Latest News › Forums › Site technical issues and feedback › Right to be forgotten in Internet forums
- This topic has 6 replies, 1 voice, and was last updated 2 years, 2 months ago by mods-cm-org.
-
AuthorPosts
-
Oscar
Hello again:
In another thread -now closed- I asked that all my messages posted on this forum be deleted. I also made the request through other channels. I said that if my request was not granted I would explore “legal means”.
Some laughed then, out of ignorance as often happens, because they interpreted that I was making a bluff. Certainly to suggest that a legion of lawyers are going to go after Mr. Murray or the moderators is ridiculous, as is to think that I meant that. Although I am not an expert in law, I have something to say.
In the European Union we have the famous and pioneering General Data Protection Regulation (GDPR). Your Data Protection Act 2018 is your national implementation of the European Regulation (in Spain we also have a legal equivalence). I do not know to what extent it will remain in force or if it has been modified by a more recent one.
According to these regulations (at least in the European Union), every website has to have a privacy policy, and other things depending on the personal data it processes or stores. A simple email address provided for a newsletter subscription, for example, is considered personal data.
And every citizen of the Union has several rights in relation to their personal data: access, rectification, opposition, deletion (“right to be forgotten“), etc. If any person considers that their rights are not being duly taken care of, that person can go to the Control Authority of each country. You don’t need “powerful lawyers” to assert his rights in this context. And obviously there are highly variable penalties and fines depending on the case, if it is determined that the GDPR has been breached.
I wanted to clarify all this, since some users mocked my comment. And the issue of privacy, as well as the right to be forgotten, are matters in which I am very involved and that I consider crucial -along with other principles- for the survival of our democracies.
When I said I would explore “legal means”, as I said, I meant first of all to read the privacy policy of the website (which there is not, I recommend that you work on it) and exercise my right of suppression in accordance with it. Next, I planned to inform myself about how the two regulations mentioned -the EU and the UK- applied to the particular case of internet forums.
There is a lot of debate about it and I haven’t found any definitive answer from any expert, at least not an answer that isn’t contradicted by another expert.
So I have drawn my own conclusions for this case, based on what little I know about the GDPR, the international legislation about Human RIghts and my personal values.
An eventual deletion of my messages would interrupt the flow of archived communications and make it impossible to understand what happened, how it happened and why. In this case, my presumed right to be forgotten would collide with articles 18 and 19 of the Universal Declaration of Human Rights (UDHR) and in its legally binding version for our countries, with those same articles of the International Covenant on Civil and Political Rights (ICCPR) . It would also collide with the rights related to freedom of expression and information (Art. 85 of the GDPR), among others.
Taking into account that I have only provided my email address and that it is not public, and that my nickname is a pseudonym, I withdraw my request to delete data. Among all the players in the closed “conversation”, I’m not the one who should feel the most embarrassed (Although admittedly, when I was overwhelmed by the “unprecedented flurry of replies [personal attacks and insults] in such a short space of time”, I felt ridiculed). In addition, I consider that, although most of my messages are worthless, there are 3 or 4 that are true gems in terms of reflections and resources that they provide (whether you are able to appreciate their value or not is another thing). Perhaps someone, now or later, will find these resources useful. That and no other has always been my desire in relation to this forum.
Of course, If someone knows Law, and the subject has not been treated before, and wants to correct or refine something of what I have said, I will gladly read it and learn from her or him.
With this I conclude my participation here (this was the only “loose end”).
Thank you. And goodbye.-
mods-cm-orgHello Oscar,
Thank you for your enquiry, particularly for your astute evaluation of the data protection regulations and how they relate to this blog.
I understand and appreciate your concerns and can reassure you that the blog team takes data protection issues seriously. I’m familiar with the GDPR and the DPA and their implications for data processing. A few years ago I met several of the senior officers in the Information Commissioners Office (ICO) at a conference for Data Protection Practitioners, and when the DP Act 2018 came into effect I contributed to the development of information governance policy for a leading institution. Moreover, correspondence with the person or persons responsible for site administration on this blog indicates that they are also very well informed and alert to data protection issues.
