Anyone who take any private information from any EU citizen for commercial purposes have to comply with GDPR and related regulations (Like selling goods to EU citizens). I believe they need do it even if they just advertise ads to EU citizens.
Under this regulations personal information is even real name (also if email address says their real name like name-surname@mail.com) and in some cases things like even I.P. address can be under GDPR personal information. Basically everything what can indicate specific individual have this information if data breach happen.
If you did see that popup what showed new cookies here on 2+2 recently to be accepted you can tell they are trying to comply with GDPR regulations what force them tell about cookies more clearly and explain what information they are collecting and how they are using it.

Few days ago i send Bobo Fett and Mason Malmuth link with most cases where 2k or less was involved and private information like address/ID was involved. (Sent them single excel file with more then 40+ cases to start with)
Mason Malmuth said they will take good look into it and forwarded message to David Sklansky.
They are well aware of cases and most job have done by me already collecting them in single file.

If no action is taken in reasonable time frame i will ask around in privacy/data protection related forums where i can report them case by case for more pressure.

ehh, my understanding is that enforcement outside the EU is going to be extremely difficult. At the very least I doubt non-EU entities will be immediately targeted.

Again, IANAL but if I were an EU citizen or legal entity who's holding the personal information of any other EU citizen without their explicit consent I'd be either swiftly deleting it or getting a lawyer to explain why I'm not deleting it and what I intend to do with it. Anyone outside the EU will likely have a little time to assess their legal options in light of the inevitable consequences for the EU crowd.

Yeah that true. Non EU companies will probably not be first in line to be targeted and enforcement could be very difficult.

But also most companies not show tens and tens EU citizens ID's/Addresses publicly.

I've seen posts like this a few times. Does anyone have a link to the actual law? Not the GDPR; that's a separate issue.

The thread, and even this entire forum, is primarily here as a service to our members. I mean, of course more threads and forums can mean more page views which is good for us overall, but that's not much of a direct benefit.

I don't think the amount of money should matter. Either we allow it, or we don't.

The two things are in no way related. But the fact that we haven't taken the stance you think we should about privacy doesn't mean we don't care a singe bit.

We aren't collecting the information posted in this forum. AFAIK, 2+2's lawyer's opinion has always been that posters are responsible for what they post, and I don't think the GDPR changes that.

But even if we are under no legal obligation to change what we allow to be posted (and I'm not saying for certain that we aren't as IANAL), I'm not against the idea of making changes if it seems prudent to do so; I welcome the discussion.

Mat Sklansky, FWIW.

The discussion here, and what I and other mods take back to them as a result, will play a part in any decision that is made - whether to keep things as they are, or make changes.

Not sure what to make of this. Your PMs and previous posts talk about wanting to help, and to have discussion about this. Now this post sounds like you've made up your mind that everything you think should be deleted needs to be deleted, or else. Doesn't seem all that helpful, but perhaps I've misunderstood you.

As a direct response to the newly created OP.

Privacy - what should people be allowed to post about alleged scammers?

A good start in my opinion would be the players usernames on all sites and what transpired between the 2 parties. Its ridiculous that these stakers force their horses to send them a utility bill and passport for the opportunity to gamble for them and give them half the profits. You can call them companies all you want but unless you run a site and make your profits from rake all the parties in this thread backers and stakers alike are gambling.

Posting peoples real name and address is nothing but a scare tactic and could have serious consequences and put them in danger. The most common defence is "don't steal/watch enough videos a month and your name and address wont get posted. Do two wrongs make a right? Does the punishment fit the crime?

Its been open season in this sub forum on what stakers can post hopefully that changes in the future.

Posting peoples passports, driving license and bank cards/documents on public forums without the individuals consent is a breech of the UK data protection act.

https://www.gov.uk/data-protection

https://www.gov.uk/data-protection/make-a-complaint

handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

Closest thing i could find Bobo. Putting someones passport on the internet over a $200 debt isn't something google can get its head around as im struggling to find a case of this happening. Its so obvious this is a criminal act its difficult to find the exact law stating don't publish someones passport over a debt. The data protection act is the law being broken in this instance.

https://www.justanswer.com

If anyone has $5 spare you can get a expert opinion here on whether its legal or not. I will chip in $1 if 4 other people are willing.

Well, it's both about privacy and both about compliance with the law.

Agreed.

