GDPR stands for General Data Protection Regulation.
It is a new piece of legislation that came into force in Europe on May 25, 2018 and requires companies to protect the personal data of their customers.
The General Data Protection Regulation (GDPR) is a data protection law introduced by the European Union in 2016. It aims to protect the personal data and privacy of EU citizens.
The GDPR applies to all companies offering goods or services to EU citizens, regardless of their location. It also applies to companies that monitor the behavior of EU residents, even if they do not have a physical presence in the EU.
Let's see how to recognize GDPR-compliant hosting and what the most common problems are, such as the false and misleading declarations of non-compliant hosting providers that claim to be compliant.
European GDPR Hosting and European Hosting Companies.
A GDPR-compliant hosting service must above all respect two principles: territoriality and legal presence.
Under the principle of territoriality, the data must necessarily reside PHYSICALLY within the borders of the EU member states.
Do you want to rely on a Swiss hosting company with servers on Swiss soil? You cannot.
Do you want to rely on a hosting company in San Marino with servers in San Marino? You cannot.
Do you want to rely on American enterprise hosting such as WP Engine, WordPress VIP, Fastly, Pantheon, RunCloud or Cloudways? No, you cannot.
As repeated, the servers must be on European territory, and all the services listed above use servers located on US, not European, territory, which no longer enjoy the free pass that the now-abolished Privacy Shield had created.
USA hosting and Privacy Shield.
The Privacy Shield is (or rather was) a framework that allowed the transfer of personal data from the EU to the United States.
The program was created in 2016 after the European Commission found that the Safe Harbor program did not provide adequate protection for EU citizens. The Privacy Shield replaced the Safe Harbor program and set stricter requirements for companies wishing to operate in the United States and provide services to European customers.
What is the Privacy Shield and what is it for?
The Privacy Shield is a framework that allows companies to transfer personal data from the EU to the United States. It replaces an earlier agreement called the Safe Harbor, which was deemed inadequate by regulators because it did not provide sufficient guarantees for the privacy rights of EU citizens. The new framework was developed by the U.S. Department of Commerce and approved by European officials in July 2016, after negotiations had been ongoing since September 2015.
When was the privacy shield abolished?
With the judgment of 16 July 2020 in case C-311/18 between the Data Protection Commissioner / Maximilian Schrems and Facebook Ireland, the Court of Justice of the European Union (CJEU) declared the EU-US Privacy Shield incompatible with the GDPR and, therefore, no longer valid.
The reason behind this decision is that the current level of protection of personal data under US law cannot be considered equivalent to that of the GDPR. This is largely due to US surveillance programs and the lack of an adequate mechanism for European users.
The cancellation of the Privacy Shield took effect immediately, which means that the Privacy Shield is no longer a valid basis for transferring EU data to the United States.
False declarations of GDPR compliance by hosting and service companies.
To understand this step you need to keep in mind a very simple concept: it is not illegal or a crime for a non-European company to sell services to European companies.
On the other hand, it is illegal and a crime for a European company to buy services from non-European, non-GDPR-certified companies.
The false compliance declarations of companies that claim to comply with the GDPR play on exactly this asymmetry.
Take for example WordPress VIP, the enterprise hosting service developed by Automattic, the company that, so to speak, produces and develops WordPress.
Reading their statement regarding WordPress VIP and GDPR we have the following concepts (translated with Google Translate for convenience):
The General Data Protection Regulation in Europe (aka GDPR) is a far-reaching privacy regulation that came into effect in May 2018.
This page provides information on the law and our plans for implementing the important GDPR principles for WordPress VIP products and services, including WordPress.com and VIP Cloud. We are currently working to add features to improve user choice and bring greater transparency to our practices regarding the collection, storage and use of your data.
For example, for your convenience, we now have an addendum available for WordPress VIP data processing. If your business is exploring how to confirm vendor GDPR compliance, this document can help as it addresses the particular nuances of hosting services.
WordPress VIP products and services are GDPR compliant and will meet the dates set by the European Union.
