Topics

moderated Account export and GDPR update


 

Hi All,

The account export feature now lets you specify which groups you'd like to export data from. There's also an option labeled 'Any other groups' which exports data from any groups you may have posted to in the past and later unsubscribed from. I have also broken out the messages by group into separate mbox files in the archive. Please let me know if you see any issues.

I expedited implementation of the account export as well as the expanded group export features because of GDPR. I expect that I will have to make some other minor changes for GDPR, specifically how to display identifying data from someone who has deleted their account. If you're viewing a message posted by someone on the website who has deleted their account, I may have to somehow obscure the person's name. But I am not sure about that yet. Also, I expect that some ToS and Privacy Policy changes may have to be made.

These things are still up in the air because every lawyer involved with GDPR stuff is slammed right now and getting time with my lawyers has been challenging. I'm doing what I can, but my guess is that these changes will happen after Friday. I've been told that this won't be a problem, and indeed, several of the companies I depend on for Groups.io, including our hosting company, have not put up their GDPR mandated materials yet.

More when I know.

Thanks,
Mark


Marina
 

On Wed, May 23, 2018 at 03:27 pm, Mark Fletcher wrote:

I expedited implementation of the account export as well as the expanded
group export features because of GDPR. I expect that I will have to make
some other minor changes for GDPR, specifically how to display identifying
data from someone who has deleted their account. If you're viewing a
message posted by someone on the website who has deleted their account, I
may have to somehow obscure the person's name.
Thank you for all your efforts, Mark. That is a tricky point. I am the owner of a former Yahoo group whose members are 90% European citizens based in Europe. I moved the group without much regard to GDPR and now I wonder how could I comply if a member who has left (or is leaving, for that matter) the group should ask me to delete all his posts. There should be a feature (accessible only to moderators/owners) to bulk remove one member's posts on request. Maybe a "Bulk remove" option shown in the "All Posts by this Member" page.
Just a thought.

Have a nice day (or a nice night),
Marina


 

On Wed, May 23, 2018 at 11:59 pm, Marina wrote:
how could I comply if a member who has left (or is leaving, for that matter) the group should ask me to delete all his posts.
I haven't read the GDPR but I would be surprised if it required a website to remove posts that someone posted themselves after granting rights (via the TOU) for the website to the publish the posts. Does it require this? I do understand that it would (as I understand it) require the site to remove information *about* the person published by others.
 
--
J

 

Messages are the sole opinion of the author, especially the fishy ones.

I wish I could shut up, but I can't, and I won't. - Desmond Tutu


 

Mark, Marina, J.

 

Mark, thanks for all your work. I think that some of this GDPR tuff is eaten less “hot” than it´s cooked.

 

Our groups are mailing lists, and if s.o. joins a mailing list, they are aware of the fact that their mails and their mail addresses do not only show on the website but equally in numerous private accounts of other group members. It´s self-evident, that theoretically mails and mail accounts are thus distributed infinitely and all over the world.

 

If s.o. leaves the group, they cannot expect, that all their mails are deleted, which I do not think would ever be possible.

 

My solution has been from the start, that I bring these facts to the attention of prospective members before they join. My terms are mentioned in the guidelines visible to everybody on the homepage of the group. And there it is stated (among other terms of private policy) that a member has to accept the fact that their mails are read in private accounts and on the website and that their contributions to the group (reports, files and photos) remain the property of the group, even after they leave. This in my eyes is enough.

 

Whoever joins my group must accept these guidelines by filling in a questionnaire and clicking a box that they have accepted this.

 

Apart from that: Wouldn´t it be much easier if mail addresses were possible to be made invisible not only in archives but also in the mails that reach members in their private accounts? As far as I know this is not avoidable/clickable at the moment. This at least could make it impossible for anyone to collect mail addresses for commercial purposes.

 

Greetings

Victoria


 

On Thu, May 24, 2018 at 05:41 am, Victoria wrote:
Our groups are mailing lists
Groups.io is also a website and has to comply with the new privacy (etc.) rules. I'm sure Mark is doing this correctly.
 
