Excuse how long this post is going to be. My original post was intended to highlight that certain caveats should exist, the shape of those caveats is the fine line between ensuring confidentiality/sensitivity without unduly withholding information from users. Different companies have different policies. Riot Games provide three months of chat logs and report history. Activision Blizzard keeps much longer logs in terms of report history. Riot therefore provides three months of history, Blizzard provides years. Here is an example of forum moderator considerations:
https://blog.vanillaforums.com/communit ... ity-forums
Riot Games are known for using automated reporting tools to scan chat logs so employee discussion of users is rarely carried out by a Riot employee. The same goes for Facebook and YouTube. Even appeals or reports meant to be made at "humans" go to automated systems. In many ways comparing Chatlands to larger corporations is apples to oranges as Chatlands has little to no automation. You need to therefore look into more manually-orientated case studies on how data should be retained and published to those who request it. I've included an example below. While it is not specific to forum moderation/chat moderation per se the principles are the same in the case of Chatlands moderation as a whole.
The problem Chatlands has, which is a conversation that has been had before, is that discussions about users are not tagged to specific accounts in an isolated way. Chatlands discussions are scattered via forums different means thus making data more difficult to collate.
Companies are taking a more and more automated approach to reporting to cut costs and to avoid wide ranging GDPR requests being a problem. GMs for Activision Blizzard rarely collaborate with one another, that is evident by how broadly they process the same report from various users. Anecdotal evidence has been seen over the years that consistency within Activision Blizzard support exists and that is likely due to a lack of collaboration when it comes to handling user tickets. They will have set processes in place, guidelines for how much leeway they can provide and a supervisor/manager who oversees their report handling. Reports are maintained on user accounts and not within a forum as they are on Chatlands. Blizzard are a company that seems to have more human intervention than companies such as Facebook or YouTube.
Facebook and YouTube do have human moderation. I've never seen an example of a GDPR request for someone with human intervention from Riot or Blizzard as my accounts don't have that type of information tied to them. Riot interestingly shows aggregate report history including reports made and received about a user. I cannot provide full information of what reports received looks like as I have no reports against my Riot account to look at. The fact that Riot includes both received and sent reports should indicate that maybe Chatlands should include that. How an admin receives the report does not matter as Chatlands is a more scattered ecosystem. The point is that they are received and thus should be reported on. I've seen the reports that come through from Riot, they include the entire chat log from a match or lobby made by the reported user. They do not release who reported it. They do however release all reports, whether they are found to be punishable or not.
Chatlands could take a similar approach "received following report on X date [insert logs] after discussion user was given a warning/ban for X days/weeks/months/permanent".
https://support-leagueoflegends.riotgam ... count-Data
Your Summoner name, username, and server
The phone number attached to your account
Your registered date of birth
Aggregate report history, including reports made and received from the last 3 months (or the past 100 games, if you’ve played more than that in the last 3 months)
In-game chat logs for the last 3 months (or the past 100 games, if you’ve played more than that in the last 3 months)
Login history for the last 3 months
Player Support ticket history
Account modifications for the last 3 months
All store transactions (skins, champions, etc.)
All monetary (RP) purchases
Discord
Discord absolutely should be mentioned as a platform you willingly share user information to. Information on Discord is arguably within Discord's privacy policy but they act as a data processor for Chatlands, as well as a data controller. Discord controls the personal data submitted by users to their platform, but you ask them to process private information when posting user information to their platform. Joint-controllers exist as a concept.
https://www.highspeedtraining.co.uk/hub ... rocessors/. This has been done without fully informed user consent at present. If user logs or IP addresses or any identifying personal info of a user is sent to Discord, it should be declared as a data processing platform.
https://www.blizzard.com/en-gb/legal/8c ... 2232422245 Blizzard make it very apparent in their privacy policy that they share information to other platforms. They detail where data is stored. Note how they state it is stored at Blizzard Entertainment, Inc. This is likely due to Blizzard using applications within internal instances on their California-run servers:
With partners and service providers. Blizzard may provide information to its vendors, consultants, marketing partners, research firms and other service providers or business partners. For example, we may provide information to such parties to help facilitate event ticket sales, conduct surveys on our behalf and process payments for our products and/or games. We share some of our players’ game data with our community of developers, who create applications and websites that benefit our player community. You may opt out of having your game data included in this program by opting out of game-data sharing in the Privacy section of your Battle.net account.
With subsidiaries and affiliates. We share information with our subsidiaries and affiliates to help us provide our services or conduct personal information processing on our behalf. For example, Blizzard processes and stores information at Blizzard Entertainment, Inc. in the United States.
IP Addresses
Other websites that are GDPR compliant routinely use IP addresses for administrative purposes. To the best of our knowledge, the Chatlands privacy policy covers its use of IP addresses and is in compliance with GDPR.
My original post did not refute the usage of IP addresses but did point to IP addresses being considered personal data. As seen above, IP addresses are included in requests for personal data by other providers. That was why I mentioned IP addresses in my original post.