There can be more than one entity responsible. This forum invites users to post negative feedback about people, provides guidance about what to post (see post #1 of the feedback thread) and makes this personal information public and searchable. I'm not qualified enough to say how far the responsibility of 2+2 goes, but a blanket statement that solely the individual posters are responsible is definitely wrong for most jurisdictions and the EU. EU law applies because 2+2 intentionally chooses to serve EU customers.

My suggestion would be to allow all info that serves the legitimate purpose of making potential future backers aware of past experiences and forbid everything that serves the illegitimate purpose of scaring/coercing horses in case of a disagreement or even a scam.

Thus in case of a negative experience: 2+2 name, site user names, and in case of a scam the real name as well. Posting of passport copies, house addresses, telephone numbers and social security numbers serve no legitimate goal at all and only intend to shame and/or scare the person in question.

While I'm not judging if this is a good enough reason to allow it, I believe the shaming/scaring sometimes gets people's money paid back.

That is a legitimate goal indeed, but then the second question is if the means are legitimate as well and the third for 2+2 if it should be willing to function as platform to facilitate shaming and scaring as coercion technique if it's done with information that doesn't serve any purpose as relevant feedback for future decisions. I'd answer no to the second and third question especially if the proportionality is questionable as is often the case with many personal details published after negative experiences that don't necessarily constitute evil intent.

Scammers should definitely be outed and the posting of relevant and proportionate information will already scare people off to a lesser degree.

This is somewhat debatable but i can see your point here for sure.
But my issue posting things over recreational player stealing 100$ is that while it effect backer lot less, it effect person who have been stealing same in real life/online life as someone stealing 10000$.
*Someone can try make fake accounts with your name and address to use illegal credit cards or do similar activities.
*Someone living in same country can blackmail and threaten you knowing your phone/address.


No, i am totally up for discussion where line is drawn, i think line right now is not where it should be. I am not saying everything i think should be deleted is what should be deleted, i am not only person involved and don't know where perfect line is ect.
Just saying if line stays where it is and 2+2 is not open to discussion, i don't have much options other then asking other more informed people what i can do about this sensitive information on forum if forum administration is not open to discuss issue.
So far i can't say 2+2 had not been interested to discussing issue, as we are clearly doing it right now.


I don't see how it 2+2 responsibility to help backers get their money back by allowing to shaming/scaring people. Even if 2+2 stop allowing it, there will be always backers who will create their websites and message scammer family on facebook ect., not allowing it on 2+2 will not make it much harder for people who want to do it still keep doing it.
While allowing it on 2+2 in some small % might help, i would think in most cases it just unnecessary sensitive information what don't get any money back anyway and what don't help future backers but put person stealing in additional danger to identity theft or getting into dangerous situation in real life.

I am not sure exact % cases retracted in this forum section, but going over years of cases i seen very very few cases where post have been removed because got repaid. (Would guess it around 1%-3% but might be wrong).
I see it as 2+2 do nothing much for backer also while giving perfect list for criminals (Identity theft/real life danger):
If backer creates his own website, threaten scammer via skype and contacts scammer facebook contacts himself he still publish all same sensitive information while 2+2 still would not allow it on forum (Often all other steps will be made even after posting on 2+2 anyway) - results also is same and 2+2 don't need be involved -shamed/scared/and if his name is googled he come up as poker scammer, but in this way it lot less likely that someone with bad intentions (to use his private information for illegal activity) get this information as he would need to know that this website exist and what to google for to find it.
What 2+2 basically is doing is listing all theses private information websites (information what theses websites would provide) at single list for criminals to find easier while not giving real additional value for backer (As he can still create website/contact Facebook contacts or whatever he wants to do while not posting more then information for future backers on 2+2 - information what actually prevent him being backed again like poker room usernames/skype information ect.).
Basically i think point about shaming/scaring is with flawed logic because 2+2 is very clearly not only place where backer can take this very sensitive information and post it and scammer shaming/scaring will happen anyway (not sure what bunch of poker players seeing his passport/face/address do for more shaming/scarring) and i would argue that 2+2 actually is one of least effective place to shame/scare but possibly best place for criminals find every person private information listed like some online directory.
2+2 is for information for poker community and future backers, if backer who got scammed wants take more action against him like posting private information online to shame and scare he will find more places to do it anyway and would be more effective anyway but he also take full responsibility for his actions when he does it. 2+2 will not need take role of 3rd person being involved (Even if it passive role what just not remove posts with some information what might be against law to post publicly and not help future backers to avoid individual but intention is clearly just shaming/scaring) by allowing this information to stay.

