I've had trolls whom I had banned from online forums attempting to use GDPR as a tool for trolling me (with the chore of gathering all data, but I already had an API that did this). And then attempting to use it to gut forums by claiming several identities and requesting deletion of all comments (try and imagine HN if comments by patio11 were deleted throughout).
On the forums I run email is the only identifying property and in my case the trolls (2 of them I think) were unable to sign in as the users in question, so I have refused to recognise the request (and then had the threats of legal action... but what else can one do if someone cannot prove their identity?).
I was wondering about a catch-22 where someone misbehaves, then gets banned, cites GDPR and demands their data be deleted (they can do that, right?)... and signs up again later with the same data... wash, rinse, repeat...
IANAL. I think you can't store raw email without user consent. It is personal data one wants to be forgotten. However you can keep pseudonymised data [0] [1]. E.g. just keep MD5/SHA hash of the email string.
Your right to be forgotten is not absolute, but instead balanced against the business's interests: you can process personal data without consent when you have a legitimate interest in doing so. Recital 47 of the GDPR states: "the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned". Storing a hash is likely a better practice for mitigating the damage of a data breach, though you have to process the raw email to get and compare hashes either way.
Hopefully that means you could keep some data like an email address that is key to creating an account to prevent abuses or duplication or other things.
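One way to build the pseudonymised ban list these comments describe, written here as an added example rather than code from anyone in the thread. The `Forum` class, the `BAN_LIST_KEY` value and the sample addresses are all constructed for illustration. It uses an HMAC with a server-side key instead of a bare MD5/SHA of the address: a plain hash of a low-entropy input like an e-mail address can be matched by hashing guessed addresses, so the key is what keeps the token unlinkable to anyone who obtains the list without it. It also covers the catch-22 raised earlier: the raw address is erased on request, but the token survives, so the same address cannot simply sign up again.

```python
import hashlib
import hmac

# Constructed example key: in a real deployment this comes from a secrets
# manager and is never stored next to the ban list it protects.
BAN_LIST_KEY = b"constructed-example-key-do-not-use"


def normalise_email(email: str) -> str:
    """Canonicalise so that case and surrounding-whitespace variants match."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address")
    return f"{local.lower()}@{domain.lower()}"


def email_token(email: str, key: bytes = BAN_LIST_KEY) -> str:
    """Keyed pseudonym for an address (HMAC-SHA256 over the normalised form).

    Without the key, a hash over guessable input is reversible by guessing;
    with it, holding the ban list alone reveals nothing about the addresses.
    """
    msg = normalise_email(email).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Forum:
    """Hypothetical forum: accounts keep the raw address (needed to log in and
    to answer a data request), the ban list keeps only keyed tokens."""

    def __init__(self, key: bytes = BAN_LIST_KEY) -> None:
        self._key = key
        self.accounts: dict[str, dict] = {}      # normalised e-mail -> record
        self._banned_tokens: set[str] = set()

    def register(self, email: str, display_name: str) -> bool:
        addr = normalise_email(email)
        if self.is_banned(addr):
            return False                         # banned address cannot re-register
        self.accounts[addr] = {"display_name": display_name}
        return True

    def ban(self, email: str) -> None:
        self._banned_tokens.add(email_token(email, self._key))

    def is_banned(self, email: str) -> bool:
        return email_token(email, self._key) in self._banned_tokens

    def erase(self, email: str) -> bool:
        """Honour an erasure request: the raw address goes, the ban token stays."""
        return self.accounts.pop(normalise_email(email), None) is not None

    def stores_raw_address(self, email: str) -> bool:
        """True only if the raw address still exists somewhere in the forum's data."""
        addr = normalise_email(email)
        return addr in self.accounts or addr in self._banned_tokens


def demo() -> dict:
    """Ban, erase on request, then see whether the same address can return."""
    forum = Forum()
    forum.register("Troll@Example.com", "troll")
    forum.ban("troll@example.com")
    forum.erase("troll@example.com")             # erasure request honoured
    return {
        "raw_kept": forum.stores_raw_address("troll@example.com"),
        "re_signup": forum.register(" TROLL@example.com ", "troll2"),
        "other_signup": forum.register("alice@example.com", "alice"),
    }


if __name__ == "__main__":
    print(demo())
```

The token is computed only at the moment a sign-up or login supplies the raw address, which is the point the comment above makes: the address has to be processed to compare, but it does not have to be retained. Rotating the key invalidates the whole list, so treat key rotation as a deliberate operation rather than a routine one.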
Does signing in really prove identity? What happens if I share accounts with someone else (against TOS potentially) and one person then abuses GDPR to dox the other person? GDPR seems so poorly thought out.
Right now most forums are pseudonymous, which has its own considerations in the GDPR. They also don't require personal data other than the email, which is required to log in, so if someone logs in, it means they already had access to that data by some other means. And data that's made public by the user, which they could ask you to remove, but can't claim that you made it available without their consent.
Forums which collect other personal data, like maybe date of birth, and allow it to remain hidden... those might have a problem, depending on the sensitivity of the data, but still, if you shared the account details with someone, it seems to me difficult to claim that the forum and not the user is the one responsible.
> if you shared the account details with someone, it seems to me difficult to claim that the forum and not the user is the one responsible.
I kinda wanted to make a larger point on how, even if someone logs in to your service, you don't know who you are talking with and might be going against the wishes of the owners of the account, which would be unethical if you haven't previously obtained their informed consent to do so.
Here are scenarios under which third parties might try to unethically obtain access to your user's data, perhaps as you described by logging in or via some other means:
1) PC gets hacked and owner loses control over their email. It's easy for a hacker to replace the password and log in. You can't blame the user for the shitty state of this industry when it comes to security. You are talking to a hacker.
2) SIM card is cloned via social engineering and passwords changed if email is improperly secured. You are talking to a hacker.
3) People share computers. Persistently logging out from websites on spouse's computer seems shifty. You are talking with a family member.
4) Not all people agree or understand that for some services people shouldn't share accounts. You can't know which pieces of data belong to whom so you can't give it out. It's also unreasonable to demand from all services to require each account to be used by only one person just for the sake of GDPR to be workable. You are talking only to one user.
5) People trade accounts. It's unethical to give data to a new owner if previous owner wasn't aware of what data you store. You are talking only to the newest owner.
6) People can be forced to sign in to their accounts. You are talking with an abuser.
In all these cases I think it isn't ethical to reveal data that couldn't already be accessed by normal means. It seems to me that GDPR, ironically, weakens users' privacy.