I'm not really a fan of the GDPR. I don't think it really protects privacy. I think it just uses the power of the EU, a fairly big and strong organization, to intimidate the rest of the world to comply with laws that it really shouldn't have legal jurisdiction to enforce globally. I think this is a scary precedent to set that the biggest bully on the block can de facto enforce such standards because the rest of the world is terrified of the consequences of standing up to them.<p>Isn't this the sort of thing people accuse the US of? The rest of the world makes ugly jokes about "Be careful what you say about the US or they might come <i>liberate</i> you too." The EU is now in the <i>protection</i> racket. When the mob says you should give us a few bucks because it would be a shame if something happened to your business, people recognize that is not nice behavior. But the EU can do the same on the web and some people laud it as a good thing for individuals in the name of personal privacy.<p>If you want none of your personal info on the web, I have a suggestion: Don't participate in forums, social media, etc.<p>(Yes, I am guilty of having this opinion without having actually read it. I blogged previously about my opinion this would do bad things to forums. I am shocked to see negative fallout happening so very soon.)
The owner says that he doesn't have time to review GDPR-related requests; that's fine. But I wonder, if he received a US court order, would he treat it the same way? What if he received a letter from the NSA? A DMCA request? What if someone posted something illegal on the forum, would he ignore that as well?<p>It seems like he has no time only for legislation from the EU.
Could/should probably ignore GDPR requests if your business operations are entirely US based, whether or not anyone from the EU uses your site. US national sovereignty doesn't disappear because the EU says jump. We are not bound by the laws of governments other than our own.<p>You can probably ignore them anyway if you aren't a big company. With millions of these troll letters going around (and probably getting ignored), odds of any corrective action against you seem very low.<p>In any case, the corrective demands of the EU give you time to comply after they declare that you've violated something? Could probably wait for that point even if you're in the EU.
I just sent a GDPR letter to a company in the UK, which is still part of the EU. I have one of their Android phones, and it came with a non-removable app. It appeared to just be a bookmark. One day that app woke up and sent me a notification asking me to visit a web site, which led to a SurveyMonkey form.<p>So I sent the company a letter asking what data they have on me. It's going to be interesting to see what happens.
From the prototype letter:<p>"I am a customer of yours."<p>Not until you pay me, you're not. Yes, Mr. Well Actually, I know that the law says otherwise, and that's exactly why the law is FUBAR.
Considering GDPR is actually a thing from 2016, and 25th May only marked the day from which it would actively be enforced... that kind of comes late.<p>What I wonder: this is an Open Source project, so why not ask the community for help instead?<p>Being a long-time (very happy) Drone user, I would have happily helped to produce the necessary documents for the project if that had been asked before the final deadline.<p>Well, probably would even do that now.
I don't know why all these websites are shutting down due to GDPR when all you have to do is hire a competent law firm with GDPR compliance expertise to review your software and help you determine if any parts need to change to become compliant and also help you address any GDPR requests.<p></sarcasm>
Well, if the owner of the forum is receiving requests, e.g. to delete accounts or to disclose what data is recorded about someone, why not just comply with the request? What's the big deal?
I'm a little confused. <i>Who</i> is sending compliance requests? If it's not the ICO, there's really no problem. If it is the ICO, ask what needs to change. No lawyers required.
The GDPR seems to me to be just another example of nontechnical authorities trying to regulate what they don't understand.<p>Why don't more technical people become politicians, or at least form lobbying groups or think tanks?
I have a contrarian opinion to much I am reading here. Until a few weeks ago, I hosted my own web site and used blogger to host my blog on a subdomain. With huge reluctance I disabled comments, and then when Google’s patches for GDPR compliance didn’t work for me, I converted my 2000+ blog posts from the last 20 years to Jekyll and now host as part of my web site.<p>While it is nice to have total control, now I need to be using my laptop to post new blog posts, and I miss having readers comment. I also feel badly that the interesting things that readers have posted are lost to the Internet.<p>Even with all that, as a US citizen, I approve of GDPR and I wish it were universal. As much as I miss user comments, I am fortunate to have many readers engage with me directly via email discussions.
Guy shuts down forum, goes through the nightmare letter dissecting each part as "good question" or "you should have this already" or "easy one". So what was his issue anyway?
I've been sending all kinds of companies a request for my data. Everyone that keeps sending me mails without me knowing why, I just sent them a nice request to give me a copy of my data.<p>After that, I request them to delete it all :)
Goes to show that when an industry does not self-regulate, it gets over-regulated, which often disproportionately benefits incumbents, which incentivizes future lack of self regulation.
