0

I was recently tricked by an admin into getting booted off a forum of his where I had been active for years.

This happened in a thread (my last) where this admin claims a number of things that are at best a distorted truth, and thus harmful.

I registered under an alias that is comprised of my initials, and is thus identifying information. As far as I've been able to see almost all of my posts now appear as written by "Anonymous", which may be a sufficient change under the GDPR (if I read for instance Can i request a religious forum to delete my posts for GDPR compliance? correctly).

But that last thread still shows my posts under my initials. Am I right that this is a violation?

The forum uses phpbb, which I think means that my username could be anonymised programatically in all posts where it is used, do I have a legal right to insist that be done?

EDIT: I've already pieced together that there is (sadly) not enough legal ground on which to request the deletion of all my posts, so this question is not about that.

RJVB
  • 109
  • 2
  • 3
    Does this answer your question? Does a user have the right to request their forum posts deleted? – alexg Nov 15 '23 at 14:13
  • 1
    I don't think it's correct that initials constitute identifying information -- at least not in the context of a web forum without other information linking them to their owner. I suspect OP has no rights here at all. – bdb484 Nov 15 '23 at 16:00
  • 1
    Initials are not enough to be considered PII. Even first initial last name might sometimes have to be combined with other data to qualify. – Tiger Guy Nov 15 '23 at 20:26
  • I'd hope that this ("Initials are not enough to be considered PII") is subject to how unique the sequence of initials is, and/or how many people use that sequence as their handle. Be (almost) the only one to use any handle consistently everywhere and it probably becomes really easy to piece together what the real name of the person behind it is even if you just give away innocent tidbits of information at a time. – RJVB Nov 15 '23 at 21:47
  • Initials are PII. that is not the point. The question is if they are legitimately kept PII. – o.m. Nov 16 '23 at 05:21
  • The forum uses phpbb, which I think means that my username could be anonymised programatically in all posts where it is used. The use of a specific forum software is mostly irrelevant. At a fundamental level the data can always be manipulated. The far more relevant question is whether anybody with sufficient access has the knowledge to make the changes with the given tools - and in many cases forum software hosting is provided by a third party, or as a "just run this application somewhere" setup. – Clockwork-Muse Nov 16 '23 at 07:51

1 Answers1

3

You seem to assume that the 'right to be forgotten' is absolute, but it is not.

Under GDPR, the data controller needs a legal reason to retain personally identifying information on you. Your consent is just one possible reason, and revoking that consent removes that reason.

If you check that link, you can see that it is complicated, and if you want to take legal action on your specific case, you probably need a lawyer.

o.m.
  • 17,538
  • 3
  • 37
  • 64
  • I'm pretty certain that the forum database retains enough information to find out who made a given post, even if multiple used UUIDs share the same user name (say, Anonymous). IP addresses are also logged for every post. I have no real problem with that because that UUID is going to be random and specific to 1 particular forum and the source IP address isn't published. Note also that deletion of a post or thread on phpbb means moving it to an invisible section of the forum. – RJVB Nov 15 '23 at 21:57
  • The forum and I are both hosted in France btw, so that link to a UK legislative site is probably not 100% relevant (we like to think that privacy is valued a bit higher over here). But yeah, if I decide to take further action I will probably start by going through the ISP. – RJVB Nov 15 '23 at 21:58
  • @RJVB. with Brexit, UK and EU legislation can start to diverge on this, but the basics of the GDPR predate that. And it is not a question of technical possibility to tell users apart. For instance, they can probaby retain the information that you previously signed up and that they banned you for a long time. Otherwise, everybody who was ever banned could 'get forgotton' and start fresh. And many forum systems make users give copyright licenses to their post to the forum, getting banned does not revoke that. If you want to take action, talk to a lawyer. Also, tag this post 'France.' – o.m. Nov 16 '23 at 05:19