WordPress.org

Make WordPress Core

Opened 9 months ago

Closed 9 months ago

Last modified 6 weeks ago

#49592 closed feature request (invalid)

GDPR - Article 30 - Records of Processing Activities

Reported by: arena
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Privacy
Keywords:
Focuses:
Cc:

Description

I tried to find the "Records of Processing Activities" on WordPress core and could not find anyone online.

This document is required by GDPR - Article 30.

GDPR applies for/to any E.U. citizen.

In Article 83 - General conditions for imposing administrative fines, some fines may apply if your site or activity is not compliant with the GDPR, up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover.

Thank you for your answers.

Regards

I am expecting a legal answer, not a technical one.

2nd anniversary of GDPR is in May!

=========

It is important to separate:

  • WordPress as software (core) using external software components and external services
  • wordpress.org AND w.org as a service provider for WordPress core.

In this "Records of Processing Activities", the processes activated by these lines of code should be described.

wp54rc\wp-admin\includes\file.php
   1086: $signed_hostnames       = apply_filters( 'wp_signature_hosts', array( 'wordpress.org', 'downloads.wordpress.org', 's.w.org' ) );
wp54rc\wp-includes\formatting.php
   5634: 'baseUrl' => apply_filters( 'emoji_url', 'https://s.w.org/images/core/emoji/12.0.0-1/72x72/' ),
   5652: 'svgUrl'  => apply_filters( 'emoji_svg_url', 'https://s.w.org/images/core/emoji/12.0.0-1/svg/' ),
   5768: $cdn_url  = apply_filters( 'emoji_url', 'https://s.w.org/images/core/emoji/12.0.0-1/72x72/' );
wp54rc\wp-includes\general-template.php
   3207: $hints['dns-prefetch'][] = apply_filters( 'emoji_svg_url', 'https://s.w.org/images/core/emoji/12.0.0-1/svg/' );

source : wp 5.4 RC

GDPR : https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN

Change History (9)

#1 @carike
9 months ago

  • Resolution set to invalid
  • Status changed from new to closed

I am expecting a legal answer, not a technical one.

WordPress.org is staffed by volunteers.
While some volunteers may have a legal background, no one will provide legal advice.
If you need legal advice, please contact a licensed professional in the appropriate jurisdiction, with experience in matters of the GDPR / CCPA / other relevant privacy legislation.

You are welcome to join the #core-privacy on Slack. Office hours are 19:00 UCT on Wednesdays.

If you would like to open a ticket that proposes the creation of a new file within the WordPress core, that is something that definitely can be discussed.
Please note that actionable tickets are usually implemented faster, so a specific suggestion for a description for each line of code is much more likely to receive traction.

#2 @arena
9 months ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

I am not expecting legal advice.

GDPR Chapter IV and particularly articles 24 and 28 are explicit.

I just want to comply with GDPR as WordPress.com and Microsoft might do!
Aren't they using WordPress core for their blogging activities?

This is called exterritoriality of law.

It applies on some US laws as well as EU ones.

Regards

#3 @carike
9 months ago

I am not expecting a legal advice.

I am expecting a legal answer, not a technical one.

Could you please describe what you consider as a "legal answer", as opposed to a "technical answer"?

WordPress core does not guarantee compliance with the laws of any particular jurisdiction.

Don't get me wrong, we do have multiple projects dedicated to trying to make it easier for site admins / owners to meet their various obligations. It is not a matter of simply not caring. But the onus of compliance is still on the site owner / admin.

Could you please describe exactly what it is that you need / want from this ticket?
What is the outcome that you are hoping to see?

This ticket was mentioned in Slack in #meta by carike (9 months ago).

#5 @johnbillion
9 months ago

I believe Arena is asking about the record processing of personal data collected by wordpress.org when using the WordPress core software. WordPress installations communicate with wordpress.org for update checks, browser checks, the credits API, etc.

#6 @johnbillion
9 months ago

This should probably be moved to meta.trac.wordpress.org.

#7 @Otto42
9 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from reopened to closed

The s.w.org site is our static CDN, for serving static resources from WordPress.org faster. It has no data collection system at all, we only use it for serving static resources.

For all information about data collected by wordpress.org, you can refer to https://wordpress.org/about/privacy/

The WordPress core software collects no data of this type, whatsoever. Only what you put into it. It's software, it runs on your own hosting and servers, not ours.

#8 @arena
8 months ago

  • Focuses privacy added

As any citizen around the world, volunteers or not, we are above all citizens and must comply with the laws (for the luckiest of us, this is why we have constitutional rights).

I will not go on Slack because the day I will be in front of a judge, he/she will read "the book", not Slack!

I am still asking: what Microsoft or WordPress.com would provide as their "Records of Processing Activities" to my local (which represents France on this topic) or any E.U. Data Protection Agencies or a judge for their blogging activities in E.U. or for their E.U. customers wherever they are located in the world (exterritoriality of law)?

This ticket is still open for me and for all E.U. citizens using WordPress, typing on a WordPress blog (admin), reading a WordPress blog (visitor)

For the record,

1) Me, because I am a European citizen, writing on trac.wordpress.org, GDPR applies on trac.wordpress.org! I can ask all personal information I left on that site as well as my comments on wordpress.org blog ...

2) all my plugins readme.txt have a Privacy section to describe what they do in order to comply with GDPR, Chapter IV - Controller and processor, Section 1 - General obligations, Article 30 - Records of processing activities

https://core.trac.wordpress.org/ticket/49602#comment:4

3) 1/3rd of the internet can now add custom maps in a few clicks

  • are they collecting personal data?
  • is there any privacy information to provide?
  • can I discard this feature?

https://blog.mapbox.com/wordpress-adds-map-block-74a75dbcb22d

Last edited 8 months ago by arena

#9 @garrett-eclipse
6 weeks ago

  • Focuses privacy removed

Dropping privacy focus as it's already in the Privacy component.
