Joomla User Management and GDPR

michele654
Joomla! Intern
Posts: 71
Joined: Mon Apr 21, 2008 3:56 pm
Location: North Carolina

Joomla User Management and GDPR

Post by michele654 » Wed Dec 06, 2017 3:03 pm

With GDPR fast approaching, how does Joomla user management comply? Straight Joomla 3.8.2 install, no additional user extensions, I have Mosets installed but it refers to the Joomla user id.

Anyone looked into how Joomla user management is affected by GDPR?

-Michele
Last edited by imanickam on Tue Jan 16, 2018 12:41 pm, edited 3 times in total.
Reason: Moved the topic from the forum General Questions/New to Joomla! 3.x to the forum The Lounge. And to the forum Security in Joomla! 3.x. And back to the forum "The Lounge".
-Michele

Dear God, I have a problem. It's me.

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Joomla User Management and GDPR

Post by abernyte » Wed Dec 06, 2017 4:16 pm

In which way do you fear that GDPR impacts on Joomla's user management that the current DPA doesn't already?
"Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it." Thomas Paine

Webdongle
Joomla! Master
Posts: 44070
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Wed Dec 06, 2017 4:31 pm

That applies to the data that is placed on the site not the software used. If you want to know if it applies to you https://ico.org.uk/for-organisations/re ... ssessment/
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Joomla User Management and GDPR

Post by abernyte » Wed Dec 06, 2017 4:46 pm

Webdongle is quite correct in that it is the Data Controller and Data Processor on which this duty falls. Both are not necessarily the same person.
Joomla per se is not directly affected but how the data collected and managed by the user is. I took the view when the EU changed the data protection regulations on cookies the last time that Joomla could have done more to assist users to comply and do not retreat from that view.
While no obvious issue is prominent in GDPR it does impose a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities.
Over to you dear user.
"Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it." Thomas Paine

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla User Management and GDPR

Post by mandville » Wed Dec 06, 2017 5:36 pm

The "new" act is very straightforward. Most people who run a site will be in the best option of having no users.
For the rest it all depends on how you actually deal with data at present and giving it a good review.
AFAICS there will be no suitable extension like with the cookie rule, it all depends on, like I said, how the website organisation -DP and DC control their data.
Personally reviewing how this will affect the sites I admin or am in control of, or advise for will only work for my individual circumstances as each website has different data processed in different ways.
I would seriously suggest you ask your host and ISP how they will be dealing with it.

you can see how jsphere is dealing with this https://volunteers.joomla.org/teams/compliance-team
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Webdongle
Joomla! Master
Posts: 44070
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Wed Dec 06, 2017 5:59 pm

mandville wrote:... most people who run a site will be in the best option of having no users. ...
Disagree because
#8. https://ico.org.uk/for-organisations/re ... ssessment/
Do you only process personal data for:
accounts or records (ie invoices and payments)

A yes answer returns
You are under no requirement to register

You are only processing personal data for the core business purposes. You therefore do not have to register with the ICO.
Also if the site is for a hobby then you don't have to register.

Where it is unclear is data breach. It is not made clear if the laws about data breach only apply to individuals/companies who have to register or also to individuals/clubs who have a hobby site and don't need to register.


mandville wrote:...
Personally reviewing how this will affect the sites i admin or am in control of, or advise for will only work for my individual circumstances as each website has different data processed in different ways.. ...
You will be aware of https://ico.org.uk/for-organisations/re ... ssessment/ ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla User Management and GDPR

Post by mandville » Wed Dec 06, 2017 6:35 pm

The GDPR is not the ICO, eg the ICO /DPA is in many ways contrary.
eg the latest (released today) BBC personal data use page http://www.bbc.co.uk/usingthebbc/privacy/privacy-policy
"Under the Data Protection Act you have the right to request a copy of the personal information the BBC holds about you and to have any inaccuracies corrected. (We charge £10 for information requests and require you to prove your identity with 2 pieces of approved identification)."
Under the GDPR this is free. And section 12 of their policy is worse.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Joomla User Management and GDPR

Post by abernyte » Wed Dec 06, 2017 7:07 pm

As GDPR now makes notification mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals then registration is not the determining factor.

For instance if my hobby site with x number of registered users is hacked and rendered unavailable then that would be an availability breach and may not require notification. However if the hack may have allowed access to the user management then it is potentially a confidentiality or even integrity breach involving a risk to the rights and freedoms of the individual and which then must be notified to your national body and possibly the individuals concerned.

Each case will be unique and will require the Data Controller to be diligent.
"Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it." Thomas Paine

Webdongle
Joomla! Master
Posts: 44070
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Wed Dec 06, 2017 7:12 pm

mandville wrote:... under the GDPR this is free. and section 12 of their policy is worse.
But https://www.eugdpr.org/gdpr-faqs.html
If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective as to whether or not the UK retains the GDPR post-Brexit.
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.
They will have great difficulty fining a company that is solely outside of the EU e.g. USA for instance because what court would they prosecute the company in ?
What constitutes personal data?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Good luck to them policing posts on social networking sites :laugh:
The conditions for consent have been strengthened, as companies will no longer be able to utilise long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form
Definitions and legalese are important if it goes to court ... surely without specific definitions how can a court make a correct judgement ?
A regulation is a binding legislative act. It must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to decide how. It is important to note that the GDPR is a regulation, in contrast to the previous legislation, which is a directive.
Again ... enforcing it onto a company that is solely in a non EU country may prove difficult.
Will the GDPR set up a one-stop-shop for data privacy regulation?
The discussions surrounding the one-stop-shop principle are among the most highly debated and are still unclear as the standing positions are highly varied. The Commission text has a fairly simple and concise ruling in favor of the principle, the Parliament also promotes a lead DPA and adds more involvement from other concerned DPAs, the Council’s view waters down the ability of the lead DPA even further. A more in depth analysis of the one-stop-shop policy debate can be found here.
Another good reason to leave the EU and be subject to our laws not theirs.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

Webdongle
Joomla! Master
Posts: 44070
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Wed Dec 06, 2017 7:16 pm

abernyte wrote:As GDPR now makes notification mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals then registration is not the determining factor.

For instance if my hobby site with x number of registered users is hacked and rendered unavailable then that would be an availability breach and may not require notification. However if the hack may have allowed access to the user management then it is potentially a confidentiality or even integrity breach involving a risk to the rights and freedoms of the individual and which then must be notified to your national body and possibly the individuals concerned.
...
Only for sites of companies (or individuals) who are in an EU country ... non EU countries have no obligation to be subordinate to EU courts surely ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Joomla User Management and GDPR

Post by abernyte » Wed Dec 06, 2017 7:20 pm

It doesn’t matter whether you are based in an EU state or not – if your company (or individual) processes, stores or transmits personal data belonging to EU residents, then you will almost certainly be required to comply with GDPR. Enforcing the provisions is another issue entirely.
"Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it." Thomas Paine

Webdongle
Joomla! Master
Posts: 44070
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Wed Dec 06, 2017 7:39 pm

abernyte wrote:... Enforcing the provisions is another issue entirely.
Exactly the point I was making
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

michele654
Joomla! Intern
Posts: 71
Joined: Mon Apr 21, 2008 3:56 pm
Location: North Carolina

Re: Joomla User Management and GDPR

Post by michele654 » Wed Dec 06, 2017 7:59 pm

I'm looking at the "pseudonymisation" requirement, and how that might impact my registered users. Yes, their activity in Mosets is tracked by user id in the tables, but in the same database is the table that reconciles user id used in Mosets to personal data (Joomla user). Is there a way to anonymize this data that I'm not aware of? Has any CMS provided this ability to date?

What about the "Right to be forgotten"? Right now, Joomla provides no way for a user to remove their account. Or to even request that the account be closed. I can add a statement providing an email address to request account removal, but it would be nice if the user could take care of this themselves.

It would be nice if Joomla offered a "delete account" button in the Maintain Account screen. Yes there are 3rd party extensions, but I subscribe to the idea that the fewer 3rd party extensions the better, less risk, less monitoring, etc. This is such a basic part of user maintenance, if the user can create the account without a 3rd party extension, they should be able to delete it without one.

The rest I can deal with in the user registration process, with active consent, and legalese about requesting details, data, and removal.
-Michele

Dear God, I have a problem. It's me.

Webdongle
Joomla! Master
Posts: 44070
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Wed Dec 06, 2017 8:19 pm

@michele654
1. Do you sell to people in the EU ?
2. Are any registered users in the EU ?

#1 It is unlikely the EU would be able to stop you selling ... isn't it ?
#2 If you had a data breach it might well cost them more to prosecute you than they would get in fines wouldn't it ?
What about the "Right to be forgotten"? Right now, Joomla provides no way for a user to remove their account. Or to even request that the account be closed. I can add a statement providing an email address to request account removal, but it would be nice if the user could take care of this themselves.
Even if a user could delete their account (on many sites) they would not be able to delete all their tracks.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Joomla User Management and GDPR

Post by sozzled » Wed Dec 06, 2017 8:42 pm

Notwithstanding that the GDPR will affect Joomla websites created/hosted or serving people living outside Europe, there is one matter that I'd like to address.

The question of allowing people to delete their own accounts has probably been discussed before (and it's probably been done to death). Regardless of whether or not Joomla should provide a feature for self-deregistration or not, whenever user accounts are removed from a Joomla website this raises issues about how to handle content that was created by those accounts.

Content can be created on a Joomla website in a variety of ways: user-written articles, forum posts, weblinks, images (and shared image galleries), etc. If the accounts that create this content are simply removed from the website then what happens to that content and the ability of other accounts to view it or for the site administrator to manage it?

While I think the general principle of the less third-party extensions the better is generally agreed, the "standard Joomla website" is not all things to all people and that's why site administrators search for (and install) third-party extensions (especially templates) and some "essential tools" such as Akeeba Backup.

While the GDPR provisions will, undoubtedly, affect webhosting providers, ISPs and site owners and while, it seems, the general thrust of those provisions is aimed at protecting individual privacy, surely all websites should have a privacy policy that informs people, up front, of their rights before they register accounts? In other words, a lot of the responsibility for informing people of their rights lies with site owners and not with governments, webhosting companies, ISPs, open source software communities (e.g. Joomla, Wordpress and Drupal)—or even proprietary software companies that invest in this space—that are largely agnostic about what exists on the internet and who was actually responsible for putting it there in the first place.

In the same manner as "the standard Joomla website" is not all things to all people, neither, too, is the GDPR.

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Joomla User Management and GDPR

Post by abernyte » Thu Dec 07, 2017 11:27 am

I see that we have been reconvened in the basement.
"Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it." Thomas Paine

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Joomla User Management and GDPR

Post by abernyte » Thu Dec 07, 2017 11:38 am

A coterminous discussion is happening at present.
https://github.com/joomla/joomla-cms/issues/18160

We should all be interested in the report referred to by Brian.
"Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it." Thomas Paine

Webdongle
Joomla! Master
Posts: 44070
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Thu Dec 07, 2017 4:49 pm

And who is the expert he is referring to ?
Is it you abernyte ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Joomla User Management and GDPR

Post by abernyte » Thu Dec 07, 2017 5:01 pm

Me? In my dreams! Expert suggests money changing hands.

Sozzled's points regarding orphaned content are good ones though. It will be interesting to see if Joomla deals with this or if it is left to the "market" to solve.
"Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it." Thomas Paine

Webdongle
Joomla! Master
Posts: 44070
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Thu Dec 07, 2017 6:15 pm

abernyte wrote:...
Sozzled's points regarding orphaned content are good ones though. It will be interesting to see if Joomla deals with this or if it is left to the "market" to solve.
imho it would be simple enough for users to delete themselves from Joomla core ... article author could be replaced by a 'standard user'. (simple for anyone who can write the script safely). The problem would be if a site used a comment system that allowed quotes from other users ... the 3rd party extension would have to handle that. Perhaps users self deleting their account could be optional (default No) in Joomla so the webmaster could choose ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

michele654
Joomla! Intern
Posts: 71
Joined: Mon Apr 21, 2008 3:56 pm
Location: North Carolina

Re: Joomla User Management and GDPR

Post by michele654 » Thu Dec 07, 2017 6:44 pm

@webdongle
I don't sell goods or services to people in the EU, but GDPR guidelines add "or monitor the behaviour of" in there, which essentially covers my user registration and Mosets activity. My websites do deal with people in the EU, the parent company is in the UK, and our DPO has said that if there is a user from the EU, I have to follow GDPR. Since my user base is worldwide, I'll need to deal with it. Notwithstanding the practicality questions, the parent company doesn't want their compliance to be based on "it's too difficult to prosecute, so we'll ignore."

I agree with the issues of deleting users and orphaned content, I'm working out plans for that now. I reviewed the discussion on GitHub, and hope that it ends up reaching out to extensions, as the only user content is through Mosets. I have tried and tried to get to the GDPR working group link that is in that thread, I always get a 404. It would be nice to see what is coming for this, to be able to report up the line.

I'm also creating a privacy policy that makes sure I'm the one responsible, and not Joomla, for whatever happens, providing a process to request removal of information from our system, and create the procedure to do that thoroughly and efficiently. I do believe GDPR should be addressed in Joomla though, as so much of it could be done in the CMS and offered as features.

I'm going to do an email blast to all registered users requiring an active response to retain their login, ensuring we meet the "active consent" requirement for us to hold their personal information. For those that don't bother to respond, I will then go in and transfer any content that should be retained for those users to a generic user. I expect to lose up to 90% of my user base, I guess it's a good time to clean house.

I hope that Joomla might consider adding the ability for an active consent tick box to the user registration process, allowing the customization of the active consent statement by the website, along with "I have viewed the privacy policy and agree", etc. This could just be options and configuration in the Registration Form.


But no one has addressed the "pseudonymisation" requirement, which I don't see how I can accomplish without Joomla's assistance. The data at rest is in SQL tables, and a very brief look at extensions doesn't give me a way to encrypt/decrypt that data as it flows in and out of Joomla to the database. So visitor activity in Mosets, although separated from their PII by user id, is easily matched to their PII in the user table, which is in the same database... I have to assume that if the Mosets tables are compromised, the user table is also compromised. And I don't yet have a clue how to approach this without leaving Joomla, because I can't see how to do it in Joomla.


Just trying to muddle through...
-Michele
-Michele

Dear God, I have a problem. It's me.
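
One way to approach the pseudonymisation question raised in the post above, as an added example that is not part of the thread and is not Joomla or Mosets code: store a keyed pseudonym (HMAC-SHA256) in the activity table instead of the user id, and keep the key outside the database. The `users` and `activity` tables, the key and every row are constructed stand-ins; the unkeyed hash is included only to show why a plain hash of a small numeric id does not separate the two tables.

```python
import hashlib
import hmac
import sqlite3

# Constructed key for this demo. The point of the design is that the real key
# is kept outside the database (config file, environment, secret store).
DEMO_KEY = b"constructed-demo-key"


def unkeyed(user_id: int) -> str:
    """Plain SHA-256 of the id: looks opaque, but anyone can recompute it."""
    return hashlib.sha256(str(user_id).encode()).hexdigest()


def keyed(user_id: int, key: bytes = DEMO_KEY) -> str:
    """HMAC-SHA256 of the id: cannot be recomputed without the key."""
    return hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()


def build_activity_db() -> sqlite3.Connection:
    """Constructed stand-ins for a CMS user table and an extension's activity table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE activity (user_id INTEGER, listing TEXT);
        INSERT INTO users VALUES (42, 'Alice Example', 'alice@example.org'),
                                 (43, 'Bob Example', 'bob@example.org');
        INSERT INTO activity VALUES (42, 'listing-7'), (42, 'listing-9'),
                                    (43, 'listing-7');
    """)
    return db


def pseudonymise_activity(db, to_subject) -> None:
    """Rewrite the activity table so it holds a pseudonym instead of the user id."""
    rows = db.execute("SELECT user_id, listing FROM activity").fetchall()
    with db:
        db.execute("CREATE TABLE activity_p (subject TEXT, listing TEXT)")
        db.executemany("INSERT INTO activity_p VALUES (?, ?)",
                       [(to_subject(uid), listing) for uid, listing in rows])
        db.execute("DROP TABLE activity")


def linkable_rows(db, guess) -> int:
    """Activity rows that can be tied back to a users row using only the
    database contents plus the function `guess`."""
    lookup = {guess(uid) for (uid,) in db.execute("SELECT id FROM users")}
    subjects = db.execute("SELECT subject FROM activity_p").fetchall()
    return sum(1 for (s,) in subjects if s in lookup)


def activity_for_user(db, user_id: int, key: bytes = DEMO_KEY) -> list:
    """The application, which holds the key, can still answer per-user queries."""
    cur = db.execute(
        "SELECT listing FROM activity_p WHERE subject = ? ORDER BY listing",
        (keyed(user_id, key),))
    return [listing for (listing,) in cur]


def run_pseudonym_demo() -> dict:
    weak = build_activity_db()
    pseudonymise_activity(weak, unkeyed)
    strong = build_activity_db()
    pseudonymise_activity(strong, keyed)
    return {
        # Database contents alone are enough to re-link an unkeyed hash.
        "unkeyed_hash_linkable": linkable_rows(weak, unkeyed),
        # With HMAC, the same database contents link nothing without the key.
        "hmac_linkable_without_key": linkable_rows(strong, unkeyed),
        "hmac_linkable_with_key": linkable_rows(strong, keyed),
        "alice_activity": activity_for_user(strong, 42),
    }


if __name__ == "__main__":
    print(run_pseudonym_demo())
```

The separation only holds while the key stays out of reach of whoever obtains the tables; if the web server's configuration is exposed along with the database, the link can be recomputed.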

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Joomla User Management and GDPR

Post by sozzled » Thu Dec 07, 2017 7:11 pm

Webdongle wrote:imho it would be simple enough for users to delete themselves from Joomla core ... article author could be replaced by a 'standard user'. (simple for anyone who can write the script safely).
Well, perhaps but, as I wrote earlier, website content is not limited to people writing articles. In fact, the majority of Joomla content published on websites is not written by "ordinary" users. As I wrote earlier:
sozzled wrote:Content can be created on a Joomla website in a variety of ways: user-written articles, forum posts, weblinks, images (and shared image galleries), etc. If the accounts that create this content are simply removed from the website then what happens to that content and the ability of other accounts to view it or for the site administrator to manage it?
While it might be feasible to develop a process within Joomla to manage the expected orphaned website content left behind after a person self-deregisters, there's more to this than meets the eye. In any event, however, when people register at a website and create content—regardless of what that content may be or however it may be created—the question remains: what happens to that content after an account is removed? Further, what happens to replies/responses/comments made to that content?

I somehow doubt that something could be achieved to accommodate the hundreds of extensions that people install on websites to facilitate content creation/management in the event that the "owner" of that content were to be removed.

Typically, website content is not actually owned by the person who created it. The content actually belongs to the website and, as part of most sites' terms of use policies, the creator of the content assigns copyright/ownership to the owner of the website.

As I wrote before, the issues here are more about privacy and "protections" for individual people who feel that their personal safety may be at risk. While I have no real opinion about the GDPR per se—these rules do not apply to me anyway—it's interesting to see how the discussion will unfold. Cheers. 8)
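
The reassignment idea debated in the posts above (hand a departing user's content to a 'standard user' rather than leave it orphaned), as an added example that is not part of the thread and is not Joomla code. The tables, the `OWNER_COLUMNS` list, the placeholder account and all rows are constructed stand-ins; the last check shows the quoted-comment case, where the name survives inside other people's text.

```python
import sqlite3

# Every (table, column) that stores a user id. Constructed for this demo; on a
# real site the list has to cover core tables and every installed extension.
OWNER_COLUMNS = [("articles", "created_by"), ("comments", "author_id")]
PLACEHOLDER_ID = 1  # the generic 'standard user' that inherits content


def build_content_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT);
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, created_by INTEGER);
        CREATE TABLE comments (id INTEGER PRIMARY KEY, author_id INTEGER, body TEXT);
        INSERT INTO users VALUES (1, 'former-member', NULL),
                                 (42, 'alice', 'alice@example.org'),
                                 (43, 'bob', 'bob@example.org');
        INSERT INTO articles VALUES (1, 'Welcome', 42), (2, 'Opening hours', 43);
        INSERT INTO comments VALUES
            (1, 42, 'Thanks for reading.'),
            (2, 43, 'alice wrote: Thanks for reading. -- agreed');
    """)
    return db


def orphaned_rows(db) -> dict:
    """Rows per table whose owner id no longer exists in users."""
    result = {}
    for table, column in OWNER_COLUMNS:
        sql = (f"SELECT COUNT(*) FROM {table} "
               f"WHERE {column} NOT IN (SELECT id FROM users)")
        result[table] = db.execute(sql).fetchone()[0]
    return result


def delete_user_only(db, user_id: int) -> None:
    """The naive removal: drop the users row and nothing else."""
    with db:
        db.execute("DELETE FROM users WHERE id = ?", (user_id,))


def delete_account(db, user_id: int) -> str:
    """Reassign the user's content to the placeholder, then delete the account.
    Both steps run in one transaction. Returns the deleted username."""
    if user_id == PLACEHOLDER_ID:
        raise ValueError("the placeholder account cannot be deleted")
    row = db.execute("SELECT username FROM users WHERE id = ?",
                     (user_id,)).fetchone()
    if row is None:
        raise LookupError(f"no user with id {user_id}")
    with db:
        for table, column in OWNER_COLUMNS:
            db.execute(f"UPDATE {table} SET {column} = ? WHERE {column} = ?",
                       (PLACEHOLDER_ID, user_id))
        db.execute("DELETE FROM users WHERE id = ?", (user_id,))
    return row[0]


def residual_mentions(db, username: str) -> list:
    """Comment ids whose text still names the deleted user (e.g. quotes)."""
    cur = db.execute("SELECT id FROM comments WHERE body LIKE ? ORDER BY id",
                     (f"%{username}%",))
    return [cid for (cid,) in cur]


def run_deletion_demo() -> dict:
    naive = build_content_db()
    delete_user_only(naive, 42)
    safe = build_content_db()
    name = delete_account(safe, 42)
    owners = safe.execute("SELECT created_by FROM articles ORDER BY id").fetchall()
    return {"naive_orphans": orphaned_rows(naive),
            "safe_orphans": orphaned_rows(safe),
            "article_owners": [owner for (owner,) in owners],
            "still_mentioned_in": residual_mentions(safe, name)}


if __name__ == "__main__":
    print(run_deletion_demo())
```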

Webdongle
Joomla! Master
Posts: 44070
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Thu Dec 07, 2017 7:17 pm

I hope that Joomla might consider adding the ability for an active consent tick box to the user registration process,
There is ... admittedly it's in the user Plugin not the main registration page but it is in Joomla.

As for 'pseudonymisation' https://iapp.org/news/a/top-10-operatio ... ymization/ makes no sense to me. It sounds like a lot of waffle that has no real meaning.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Joomla User Management and GDPR

Post by abernyte » Thu Dec 07, 2017 7:17 pm

@michele
I do not believe that this legislation is designed as a stick to beat the hard pressed web admin or Joomla with.

You are expected to put into place comprehensive but proportionate governance measures. The regulation advises that if the admin can show that they had considered the threats and/or the privacy issues then applying the fullest range of privacy techniques to a minimal dataset would not be required.
If you only store name and email and identifier as the personal data then, IMCO, pseudonymisation is not needed. It is not a requirement of GDPR only a recommendation in certain cases.

Compliance can be tailored to the data set and the risks to it - no one size fits all here. Perhaps you shouldn't set your bar so high. You will be ahead of many an organisation already, I would wager.
"Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it." Thomas Paine

michele654
Joomla! Intern
Posts: 71
Joined: Mon Apr 21, 2008 3:56 pm
Location: North Carolina

Re: Joomla User Management and GDPR

Post by michele654 » Fri Dec 08, 2017 3:00 pm

Explained the data encryption issue and how it relates to pseudonymization of the user's Mosets activity, and he agreed that as long as we researched it, and can reasonably show that it's not possible without extreme measures, we're good.

Still hoping for an active consent tick box at user registration...
-Michele

Dear God, I have a problem. It's me.

Webdongle
Joomla! Master
Posts: 44070
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Fri Dec 08, 2017 3:20 pm

michele654 wrote:...
Still hoping for an active consent tick box at user registration...
https://issues.joomla.org/ make a suggestion there
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

michele654
Joomla! Intern
Posts: 71
Joined: Mon Apr 21, 2008 3:56 pm
Location: North Carolina

Re: Joomla User Management and GDPR

Post by michele654 » Fri Dec 15, 2017 1:30 pm

Suggestion made, I hope correctly. Thanks for everyone's input and help!
-Michele

Dear God, I have a problem. It's me.

Webdongle
Joomla! Master
Posts: 44070
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Fri Dec 15, 2017 2:58 pm

Link please
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

michele654
Joomla! Intern
Posts: 71
Joined: Mon Apr 21, 2008 3:56 pm
Location: North Carolina

Re: Joomla User Management and GDPR

Post by michele654 » Fri Dec 15, 2017 4:46 pm

-Michele

Dear God, I have a problem. It's me.

mfleeson
Joomla! Apprentice
Posts: 9
Joined: Wed Jul 21, 2010 8:18 am

Re: Joomla User Management and GDPR

Post by mfleeson » Mon Jan 15, 2018 6:15 pm

I've been looking into applying GDPR restrictions across our websites and the biggest issue I think Joomla site managers will have is proving active consent. According to GDPR all registered users who have given us recognisable identifiable information must also have given 'Consent' to us storing and processing it. I'm currently putting the final stages to a component that can be installed that checks if the logged in user has given consent and if not redirects to an article explaining why we need them to click the checkbox!

[ redacted ]


Best Wishes

Mark
Last edited by toivo on Wed Jan 17, 2018 8:34 am, edited 1 time in total.
Reason: mod note: self promotion redacted

