inSided stated in their data erasure policy that when a user account is being removed - in order to anonymize a user:
- “no personal data is available anymore, nor in the system nor in any backup - the user record can no longer be retrieved”
- “their content will be left intact to avoid damage to the community - but the attached user record is now Anonymized”
But unfortunately that’s not fully true.
What happens:
- A user (in this case “Spreeandre”) registers in the community, posts topics and / or comments
- Other users interact with this user by quoting or mentioning them
- The user then asks for his account to be deleted
- After the account is deleted, the user’s own content is being anonymized
- But: The username in mentions and quotes won’t be anonymized → inSided’s claim that “no personal data is available anymore” isn’t true because it is still easily possible to connect the anonymized content to the original username (which can easily be found via Google)
The reason why this happens is:
- The username is being inserted as a plain text so after a posting was published, the username is a fix part of the content
- The correct way of doing it would be to load the username from the database every time the content is being loaded → So when a change is being made (e.g. username change or user is being removed), the data will be loaded from the database and instead of the plain text username the updated “Anonymous” (or changed username) will be displayed
That’s why our proposal is:
In order to really ensure the “right to be forgotten”, it is necessary to change the way the usernames are being displayed in mentions and quotes. It is necessary to pull the data from the database instead of inserting usernames in plain text.
If this isn’t done, inSided customers are violating the GDPR because they don’t fully remove the identifiable user data from the platform automatically (and doing it manually by editing every single piece of content where an anonymized user was being mentioned or quoted is a very time-consuming and error-prone work around).
Hey@bjoern_schulze , thanks for sharing this idea! I’ll review this with some other colleagues internally and get back to you.
Thanks for bringing this up@bjoern_schulze - this is an important fix!
Any updates or news on this idea?
This matter has come up again in our community and the legal view is quite clear - a user has the right to be forgotten and that includes all the messages they’ve posted in the community.
This is related to this one:
I dont test this so I have to ask. What is the situation with this idea at the moment?
This issue is still ongoing to this day.
This issue is still ongoing to this day.
Oh no… I hoped this is fixed as a mandatory GDPR related development. This is not “fancy stuff” though.