Confidentiality of natural persons vs a data processor
As I stated originally: Data can be anonymised where appropriate/possible (omitting who said what but not what they said). If a user is reported and then an admin discussion occurs regarding what disciplinary action they should face, the exact posts should arguably be included within a GDPR report as it's data about a user. It depends on the content of the post. If an admin posts a huge write-up linking several accounts together to decipher a ban hop, that user really should be privy to that information as it pertains to them, their account and they may be able to refute the evidence attributed to being theirs. One could argue that including and anonymising every single post from an admin thread would be an unreasonably large request for Chatlands, therefore a high-level view of posts, including key "fact finding" posts would potentially be more appropriate.
This would require legal advice from a governing body to confirm. I have only acted in a capacity for a larger body where we can enact automated data scraping techniques with sanity checks at the end. Chatlands is a different beast in that regard. A governing body may be able to provide more information on what would be deemed appropriate for Chatlands.
Aggregated reports could be as simple as "three counts of a vote for a week long ban and two counts of a vote for a one month ban" or it could be the posts with data on who made the post omitted. Hence my caveat of "well under GDPR admin discussions are not strictly entirely 100% confidential". Users do not have the right to know who posted it, they do not have the right to know who replied with thoughts. They do have the right to know what those logs are. Users have the right to know what they have been investigated for in the past. If you opt to have indefinite holding of information, under GDPR you have to be willing to provide indefinite timelines of data publishing.
GDPR is not meant to harm a data processor by identifying them as a natural person thus, as said many times, omitting who said what and any identifying information would be well within the scope of GDPR laws. Posts which make it obvious who posted despite anonymising of data would also be appropriate to omit.
A good example is how the law considers things such as disciplinary files would be HR files:
https://www.breathehr.com/en-gb/blog/to ... s-requests
You must provide all the personal data that you hold about the employee who is making a SAR, including anything held in an HR system, on paper, in spreadsheets, email correspondence and every other type of record.
The scope of a SAR is far reaching and includes emails that refer to an employee, their performance reviews, job interviews, payroll records, absence records and any information about disciplinaries.
The data must be provided free of charge to your employee.
All data must be provided to an employee in a secure format. If you provide the data electronically, it needs to be password protected.
Data must be provided in an easily accessible format.
The data needs to be easy to read and understand.
Businesses must now respond to SARs within 30 days (it was previously 40).
SARs no longer have to be made in writing. Employees are free to make requests as they see fit and this includes a verbal request.
I've seen a full GDPR compliant HR file in the past while assisting with a constructive dismissal case, they genuinely do contain a wide range of communications discussed about an employee being investigated. Signatures, tos, froms and CC fields were redacted. Meeting minutes without the person being investigated being present were also included. Those involved in HR discussions retain their privacy from their names being redacted.
Private informal thoughts about someone are protected due to them being considered the thoughts of a natural person, but data as it is processed during a report proceeding would not. There's a difference between private thoughts and thoughts pertaining to the investigation of a user's conduct. There is a fine line between wanting to protect admins and moderators from voicing frustrations and withholding user data. A good example would be complaints sent to you privately. As the data controller, reports you receive are considered under GDPR to still be complaints. If they are complaints about an identifiable individual, they are subject to GDPR requests. Again anonymising of data is appropriate to protect those who reported the incident. It would however be inappropriate for you to deny the contents of the report or said report's existence. Other platforms publish reports they receive, as outlined above in my example from Riot Games. Chatlands is obliged to do the same.
The method in which you receive the report does not matter. If a data processor or data controller acting on behalf of Chatlands receives a report about a user, the user has a right to know under a GDPR request.
Public vs Private
Even in Google and Facebook, where they have automated archives for user data access requests, it never returns logs where other individuals are discussing your account.
Public posts on Facebook have been fair game for years, prior to GDPR. Publicly made logs on Chatlands are kept hidden. When I stated that logs from other users should have a caveat, this is what I was referring to. Publicly posted logs are publicly posted logs. If done in private then they are considered private thoughts. I can search for various terms on YouTube to see if comments containing usernames exist publicly. I didn't at any point name genuine private conversations as being the target of a GDPR request.
With of course the caveat of when someone is acting as a data processor.
Facebook has a place to view posts that a user has been tagged in. We as Facebook users can search our names and find all public posts which mention our names, they may not even be posts about us, just someone with the same name. When it comes to private groups that adds a level of obfuscation and becomes "private thoughts". Facebook is also a sort of terrible example of GDPR compliance
https://www.bbc.co.uk/news/articles/cp9yenpgjwzo . They have in recent months been quoted as trying to resist Europe's attempts to maintain user privacy laws. Going so far as threatening to pull out of Europe entirely as a provider
https://www.exchangewire.com/blog/2022/ ... h-us-ends/. The EU met their threats with an "OK go for it then." Facebook has been considered to be a company skirting the fine line of GDPR since its inception.
Closed Facebook groups have been used in the past to hide attempts at harassment, those groups get removed by Facebook. It would still be a user's legal right to know what information was posted about them in a private group if they became aware of said group. They may only be told the specific information or specific mentions of their name with no other context.
