I don’t know the thinking behind this, but the traditional export tool (TOOLS => EXPORT) already allows exporting an individual author’s posts and pages (or any custom post type).
Well, that’s all well and good, but it seems contrary to the purpose of the personal data tools, which is to compile a user’s personal data into a single structured electronic package to comply with the GDPR and other such laws that provide a right of access for personal data.
In that regard, it seems like the tool should include a summary of posts and pages made, in the same manner it presents Media uploads. It’s honestly weird that it doesn’t, given that the tool otherwise produces what looks like a pretty comprehensive summation of other user data from WordPress core and participating plugins, which is why I was wondering if I was misunderstanding the way it’s supposed to work.
So far as I can see, the Export tool for posts or pages isn’t subject to the same request/confirmation/approval process as the Export Personal Data function, which is also not very convenient from a regulatory compliance standpoint.
I get that plugin authors may not set up their plugins to support the export, but this is about post and page authorship, which is definitely a core function. If core really can’t do that as part of the personal data export process, this should probably be a feature request, but before doing that, I want to make sure I’m not going to get yelled at for requesting a feature that already exists that I just don’t understand.
I perfectly understand your position. I also don’t live in a GDPR jurisdiction, so my thinking may be tainted somehow. So please take what’s below as a mere discussion point, and not an opinion in either direction.
That said, what I’m wondering is if… say, an online newspaper’s staff’s contributions published on a website ought to be considered “personal data” and therefore subjected to the same “personal data export” rules as a random visitor coming to the site?
I’m thinking the answer should be NO.
For, the staff writer may have a contractual relationship with the site/business that the random user may not.
And, indeed, the staff writer’s contributions may (arguably) not even be considered “personal data” at all. And whether “personal data” or not, the export and/or erasure of such content would require a consideration of the contractual agreement between the two parties.
Indeed, the staff writer may not even own the content at all… making combining “personal data” with such “content” that may be subject to a contract in a single export… very problematic.
But then again, the choice could be given to site administrators to decide whether to include such content or not in the personal data export. But, then again, as with all things WordPress, that’s where plugins may come in to fill the void.
The applicability of privacy laws to published information that’s readily available to the general public is an extremely troublesome one from a standpoint of freedom of expression and freedom of speech. That said, the GDPR explicitly applies to information that has been published — in fact, it even includes an obligation to try to get other people to stop reproducing or linking to information that the data subject has exercised their right to erase or restrict processing. (I think that’s wildly incompatible with U.S. concepts of free speech, but that’s another matter.)
The GDPR does include stipulations that a controller can refuse to ERASE data where doing so would prevent the exercise of free expression. However, that exemption does not apply to the right of ACCESS or to the right of data portability.
I’m not a lawyer, but it would certainly appear that posts or pages contributed by a website user located in an area subject to the GDPR would likely be subject to the access and portability rights in the same way and to the same extent comments would. This is where the limitations of the Export Personal Data tool become troublesome from a compliance standpoint.
I’m aware that there are plugins that allow other data to be exported. That’s not the point: The point is that a registered user of a WordPress website who requests a copy of their personal data using the core request tool would probably reasonably expect (and may have an enforceable legal right) to receive at least an indication of which posts and pages they’ve contributed as part of the package of information that tool outputs. If that tool really can’t do that, that’s a pretty substantial compliance issue.