--
J

 

Messages are the sole opinion of the author, especially the fishy ones.

I wish I could shut up, but I can't, and I won't. - Desmond Tutu


toki
 

On 05/24/2018 09:26 AM, J_Catlady wrote:
I haven't read the GDPR but I would be surprised if it required a website to remove posts that someone posted themselves after granting rights (via the TOU) for the website to the publish the posts.
Not only does the GDPR require that, but it also requires that all posts
that quote the individual be removed.

I do understand that it would (as I understand it) require the site to remove information *about* the person published by others.
Doesn't matter where the content came from, if the subject requests
removal, it has to be removed. No ifs, ands, or buts, unless you want to
pay a very large fine.

I am not a lawyer.
This is not legal advice.

jonathon


 

On Thu, May 24, 2018 at 08:20 am, toki wrote:
Doesn't matter where the content came from, if the subject requests
removal, it has to be removed.
I'll have to read it. I still find it very hard to believe that an author granting publication rights to a website for their content (which is essentially what's happening here) can then demand that it be removed. What if I'm a journalist writing for an online news outlet and I've granted rights to the publication? The publication does not then have to remove my articles on my demand just because my name is on the byline. Articles *about* me, or that mention me, would be a completely different story. But not content *by* me that I have given to the publication myself. I'm going to have to read it.
 
--
J

 

Messages are the sole opinion of the author, especially the fishy ones.

I wish I could shut up, but I can't, and I won't. - Desmond Tutu


toki
 

On 05/24/2018 12:41 PM, Victoria wrote:
Whoever joins my group must accept these guidelines by filling in a questionnaire and clicking a box that they have accepted this.
Just be aware that in most (¿all?) countries in continental Europe, one
can neither waive, nor sign away one's rights. As such, it doesn't
matter what your agreement says, for European residents the GDPR
applies. Depending upon country of citizenship, European citizens might
covered by the GDPR, regardless of physical domicile.

I am not a lawyer.
This is not legal advice.

jonathon


toki
 

On 05/23/2018 10:27 PM, Mark Fletcher wrote:

These things are still up in the air because every lawyer involved with GDPR stuff is slammed right now
I suspect those lawyers will be able to bill 200+ hours per week, for at
least another three months.

I'm doing what I can, but my guess is that these changes will happen after Friday. I've been told that this won't be a problem,
Typically, European bureaucracies are more concerned with getting the
organization into compliance, than in fining them. OTOH, they are
slightly more sympathetic towards domestic organizations, than foreign
organizations. On the gripping hand, given the major data breeches in
the last year, that involved organizations that appear to be based in
the United States, those would be the first to be placed in their
cross-hairs.

jonathon


toki
 

On 05/24/2018 03:25 PM, J_Catlady wrote:

journalist writing for an online news outlet and I've granted rights to the publication? The publication does not then have to remove my articles on my demand just because my name is on the byline.
That comes under both _The Right to be Forgotten_, and _Moral Rights_,
of Copyright Law.

I am not a lawyer.
This is not legal advice.

jonathon


 

On 24 May 2018, at 16:20, toki <toki.kantoor@...> wrote:

Doesn't matter where the content came from, if the subject requests
removal, it has to be removed. No ifs, ands, or buts, unless you want to
pay a very large fine.

Not true.
The right to erasure is not an absolute right. It is all laid out here <https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/> A lot of people are worrying unduly about all this - there are not a million miles between the current Data Protection Act 1998 (UK) and the GDPR.

kind regards

Nick
___

dUNMUR | member of the AOP


Dave Sergeant
 

I am not sure GDPR requires that.

Things like email lists come under the GDPR legitimate purpose clauses
- which allows the supplied data to be used for the purposes of running
the organisation/email list/whatever. When somebody subscribes to a
groups.io list they supply their email address and other information
they choose to supply for them to access the service. Anything they put
in their posts are offered by themselves and will be fully aware that
their posts will be distributed to all on the list. Everything comes
under legitimate purposes and no extra permission is required.