The GDPR does apply to this blog, and steps have been taken to comply. We already stored the minimal amount of information required to operate the site successfully, as noted in the link to the privacy policy page below the comment box under the blog articles (“This site uses Akismet to reduce spam. Learn how your comment data is processed.“). Access to the backend is very carefully restricted and the level of permissions granted is in accordance with the functions required for the role (i.e. owner, site admin, moderator). It’s also very secure, and any attempts to penetrate that security have been successfully countered. Accordingly, if necessary, we can prove to the ICO that the data is in safe hands.
The question of whether WordPress should be amended for full GDPR compliance is one of those opinionated issues with no specific guidance or ruling as yet. As things stand, I’m not aware of any prosecution for misuse or security lapses on personal blogs. Unless there is a widespread vulnerability, the matter is unlikely to be addressed by an ICO investigation.
There are some considerations that would complicate any request for deletion of published messages in the blog comments section or the forums. The GDPR does not extend to redacting (never mind deleting) comments unless those specific messages contain personal information – and even then the DPA contains applicable exemptions, to be considered on a case-by-case basis. The case for retention would very likely override any request from a contributor who has second thoughts about their submitted arguments; indeed in some cases such requests could be considered vexatious and be dismissed accordingly.
Furthermore, it’s worth noting that a data protection request must be submitted formally to have any legal force. The data controller must be fully assured that the request has genuinely been submitted by the data subject concerned. (Obviously it’s important to ensure that third parties aren’t empowered to remove someone else’s data without their consent.) The standard Right to Erasure Request Form requires the full name, address, phone number and email address of the person making the request, along with photocopies of proof of identity (passport, driving licence, etc.) and proof of address (e.g. a utility bill or financial statement within the previous 3 months). These details are then held on file for proof of valid authorisation. Accordingly, in some respects the erasure process to hide minor personal information from the data controller would confound the intention behind making the erasure request in the first place.
It could be counterproductive to use legal channels to enforce a desired action. Long-term readers will be aware of Craig Murray’s defiant attitude towards legal coercion, even from high-powered lawyers acting on behalf of wealthy clients. (Alisher Usmanov was firmly rebuffed – and he’s one of the richest people in the country.) For numerous reasons, it would be a more sensible idea to make a polite request to the moderators who may respond sympathetically as a courtesy; but that’s less likely to happen to requests backed by impotent legal threats.
We would be much more inclined to act to redact personal information published in the blog comments rather than data transactions recorded in the logs. There’s little point in erasing data that isn’t publicly visible. If necessary, moderators can modify the contents of the email address field (though not the IP address), and may do so if there is good reason and only a few records are affected. But there is also a strong rationale for retaining such details to protect the integrity of the site from abuse. In any case, we’d have to verify the email address first – a process which would create further email records.
It’s worth weighing up those issues before making demands for erasure.
__________
Now, regarding the reason that prompted your request, you do have a valid point. The tone and attitude in the discussion forum can be quite hostile at times, sometimes stooping to abject mockery. I’m sorry you felt humiliated. The grievance is valid, albeit not of a profound or urgent nature.The discussion forum is not moderated as firmly as the blog comments, by design. It’s the right place for commenters to post information that doesn’t relate directly to the topic of Craig’s articles, or to tease out complex or profound questions. Ideally, differences of opinion can be settled amicably, but petty squabbles are rarely resolved. Moderators don’t want to be bothered with these debates too much because they’re secondary to the purpose of the blog.
This latest episode of squabbling helps to highlight a deficiency of the light-touch regulation system: it doesn’t protect constructive debate. Craig Murray invites engagement with his blog, and I don’t think he would approve of new participants being hounded out by a hostile environment. That problematic discussion thread provides a good opportunity to inspect the dialectical patterns for any issues that could do with being addressed – albeit by advice rather than direct moderation. The process is already underway, and an assessment will be posted in the Blog Support Forum under an appropriate title, where there will be an opportunity to air opinions and potentially influence the forum guidelines.
