| Author here. I know how the sausage is made. The thing is that when you set up Jetpack and authenticate, you sync your self-hosted site with a clone that resides on the WordPress.com infrastructure. This is to facilitate the backend services that Jetpack provides. This is needed for things like the Elasticsearch index and all sorts of things. So, say you do your best to make your site compatible with your local privacy regs because you may be taking medical appointments or selling adult toys on your WooCommerce site, and some genius installs Jetpack: personally identifiable information makes it to non-EU controlled and hosted infrastructure. We may go as far as saying that Automattic is pushing the liability from themselves to you as a site owner. (In other words, you are responsible for your own customers' data but not them.) There are certain requirements for GDPR compliance that I still have a hard time seeing as being fulfilled. (And I did work in GDPR compliance projects before moving over to Automattic and have discussed this with people in the data privacy and security scene who have raised their eyebrows over the whole thing.) It is very strange to go from being proud of working on this and then not being able to recommend using it for much other than the CDN that doesn't require the sync process. |