EU-DSGVO or GDPR Aspects on Development

General discussion of development ideas and the approaches taken in the 3.x branch of phpBB. The next feature release of phpBB 3 will be 3.3/Proteus.
Forum rules
Please do not post support questions regarding installing, updating, or upgrading phpBB 3.2.x. If you need support for phpBB 3.2.x please visit the 3.2.x Support Forum on phpbb.com.

If you have questions regarding writing extensions please post in Extension Writers Discussion to receive proper guidance from our staff and community.
KaiMI
Registered User
Posts: 4
Joined: Mon Apr 30, 2018 12:48 pm

EU-DSGVO or GDPR Aspects on Development

Post by KaiMI » Mon Apr 30, 2018 12:59 pm

Hi all,

first I struggled a bit to implement the cookie notice (and adapt the texts) delivered with the newest phpbb Version.
But now I made it and it works fine.
Many thanks for that functionality.

Now, regards the DSGVO / GDPR:
Currently, I check with our lawyers, if the normal cookie notice ("OK, got it") is sufficient.
They verbally told me, that this may not be the case any more, but they are also still in check with the states dataprotection officers.

However: It may be, that DSGVO suggests or forces us to have the cookies as "opt in".
As you guys have cookie consent from Insites implemented, and they have also an opt-in option:
Is it planned to implement this function? And, of course, if the user is not accepting cookies, to block all cookies from beeing sent to the user?

Hope this makes some good sense,

best regards

Kai

User avatar
DarkBeing
Registered User
Posts: 83
Joined: Sun Jul 19, 2009 2:32 pm
Location: Currently Estonia
Contact:

Re: EU-DSGVO or GDPR Aspects on Development

Post by DarkBeing » Mon Apr 30, 2018 6:09 pm

https://www.phpbb.com/community/viewtop ... &t=2419821 Might be an interesting read. Although it discusses some other aspects of the DSGVO.

CHItA
Development Team
Development Team
Posts: 156
Joined: Thu Mar 12, 2015 1:43 pm
Location: Budapest, Hungary

Re: EU-DSGVO or GDPR Aspects on Development

Post by CHItA » Tue May 01, 2018 5:11 pm

KaiMI wrote:
Mon Apr 30, 2018 12:59 pm
However: It may be, that DSGVO suggests or forces us to have the cookies as "opt in".
As you guys have cookie consent from Insites implemented, and they have also an opt-in option:
Is it planned to implement this function? And, of course, if the user is not accepting cookies, to block all cookies from beeing sent to the user?
I doubt that this would be needed, as we only have session cookies and generally cookies that are required to run the site are an exception from the opt-in rule.

User avatar
canonknipser
Registered User
Posts: 68
Joined: Mon Sep 19, 2011 4:42 am
Location: Germany

Re: EU-DSGVO or GDPR Aspects on Development

Post by canonknipser » Thu May 03, 2018 8:18 pm

CHItA wrote:
Tue May 01, 2018 5:11 pm
as we only have session cookies
That correct for a vanilla phpBB. But there are other cookies set by extensions (check the official collapsible categories extension as an example), so how is that case handled? Do extension author need to implement a own opt-in for those cookies?
Greetings
Frank
phpbb.de support team member - no support via PM or mail
English is not my native language
Extensions and scripts for phpBB

User avatar
david63
Registered User
Posts: 253
Joined: Mon Feb 07, 2005 7:23 am
Location: Lancashire, UK

Re: EU-DSGVO or GDPR Aspects on Development

Post by david63 » Fri May 04, 2018 6:10 am

canonknipser wrote:
Thu May 03, 2018 8:18 pm
But there are other cookies set by extensions (check the official collapsible categories extension as an example), so how is that case handled? Do extension author need to implement a own opt-in for those cookies?
The cookie that you quote there is an "operational" one and is therefore exempt from the Cookie regulations.

Ultimately it is the board owner's responsibility to comply with any, and all, regulations/laws that apply in the country where the board operates.