The GDPR does not apply if it is for personal use or for a hobby only. I don’t know how the structure of this forum is set up, but this can be a good reason to run such forums on your personal name.
By the way, what I really love about GDPR is that now I finally can disallow a website to log and analyze my behaviour to provide any kind of "personalisation" they want and still use it. It's just so great they can't say "agree or go away" any more.<p>I thought it was going to be another stupid thing like a "cookie law" (which, I hope, is going to be canceled now as we've got the GDPR), the recent US FOSTA or a "store all my data in my country on a government-certified server with a police backdoor" law but fortunately it absolutely is not.<p>I really hope non-EU countries are going to clone this law, it seems to be the second (the first being the US net neutrality policy) law I love.
The EU is already targeting Open Source in the new legislation. We should start making a stronger case for the internet while we still have it. The Pirate Party tends to be the best resource for the support, they organise petitions and have elected officials in the Parliament.
The thing I have to wonder is who did this and more importantly, why?<p>If you're a startup competing against an open-source project, then this is potentially a great (not good) way to get a leg up. You get the benefit of access to the code until you don't need it anymore, then get the project shut down and reap the benefit of being the last man standing.<p>Sure, you might eventually run up against the license on the software you just lifted, but open-source projects can't afford the same protections that a well-funded startup has.<p>And if you somehow get sued for license violations, the penalties are usually more a slap on the wrist than an effective notice to knock that shit off.<p>I really hate the way my mind works some days.
I wonder if the drone.io guy has read the link he provides to the end of it:<p>>>
So, there you go, that should take the sting out of answering the ‘nightmare letter’, even if not all the questions are appropriate (or appropriately worded) you can answer the bulk of them in relatively short order and with automation you can take the sting out. If this is the worst you can expect under the GDPR then that’s not so bad, and the effect might actually be positive:<p>- we get to know about a lot of undisclosed breaches<p>- it will be clear who has their house in order and who hasn’t<p>- if you don’t have your house in order just answering the letter will help you to get there
<<
It's really hard to know what exactly was asked of him by the letter and by whom. I get the nightmare letter scenario but is that the exact request he got?<p>Can he not extract all that user's data and delete if that is what is being requested?
Well that sucks, I wonder if this means other discourse instances might be hit with the same GDPR letters? There'll probably be someone who has (or will have) forked discourse to make these changes.
Can't wait for future nightmare letters coming from Saudi Arabia when they find moral indecency on my web site or China finding imperialist propaganda that needs addressing. This will be used as a precedent for every other control freak pushing their values onto us. What happened to free and open internet?
Unless I’m missing something, shutting down the forum does precisely nothing to limit GDPR liability as the main drone.io site itself has an account/login area. Whilst it’s private beta currently, unless EU access is blocked, GDPR liability will continue to apply to any personal data collected via that.<p>The only benefit here is that there’s one fewer system to keep track of when it comes to tracking/deleting personal data - the need to respond to subject access requests, right to be forgotten, form letters etc remains.
Can you send a GDPR letter to a public body, for example, the Office for National Statistics? Can you ask them to delete your data? Should they comply or are they waived from GDPR compliance?
Overbearing legislation applied by unelected representatives is being abused. If only there were technical solutions provided with an assumption of goodwill instead of 88 pages of mandates without such an assumption.
So basically drone.io is saying that discourse is not RGPD compliant and reddit is better equipped to deal with RGPD requests so he's moving his community discussion from a self hosted discourse to reddit.<p>Looks like a knee jerk reaction and missing the point that you can evade RGPD by outsourcing to a third party, one can still send RGPD requests to drone.io and owner is still responsible for answering those but now has to deal with getting the relevant data from reddit.
I don't really see this as a GDPR troll. This guy is saying he can't manage formal GDPR requests. He's running an internet forum for Christ's sake. We had forums before we ever had tracking, and anonymous internet handles were practically invented on forums. What's he doing exactly that he can't answer GDPR requests with a simple "we don't collect personal information"?<p>Of course, he probably is collecting PII, because he's using discourse. But since he says he doesn't have time to answer GDPR requests you can be pretty sure he doesn't take the time to ensure his infrastructure hasn't been owned. I'd wager he doesn't even know what PII the system he runs is collecting, so how can he be securing it on his users' behalf?<p>It's totally reasonable for his users to ask how he's protecting their personal data. If he wants to flip tables and storm out when they ask, that's up to him. From my perspective, the system works. He wasn't making the effort his users deserve to securely store their PII, and so now he isn't storing it at all. No one had to sue anyone, no one had to go to court, and he made the sensible decision to get out of the PII game he had no business being in. Success if ever I heard it.