Akismet GDPR



    Hello everyone,

    We use Akismet on many websites and would like to continue using the plugin.
    Considering the GDPR in May, the plugin is not compliant as it stores personal data on US servers. Does anyone know if a data processing agreement (DPA) with Akismet / Automattic would solve the problem?

    There is also another plugin called Akismet Privacy Policy (https://wordpress.org/plugins/akismet-privacy-policies/) that is supposed to help. But this would only solve the user-end problem and inform the user about all the processed data before he posts a comment. The GDPR implies that a company has a DPA with all companies that process data. I couldn’t find anything on the page of Akismet or the developer’s. But I guess many people should face this problem right now.

    I’m glad for any information on this.





    Hi staartmees,

    thanks, yes I have read this. But it sounds like they are still working on the topic (“working on getting into full compliance”) and this is just a start. And nothing new has been published yet.
    It’s good to know that they made a contract with their subsidiary. But as a company we still need a contract with them, if we use their service.

    I just received an email from their support that a DPA is possible for customers that use the paid service. So, looks like we can solve this.



    A DPA itself might not be sufficient. Generally speaking, for forwarding data to any place outside the EU, either an “adequacy decision” of the European Commission is required, or other adequate safeguards must have been taken. An agreement itself would not necessarily suffice. One could well play around with checkboxes and something like “informed consent”, but this might not be everybody’s cup of tea. Thus, although it will be possible to legally use Akismet after 25 May 2018, it would not be too easy-going. Or not easy-going enough for me. To be more precise:
    The European Commission has taken an adequacy decision with regard to the U.S., but adequacy is only assumed in cases that the relevant enterprise in the U.S. submits to the EU-US privacy shield. A major effect of such submission is that U.S. agencies, and also courts, would rule on the question whether all of the nice safeguards contained in terms and conditions are met, and EU citizens would be able to sue the relevant U.S. enterprise for any breach of the terms in court. Automattic Inc. has submitted to the privacy shield, but as of today, the official government online file on this contains a caveat:

    “This Privacy Shield Certification applies to our core WordPress.com VIP services, and does not include any plug-ins provided by third parties or Automattic (e.g., Jetpack and WooCommerce), or any other software or services, that our VIP clients elect to use on their websites. The certification also does not cover personal data related to WordPress.com user accounts or our standard WordPress.com service, …”

    Thus, for any transfer of data to the Akismet service, there needs to be another exemption, and without specific authorization from an EU supervisory authority, this could only be one mentioned in Article 46(2) of the GDPR. As of yet, I do not see any terms and conditions, clauses, contracts etc., which meet those requirements. And once such clauses exist, they all must be “binding and enforceable” in some way. For me personally, it is too late for keeping Akismet active. The GDPR will enter into force on 25 May, we have prepared everything right on time, and this includes that we do not use Akismet any more, as we do not know enough about its future legality two weeks and a day before the deadline ends, and I also do not want to rely on the “checkbox loophole” in Article 49(1) a GDPR (express consent after information on the risk), as this is not how I would like to treat website users.


    Hi Jessica,

    But it sounds like they are still working on the topic (“working on getting into full compliance”) and this is just a start.

    As a member of the plugin support team mentioned in the WordPress.org forums, Akismet will be publishing GDPR compliance information as soon as they can. For now, there is more information in the Automattic GDPR documentation.

    That’s all the information I have at the moment.