The facility to remove tags manually has existed for years. It removes the tags entirely and no longer links back to a specific profile page, thus anonymising the data as it could belong to anyone of a specific name. Depending on where the tag is, the user's name can be completely omitted from a post. The ability to have photographs, posts and videos removed for having personal likeness in them has also existed for years.
Private messages between two people can fall under the category of communications as a "natural person" but it depends entirely on the context.
https://law.stackexchange.com/questions ... opean-gdpr
This Regulation does not apply to the processing of personal data: ...
(c) by a natural person in the course of a purely personal or household activity; ...
Private messages between two users would be purely personal by natural persons, however publicly posted logs would not be considered private data. They have chosen to make said communication public and thus it should be distributed when requested. That is why Facebook allows for such public searching of posts. You can also search YouTube comments from users/based on words.
If two moderators have a discussion about user conduct in the forum, that's not purely personal. That's data processing of a specific user. It is very important under GDPR laws to strictly define and understand when a moderator is acting as a data processor and when they are acting as a natural person.
Yes we are not employees but Chatlands essentially has "moderator files" on users. Disciplinary discussions about users do take place in a format where data retention is indefinite. Moderator threads are the online forum equivalent of a HR file. I understand the need for confidentiality but forum moderation really skirts the edges. Moderators do not act as a natural person when moderating Chatlands, they act as data processors.
Regarding the concern about admin discord conversations as related to GDPR compliance, this is not the way this law works.
In this situation you do not understand the law. I've acted as a data processor in the UK since before GDPR laws came into effect. In this situation I do know more than you and I have posted evidence above to support that fact.
12 months prior to GDPR coming into play I had to undertake training to understand the full scope of the legislation.
Pretty much everyone who is employed in the UK acts as a data processor in their line of work. This is not something that makes me particularly special but it does make me more familiar with the law than you are. To state that a law does not work in a certain way shows your ignorance in this matter. Everyone in the UK has to work with GDPR in mind as it's a law that affects everything. From Uber Eats drivers to dog groomers. We all have to act with GDPR in mind. Whether people do is an entirely different matter.
If you, the overseers or any Chatlands administrator is willingly posting user information to another platform, you must be prepared to collate that information upon request.
Discord has not collected that information about the person, you have and you have posted it to Discord. If it is seen as a "formal" platform for communication of administration, it comes under scrutiny. The same as for the forums. Dumping something into a system is still dumping something into a system, be it a forum or third-party service. Part of the collating process should be skimming mentions of users in Discord and at a minimum disclosing that their information has been posted to Discord at some point, ideally with all the information posted with appropriate anonymising of who posted it.
To put it into perspective, at work we have in the past been asked to scrape our emails and internal communications software for mention of a natural person off the back of a GDPR request.
Within my job I also act as a natural person, it's important to understand the difference between those two concepts and when they come into play.
An example of compliant GDPR behaviour:
1) Colleague A contacts me via our internal approved communications system with information about a problem relating to our environment. This is an approved method of communication laid out by our employer as a method of communication. The communications have a retention policy and we are made fully aware that data pertaining to a client or our line of work may be monitored and collated if requested.
2) Colleague A and myself have a voice call via our approved communications system. During the call we discuss the fact that colleague A is going through something personal and we talk about what it is they are going through. It is not a discussion relating to work or our jobs and is a purely private conversation. At this point we are acting as private individuals on a company-run system. Our company is allowed to record/retain said conversations under UK case law. The company would not be allowed to publish private/personal conversations between myself and a colleague that did not pertain to the company in question.
3) Our client has made a demand for a specific window of an emergency deployment. We cannot resource the window due to absences within the team. The client cannot request a reason as to why or who is unavailable due to absences.
An example of non-compliant behaviour/behaviour that does not fall within the scope of GDPR:
1) Colleague A contacts me via Facebook Messenger with information about a problem relating to our environment. This would be a direct breach of GDPR guidelines. We would be discussing a non-personal matter and thus would not be considered as acting as a natural person. We would be acting as data processors in a non-compliant/approved environment.
2) Colleague A contacts me via personal email with some property listings to get my thoughts on his next investment opportunity. He asks for my opinions. Our work would have no legal ground to monitor these communications and they would be private communications between the two of us. No one outside of me, my coworker and the email provider(s) we use would be privy to these conversations.
3) I submit a request to my boss requesting holidays via our work's email system. My boss approves the leave request. This request would not be considered data for myself, my boss and my employer to be privy to. While I do work for specific clients, they would not be privy to such a conversation as it pertains to me as a natural person and includes my private data.
That's the difference.
Am I saying that all administrator conversations should be posted? No that was not ever laid out as being a concept. I am happy to work with you on this to make Chatlands as compliant as possible as quickly and painlessly as possible. It would not take much and it would not require a knee jerk reaction to dismantle long standing Discord servers and methods of communication that admins are comfortable with. It's basically a game of checks and balances.