I could see a valid argument for extension authors stating that their extension is setting cookies although to be honest I am not aware of many that do - I know that my Cookie Policy/Privacy Policy extension does but when it does you have already accepted cookies so that is not an issue.
David
Remember: You only know what you know -
and you do not know what you do not know!

KaiMI
Registered User
Posts: 4
Joined: Mon Apr 30, 2018 12:48 pm

Re: EU-DSGVO or GDPR Aspects on Development

Post by KaiMI » Thu May 10, 2018 9:59 am

Spoke to our Lawyer. She recommended the following:
  • Banner, that informs about Cookies
  • Two Buttons, "Agree" and "Disagree".
  • No function of the board at all if nothing is chosen
  • If chosen "Disagree", either set no cookies any more, or make the user leave the forum (if technically cookies are must-haves)
This is the "best"-option.

Fallback Option is to show a banner that tells the user how to disable cookies in the browser and that the forum might not work properly afterwards.

(all in de legal reach. Other EEC countries might be different)

CHItA
Development Team
Development Team
Posts: 156
Joined: Thu Mar 12, 2015 1:43 pm
Location: Budapest, Hungary

Re: EU-DSGVO or GDPR Aspects on Development

Post by CHItA » Thu May 10, 2018 9:32 pm

KaiMI wrote:
Thu May 10, 2018 9:59 am
Spoke to our Lawyer. She recommended the following:
  • Banner, that informs about Cookies
  • Two Buttons, "Agree" and "Disagree".
  • No function of the board at all if nothing is chosen
  • If chosen "Disagree", either set no cookies any more, or make the user leave the forum (if technically cookies are must-haves)
This is the "best"-option.

Fallback Option is to show a banner that tells the user how to disable cookies in the browser and that the forum might not work properly afterwards.

(all in de legal reach. Other EEC countries might be different)
Well, from a development point of view I find it rather unlikely that we would provide any functionality that would describe how not to use the software. It also seems to me that German law is more restrictive than any other regulation so your problem is better solved by an extension then any features in the core.

KaiMI
Registered User
Posts: 4
Joined: Mon Apr 30, 2018 12:48 pm

Re: EU-DSGVO or GDPR Aspects on Development

Post by KaiMI » Sat May 12, 2018 12:10 pm

Hi,

I'm pretty sure, that latest with the e-Privacy laws this (or a very similar) function will be a mandatory function in the EEC.
My recommendation is to be prepared.

Best regards

User avatar
david63
Registered User
Posts: 253
Joined: Mon Feb 07, 2005 7:23 am
Location: Lancashire, UK

Re: EU-DSGVO or GDPR Aspects on Development

Post by david63 » Sat May 12, 2018 12:22 pm

KaiMI wrote:
Sat May 12, 2018 12:10 pm
Hi,

I'm pretty sure, that latest with the e-Privacy laws this (or a very similar) function will be a mandatory function in the EEC.
My recommendation is to be prepared.

Best regards
The requirement is that the site owner has to comply with all regulations/laws applicable in the country in which they operate - and this may involve several different sets of regulations.

It is not a requirement of any software package to provide the tools that are necessary to comply with these, or any other, regulations.
David
Remember: You only know what you know -
and you do not know what you do not know!

KaiMI
Registered User
Posts: 4
Joined: Mon Apr 30, 2018 12:48 pm

Re: EU-DSGVO or GDPR Aspects on Development

Post by KaiMI » Sat May 12, 2018 5:00 pm

...well, you can turn that as far as you want. Still, all website owners / forum operators will face the same problem and be fined worst case. If it's the duty of any software package is a non discussion (as there are no rules of software packages carved in stone, as far as I know at least). This forum is about development. So, why not address a problem that all of you will face sooner or later. I will solve mine, that's for sure. Better you solve yours before you arre on the hook, or consult your lawyer in any doubts.

Post Reply