Yes, so it is, but was not thinking of you but the sender here.
This isn’t true for several reasons.
First, as this article notes, one of the lawful reasons to contact people on a list you own is for “legitimate interests,” and it’s at least arguable that we have a legitimate interest in fulfilling the desires of our subscribers by sending them the free publication that they signed up for.
Second, if you have an existing mailing list, you would only have to ask subscribers to opt-in again if you had subscribed them in “soft” ways before (such as by a checkbox that was pre-filled on some form, or by subscribing them and then sending email giving them the opportunity to opt-out). Since everyone who subscribed to TidBITS did so completely intentionally and without any deceptive practices, we don’t have to ask everyone to resubscribe.
The main thing that could trip up a company is that the GDPR also wants a record of that consent, and for any list that’s been around for a long time, it may be hard or even impossible to provide that information.
All that said, I do believe that people who are running a mailing list that isn’t trying to market to its members are probably in a much better position than your standard direct marketer.
Good article! Still puzzled a bit by this as see seemingly fine mailing-lists send out messages asking for renewed consent, even when I have signed up intentionally for them, but it could be they are also puzzled. Was also thinking that many send out the re-consent e-mails just because they could not prove previous given consent in every case.
Also for my own mailing-lists it has always been a mixture of people signing up intentionally and me adding them because I think them may be interested (usually because they have bought something or shown an interest without directly asking for being added to a list). Never added any people to a list without good reason though. So for “legitimate interests" for sure (mostly the legitimate interest of the recipient rather than the sender, but both), but also occasionally “by subscribing them and then sending email giving them the opportunity to opt-out” (or rather a note at the end how they unsubscribe or a note telling them I have added them).
But good to see you know how to deal with this!
Oh I’m considering the sender as well. No sender has the right to bombard people with stuff they don’t consent to. If somebody doesn’t tell you he/she wants your stuff, you shall not send them your stuff. It’s their call. If they’re too lazy, well then that’s their choice too and you shall respect that. This right hasn’t been respected well in the past at all - not even in the analog world (junk mail). If in the digital world the EU’s GDPR is the instrument that changes that, more power to them.
I think Adam’s above post shows quite nicely how a legitimate content distributor like TidBITS has nothing to fear from GDPR.
My strong suspicion is that any small player who’s trying to do the right thing will probably be OK in the long run.
As @ace said, this is probably the reason. I know I used to run mailing lists and the ‘confirm subscription’ emails were never something that I kept (or even saw). A request to join the list generated a single email to the address asking for confirmation. If the user confirmed, that message was automatically handled by the mailing list and discarded.
So, under that system, a list would need to, I guess, ask for confirmation again and this time keep it.
I assume that GDPR also mandates some way for a list to remove a user’s posts? I haven’t thought about that, but that would be quite a problem if there is.
Actually, that would be largely impossible, since you would need to be able to remove their quoted content as well.
Hmm, glad I’m not running a mailing list, but maybe someone has looked into this.
OTOH, mailing list are fast becoming the next USENET. Sure, some people still use them, but far fewer than there used to be.
Me too, just that one get a bit nervous trying to figure out if it will be up to people’s decisions or the law so to speak. One wonders if the regulation will save money or be a loss – either way there are big costs. Also not totally sure the guy in the article is totally correct. (“Legitimate interests” might be up to different interpretations … .)
But this is essentially a new sort of mailing list. I know that the software has a method to anonymize posts, but I wonder how successful it would actually be at catching all instances of somebody’s name in quotes, as you mention…
Yes, that’s the “right to be forgotten.” Here in Discourse, that’s easy with new users because of how it’s architected, but I can’t even begin to imagine how you’d erase someone from a traditional mailing list archive. Realistically, I suspect that (a) this won’t happen to hardly any traditional discussion lists and (b) if it does, and the list admin perceives a real threat, they’ll just kill access to the archive since it won’t be worth the manual effort. That’s what I’d do anyway.
Assuming an email or web forum post counts as “personal data,” when is it “no longer necessary in relation to the purposes for which they were collected or otherwise processed?” One could argue it will always be necessary as it is part of the record of the discussion (their name could be removed from the posts though).
I think removing or editing my messages or posts in which I quote or talk about someone who wishes to be deleted would violate my rights. As a matter of copyright, quotations should be protected on fair use/ fair dealing principles but I admit I don’t really understand the degree to which some Europeans think attempts to control information about oneself should supersede other interests.
The language of the GDPR is clearly much more about non-public data organizations have, not information freely provided by users to the public or to others outside the organization (e.g. members of a private mailing list or forum). I have seen mentions of “reasonableness” in the regulation. A web forum removing a user’s name, email address, and alias from a Users table (but leaving the row in place with a random or anonymous id) is likely reasonable in most system. Doing a large search and replace for their name as a string in text archives or in the body of messages is probably not reasonable. I’m hoping reasonableness will prevail and this will be a minor issue for web fora.
