
GDPR Compliance which comes into effect on the 28th of May 2018?

page: 2

posted on Feb, 19 2018 @ 08:32 PM

originally posted by: Blaine91555
a reply to: studio500

I think you are misunderstanding what data they are talking about. No such data is asked for, stored or available here.



If I am then that's great, like I said... I have no idea what data is stored here and please remember I'm only bringing it here for ATS awareness purposes just in case it does apply.

I don't claim to know any more than what I've posted and I hope it does not apply to ATS. However, from what I am reading, any identifiable information is covered under this act. That can include usernames or even IP addresses.
If I were to ask, what information is stored on me, everything should be made known.

Here's one more bit of data I have found.



GDPR: How the definition of personal data will change.
The EU General Data Protection Regulation (GDPR) will be enforced from next year, superseding the Data Protection Act (DPA).
With the Regulation expanding the definition of personal data, many organisations have expressed their uncertainty as to what the new definition now includes.

The scope of personal data
Let’s start with the circumstances under which the processing of personal data must meet the GDPR’s requirements.

This set of circumstances is now broader than under the DPA, with Article 2 of the GDPR stating that the Regulation applies to “the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system”.

What constitutes personal data?
The GDPR’s definition of personal data is now also much broader than under the DPA.

Article 4 states that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”.
It adds that: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Perhaps the biggest implication of this is that, under certain circumstances, personal data now includes online identifiers such as IP addresses and mobile device IDs.

Similarly, the GDPR introduces the concept of ‘pseudonymous data’ – personal data that has been subjected to technological measures (for instance, hashing or encryption).

The qualifier of ‘certain circumstances’ is important to highlight here, because it’s often the context in which information exists that determines whether it can identify someone.
The same issue applies to the DPA, and the ICO uses the example of a person’s name to explain this issue:

By itself the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.

However, it also notes that names are not necessarily required to identify someone:

Simply because you do not know the name of an individual does not mean you cannot identify [them]. Many of us do not know the names of all our neighbours, but we are still able to identify them.

Generally, if you’re unsure whether the information you store is personal data or not, it’s best to err on the side of caution. This means not only making sure that data is secure, but also reducing the amount of data you store and ensuring that you don’t store any information for longer than necessary.


www.itgovernance.co.uk... tion-of-personal-data-will-change/




posted on Feb, 19 2018 @ 08:38 PM

originally posted by: Blaine91555
a reply to: studio500

I'm glad you posted your question. I was not aware of this and I find it interesting.


Blaine, it's now 02:33 here and I was only planning on asking a quick question.

I really do hope it doesn't affect ATS and only you and the management will know the answer. So may I leave it with you as I have little more to add really as I'm just as much in the dark.

I thought it should be raised so at least ATS management would be in a position to review the law and make a valid judgement as to whether it would or should apply to ATS or not.

As I have said previously, I really hope it doesn't but there's no harm in at least being aware. (I hope)

May I wish you all good night for now and thank you for your kind assistance.

edit on 19-2-2018 by studio500 because: (no reason given)



posted on Feb, 19 2018 @ 08:53 PM
One last thought, from a link I read earlier, that may offer food for thought.

If Google Analytics is used on a website, for example, it can identify a user through their IP address. Google receives and can use that information, yet the user may not want to have that personal information shared with Google and may ask that no information is shared.
Equally, they are entitled to ask (from what I'm reading anyway), what information do you hold in any shape or form about me, or they may ask to be shown that information including any software or plugins etc that may also store information.

That's just one example of a company using identifiable information that is over and above name, address, location etc.

Right, I really am off now.
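
The quoted article above says an IP address can be an "online identifier" and that hashing is one pseudonymisation measure, and the Google Analytics post says the raw address is what an analytics script receives. As an added illustration of those two points (example code written for this page, not code from ATS, from the quoted article, or from Google), the block below shows the three common ways a site operator handles a visitor's address before storing it, and why one of them is weaker than it looks. The key, the addresses (TEST-NET-3 documentation range) and the log line are constructed for the example. Truncating the last octet keeps the /24; an unkeyed SHA-256 looks opaque but is brute-forceable because the whole IPv4 space is only 2**32 values; a keyed HMAC is a pseudonym that only the key holder can link back, so deleting the key leaves anonymous data.

```python
"""Pseudonymising visitor IP addresses before storage.

Added example for this thread, not code from ATS or from the quoted article.
All addresses below are constructed from the TEST-NET-3 documentation range.
"""
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed sample key. In a real deployment the controller keeps this in a
# secrets store and rotates it; destroying it turns stored pseudonyms into
# data that nobody can link back to an address.
PSEUDONYM_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def truncate_ipv4(ip: str) -> str:
    """Zero the last octet (the 'IP anonymisation' style used by analytics vendors).

    The result still identifies a /24, typically one ISP segment, so this
    reduces identifiability rather than removing it.
    """
    addr = ipaddress.IPv4Address(ip)
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFF00))


def hash_ip_plain(ip: str) -> str:
    """Unkeyed SHA-256 of the address: looks opaque but is reversible (see below)."""
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


def hash_ip_keyed(ip: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key: only the key holder can link pseudonym to IP."""
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()


def recover_from_plain_hash(digest: str, candidate_range: str) -> Optional[str]:
    """Brute-force an unkeyed hash by enumerating candidate addresses.

    Enumerating all 2**32 IPv4 addresses takes hours on one machine; a /24 is
    used here so the example runs instantly. A keyed digest never matches.
    """
    for addr in ipaddress.ip_network(candidate_range):
        if hash_ip_plain(str(addr)) == digest:
            return str(addr)
    return None


def pseudonymise_log_line(line: str, key: bytes) -> str:
    """Replace the leading client IP of a combined-log-format line with a keyed pseudonym."""
    ip, rest = line.split(" ", 1)
    ipaddress.ip_address(ip)  # raises ValueError if the first field is not an address
    return f"{hash_ip_keyed(ip, key)[:16]} {rest}"


if __name__ == "__main__":
    visitor = "203.0.113.42"  # constructed visitor address
    print("truncated:", truncate_ipv4(visitor))
    digest = hash_ip_plain(visitor)
    print("plain hash recovered as:", recover_from_plain_hash(digest, "203.0.113.0/24"))
    keyed = hash_ip_keyed(visitor, PSEUDONYM_KEY)
    print("keyed hash recovered as:", recover_from_plain_hash(keyed, "203.0.113.0/24"))
    # Constructed access-log line in combined log format.
    sample = '203.0.113.42 - - [19/Feb/2018:20:32:00 +0000] "GET /thread HTTP/1.1" 200 512'
    print(pseudonymise_log_line(sample, PSEUDONYM_KEY))
```

The point of `recover_from_plain_hash` is that an unkeyed hash of a low-entropy value (an IPv4 address, a phone number, an email with a guessable domain) is not pseudonymisation in any meaningful sense, because anyone holding the digest can rebuild the table. The keyed variant moves the linking ability to whoever holds the key, which is the property the quoted article's "technological measures" language is aiming at.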



posted on Feb, 19 2018 @ 11:51 PM
a reply to: studio500

GDPR is optional for US based companies and is not mandatory. It is nothing more than yet another stifling regulation imposed by the EU and fostered by the Obama administration as a means to control and access personally identifiable information on consumers.

ATS is not selling people anything and therefore personally identifiable information is not being transmitted. Unless ATS is storing "personally identifiable information" then there is nothing here to see.



posted on Feb, 20 2018 @ 04:43 AM
GDPR - has almost zero relevance to forum sites like ATS



posted on Feb, 20 2018 @ 10:01 AM
After reading through much of the 88-page EU directive available here

It would appear that there is one key point in the legislation that would determine if the law applied to ATS or similar forum type websites.

Primarily, the legislation is applicable to any non-EU business or organization with a web presence that offers 'Goods or Services' to members of EU states.
It is also apparent that no financial transaction needs to take place with respect to either the Goods or Service offered.

A Business is any entity which receives an income as a direct or indirect result of its activities. So in that sense, if I or anyone else sets up a website or forum and I monetize that website or receive financial reward due to the activity on my website, then it could technically be classed a business. It does not matter that the user hasn't paid a cent to use that internet based service.

Goods or Services
Facebook for example offers both Goods and services to a worldwide audience including EU nationals. Their services are provided through the free use of the social media platform and monetized through targeted advertising.
Here is the Facebook response to GDPR

As we know in the case of ATS, no Goods are offered, so we can rule out the provision of Goods, leaving us with the question: Is ATS providing a Service?

But what is the exact definition of 'Service', and does it apply to US based websites or indeed ATS?

I have searched through the entire legislation and I cannot find an exact definition of what the EU explicitly defines a service to be. So no help there.

The ultimate question of any non-EU website or entity would be, Is providing the use of a forum which contains an element of paid advertising or which holds and uses an EU nationals data for monitoring or tracking purposes, (such as website metrics), technically classed as a service for the purpose of the act?

That appears to be the main question here and it does not appear to come with an easy answer.

It is also apparent that if just one EU national is 'employed' by a non-EU organization or business, then they will fall under the jurisdiction of this law.

Obviously, I have no idea of the current business model or internal structure of ATS or what income is received through advertising etc, nor is it any of my business.

I certainly do not have the answers to any of the above and it is up to each and every organization to undertake sufficient research to determine if any of this new legislation does indeed apply to them.

My sole aim was to ask ATS management if they had looked into this and if not, at least increase awareness.

I am not writing here insisting that ATS do anything, nor am I saying that they will fall under the legislation because it is neither my place or my business to do so. It is up to the management to ascertain if GDPR applies to ATS or not.

I don't think any amount of further discussion here will matter because none of us (I assume) have a legal working knowledge of this legislation or have the capacity to advise accordingly. I've simply offered a brief insight as to what I'm reading, but I am sure that the ATS management team will look into this further and make the correct, informed decision as to the legal relevance, if any exists.

I hope I have been of some assistance to the ATS team and I now respectfully bow out of the conversation, as I feel that further supposition on my behalf would be of no benefit to management or the ATS community.

Useful Links:
ico.org.uk... al-data-protection-regulation-gdpr

US-EU gdpr data regulations


edit on 20-2-2018 by studio500 because: (no reason given)



posted on Feb, 20 2018 @ 01:04 PM
a reply to: studio500

That's one for Bill or Mark to address, not me. Personally, I don't think it will apply here.



posted on Feb, 20 2018 @ 03:00 PM

originally posted by: studio500
a reply to: Blaine91555

It does not matter if the site is not in the EU. If it serves members of the EU, (Which it does), it must still comply.
Failure to do so can result in huge fines.

That's probably one reason why Facebook and Google aren't too happy about it but they still must comply.


No, Facebook and Google comply because they have corporate locations within the EU and there is a realistic impact on their business if they get blocked, therefore they (mostly) comply.

ATS can happily tell the EU to urinate into the wind - the only real "sanction" is that, in theory, EU-based users could be restricted from accessing the site.



posted on Feb, 20 2018 @ 03:07 PM

originally posted by: Blaine91555
a reply to: studio500

I think you are misunderstanding what data they are talking about. No such data is asked for, stored or available here.



Cookies (in the vast majority of larger sites, especially with advertising) count as data for this purpose.

Users are also required to sign up with an email address, which provides a route for personally identifying the person (even if ATS itself may not be able to access that information).

The EU can bleat and whine as much as it likes, I can't see a US court doing anything other than telling the EU to suck-start a shotgun.



posted on Feb, 20 2018 @ 03:31 PM
I haven't read the legislation (and I need to do it, as I'm responsible for a few websites, among other things), but I think there's one thing missing on a forum like ATS to be affected by this: the processing of the personal data.

From what I read in this thread, it looks like they are talking about automated processing of personal data. The only personal data ATS uses (as far as I know) is email addresses, social network name and (maybe considered personal data) IP addresses, but I don't think there's any processing, as that data is only collected as part of the registering process or to help the functioning of the forum.



posted on Feb, 20 2018 @ 03:57 PM
I started reading the Regulation, and it looks like collecting the data is considered processing, but I think article 6, paragraph f) ("processing is necessary for the purposes of the legitimate interests pursued by the controller") means that the data collected by Internet forums (email and IP addresses) is considered lawful processing, and, as such, there's no need for a specific consent from the data subject.



posted on Feb, 20 2018 @ 05:53 PM

originally posted by: ArMaP
I started reading the Regulation, and it looks like collecting the data is considered processing, but I think article 6, paragraph f) ("processing is necessary for the purposes of the legitimate interests pursued by the controller") means that the data collected by Internet forums (email and IP addresses) is considered lawful processing, and, as such, there's no need for a specific consent from the data subject.


You want to look at Article 4, it sets out some of the definitions.

Processing covers essentially everything, including collection and storage.

Legitimate interest is the category that many organisations are aiming for (because the new consent system sucks) but it remains to be seen how the right to object will impact on this.

I could, for example, object to ATS (assuming it was based in the EU and therefore beholden to GDPR) using my email address to login - the same objective could be met through using the unique userid as a method of anonymisation, therefore there is no actual legitimate business interest for my email to be stored any longer than is necessary to confirm registration.

Whether that argument is valid is not the point, it's about the uncertainty that this change is bringing and the challenges that might be faced.


edit on 20-2-2018 by EvillerBob because: (no reason given)



posted on Feb, 20 2018 @ 07:45 PM

originally posted by: EvillerBob
You want to look at Article 4, it sets out some of the definitions.

Processing covers essentially everything, including collection and storage.

I did, thanks.

Even manually collecting data may be considered processing.


Legitimate interest is the category that many organisations are aiming for (because the new consent system sucks) but it remains to be seen how the right to object will impact on this.

The case for web sites is an interesting one.
The Court of Justice of the European Union considered that even a dynamic IP address may be enough to identify a person if the web site operator can get from the user's ISP the identifying data.
As a web site needs to know the IP address of the visitors so it knows where to send the data requested by the visitor, there's no way of asking for permission before gathering the data, as even a text asking for permission needs to know where to be sent.


I could, for example, object to ATS (assuming it was based in the EU and therefore beholden to GDPR) using my email address to login - the same objective could be met through using the unique userid as a method of anonymisation, therefore there is no actual legitimate business interest for my email to be stored any longer than is necessary to confirm registration.

That's true, and it can really be considered that the email address, after registration, is not needed, unless the administration needs to contact the user outside the forum, to warn them, for example, that their password was changed for security reasons. In that case I think it's a legitimate use. Besides, that's something easily added to the consent text when people join the forum.

Lots of (digital) ink will flow regarding this legislation.



posted on Feb, 21 2018 @ 08:51 AM
a reply to: studio500

We don't have any personally identifiable data, nor do we allow any to be posted (for this very reason). We have never sold any of the data we don't have either. Even if we did have any data of value (we don't) we wouldn't sell it, I think it's just a dirty business, all this data selling.



posted on Feb, 21 2018 @ 06:30 PM

originally posted by: ArMaP

I could, for example, object to ATS (assuming it was based in the EU and therefore beholden to GDPR) using my email address to login - the same objective could be met through using the unique userid as a method of anonymisation, therefore there is no actual legitimate business interest for my email to be stored any longer than is necessary to confirm registration.

That's true, and it can really be considered that the email address, after registration, is not needed, unless the administration needs to contact the user outside the forum, to warn them, for example, that their password was changed for security reasons. In that case I think it's a legitimate use. Besides, that's something easily added to the consent text when people join the forum.

Lots of (digital) ink will flow regarding this legislation.


Email was not really a good example because there are further requirements in relation to alerts (i.e. possible data breach); it was more a matter of finding an easy to follow example.

For various reasons (including some theoretical arguments currently being floated about consent requirements for usage being invalid - i.e., arguably, websites may not be able to restrict access to only those who consent to the use of cookies, etc) I would very strongly look towards underpinning everything with a reason other than (or as well as, for the belt and braces approach) consent.



posted on Feb, 21 2018 @ 06:34 PM

originally posted by: Springer
a reply to: studio500

We don't have any personally identifiable data, nor do we allow any to be posted (for this very reason). We have never sold any of the data we don't have either. Even if we did have any data of value (we don't) we wouldn't sell it, I think it's just a dirty business, all this data selling.


For the purposes of this legislation, you do. Email addresses, cookies, IP logs, etc.

Even pseudonymised data such as my username can be considered personally identifiable data in this context, because it can be readily associated with my email address by staff.

Thankfully ATS is not beholden to the new Directive, it's just interesting to explore the theoretical impact if it was.



posted on Feb, 21 2018 @ 07:04 PM

originally posted by: EvillerBob
For the purposes of this legislation, you do. Email addresses, cookies, IP logs, etc.

Cookies? Only if they have personal data, right?



posted on Feb, 21 2018 @ 07:10 PM
I hereby authorize The Above Network the permission to sell my personal data they don't have stored on that server they don't own that's not residing in a sub-basement in Langley for whatever they can monetarily obtain for it.

I think they can get at least $1.87. Maybe even a buck ninety.




edit on 21-2-2018 by AugustusMasonicus because: networkdude has no beer



posted on Feb, 22 2018 @ 01:57 PM

originally posted by: ArMaP

originally posted by: EvillerBob
For the purposes of this legislation, you do. Email addresses, cookies, IP logs, etc.

Cookies? Only if they have personal data, right?


This is where a lot of people are going to get caught out. It's not "personal data" in the way that most people think, it's "data about an identified or identifiable person, either directly or indirectly". That's a really broad scope; on a plain reading it doesn't even require that identification had occurred, just that the potential for doing so exists.

Cookies allow your device (and often you personally) to be uniquely identified and associated with, for example, tracking or analytical data.

You might want to check out Recital 30, it specifically mentions cookies as one of the things that can form personal data. It doesn't apply in every use case, but it probably applies in 87% of cases at least.



posted on Feb, 22 2018 @ 02:02 PM

originally posted by: AugustusMasonicus
I hereby authorize The Above Network the permission to sell my personal data they don't have stored on that server they don't own that's not residing in a sub-basement in Langley for whatever they can monetarily obtain for it.


I note that your consent doesn't include collecting, storing, processing, transmitting, etc. In "normal world", all of these things would be implicit in that consent that you gave. In "mental EU GDPR world", arguably that still isn't enough.

To add insult to injury, although there is a big push to prepare for GDPR, the UK will actually be relying on its own new Data Protection Act that will exercise certain derogations, so the UK implementation will be slightly different to the GDPR as it currently stands.







 