by bullenweg 615 days ago
> WordPress and Automattic as Subject to EU Legislation

I'm loath to defend Mullenweg but WordPress.com is not 43% of the internet. WordPress (the software) is used by 43% of websites, WordPress.com is used by a few million, making it smaller than Wix, Squarespace and even other WordPress hosts like WPEngine.com. Automattic has no relationship with a meaningful amount of end-user data.


The argument seems to be about specific services like Jetpack, which is not limited to Wordpress.com.

I also don't think it's clear that the legal boundaries between the various entities (the person, Automattic, Wordpress Foundation, Wordpress.org, Wordpress.com, etc) would hold, particularly in the EU and particularly where the beneficial owners are identical or have large overlap.

How does Jetpack play into that?

Wordpress.anything in general must be a data jurisdictional nightmare. Every plugin has access to UGC and could be sending bits of that anywhere.

Author here. I know how the sausage is made.

The thing is that when you set up Jetpack and authenticate, you sync your self-hosted site with a clone that resides on the WordPress.com infrastructure. This is to facilitate the backend services that Jetpack provides.

This is needed for things like the Elasticsearch index and all sorts of things.

So, say you do your best to make your site compatible with your local privacy regs because you may be taking medical appointments or if you are selling adult toys on your WooCommerce site and some genius installs Jetpack, personally identifiable information makes it to non-EU controlled and hosted infrastructure.

We may go as far as saying that Automattic is pushing the liability from themselves to you as a site owner. (In other words, you are responsible for your own customers' data but not them.)

There are certain requirements for GDPR compliance that I still have a hard time seeing as being fulfilled. (And I did work on GDPR compliance projects before moving over to Automattic and have discussed this with people in the data privacy and security scene who have raised their eyebrows over the whole thing.)

It is very strange to go from being proud of working on this and then not being able to recommend using it for much other than the CDN that doesn't require the sync process.

Jetpack the plugin does not send end-user data home; only Jetpack the paid service does that, and the customer base of Jetpack is small. If a plugin's theoretical access to user data is enough to cause GDPR responsibilities for the developer, that would have broad ramifications across the world of open source, as code written by some developer in their free time is being used by every company.

This is factually incorrect. Jetpack, even the free version, sends all sorts of data over to Automattic. Automattic has access to the details of any site running Jetpack. This may have changed with the shift to modularized separate plugins, but prior to 2022 there was a ton of data being sent to Automattic.

I think you still need the sync to happen to use any of the modular plugins.

Hi Bullenweg. If you reach out, then I'll tell you one or two things on how the sausage is made.