I am pretty sure that he GDPR considers email address to be personal. Also, many people have signatures that have other information that would be classified as personal.
But I don’t know that mailing lists posts wold be part of GDPR at all.
I meant the content of the message. Discourse doesn’t need to expose sender email addresses. I don’t know if a bare bones Mailman archive can but that’s the kind of thing that I think should fail a reasonableness test. Ditto for whatever one chooses to share in their .sig file.
I am not a lawyer, but my general assessment is that a great deal will depend on the nature of the mailing list and the specific consent given. If a user subscribes to the mailing list and is explicitly informed their posts will be available to list members/the public for the foreseeable future, then that consent is probably valid. If the nature of the mailing list and/or access to its contents changes, consent may need to be explicitly re-acquired.
If a user withdraws their consent and wishes their information to be removed under the “right to be forgotten,” then mailing list/archive maintainers may have an obligation to attempt to anonymize the material, and it probably extends not just to public services but to backups/archives as well. I have seen some assessments that this should also extend to the content of that users’ messages and and threads/messages that quoted them. However, this creates a minefield for trolls: imagine someone going through every thread in a forum, tacking on a smiley or “me too!” post, then demanding all those threads be deleted in their entirety under GDPR rules? Certainly not the intention of the regulations.
I have also seen some GDPR assessments that mailing lists and forums that that are not used for commercial/marketing purposes (for instance, not for commercial activity, do not conduct user profiling, do not share data with third parties, etc) will have little or no liability under GDPR, so long as they take reasonable steps to protect users’ personal information.
I think the specifics will vary quite a lot by mailing list/forum: there’s not going to be a single one-size-fits-all way to cope with the issues. But I am no more a lawyer now than I was when I started this reply.
Here’s a slightly different situation. A blog that is run by 2 persons with me as tech support. 5% or less of the visitors are from EU countries. Nothing is sold. This is not even a company. Literally run from a kitchen table 99% of the time. (At times from a porch at a beach.) But they do cover controversial subjects and at times blog posts can be about situations in EU countries.
This blog runs on WordPress. But we DO NOT require or even allow people to create accounts.
So talk about just factoring the GDPR CODB into our pricing is absurd. We have no pricing. We don’t take ads. We do have Twitter and Facebook buttons with appropriate pages for each. And we are running Google analytics so we can see where we are popular look at things like how big to assume a minimal screen size for both desktops and mobile.
And while once in our past we did remove all the comments from a person at their request it created such a mess that we said no more. Suddenly dozens of comment made no sense. 100s.
After 9 years we’re up to over 300K commments. Typically 4000 to 5000 unique visitors per day with occasional peaks lately of 10K to 20K.
To me this is going to be a very large PITA. Sigh.
I’m not sure that you have to do anything? You don’t have accounts and it doesn’t sound like you’re collecting personal information, so why would GDPR be an issue for you?
Per what I’ve read here and other places, IP addresses count. So do email addresses. And maybe handles. And for sure their names if they give it like at the end of their comment as a signature. Plus our posts and the comments may reference real people who really don’t want some things public about them.
Most commentors use their real email address. We tell them if they want us to get in touch with them due to an issue with their comments we need a real email. (We wind up with a non trivial number of moderated comments due to the subject matter some days.)
If they want to be removed could you just mark all of thier comments as removed by request. Then it won’t mess up the heirarchy.
Most of the comments refer to previous comments. Many quote part of or all of a previous comment.
A few months back a semi-regular went a bit nuts and I spent 3 to 4 hours cleaning up after purging his way over the edge comments. As I also got to go find all the links to his comments which included quotes from him and/or arguments about what he said that also had to be “purged”.
Also the standard Wordpress tools are not really geared to dealing with people who’ve commented 1000+ times. Or even 100+. And editing all their comments to remove what they said and replace it with “Comment removed” would get to be tedious at best.
And we have issues of future legal issues where people might have to explain why they said what they did about some person or topic but if they comments they were referring to are gone, then what? I wonder how this plays out in the EU in courts?
The GDPR only applies to enterprises, “a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.” Presumably a web site having ads is sufficient to count as economic activity but since the blog in question doesn’t even have that, I don’t think it applies. GDPR would still apply to the blog, even without economic activity taking place on it, if the blog is run by an “enterprise” engaged in economic activity; e.g. I don’t think there’s any economic activity in the TidBITS Talk forum but TidBITS is an enterprise engaged in economic activity.
I checked the EU site, and there could potentially be a problem if this site is processing data, not simply collecting it:
“SMEs only have to keep records if data processing is regular”
IMHO, the chances of the EU going after this blog are the lowest end of minimal. Google, Amazon or Facebook it ain’t. Complaints need to be filed before any action is taken.