It is of course completely impossible to delete all references to an
individual in the archives since this is distributed in an unknown
number of places on individual computers and by deleting posts a group
could not work as it was intended as related posts in threads would no
longer make sense.

The groups.io website is somewhat different as more detailed
information about moderators is held, particularly for those on paid
plans. Mark has stated he will be updating his privacy terms to reflect
this.

In my experience the current flood of GDRP emails I have been receiving
are a disguised attempt to add people to organisations marketting
campaigns - tick this box if you want to receive exciting offers from
us, but if you don't you will still get your membership renewal
mailings and other basic features.

Dave

On 24 May 2018 at 15:20, toki wrote:

On 05/24/2018 09:26 AM, J_Catlady wrote:
I haven't read the GDPR but I would be surprised if it required a
website to remove posts that someone posted
themselves after granting rights (via the TOU) for the website to the
publish the posts.

Not only does the GDPR require that, but it also requires that all posts
that quote the individual be removed.

http://davesergeant.com


 

On Thu, May 24, 2018 at 08:44 am, Nick Dunmur wrote:
The right to erasure is not an absolute right
Exactly. It couldn't possibly be.
I'll have a look at that link. Thanks for posting.
 
--
J

 

Messages are the sole opinion of the author, especially the fishy ones.

I wish I could shut up, but I can't, and I won't. - Desmond Tutu


 

On 24 May 2018, at 16:25, J_Catlady <j.olivia.catlady@...> wrote:

What if I'm a journalist writing for an online news outlet and I've granted rights to the publication?

If you’re writing commercially, you will likely have a contract of some sort and if you’ve granted rights to that publication under that contract, GDPR will not over-ride it.

kind regards

Nick
___

dUNMUR | member of the AOP


 

On Thu, May 24, 2018 at 08:46 am, Nick Dunmur wrote:
you will likely have a contract of some sort and if you’ve granted rights to that publication under that contract, GDPR will not over-ride it.
Exactly. That was just my counterexample to Toki's "no ifs, ands, or buts." And in the case of groups.io, members HAVE granted rights, via the contract that is the TOU.
 
--
J

 

Messages are the sole opinion of the author, especially the fishy ones.

I wish I could shut up, but I can't, and I won't. - Desmond Tutu


 

All,

I don't think that speculation about what Groups.io has to do for GDPR is productive. I have been told by my lawyers that I will not have to remove messages posted from someone as part of their right to be forgotten.

Thanks,
Mark


 

J

 

Groups.io is also a website and has to comply with the new privacy (etc.) rules. I'm sure Mark is doing this correctly.

I am very much aware of that and also of the fact that it´s more productive if he speaks for himself.

 

Victoria


 

Jonathon,

Just be aware that in most (¿all?) countries in continental Europe, one can neither waive, nor sign away one's rights. As such, it doesn't matter what your agreement says, for European residents the GDPR applies. Depending upon country of citizenship, European citizens might covered by the GDPR, regardless of physical domicile.

I´ve got 2 business homepages, a private one and a blog, all of them in Germany. So a couple of months ago - naturally after gaining legal advice - I updated my privacy policy terms right after the GDPR terms were made public.

Here we´re talking about mailing lists/groups. If s.o. leaving my group asked me as owner to have their mails deleted, I wouldn´t even be able to do this, for there is no delete button in the activity log. But I trust in Mark that this wouldn´t be necessary anyway.

Victoria


Marina
 

On Thu, May 24, 2018 at 09:57 am, Mark Fletcher wrote:


I don't think that speculation about what Groups.io has to do for GDPR is
productive. I have been told by my lawyers that I will not have to remove
messages posted from someone as part of their right to be forgotten.
Thank you, Mark. Sorry, I didn't mean to spark a new discussion on GDPR here, just suggested a bulk remove option which could be uself to moderators/owners.
All the best,
Marina