by ndheebebe 609 days ago
How does Jetpack play into that?

WordPress.anything in general must be a data jurisdictional nightmare. Every plugin has access to UGC and could be sending bits of that anywhere.


Author here. I know how the sausage is made.

The thing is that when you set up Jetpack and authenticate, you sync your self-hosted site with a clone that resides on the WordPress.com infrastructure. This is to facilitate the backend services that Jetpack provides.

This is needed for things like the Elasticsearch index and all sorts of things.

So, say you do your best to make your site compatible with your local privacy regs because you may be taking medical appointments, or you are selling adult toys on your WooCommerce site, and some genius installs Jetpack: personally identifiable information makes it to non-EU controlled and hosted infrastructure.

We may go as far as saying that Automattic is pushing the liability from themselves to you as a site owner. (In other words, you are responsible for your own customers' data, but they are not.)

There are certain requirements for GDPR compliance that I still have a hard time seeing as being fulfilled. (And I did work on GDPR compliance projects before moving over to Automattic and have discussed this with people in the data privacy and security scene who have raised their eyebrows over the whole thing.)

It is very strange to go from being proud of working on this and then not being able to recommend using it for much other than the CDN that doesn't require the sync process.

Jetpack the plugin does not send end-user data home; only Jetpack the paid service does that, and the customer base of Jetpack is small. If a plugin's theoretical access to user data is enough to cause GDPR responsibilities for the developer, that would have broad ramifications across the world of open source, as code written by some developer in their free time is being used by every company.

This is factually incorrect. Jetpack, even the free version, sends all sorts of data over to Automattic. Automattic has access to the details of any site running Jetpack. This may have changed with the shift to modularized separate plugins, but prior to 2022 there was a ton of data being sent to Automattic.

I think you still need the sync to happen to use any of the modular plugins.