Loomio
Mon 17 Mar 2014 10:29PM

Forgot all data

DU [deactivated account] Public Seen by 71

EU preparing legislative to forgot function in applications on internet.
Forgot function mean delete all data from user especially private data.
My question is, is diaspora ready to this changing?

Thank you

B

Blindsite Mon 17 Mar 2014 11:06PM

Could you provide a link. And sorry what, they're preparing to "forget all data." Diaspora is hosted on private pods and is decentralized. How can the EU legislate anything concerning our data?

JR

Jason Robinson Tue 18 Mar 2014 7:34AM

@blindsite well legislation does apply to any web application, not just corporate ones ;) If it is what I think it's a good thing, to make sure that web apps allow users to delete their own data.

@maxsamael diaspora* already has this function AFAIK. Though using it doesn't guarantee the removal of said data from other pods, but that cannot be technically guaranteed anyway and cannot be assumed responsibility of pod owner to do.

SVB

Steffen van Bergerem Tue 18 Mar 2014 2:17PM

@jasonrobinson Do we already remove the user's comments? When someone tries to delete his account we tell him

Your comments will hang around, but they would be associated with your diaspora* ID instead of your name.

IMO we would also have to delete the comments.

G

goob Tue 18 Mar 2014 2:40PM

I'd be surprised if the law specified that every comment made by a user had to be removed. I think it's more likely to be about personal data (e.g. account data containing information about the person). It would make a nonsense of conversations if comments were to be removed wholesale.

Of course a person can already delete their account data (including posts, but not comments), and can delete comments manually if they wish.

We'll need some details about what this law actually is going to say, and what it won't say, before it's worth discussing steps to take.

JR

Jason Robinson Tue 18 Mar 2014 6:16PM

Personally if comments I've made were not deleted when I delete my account I'd consider it a bug :P

G

goob Tue 18 Mar 2014 6:37PM

Really? I think that once you've said something, you can't expect it to be unsaid.

Let's find out what the law actually says on this, if anything.

G

goob Tue 18 Mar 2014 6:39PM

It would make sense to remove any link to an account name in comments, replacing it with 'Deleted account' or some text like that. That would mean that it can't be traced to the person who has deleted their account, while meaning that conversations in which that person took part still make sense!

DU

[deactivated account] Tue 18 Mar 2014 7:21PM

Thank you for answers.
This law isn't already yet, but is it the discussion in EU parlament.
I have this information from TV news.
Is it prepared, becouse there is problem on internet with private data.
I haven't detailed law yet, maybe isn't there exact sentence now.
But it will be this law soon.
BTW many laws is in EU discussed without know of people. I try to search more informations on the internet.

JR

Jason Robinson Fri 21 Mar 2014 8:03PM

Really? I think that once you’ve said something, you can’t expect it to be unsaid.

In that case we shouldn't delete the persons posts either hmm? :)

M

Maciek Łoziński Sat 22 Mar 2014 1:19PM

Deleting comments may break a conversation, while deleting post does not.

JR

Jason Robinson Sun 23 Mar 2014 12:47PM

Sure, still as a user I would expect when I delete my account to all my data to be deleted. Keeping personal data in a network that claims to "give ownership of your data" after account deletion is imho betraying that whole promise.

I wonder if Facebook does this better and actually deletes comments :D

G

goob Sun 23 Mar 2014 2:08PM

I wouldn't say that something I've said is 'personal data', though. If the comment is no longer linked to my profile (which should have been deleted), there's no reason it shouldn't remain, and good reason that it should remain, for the sake of keeping sense in a conversation.

JR

Jason Robinson Sun 23 Mar 2014 2:45PM

Sure people will see this differently. I for one would not consider it account deletion unless all data goes with it :P

R

Ryuno-Ki Wed 26 Mar 2014 9:27AM

So I queried DuckDuckGo for the “Right to be forgotten” and found some news article and the proposal

I would have to dig more into it to get the current state, though …

G

goob Wed 26 Mar 2014 11:41AM

From the 'Regulation' link under Commission Proposals on the data protection reform: legislative texts (which downloads this PDF document):

3.4.3.3. Section 3 – Rectification and erasure
Article 16 sets out the data subject's right to rectification, based on Article 12(b) of Directive
95/46/EC.
Article 17 provides the data subject's right to be forgotten and to erasure. It further elaborates
and specifies the right of erasure provided for in Article 12(b) of Directive 95/46/EC and
provides the conditions of the right to be forgotten, including the obligation of the controller
which has made the personal data public to inform third parties on the data subject's request to
erase any links to, or copy or replication of that personal data. It also integrates the right to
have the processing restricted in certain cases, avoiding the ambiguous terminology
“blocking”.
Article 18 introduces the data subject's right to data portability, i.e. to transfer data from one
electronic processing system to and into another, without being prevented from doing so by
the controller. As a precondition and in order to further improve access of individuals to their
personal data, it provides the right to obtain from the controller those data in a structured and
commonly used electronic format.

If anyone can find these articles, we should be able to find out what the specifics are. There are articles starting about half-way down this page (the 'Directive' link directly under the previous link), but they don't seem to accord with the text above. Article 16 is about erasure, but 17 and 18 are about other matters).

Article 16 Right to erasure

  1. Member States shall provide for the right of the data subject to obtain from the controller the erasure of personal data relating to them where the processing does not comply with the provisions adopted pursuant to Articles 4 (a) to (e), 7 and 8 of this Directive.

  2. The controller shall carry out the erasure without delay.

  3. Instead of erasure, the controller shall mark the personal data where:

(a) their accuracy is contested by the data subject, for a period enabling the controller to verify the accuracy of the data;

(b) the personal data have to be maintained for purposes of proof;

(c) the data subject opposes their erasure and requests the restriction of their use instead.

  1. Member States shall provide that the controller informs the data subject in writing of any refusal of erasure or marking of the processing, the reasons for the refusal and the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy.

Article 17 Rights of the data subject in criminal investigations and proceedings

Member States may provide that the rights of information, access, rectification, erasure and restriction of processing referred to in Articles 11 to 16 are carried out in accordance with national rules on judicial proceedings where the personal data are contained in a judicial decision or record processed in the course of criminal investigations and proceedings.

CHAPTER IV CONTROLLER AND PROCESSOR

SECTION 1 GENERAL OBLIGATIONS

Article 18 Responsibility of the controller

  1.       Member States shall provide that the controller adopts policies and implements appropriate measures to ensure that the processing of personal data is performed in compliance with the provisions adopted pursuant to this Directive.
    
  2.       The measures referred to in paragraph 1 shall in particular include:
    

(a) keeping the documentation referred to in Article 23;

(b) complying with the requirements for prior consultation pursuant to Article 26;

(c) implementing the data security requirements laid down in Article 27;

(d) designating a data protection officer pursuant to Article 30.

  1. The controller shall implement mechanisms to ensure the verification of the effectiveness of the measures referred to in paragraph 1 of this Article. If proportionate, this verification shall be carried out by independent internal or external auditors.
R

Ryuno-Ki Mon 31 Mar 2014 7:05PM

@jasonrobinson Can you confirm, that closed accounts (like Molnet Storage …) aren't removed from the contacts list? We should note this, when talking about how far the erasure shall be.

@goob Please write down, which articles you're looking for. There are references mentioned. Do we need these, too?

Throwing 95/46/EC into DuckDuckGo points me to http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML

JR

Jason Robinson Mon 31 Mar 2014 8:53PM

@ryunoki not aware of the extent of any removal, sorry - but it should be checked :)