive stuff too.

I also stated my intention to remove all the off-topic slagging from all other areas of the forum and return it to being about hifi. When I did this, the same people whose posts had driven away genuine hifi enthusiasts complained about loss of their "content".

I'd had enough by then and turned off the lights.

I try to use any failures as an opportunity to learn lessons, so yesterday I started a brand new forum with a clear agenda to talk ONLY about hifi. I've managed to crack the issue of people posting without registering and I have also set the registration to require my approval for new members. Anyone contributing to the issues that plagued the last forum need not apply and any member straying into the same waters this time will be banned without notice.

This time it really is all about the gear and it will stay that way: http://audioaddicts.freeforums.net

If Tony or the mods would prefer the link to be removed, I totally understand. I would, however, appreciate it if the rest of my post could stay by way of bringing the story of the forum to a close.
 
I guess the main point with any new forum is you need to be around most of the time, particularly in the forum's early days, to 'keep it clean' and hoof out troublemakers quickly. You also need (at least) a couple of other admin/moderation bods for times when you genuinely can't be around, and you, as forum owner, need to back them up.

Good luck!
 
Thanks for the kind wishes, Joe. You're right and thankfully I will have more time available for a little while. I may also be able to get more help managing the forum now that I have an approach which offers nothing to anyone who wants to discuss more controversial topics outside of hifi. Last time I just couldn't get anyone I'd trust to agree to help and I don't really blame them.
 
I thought I'd take a look, but it seems to have been taken off Proboards now, so I can't!
 