We will also provide additional tools and information in
so that users of our services can take the necessary steps to comply with the law, if necessary.
At first glance, therefore, we could safely trust it, considering the size and fame of the company making the statement and the tone and tenor of a statement that leaves no room for interpretation.
But are we really sure? Can we really rest assured and not risk a fine of 4% of our turnover?
Let's take a closer look at who WordPress VIP and Automattic are.
In their footer we immediately see that their company name, their address and their VAT number are all missing. It would be impossible for a European company to operate on European markets without clearly showing this MANDATORY information in the footer.
Let's check whether Automattic at least has a European headquarters, subsidiary or branch by visiting their website automattic.com.
In this case too, there is no legal information on their site that could identify a company incorporated in Europe, only an Automattic Inc and nothing more.
A Google search does not turn up a single reference to a European branch of Automattic; instead, everything seems to lead back to the one Automattic Inc based in San Francisco in the United States.
Obviously it is not up to us to judge why a company like Automattic does not open a European branch in order to operate with peace of mind with their services; however, as of today, 21 May 2022, these are the documented and documentable facts.
The same goes for Managed Hosting configuration services that make use of multiple locations and multiple providers.
It is worth spending a few lines on suppliers such as RunCloud or Cloudways, which offer a managed hosting platform to deploy popular PHP-based applications on infrastructure hosting in just a few clicks.
Put very simply: if you want to install and configure cloud instances for PHP projects, but you are not a system engineer and do not want to go crazy configuring the database, web server or Varnish cache, these systems allow you, upon registration and payment for the service, to allocate a perfectly configured instance on different cloud hosting providers such as Linode, Vultr, AWS, Google Cloud, etc.
As we all know, these providers (certainly Vultr, AWS and Google Cloud) have different regions spread across continents, so we tend to think that if we used RunCloud or Cloudways to create instances, say, on AWS in Milan (yes, AWS also has a region in Italy, in Milan), we would in fact be GDPR compliant, since physically the applications would run on intra-community, and therefore European, territory.
The reasoning might seem absolutely correct and linear at first glance, but on closer technical examination things are a bit more complex than they may seem.
In fact, RunCloud and Cloudways are not mere "creators" of instances: they are PaaS services (Platform as a Service) that live in full symbiosis with the instance they create.
In short, it is not possible to create an instance with RunCloud or Cloudways, deactivate the service and then continue using the instance on your own. You have to keep using the instance through the original service, and RunCloud or Cloudways retains access to your instance through its API and can in fact carry out operations on it without regard for European law.
After all, neither RunCloud nor Cloudways has headquarters, subsidiaries or branches on European territory.
Specifically, RunCloud is a company based in Malaysia; therefore, it is absolutely not GDPR compliant, although on their site they try to hide the problem with confusing and misleading information.
Having headquarters in Malaysia and customers in the EU is therefore, as indicated above, not their problem but yours, as European customers who do not comply with the European requirements.
Cloudways, specifically, is a company based in Malta; therefore, as with RunCloud, it is absolutely not GDPR compliant, although on their site they try to hide the problem with confusing and misleading information.
Being based in Malta with customers in the EU is therefore, as indicated above, not their problem but yours, as European customers who do not comply with the European requirements.
As we have seen, it is common practice to try to convince a potential customer that the company complies with the GDPR requirements, boasting good intentions and many beautiful words that are, however, devoid of effectiveness and legal value.
It is not enough to say "we are committed", "we are doing", "we are good people" to be in compliance with a law.
Formal and substantial requirements must be met: data and datacenters on European territory (in one of the EU member states), and companies, subsidiaries or branches established in Europe in a member state, with a European VAT number. Anyone who does not meet these two conditions is automatically considered not compliant with the GDPR.
Should Automattic or any other non-GDPR-compliant hosting provider mentioned in this article come into compliance with the data protection regulation, we will rectify the article and make the necessary changes.
Let's look below at which WordPress hosting providers are and are not GDPR compliant.
As we can see from their website they have offices in the following locations, none in the European Union.
A Google search likewise does not reveal the presence of any subsidiaries or branches with a European VAT number.