In the meantime, we would respectfully ask all participants to be more careful to avoid sarcasm and to be mindful of using accusatory tones or phrasing that could belittle others in the debate.
OscarHi Mod,
Thank you for your understanding and above all for explaining the legal and technical issues that I consider to be fundamental throughout the Internet, especially in its implications for Human Rights. It is clear that there is much more work behind the scenes at Mr. Murray’s website than meets the eye – “invisibility” which often indicates a job well done. Now I understand why you found the unexpected flow of messages an “interesting development”. 🙂
I hope that together we can keep healthy and accessible to all everything he has done and makes possible what we know today generically as “Internet”. I sincerely believe that our fundamental freedoms and rights depend on it. We often take for granted that unprecedented technological and human development in History, when it really covers a short period of time. Whether it is a parenthesis in Human History or not depends not only on geopolitical and sociopolitical issues, as well as energy ones, but also human ones. And that concerns us all.
For my part, I take note of what happened here and I examine my conscience for my mistakes so as not to repeat it here or in other forums.
I wish a long and healthy life to this forum. And I thank Mr. Murray again for the public service he provides by opening up these discussion forums to people, gratitude that extends to all of you who make this public square possible, from those of you working on technical issues to users, including those that literally had me sleepless for a night. 🙂
Fraternally,
César (aka Oscar)
Clark*** SITE TEAM *** – You can delete the topic and its entire thread as far as I’m concerned.
– – – – – – – – –Oscar, I’m sorry that we failed to achieve communication.
– “The Moving Finger writes; and, having writ, Moves on: nor all your Piety nor Wit Shall lure it back to cancel half a Line, Nor all your Tears wash out a Word of it.”
— Omar Khayyam, Rubaiyat
Not quite true in these days of the internet, but I expect the latest posts will be archived soon:
Observer2016The question of whether WordPress should be amended for full GDPR compliance is one of those opinionated issues
Whether or not one should comply with the law is not an “opinionated issue”. The law is the law. A moral exception can be made for civil disobedience in protest against a law widely regarded as unjust (see Thoreau and others) but that isn’t the case here. People value privacy, and the laws protecting it.
(There is some legal “small print” to be taken into account: after Brexit, the UK GDPR is not identical to the EU GDPR, but it is very close indeed).
I think that the retention of a poster’s IP address, against the will of the person who posted a message and then asked for deletion, would violate both EU and UK GDPR. I’m not a lawyer but have taken advice in connection with a website which I operate (the circumstances are not identical). IMHO Craig’s website should also seek legal advice concerning retention of IP addresses associated with names or email addresses – and follow it.
OscarThat’s how it is. It would be a shame if Mr. Murray’s opponents, what they have failed to achieve by other means, achieve by a “little and simple” breach of privacy and other laws…
For my part this whole matter is forgotten.
But I strongly suggest that you work on the topic addressed here (and other topics if any).
Cheers,
César (aka Oscar)
mods-cm-org“The question of whether WordPress should be amended for full GDPR compliance is one of those opinionated issues”
“Whether or not one should comply with the law is not an “opinionated issue”.”
That’s not the point that was being made, Observer2016. The sentence you quoted didn’t allude to an operational decision for the blog team, but instead referred to ongoing discussions within the WordPress development community about what changes to make to the WordPress platform. If you would care to read up on it further, on developer forums and legal sites, you would find that the issue is indeed very complex and nuanced and there is as yet no settled conclusion.
One of the key issues is that in order for an identity to be subject to the data protection legislation, it must be a genuine identity; fictional personas are not covered. Data controllers can require several forms of proof of id (as noted above) before undertaking the work required to remove the data. And (as again noted above) the right is not absolute and there are mitigating considerations to be taken into account. Such decisions would be subject to evaluation in a court of law. If the data controller has legitimate reason to believe the persona is fake and the data doesn’t identify the authentic author, redaction would not be mandated. The merits of the case would have to be tested in court. The decision isn’t automatic, much as some would wish it so.
That’s merely an incomplete précis of the information already provided above. Please refine the argument if you wish to discuss the matter further.
-
AuthorPosts