On May 25th, 2018 the European Union's General Data Protection Regulation (GDPR) comes into effect. In this article we will explain what changes it brings with regards to our services and our software.
The EU GDPR requires us to automatically and irreversibly delete inactive user accounts. If you have not logged in to our site in the past 18 (eighteen) calendar months we will be legally obliged to delete your account on Friday, May 18th, 2018. The deletion is automatic and IRREVERSIBLE: we are not allowed to keep any copy from which your user information could be restored.
If you want to prevent your account from being deleted you simply need to log in to our site. You DO NOT have to make any purchase WHATSOEVER. All accounts which have EITHER been logged in to within the last 6 months (18 months during the initial phase-in period described below) OR have one or more active subscriptions are exempt from automatic account deletion.
Please don't send us angry emails saying that we are terrible people for deleting your user account without asking you, or that we are extorting you into making a purchase. Again: a. the account deletion is required BY LAW (on penalty of a fine of up to twenty million Euros) and b. you ABSOLUTELY DO NOT need to purchase anything to keep your account active and prevent its deletion; you just need to log in AT LEAST once every 6 months.
Unfortunately we cannot exempt you from the account deletion policy even if you ask us to. The law does not give us that option.
The GDPR is legislation designed to promote a privacy-first approach to handling your personal data, with more transparency and a way to reasonably exercise your data rights. While it formally protects people who are in the European Union, we consider it better to provide the same level of treatment to everyone. Not only is it simpler for us (we cannot reliably know where you are or what your nationality is, to begin with) but we also care deeply about your privacy and security.
First and foremost, you will see that our Privacy Statement and our Cookies Policy are now separate documents from our Terms of Service. However, accepting the whole lot is still required to use our services. The Terms of Service state that the Privacy Statement and our Cookies Policy are integral parts of the Terms of Service.
Per the GDPR you now have to give your explicit consent to us processing your personal information. That's a fancy way of saying that you let us give your invoicing information to the tax authorities and to our accountants and auditors, and let our staff (who are technically subcontractors) provide you with support. Starting May 19th you will need to indicate your consent if you subscribed before April 2018 or do not have an active subscription with us. You can withdraw your consent at any time, but we won't be able to provide any of our services to you until you give your consent again. Managing (and revoking) your consent is possible after that date. Read the "Exercising your Data Rights" section below for more information.
Cookies can likewise be rejected, including the login / session cookie of our site. If you reject cookies you will not be able to log in to our site and we will not be able to provide you our services, through no fault of ours. We might revise this policy in the future, since a strictly necessary cookie such as the login cookie does not require consent; it's just that the third party extension we currently use does not have that option. Most importantly, in practice rejecting cookies just disables Google Analytics: apart from the login / session cookie we don't use any other cookies on our site as of the time of this writing. Check the Cookies Policy for the most up to date information. Cookie consent can be given and revoked at any time. Look at the bottom of every page of our site for the controls.
Finally, the GDPR mandates data minimization. That's a complicated way of saying that we must delete your information when we no longer have a reasonable business use for it. This means that we will delete your data profile 6 months after your last subscription expires or after you last logged in to our site, whichever comes later. This is a legal requirement. As a courtesy, and to prevent any issues, we will send an email to the address we have on file for you a month before we delete your user account. You DO NOT have to buy a subscription or otherwise pay us to keep your data with us. You can very simply log in to your user account with us at least once every six months. Please note that emails will NOT be sent to the first batch of users who have not logged in during the past 18 months, who will be deleted between May 17th and May 25th, 2018.
Since profile deletion is permanent and irreversible we are going to phase in the shorter retention period over time. We will start with an 18 month cutoff period (instead of 6 months) until September. Then we will reduce it to 12 months. In January 2019 we will reduce it again to 6 months. Please DO NOT email us asking us not to delete your user account, or why we deleted your user account. If you want your user account to not be deleted just log in to our site. If your account is deleted it's because we are legally required to do so and no, we cannot reinstate your account because we no longer have your data and we are not allowed by law to restore it anyway. If you do send us an email we will point you back to this page, since there are only so many ways this can be put into words. Yes, we do understand that for the average client this is horrible and will lead to frustration, but no, we cannot ignore the law. The highest fine for ignoring the GDPR is 20 million Euros, which is far higher than our total company income since we started writing our software in October 2006.
Starting May 19th, 2018 you are able to exercise your Data Rights using our self-service Data Processing Options page. You can get to that page in the following ways:
Kindly note that you must be logged in for the link to work. We DO NOT keep personal information for any natural persons who do not have a user account on our site. As a result, all your personal information is linked to your user account. For obvious security and privacy reasons you need to log in to our site to verify that you are in control of the user account you are trying to manage Data Processing Options for. If you cannot log in to your account use the "Forgot my username" and "Forgot my password" links on our site. If you can log in but cannot get past your account's Two Step Verification please use the Contact Us page to request our assistance.
The following data rights are available from that page:
Keen readers may have spotted that the rights to rectification (amendment) and objection are not mentioned. Your right to rectification has always been exercisable through the My Profile link on our site; it's at the top of every page once you log in. The right to object does not apply in the context of our relationship, in our reading. Your invoicing information is required to be transmitted under tax laws, which override the GDPR's privacy provisions. Security logs are processed on the basis of our legitimate interest in keeping the site secure. The information you send us in tickets or contact requests is processed only under active consent. Therefore there is no case where an objection has reasonable grounds.
As a further clarification, we'd like to note that emails and any off-site communications are deleted immediately after we conclude our communication (typically: after we send you a reply). We do not keep any copies. Please keep in mind that from May 25th, 2018 onwards we will NOT consider email or other off-site communications as binding us in any way whatsoever: since we are not allowed to keep copies, we cannot keep a permanent audit log of such communications, which renders them effectively off the record. This includes the Contact Us page, which simply sends us an email. If you want to conduct communication which is official and binding you MUST tell us in advance and explicitly waive your right to be forgotten in the strict scope of that particular communication.
Moreover, we'd like to remind our users and clients that, should you email us or otherwise ask us to manually exercise your data rights on your behalf, you will be asked to use the Data Processing Options self-service page. You will also receive a link to this document. This is for your own security and privacy. We do not have the know-how or technical means to verify identities off-line. We can only trust that if you know the login credentials of a user account you have the authorization to manage the Data Processing Options for that person. That's why we ask you to log in.
Let us reiterate that we DO NOT keep personal information for people who do not have a user account with us. Do not ask us for information regarding a non-user; we have none. If you do, you'll just get a link to this page.
Moreover, we cannot divulge who is or isn't a user, whether a user account exists, or confirm any property of a user account. If you send us a request about a non-user, or about the existence and / or properties of a user account, you will be pointed to this page without further reply. We do this to protect your privacy and security.
Disclaimer: this is not legal advice; we are not lawyers. If you are unsure or have questions about GDPR compliance please consult a qualified lawyer.
In the following paragraphs we will discuss how the information collected by our various software, installed both on our site and, most importantly, on your sites, affects the GDPR compliance of the site where it is installed.
All of our software comes with an opt-out feature called "Usage statistics". It very infrequently (at most once a week) sends anonymous information to our statistics collection site (abrandnewsite.com). This information consists of a unique, random ID which cannot be attributed to a real person, and the versions of our software, PHP, MySQL (or other database) and Joomla / WordPress (as applicable) that you are using. We use this information to see how many people use obsolete versions of PHP, database software and Joomla / WordPress. In turn, this lets us determine when to drop support for obsolete software.
Since this information is truly anonymous it does not fall under the GDPR. If you do not want to send this information to us you can go to the Options or System Configuration page of our software and disable the Usage Statistics Collection feature. Kindly note that doing so means that you no longer have any reasonable grounds for protesting when we drop support for the version of PHP, MySQL, Joomla, WordPress etc. you are using. Our decisions are based on the usage statistics we collect. If you remove yourself from the pool of data points we can't take into account what you're using. It should be obvious, but it never hurts to put it into simple and clear words, just in case.
Backups, by their nature, keep a verbatim copy of the entire site, including personally identifiable information. We recommend that you use the JPS (Encrypted Archives) format with a strong password and / or store the backups on an encrypted disk, to comply with the GDPR's requirement for implementing appropriate technical measures against data leaks. Ideally, the JPS password should not be stored in the database. Instead, you should pass it as a command line parameter to the CLI CRON script that runs the backup. Keep in mind that command line arguments are visible to every local user through ps, so on a shared server it is safer to supply the password from a file readable only by the account running the CRON job. If you are not using the CLI CRON script then at the very least make sure that you only ever access your site through HTTPS, to protect the JPS password from eavesdropping.
Storing backups is not illegal and no, you don't have to go back to all your backups and delete personal information whenever someone asks you to delete their profile on your site. You must, however, keep an audit trail of profile deletions and replay it after restoring from a backup. In other words, after restoring an older backup make sure you delete the information of the people who asked you to delete their personal information between the date you took the backup and the date you restored it. For this reason it makes sense to keep automated daily backups: the more recent the backup, the fewer deletions there are to replay after a restore.
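As an added illustration of the audit trail and replay described above (this is example code written for this article, not the compliance software mentioned later on or any Akeeba product), here is a minimal erasure log and the replay step that runs after a restore. It assumes a user table keyed by user ID, an append-only log of (user ID, timestamp) pairs that is kept outside the backed-up database, and the timestamp of the backup being restored; the type names, function names and sample records are all constructed for this example. Rather than deleting rows it anonymizes them in place, so that invoices, tickets and download records that reference the user ID stay consistent.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// User is a minimal stand-in for a CMS user record (constructed for this example).
type User struct {
	ID    int
	Name  string
	Email string
}

// Erasure is one entry of the append-only erasure audit log. It records only the
// user ID and when the erasure happened, never the erased personal data, so the
// log itself is safe to keep outside the backup set.
type Erasure struct {
	UserID int
	At     time.Time
}

// Anonymize scrubs the personal fields of a user in place. The row and its ID are
// kept so that invoices, tickets and download records referencing it stay valid.
func Anonymize(u *User) {
	u.Name = fmt.Sprintf("deleted-user-%d", u.ID)
	u.Email = fmt.Sprintf("deleted-%d@invalid", u.ID)
}

// ReplayErasures applies every erasure logged after backupTime to the restored
// user table. Entries at or before backupTime were already applied when the
// backup was taken and are skipped; entries for users missing from the backup
// are ignored. It returns the IDs that were re-anonymized, sorted.
func ReplayErasures(restored map[int]*User, trail []Erasure, backupTime time.Time) []int {
	var replayed []int
	for _, e := range trail {
		if !e.At.After(backupTime) {
			continue
		}
		if u, ok := restored[e.UserID]; ok {
			Anonymize(u)
			replayed = append(replayed, e.UserID)
		}
	}
	sort.Ints(replayed)
	return replayed
}

// SampleRestore builds a constructed scenario: a backup taken on 2018-05-01 and
// restored later, with one erasure logged before and one after the backup.
func SampleRestore() (map[int]*User, []Erasure, time.Time) {
	backupTime := time.Date(2018, 5, 1, 0, 0, 0, 0, time.UTC)
	restored := map[int]*User{
		7:  {ID: 7, Name: "deleted-user-7", Email: "deleted-7@invalid"}, // erased before the backup
		42: {ID: 42, Name: "Jane Example", Email: "jane@example.com"},   // erased after the backup
		99: {ID: 99, Name: "Joe Example", Email: "joe@example.com"},     // still active
	}
	trail := []Erasure{
		{UserID: 7, At: time.Date(2018, 4, 20, 12, 0, 0, 0, time.UTC)},
		{UserID: 42, At: time.Date(2018, 5, 10, 9, 30, 0, 0, time.UTC)},
	}
	return restored, trail, backupTime
}

func main() {
	restored, trail, backupTime := SampleRestore()
	replayed := ReplayErasures(restored, trail, backupTime)
	fmt.Println("re-anonymized after restore:", replayed) // [42]
	for _, id := range []int{7, 42, 99} {
		fmt.Printf("%d: %s <%s>\n", id, restored[id].Name, restored[id].Email)
	}
}
```

The important design choice is that the log stores nothing but IDs and timestamps, so it can live outside the backup set (where a restore cannot wipe it) without itself becoming a copy of the erased data. The boundary check uses "strictly after the backup time" because an erasure recorded at the moment of the backup is already reflected in it.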
Where you store your backups and where you are hosted is also important. If you are an EU site you SHOULD use servers in the European Union or otherwise use services which comply with the GDPR. Unfortunately, at the time of writing, consumer-grade cheap / free storage such as Dropbox, OneDrive and Google Drive does NOT meet the GDPR requirements. Dropbox for Business, while too expensive for most of you, does offer storage exclusively on EU servers and does comply with the GDPR. Big cloud storage providers such as Amazon, RackSpace and Microsoft do offer EU-only storage. We recommend that you use that. As an important aside, if you only ever store encrypted (JPS) archives then even consumer-grade storage such as Dropbox and OneDrive would be acceptable: even though these services do not guarantee the privacy of the data you store with them, the full encryption of the backup archive (a key feature of the JPS format) does, as long as the password is strong and is never stored alongside the archive.
Regarding our handling of our own site's backups: they are encrypted, stored on EU ground with Amazon S3 (Frankfurt), and we have written our own GDPR compliance software which allows us to replay audit logs even in the unlikely event of a catastrophic failure of our site. We apply the audit log replay every time we restore backups, including on our local testing servers (this only applies after May 25th). Furthermore, should our subcontractors require a copy of our site for development reasons they do NOT get access to ANY personally identifiable information (we apply deep scrubbing and / or complete anonymization of the data).
While storing IP addresses may count as processing personally identifiable information, the GDPR recognises that processing which is strictly necessary for network and information security is a legitimate interest (Recital 49). As such the Admin Tools security exceptions log and the related IP whitelist, IP blacklist, automatic IP blocks and automatic IP block history do not require the user's consent. It's also worth noting that IP addresses per se are not necessarily personally identifiable information. If your organization has the legal means to compel ISPs to divulge the real world identity behind an IP address (that is to say, without having to go through court) OR if you store the IP address in conjunction with personally identifiable information (e.g. an email address) or a personal marker (e.g. a user ID) then that IP address becomes personally identifiable information. But, again, if it's only used for security logs it is exempt from the requirement to obtain consent.
Text log files may, however, contain sensitive information, as they capture the entirety of the request sent by the user to your site, including any submitted form data. We therefore recommend that you DISABLE the "Keep a debug log file" option in the Configure WAF page.
Furthermore, the GDPR calls for data minimization. To comply with this requirement we urge you to set the "Maximum security exceptions log entries" option to a non-zero value in the System - Admin Tools plugin. Typically, a value of 1000 to 10000 provides a good balance between data minimization and security.
The Project Honeypot and "Warn about use of well-known passwords" features do transmit information to third parties. However, this information is anonymous and should, therefore, fall outside the scope of the GDPR.
Using the GeoIP feature is also GDPR compliant. The IP address does not leave your server: the copy of the MaxMind GeoLite Country IP database used to determine the country and continent of an IP address is stored on your own server. And no, before you ask, if you are outside the EU you can NOT use GeoIP blocking to dodge the GDPR. The GDPR protects people who are in the EU regardless of their nationality, and it applies to every business established in the EU regardless of where its users are. GeoIP cannot reliably tell you who is in the EU anyway: VPN and proxy services let users fake their GeoIP location, and GeoIP accuracy is imperfect (around 90%) in general. Don't try to use GeoBlocking to dodge the GDPR; you will only make matters worse for yourself.
Finally, it is possible that in the past you may have enabled the feature to log failed login passwords. This might be a security concern or a violation of the GDPR. We have now removed that feature but you may still have information stored in your database. We recommend that you go to the Security Exceptions Log page, filter by reason "Login failure" and delete all records presented to you.
Akeeba Ticket System by its very nature stores personally identifiable information in tickets. It is impractical to encrypt the ticket titles and bodies: the performance hit and the inability to search through the content make it unworkable. To the best of our knowledge the GDPR accepts that line of reasoning.
However, you should NEVER, EVER store passwords or other sensitive information (such as a person's real address) unencrypted in the database. For this reason, ATS supports encrypted Manager Notes by default since version 2.4.3 (to be released in mid-May). Support staff are responsible for moving sensitive information into Manager Notes and warning the user that privileged information was redacted from the ticket and put in encrypted storage.
Another sticky point with regards to the GDPR is the ticket-by-email and the ticket notification by email features. In our reading of the GDPR's security requirements, accepting personal information over unencrypted email is not allowed. Since implementing support for encrypted email is complicated and technically infeasible in most cases, we have to warn you that in our view it is ILLEGAL to use that feature after May 25th, 2018. We plan to remove it in the next version of our software (2.5.0). Regarding email notifications for tickets, you are advised to remove the ticket content from the email template. We cannot do this automatically. You have to go and edit your email templates for PRIVATE tickets.
Speaking of which, the GDPR provisions for privacy obviously do not apply to public tickets. People electing to file public tickets do so fully aware that their information will be visible to anyone, and they receive adequate warning. You may, however, want to set up your ATS categories to offer private tickets by default. The GDPR asks you to implement your sites with privacy by default; we understand the implication of that is that the default ticket visibility should be Private.
Using Gravatar is GDPR compliant in our reading, with one caveat. No personally identifiable information is transmitted to Gravatar as such; what is transmitted is the MD5 hash of the email address. This is a pseudonymous identifier: it cannot be decoded back to the email address, but anyone who already holds a list of candidate addresses can hash them and match them against it, so treat it as pseudonymous rather than anonymous data. Transmitting pseudonymous identifiers is GDPR compliant.
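The caveat above is easy to demonstrate. The following is example code written for this article (not Gravatar's or Akeeba's code): it computes the identifier Gravatar derives from an email address, which is the MD5 digest of the trimmed, lower-cased address, and then shows how a party holding a list of candidate addresses (a leaked mailing list, an older breach dump) re-identifies the person behind a published hash. The email addresses and the candidate list are constructed for the example.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"strings"
)

// GravatarHash computes the identifier sent to Gravatar: the MD5 digest of the
// e-mail address after trimming whitespace and lower-casing it.
func GravatarHash(email string) string {
	sum := md5.Sum([]byte(strings.ToLower(strings.TrimSpace(email))))
	return hex.EncodeToString(sum[:])
}

// RecoverEmail is the attacker's side: given a published hash and a list of
// candidate addresses, hash each candidate and compare. A hit re-identifies the
// person behind the hash, which is why the hash is pseudonymous, not anonymous.
func RecoverEmail(hash string, candidates []string) (string, bool) {
	for _, c := range candidates {
		if GravatarHash(c) == hash {
			return strings.ToLower(strings.TrimSpace(c)), true
		}
	}
	return "", false
}

func main() {
	// Constructed sample data: the address a site hashes, and a list the attacker holds.
	published := GravatarHash(" Jane.Doe@Example.com ")
	leaked := []string{"bob@example.org", "jane.doe@example.com", "carol@example.net"}
	fmt.Println("hash sent to Gravatar:", published)
	if email, ok := RecoverEmail(published, leaked); ok {
		fmt.Println("re-identified as:", email) // jane.doe@example.com
	}
}
```

The lookup costs one MD5 per candidate, so even a list of hundreds of millions of addresses is checked in minutes on commodity hardware; nothing about MD5 being one-way protects an input drawn from a small, guessable space.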
On top of the aforementioned features, we have added another feature to our site: as soon as you close a ticket, the encrypted Manager Notes are immediately deleted. This conforms to the data minimization guidelines of the GDPR. It is implemented as a plugin and will be made available in ATS soon (we need to document it first and make sure it works reliably by putting it to a real world test on our site).
Moreover, old private tickets of inactive clients will be removed from our site, as they may contain sensitive information. If you are an active client (you have a subscription) or you have logged in to our site in the last 18 months, please review your private tickets. If they contain private information please ask us to remove them and remember to give us the ticket numbers (or we will remove ALL your private tickets!). No, we cannot check for you if you ask us to; we do not have the manpower. That's why you can log in and check for yourself. Also note that we explicitly tell you to give us temporary access; therefore we bear no responsibility if you failed to revoke our access after your ticket was closed.
Some Two Step Verification (TSV) methods use personally identifiable markers (YubiKey ID, PushBullet token) or personal information (email address, phone number). Starting with version 3 we will be encrypting all LoginGuard method setup information by default. Existing information will not be encrypted until your first log in. This is reversible encryption, not hashing, since a Two Step Verification secret IS NOT a password: TSV typically uses a key to generate a time based one-time code, so the server needs the unencrypted key every time it verifies a code. That is only possible with reversible encryption, not hashing.
If you are unsure, we recommend that you only use the Google Authenticator (TOTP) and Security Key (U2F) methods on your own site. These store no personally identifiable information and are therefore GDPR compliant by definition.
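To show concretely why the stored TSV material must be encrypted rather than hashed, here is an added example written for this article; it is not LoginGuard's code and makes no claim about how LoginGuard 3 stores its data. It seals a TOTP seed with AES-256-GCM under a site-wide key (assumed to live outside the database, for instance in the site's configuration file), binds the user ID into the authenticated data so a ciphertext copied between user rows fails to open, and then derives an RFC 6238 code from the decrypted seed, which is the step a hash could never support. The key, user ID and seed are constructed for the demo; the seed is the RFC 6238 reference seed, so the code for t=59 is the well-known test vector.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// SealSecret encrypts a TOTP seed with AES-256-GCM under a site-wide key. The
// user ID is bound as additional authenticated data, so a ciphertext moved from
// one user row to another will not decrypt. Layout: nonce || ciphertext || tag.
func SealSecret(key []byte, userID string, seed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, seed, []byte(userID)), nil
}

// OpenSecret reverses SealSecret. It fails on a wrong key, a different user ID
// or any modification of the stored blob.
func OpenSecret(key []byte, userID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed secret too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(userID))
}

// TOTP computes an RFC 6238 code (HMAC-SHA1, 30 second step, 6 digits) from the
// plaintext seed. This is why the seed cannot be hashed at rest: the server must
// run the same HMAC as the authenticator app, over the same seed bytes.
func TOTP(seed []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

func main() {
	key := make([]byte, 32)                // constructed: an all-zero key, for the demo only
	seed := []byte("12345678901234567890") // the RFC 6238 reference seed
	sealed, err := SealSecret(key, "user-42", seed)
	if err != nil {
		panic(err)
	}
	opened, err := OpenSecret(key, "user-42", sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("code at t=59:", TOTP(opened, 59)) // 287082
	if _, err := OpenSecret(key, "user-43", sealed); err != nil {
		fmt.Println("moving the blob to another user fails:", err)
	}
}
```

Two points worth noting. GCM gives integrity as well as confidentiality, so a tampered or swapped blob is rejected rather than silently producing a garbage seed that would lock the user out. And because the seed is recoverable by anyone holding the site key, that key must not live in the same database dump as the ciphertexts, otherwise the encryption adds nothing to a backup that leaks.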
We will be deploying LoginGuard 3 on our site in mid-May.
Most Social Login methods store a unique, per-application identifier. This means that the user ID you get can only be used by your site. Still, they all give you access to one or more of the following from the social platform: the user's real name, username and email address. Therefore that's personal information, or at the very least a personally identifiable marker, as we currently understand it.
Since this information is stored in Joomla! user fields it is impossible / impractical to encrypt. Is that GDPR compliant? It actually depends on how you have set up your integration / API "app" on the social media platform, e.g. the custom Facebook App you create for the Login by Facebook plugin of Akeeba SocialLogin. If you follow our Wiki instructions to the letter your integration will be GDPR compliant if and only if you do NOT allow the creation of new user accounts with SocialLogin AND you do not allow automatic login when the email address on the social media site matches a user record on your own site. So you can only allow people to manually link the Joomla! user account on your site with their social login before they are allowed to use social login. That's because they must give their explicit consent to you storing their personal information before you can store the link to the social media platform, which is personal information. Of course that genuinely cripples SocialLogin and removes the main reason for its existence: reducing the friction of user account creation.
In case the social media marker is not considered personal information you can keep using SocialLogin without a problem. Please ask your lawyer, share your lawyer's feedback with us and tell us which country you are from. We want to understand whether there is a point in continuing to develop this software.
Right now we have canceled our plans to integrate SocialLogin into our site. Moreover, we have decided to put Akeeba SocialLogin on the back burner until it becomes clear whether creating a user account through social media login is allowed. For this reason all open issues pertaining to new features are not going to be dealt with in the foreseeable future. Sorry, it looks like the GDPR is killing this cool product :(
Akeeba Release System does store the IP address of whoever is downloading software. The successful download records of logged in users link the IP address with a real identity, so they might be considered personal information. However, if you anonymize or delete the account pursuant to a GDPR right to be forgotten request they become anonymous again. Therefore there should be no reason to delete them.
Collecting this information may not require consent since the download log is your proof that your user has forfeited their right to a refund (upon starting a download for non-public downloads) per the EU Consumer Protection Directive. Since collecting this information is a legal requirement it trumps the GDPR.
On our site we delete old download records anyway. Moreover, records linked to your user account are both exported as part of you exercising your data portability rights and deleted when you exercise your right to be forgotten.
Things are a bit more complicated, because pretty much all of the information collected from users is personal. The invoicing information is definitely personally identifiable. However, collecting it is a requirement under the EU VAT and invoicing regulations. Since there is a legal requirement to collect it, the GDPR privacy provisions are superseded, i.e. you can still collect it no matter what. This information cannot be stored encrypted because you need to be able to search through it, and databases cannot search through encrypted columns.
The invoice (and credit note) body itself, however, is stored encrypted as of Akeeba Subscriptions 6.1.0 which will be released in mid-May 2018. Moreover, Akeeba Subscriptions no longer stores this information as files on disk. Whenever you ask Akeeba Subscriptions for an invoice preview or to download your invoice as a PDF it will decrypt it and send it to you. Of course this also applies to credit notes.
As a general rule, we recommend that you remove or pseudonymize the subscriptions, user records, invoices and credit notes of inactive clients. We do that on our own site as part of the automatic deletion of the user profile. You may need to keep copies elsewhere to satisfy tax laws (in which case your legal requirement supersedes the GDPR provisions to privacy).
We are deploying the new version of Akeeba Subscriptions on our site. All invoices and credit notes will only be stored encrypted. We will run a special script to encrypt all of the existing information AND we will remove the copies of the invoice PDF files from our server. Copies of the invoices will be kept for a minimum of 10 years due to legal requirements, both in an encrypted Amazon S3 bucket in the EU (Frankfurt) and off-line with our accountants. Do note that the accountants are also auditors and are therefore bound by existing privacy regulations which are stricter than the GDPR itself. Finally, we do not allow users to delete their user profile with us within the first 90 days after they have bought their latest subscription since a. it may not have been reported to the tax authorities / VIES / VAT Mini One Stop Shop services yet (legal requirement) and b. that's the maximum time period after a purchase in which a client can file a payment dispute or chargeback request (meaning that we need to keep a record of the client's information to use as proof of service provisioning in these cases). Legal requirements trump GDPR provisions in these cases. Of course after 90 days from your last purchase you can delete your user account, without refund, if you so wish.
Important clarification: your transactions on third party sites, e.g. the payment processing companies, are NOT deleted when your user account is deleted and are NOT included in data exports requested on our site. This information is submitted to and stored by third parties. You should contact them directly to exercise your data rights with them.
To the best of our understanding, our other software does not store personal information of any kind. Therefore the GDPR is irrelevant to its use on our site or anywhere else.
GDPR compliance (data rights) uses a component we built ourselves. At this point there are no plans to release it as a commercial extension since Joomla! 3.9 will come with its own solution called com_privacy. We cannot yet guarantee that our software will work together with com_privacy in the future since we don't even know how it's supposed to work on account of it being under development at the time of this writing (May 15th, 2018).