Is this only reason why 2+2 have not taken any action against this sensitive information? or there is some other reasons you can tell us about why 2+2 is allowing all this information what was not intended to be posted in original post? (Regardless if it against law or not)

They are generally either taken down or edited to show the debt has been repaid. It's usually a demand from the person that has done the stealing/scamming that they want their name removed so it doesn't come up in google searches saying they are a thief.

If backers didn't take the posts down it would be a lot harder to get repaid in the future.

If reasoning why people repay is because they see their name come up in google there still no reasoning for it being posted on 2+2.
Any backer can create free/10$ website what show information and get same result and it will come up in google same way when searched for name and in same time 2+2 will not need act like private information directory for criminals.

The only real question here is whether 2+2 is exposed to any liability from these postings, and that is a question for a lawyer. From the standpoint of being a poker community it seems obvious to me that naming and shaming bad horses is a productive endeavour, in order to protect staking outfits from being the victims of ripoffs and to encourage a healthy functioning staking market.

This thread is not about if bad horses should be shamed (Violating his private information) but if 2+2 should be place to do it.
Posting on 2+2 relevant information for future backers and doing shaming on your own website or similar place is lot different then shaming them on 2+2 and creating place where criminals can abuse this private information lot easier because it beautifully listed with tens and tens other people private information like some online private information directory.
If you want shame and scare your horse there is no need for 2+2/poker community to know about it after you have posted poker rooms usernames/email/skype ect. and warned about bad horse with relevant information.
There is no real purpose for shaming people on poker forum when you can do it on your own "privately" without posting on forum and get same visibility for people in bad horse life/search engine results for his name ect..
I would strongly argue that theses people who actually pay back after sensitive information is posted don't do it because they are worried about what 2+2 forum/poker community members will think about them but because their name in google come up as scammer and there is no need for posting it on 2+2 to get scammer name listed on search engines as scammer (As there is alternatives, you can create your own website for free/10$ ect and get same result, it gets same result for search engine for backer ect. but put bad horse private information in lot less risk for identity theft/real life dangerous situation).

Yes, that i was saying from the start.
I was assuming 2+2 have nothing to benefit from allowing theses posts with sensitive information around and i am confused why would 2+2 take even 1% chance to get in problems with anyone and not just enforce no sensitive information rule.
Basically i am asking again what is 2+2 reasoning to allow theses posts when lot simpler and safer would be just remove all sensitive information (Because 2+2 have nothing to benefit from it directly and thread was intended that way) and make backers choose alternative places to post this private information like their website or other forum or whatever place they want and get same results like posting on 2+2 (And not create private information database to criminals to use in negative feedback thread format).

There's no way that someone creating a brand new site about a scammer gets anywhere near the visibility that they do with a post on our forum.

And another benefit that hasn't been discussed is preventing others from being scammed by the same person in the future. In that case, I'm thinking more about their real name than, for example, a passport photo.

I assume the belief is that the risk is much, much lower than 1. Perhaps approaching 0.

If we're going to be concerned about any risk, there are a lot of things we should remove. This whole feedback forum. Perhaps the whole Marketplace. The transfers threads. Any threads about propbets. And I'm sure there's a lot more.

Of course I'm going a little over the top there, but I don't think it's a good use of time to worry about how much or little risk there is to 2+2. That'll be something for the lawyers to concern themselves with. I think discussion of the reasons for or against allowing this information would be more productive. That's not to say your opinion on 2+2's risk isn't appreciated. It is, and is duly noted.

I don't see how it's being broken.

2+2 is not using anyone's personal information.

It's very clear when reading through that site, that it's about finding out what information businesses are storing about you and how they're using it. IE, you give a business your address to ship something - are they keeping your information private?

What we're talking about is information posted about you in a publicly viewable thread, by other posters. You know exactly what's there. 2+2 isn't using it. I really don't see how the Data Protection Act in any way, shape, or form, relates to what we're talking about here.

Are the posters breaking the law by posting that information? Possibly. That doesn't need to be 2+2's concern, but that doesn't mean it isn't - but at this point I'm not sure what law, if any, they're even breaking.