WP Engine GDPR
WP Engine is a WordPress hosting provider based in Austin, Texas, with a branch in the UK. After Brexit, therefore, it is indisputable that it has no European presence.
Irongate House, 22-30 Duke's Place
London, EC3A 7LP United Kingdom
Looking at their list of sub-processors is even more telling: it lists exclusively non-European sub-processors.
Pantheon.io GDPR Hosting
Although Pantheon.io is based in San Francisco in the United States, it too displays a false declaration of compliance that has no legal value.
What are the consequences of using non-GDPR compliant Hosting?
Administrative penalties related to privacy can reach 20 million euros, or 2 percent or 4 percent of a business's turnover.
To be clearer, take the example of a small company with a turnover of 500 thousand euros and a profit of 250 thousand euros: the fine imposed would be 20 thousand euros.
The GDPR regulates only pecuniary administrative sanctions; Article 83 provides for a maximum amount of:
- 10 million euros or 2 percent of the global annual turnover of the previous year, for companies that, for example, do not appoint a DPO, do not notify a data breach to the Supervisory Authority (the Guarantor), violate the conditions on the consent of minors or unlawfully process users' personal data;
- 20 million euros or 4 percent of turnover, for companies in cases, for example, of unlawful transfer of personal data to other countries or non-compliance with an order imposed by the Guarantor.
In any case, the consequences for businesses and professionals who commit violations are various:
- criminal penalties;
- administrative sanctions;
- compensation for damage in favor of the interested party;
- prohibition of processing personal data until the non-compliance situation is remedied.
In short, it is not a joke or something to be taken lightly given the potential dire consequences that we have shown above with a real case.
Do sanctions of this type often occur for violating the GDPR?
The fines suffered in 2019 by SMEs, sole proprietorships, freelancers and companies not complying with the GDPR range from 8 thousand to 11.5 million euros. Here is a concise list of the injunction measures imposing pecuniary administrative sanctions, issued by the Guarantor for the Protection of Personal Data (Privacy Guarantor, the Italian Supervisory Authority), both on the basis of EU Regulation 2016/679 and on the basis of the Italian Privacy Code (Legislative Decree 196/2003, as amended by Legislative Decree 101/2018).
To say that they happen often could therefore be inaccurate, but they certainly have happened and can happen.
The most frequent case is an assessment by the Privacy Guarantor following a report (even an anonymous one) from individuals, dissatisfied employees or competitors.
In fact, it is enough to send an email (or rather a PEC, certified email) to the Privacy Guarantor's address to have the complaint registered and trigger an assessment which, if well founded, can lead to a sanction.
So what to do if you have a site in a hosting that does not comply with the GDPR?
Our advice is to verify that the provider is GDPR compliant and that the final hosting resides on European servers (within EU borders) managed by European companies.
For example, we, a European company, source from another European company that has datacenters in Germany and Finland (European countries).
We have a European VAT number, the datacenter company with which we are colocated has a European VAT number, and the physical location of the servers is on European territory.
For greater protection, we provide the supporting legal documentation along with documentation on cookie management, on the GDPR and even the Security Policy Document, which is no longer mandatory but still adds value.
If this is not the case, and a careful analysis (we always advise having the verification carried out by someone not currently involved, not a supplier for example) reveals that the site is not GDPR compliant, you will have to quickly evaluate an alternative that is equivalent to or better than what you are currently using in terms of features, performance and functionality.
We can assist you in this process by offering you high performance solutions and a software stack compatible with those indicated above as well as ensuring full and total compliance with the GDPR regulation.
Specifically, our software stack is based on NGINX, PHP-FPM, Varnish, ElasticSearch, REDIS and Memcache and is able to replace all the non-GDPR compliant suppliers listed above with greater performance.
Following the migration to our systems, it will therefore be necessary to review all privacy notices, adding information about the data that may be transferred abroad, where it is transferred and the protection guarantees it enjoys. This must then be brought to the attention of the data subjects. The records of processing kept by the controller or processor will also have to be updated accordingly.