Admin intervention for personal data export really needed?

[rconde]

Currently, the required intervention of the administrator for the sole purpose of clicking on "Send Export Link" after the user has confirmed the action via e-mail seems to add a workload completely unnecessary.

I have to highlight that, once the request has been confirmed by e-mail by the user, the administrator has to enter the panel and click individually on each user to have their zip file sent with their data.

Is the administrator intervention -for clicking the "Send Export Link" button- really required here?
Is the administrator doing something / verifying something apart of clicking a button?

I think it creates a completely avoidable workload.

Why can we simply send the export link to the users that have confirmed the export action?

[knutsp]

Yes, the data must be complete for all systems the organisation/company, not just the WordPress website. This may involve other steps, more or less manually, to add or complete the data.

WordPress may not be used for this at all, but core must have a way to contribute it's data. WordPress may be used for this, but company/owner may add data to the file or the email.

[carike]

We had a chat about this in #core-privacy on Slack: ​https://wordpress.slack.com/archives/C9695RJBW/p1580816313173700 (You need a Slack account to view the conversation).

We do not believe that removing the requirement for admin-initiated action is in the best interest of the majority of users, as the CCPA, for example, requires that personal data export and erasure requests need to be subjected to varying levels of verification.

We propose adding a simple filter that you will be able to override using functions.php or an MU plugin. This would allow you to disable the admin-initiated requirement quite easily.

Would amending this ticket in such a way be acceptable to you?

[rconde]

Well, the functionality for the user to initiate the data export request is already present, I've made a plugin that allows the user to initiate the data export request on the user side with no administrator involved.

The flow of the data export is as follows:

1 - The user requests its data export via plugins (this is already possible, as I've already made) or by contacting the the admin somehow so the admin can manually create the data export request.

2 - The user receives an e-mail to confirm the requested action. The user clicks on the link and the request is user-confirmed. At this moment, the request is already admin-confirmed (or pseudo-confirmed) as the admin have created the plugin to allow user-instantiated data exports or had created the request manually.

3 - The administrator receives an e-mail that an user has confirmed some action so the administrator must log in and confirm the action.

4 - Now the administrator needs to log-in, go to the "Export personal data" tab and click on the button "Send Export Link" so the user receives its requested zip file.

Is this admin-mail (3) or this manual click action (4) really needed?

Let's focus on wp-admin/export-personal-data.php, there's nothing to add, nothing to configure. Just a button that changes from "Waiting for confirmation" (not a button) to "Send Export Link" to "Remove Request".

If there were any type of manual configuration prior to sending the zip, I could understand it.

But what we are really doing is forcing the administrator to make manual clicks for each user that have confirmed its data download. There isn't even a bulk action for sending export links for all the users that have confirmed the action.

At least adding a bulk action (non-existant now) to send the export link to all the user-confirmed requests would help.

[carike]

We are not creating core functionalities for any specific piece of legislation.
That having been said, we need to keep in mind possible use cases when deciding on sane defaults for core.

As far as 3.) goes, it is very likely in medium to large organizations that the Data Protection Officer would need to confirm that the verification requirements have been met (such as having a signed affidavit on file that confirms under penalty of perjury that the person is who they say they are).

As far as 4.) goes, it is very likely, again in medium to large organizations, that the DPO would need to collate personal information held about the user on other systems to include in the .zip folder.

However, we do acknowledge that for small to micro-organizations, where comments are likely the only personal information kept by the site, a higher level of automation may be highly desirable.

That is why we are suggesting a compromise in the form of a very simple TRUE / FALSE filter, rather than removing the admin-approval by default in core.

We can discuss including a bulk-functionality of some sort, but such a filter would be faster to implement (as we have a core developer who is willing to do this) and would allow for the plugin developer to by-pass the "manual" administrator clicks at the website owner / admin's own risk (by installing a plugin / adding their own code in functions.php / a MU plugin).

[rconde]

"We are not creating core functionalities for any specific piece of legislation."

• In this specific case (GDPR and data portability), WordPress core developers are creating, indeed, core functionalities for a specific piece of legislation. Wordpress has the "Export data" already implemented in its core.

For the "As far as 3/4 goes" and "a higher level of automation may be highly desirable.", do you think a medium to large organizations, say a WP installation with 100.000 users where 5% of them request their data download out of curiosity, a DPO is checking manually 5.000 request just in case something is missing? I don't really think that. 5.000 manual clicks for sending the export link to each user? Nah.

And about multiple sources of personal data. Why would something be missing? This would means that the plugin is poorly written/developed.

A DPO inserting/modifying personal data into a zip file puts in danger the data itself. A DPO is a human and can mix personal data from another users maybe, where a well structured SQL query and code don't.

As I've said, I think we are creating an artificial and avoidable workload in most cases.

I think that by adding at least a bulk "Send Export Link" to all user-confirmed requests is the minimum implementation to facilitate the task of the administrator in this case.

[xkon]

Replying to rconde:

For the "As far as 3/4 goes" and "a higher level of automation may be highly desirable.", do you think a medium to large organizations, say a WP installation with 100.000 users where 5% of them request their data download out of curiosity, a DPO is checking manually 5.000 request just in case something is missing? I don't really think that. 5.000 manual clicks for sending the export link to each user? Nah.

I'm not disagreeing with this, that's why as mentioned we already talked about it during our weekly meetings and we agreed that we will be looking into this as it will surely help take some load of plenty of Admins or DPOs that don't have any extra source of data to check & gather.

Not all exports require manual inspections and cross-checking external sources so we can adjust the code and provide this functionality to any website that might need it.

---

And about multiple sources of personal data. Why would something be missing? This would means that the plugin is poorly written/developed.

A DPO inserting/modifying personal data into a zip file puts in danger the data itself. A DPO is a human and can mix personal data from another users maybe, where a well structured SQL query and code don't.

That's not entirely correct. And we have to define what "Export Request" really means here as I think there was a misunderstanding.

On one side we have the implemented WordPress Export Personal Data functionality and on the other we also have the actual "Export Request" that any of your members/clients are sending.

I'm pretty sure that @carike was mentioning the latter and in that case data would/could be missing from an "Export Request" exactly because there might be "multiple sources" and that means sources outside of WordPress that we can't handle or know about in Core.

This is why we also gave the option to Download the packaged export .zip for cases that there might be a need to gather data from other sources as well and bundle them all together in a file to send an e-mail manually by a DPO or Admin etc.

As an example:
I am using WordPress as my website so my clients can send me their export requests there (this takes care of the "request" action itself and all the data that are kept within WordPress.

But I also have 10 extra software running in parallel that are not connected with WordPress and I keep data for these clients there also.

I would prefer to manually send 1 email that contains 10 different packaged export files from various sources than send 10 different emails to a user per source.

Still I'm not editing anything here, I'm just gathering the exports from all the various software that I have :-).

Does this make sense in this context?

---

As I've said, I think we are creating an artificial and avoidable workload in most cases.

I think that by adding at least a bulk "Send Export Link" to all user-confirmed requests is the minimum implementation to facilitate the task of the administrator in this case.

A bulk send can be discussed as well to see it's pros and cons.

[rconde]

I agree that when using multiple sources non-linked to each other, a manual data download tom make a compilation from every source is suitable.

But, for the organizations that only have WP as a source of personal data and have a lot of personal data requests, a bulk send would be nice and save a lot of effort regarding the manual clicks I've mentioned.

Or an option to automate the proccess of sending the link to the zip file to the user that have accepted the request via mail.

[rconde]

-

[garrett-eclipse]

Dropping privacy focus as it's already in the Privacy component.