Yes, you are true in some sense that yesterday created website will not be tracked nowhere near twoplustwo and might not even show up in google at first.
However there is 2 cases:
1)Name and surname is semi-common and there is no way 2+2 can be top position anyway as facebook/social networks/professionals with same name will dominate first several pages anyway.
(See example Chris Jones who have been reported as scammer on twoplustwo)
2)Name and surname is unique and while brand new website will not make top positions day 1, it will still climb to be top positions in some time what should not be that long as search volume and results for that words combination should be very low.

If we can use only unique names and surnames while there might still be some cases where 2+2 will create more visibility for google searches but i would think in most cases it not increase it that much over some time tracked website with very minimal SEO (Less then 1min work) like adding html meta tags and having relevant domain like name-surname-is-x.com (Not brand new website who was created yesterday and use some type subdomain obv).
(Obviously we don't have good sample size to see if websites who have been made with domain including specific name and surname and have allowed time for google to start track it have better results then using twoplustwo thread)
Also even if there is any extra exposure for twoplustwo versus newer more relevant domain it only effect people with unique names and surnames as it irreverent if Chris Jones come up as scammer in page 12 or page 32 for search "Chris Jones".

(we assume google search force repayments, and we assume scammer not care what poker community thinks about him but care only about search results when his name and surname is typed).

What posting on 2+2 does more is create more visibility specifically for poker community but it not something what most scammers will care much about and what will force them to repay as they are not hoping to get stake using same name anyway.

Yes, i can see real name being useful information for future backers especially if it live poker.
But overall i would think there is 3 categories of information shared in negative feedback thread:
1)Very useful information for future backers like poker usernames and emails/skype usernames.
2)Semi-useful information for future backers like real name (If live stake it might be category 1 also).
There can be made case for allowing it and some case allowing it only if it was live stake deal but i would think this is not what is most important right now to solve and removing category 3 information is lot more urgent issue.
3)Useless information for future backers like passport photo, face, address, phone number ect.


Agree, there is 2 separate questions, 2+2 risks and privacy and this thread is about privacy specifically in negative marketplace thread.
I was not trying to focus on 2+2 risks that much.

More then anything I was asking question what is arguments from twoplustwo side for allowing this information if it can not allow it? (If there is more arguments then shaming/scarring)
Asking this question i am assuming twoplustwo for now is taking stand of "We are allowing post passports, address and phone numbers in our negative feedback thread" as action is not taken to not allow it. Ignoring this sensitive information posted regularly and saying users themselves is responsible for their posts is not really something you can call not allowing it.

Also EU citizens can now request to remove any link who contain private information about him on google search via google request form irrelevant what domain information is posted on (From google search page not from website obv).
So for even chance to twoplustwo helping google exposure target need not have semi-common to common name (To twoplustwo post even show in google search 1st page) and not be EU citizen.
(Assuming more relevant newer domains for more unique names and this domain being allowed time to get tracked by search engines don't show up better then 2+2 in first place).

@Bobo_Fett

Did some digging and found some information you might find useful.

Found this paper on specifically social networks and forums for old Data Protection Act 1998 what is now updated and lot more strict against everyone and probably allow lot less:
https://ico.org.uk/media/for-organis...a-guidance.pdf

30. In other cases the forum might be provided free of charge or
the person or organisation running the site might take much
less of a role in moderating content. For example, members of
many large social networking sites are able to add posts
directly to the site without first having them checked by a site
moderator.
31. However, even if the content is not moderated before posting
this does not necessarily mean that the person or organisation
running the site isn’t a data controller. If the site only allows
posts subject to terms and conditions which cover acceptable
content, and if it can remove posts which breach its policies on
such matters, then it will still, to some extent, be determining
the purposes and manner in which personal data is processed.
It will therefore be a data controller.

(Not removing posts what is against original post (2+2 rules)/vBulletin rules and other terms might make 2+2 as data controller because 2+2 determine the purpose and manner in which personal data is processed)

Also when you are running vBulletin script you accept it rules here:
https://www.vbulletin.com/en/terms/

Content prohibited from our sites and services includes but is not limited to: (1) illegal content; (2) content in facilitation of the creation, advertising, distribution, provision or receipt of illegal goods or services; (3) offensive content (including, without limitation, court ordered defamatory statements, threatening, hateful or pornographic content); (4) content that discloses another's personal, confidential or proprietary information; (5) false or fraudulent content (including but not limited to false, fraudulent or misleading responses to user ads transmitted via our sites and services); (6) malicious content (including, without limitation, malware or spyware); (7) content that offers, promotes, advertises, or provides links to posting or auto-posting products or services, account creation or auto-creation products or services, flagging or auto-flagging products or services, bulk telephone numbers, or any other product or service that if utilized with respect to our sites and services would violate these TOU or our other legal rights; and (8) content that offers, promotes, advertises or provides links to unsolicited products or services. Other content prohibitions are set forth in supplemental terms for particular categories or services on our sites and services and all such prohibitions are expressly incorporated into these TOU as stated in the introductory paragraphs above.

(We are not talking about real names but about passports/address/phone ect., real names probably is more double-edged sword as it still considered personal information but without it you cannot basically report any live poker scammer)

About time vBulletin makes negative feedback about 2+2 for blatantly ignoring the terms they both agreed to. Hypocritical that 2+2 has a whole list of terms it expects it's users to agree to, but has no regard for the agreements they made themselves.

[x]the site only allows posts subject to terms and conditions which cover acceptable content
[x]can remove posts which breach its policies on such matters

2+2 basically is data controller according to GDA when it have power over what posts stay and what don't after posting it terms and conditions what is acceptable posts.
According to GDPR, the controller shall be responsible for, and be able to demonstrate compliance with, the principles relating to processing of personal data. These are: lawfulness, fairness and transparency, data minimization, accuracy, storage limitation and integrity, and confidentiality of personal data.

I am not lawyer and I might be totally wrong about all this and also about what that GDA paper actually says in this case but it looks like 2+2 is data controller and store the data from EU citizens (As 2+2 determine
the purposes and manner in which personal data is processed (stored, shared ect.) by not removing ones who is against terms) but in this absurd case data controller store this private information publicly sharing it with all users.

GDPR: ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

@Bobo_Fett

Some more on GDPR
Page 6 is How do you determine whether an organisation is a data controller or a data processor?
https://ico.org.uk/media/for-organis...p-guidance.pdf
(Would think 2+2 decide whether to disclose the data, and if so, who to; here if 2+2 have power to remove posts who is against OP/vBulletin terms but decide not to do it therefor determining the purposes and manner in which personal data is processed (How it shared and stored))

This is Data sharing code of practice, explains data sharing and when it allowed.
Would think there is few points where poster (and potentially 2+2 also as another data controller when it have power to remove posts what is against terms but decide not to do it therefor 2+2 is determining
the purposes and manner in which personal data is processed alone or together with poster) breaks terms of transparent and lawful personal data sharing with individual consent:
https://ico.org.uk/media/for-organis...f_practice.pdf

I don't know how it would make sense to you that those terms have anything to do with using their forum software. Let's just start with the second paragraph:

Do you see any direct links to that TOU on our site?

Or, we could look at the terms themselves, which make pretty much no sense as terms for how someone uses software they supply - they read like terms for posting things on their own forum, which I'm pretty sure is exactly what they are. I mean, have a look at points 7 & 8 in your quote - does it make sense that 2+2 (or anyone) would use forum software that dictated what we are allowed to advertise on our own site?

I appreciate what you're trying to do, and I don't want to come off as if I'm attacking you personally. But what I was really hoping to get from this thread was some different opinions from our members as to whether they think we should allow some of this information to be posted. I asked the question about a link to the law that is being broken only because I've seen a few people (not just in this thread) state it as simple fact, so I figured someone might already know what this law is. I don't think you trying to be an Internet detective/lawyer is going to get us too far. It's the same reason I'm not doing the same thing and trying to chase down a million links - I'm not a legal expert, and I don't think it's a productive use of my (or your) time.

This is the second time you've jumped in trying (and failing) to make 2+2 look like the bad guy. It's really not helpful.

We provide Data Privacy Notice wording and ask all players to sign a contract to Consent to the fact that we may post their PERSONAL information should we be in a position to do so. We will not post any SENSITIVE information.

Upon joining our team new players will provide us with some form of ID which we will confirm the below personal criteria and this will be held in a secure database. The details provided to us (ie driving license) will then be destroyed so it is not held anywhere. Once a player leaves, all data will be destroyed.

The criteria we provide ensures enough coverage to allow other backers to know the history of a player without releasing too much data.

Structured Data
Cardroom Screenname:
Real name:
Email:
Skype:
Country:
Owes:
Unstructured Data
Details of incident.

If any of our players do not want us to post this information then they either need to keep their integrity throughout their deal they signed a contract for or withdraw their consent from us. Withdrawing consent will include returning all funds owed (makeup and roll) and ending the deal.

Further information can be found here: https://ico.org.uk/