• If you install this plugin on a european website, you may risk an expensive warning from a lawyer. Still not clear if Wordfence is DSGVO/GDPR compliant

    • This topic was modified 1 year, 4 months ago by vbueschken.
    • This topic was modified 1 year, 4 months ago by vbueschken.
Viewing 8 replies - 1 through 8 (of 8 total)
  • Thanks for your thoughts about Wordfence but you are mistaken.

    Wordfence is compliant with GDPR. You can read more about it here:
    If a lawyer contacted you regarding this then you should point them to that for clarification. If you (or they) have further questions you can email us at privacy [at] wordfence [dot] com.


    Thread Starter vbueschken


    Is the EU-US Privacy Shield still valid?

    As a result of the Schrems II decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.11.01.2023


    • This reply was modified 1 year, 4 months ago by vbueschken.


    From the link you posted:
    It is important to note that the CJEU’s Schrems II decision was focused solely on government access to data. The CJEU did not question the protections that the EU-U.S. Privacy Shield offered EU individuals in the commercial sphere. The U.S. commitments under the EU-U.S. DPF regarding signals intelligence are included in the Executive Order and regulations governing the new DPRC. 

    It seems a bit extreme to rate a plugin 1 star in the hopes of warning off everyone in the EU from ever installing it again because of a legal decision that happened 2 months ago that (and I must emphasize that I am not a lawyer) does not seem to apply to this particular circumstance.

    If you have been contacted by a lawyer about this and asked to pay fees, you may wish to consider the possibility that this was an opportunistic move on their part. Seeking a second legal opinion from someone who specializes in these types of cases might be an additional cost but is highly recommended.

    (Disclosure: I do work for Wordfence, and we make a considerable effort to maintain compliance with data protection regulations in the regions where we do business, which includes regularly reviewing the current state of these regulations)

    Thread Starter vbueschken


    If I search the “Privacy Shield Network” you mentioned in your response, I can see that Defiant Inc. does NOT participate in the Privacy Shield Network?


    • This reply was modified 1 year, 4 months ago by vbueschken.

    Hi, thanks for bringing this up. I checked in and that’s correct, Wordfence no longer participates in the Privacy Shield Program, my emphasis was more that the ruling you brought up seems to be specific to government access to data but I included additional context. We now use an updated method to lawfully transfer data between the EU/UK and USA. Our Privacy Policy describes how we collect and handle any information gathered from users of the Service.

    To the extent you are acting as a data controller of personal data subject to the EU or UK General Data Protection Regulation (the “GDPR”), the Standard Contractual Clauses found at https://www.wordfence.com/standard-contractual-clauses and UK International Data Transfer Addendum found at https://www.wordfence.com/uk-international-data-transfer-addendum applies.

    • This reply was modified 1 year, 4 months ago by ramwf.

    Disclaimer: I am not a lawyer. This post does not replace seeking legal advice.

    The Privacy Shield stated that the US Data Privacy Protection Laws matched the EU’s data privacy laws standard. Hence, no special precautions were necessary when transferring data between the EU and the US.

    The Data Privacy Shield, however, was “dismissed” by the EU’s supreme court in its remarkable Schrems-II ruling.

    That was embarrassing as the 2nd agreement was nullified by the high court (Privacy Shield was the successor of Safe Harbour, which was nullified in the Schrems-I ruling). A 3rd attempt is (was) underway but was blocked by the EU parliament end of 2022.

    In practice that means that precautions must be made when transferring data from the EU to the US (due to the above considered as a 3rd party nation with insufficient Data Privacy Standards). Such precautions can be based on the SCCs, the standard contract clauses (contract clauses “pre-verified” by the EU commission). Those clauses were renewed in the Schrems-II ruling and my understanding is that WordFence has integrated them into their TOS end of 2021.

    That is not a 100% guarantee that everything is safe, as -according to lawyers- it is not sufficient to agree on those clause but one has to verify on a regular basis (monthly), that the SCCs are followed-up. Practically that would mean to fly over to the US, visit WordFence offices and ensure that they stick to the SCCs. Frankly, that is not possible, as not every individual user can go there and verify that. We can only trust WordFence.

    Meanwhile, Schrems-II was recognized in the daily legal practice; MailChimp was ruled to violate GDPR and the same applies for Google Analytics.

    However, that is only one part of the story. On the other hand, the GDPR demands TOMs (Technical-Organizational-Measures) to insure Data Privacy, including security.

    In other words, a web host has to ensure that he/she ensures state of the art data protection.

    Webfence is one of the market leaders, so by choosing it, one can justify a vital interest in doing so (security for one’s own sake and one’s web visitors).

    Precautions must be taken. With the SCCs in the TOS, Wordfence has already done a lot (not 100% bulletproof, though). Additionally, webmasters must check the Wordfence settings and ensure that they are set to maximize GDPR compliance, i.e., reduce transmission of user data (such as IP addresses) to the US.

    Furthermore, the usage of Wordfence must be mentioned in the websites data privacy statement, and it must be ensured that users consent to it (e.g. Wordfence cookies) before any data transmission takes place that would reveal their identity (IP address) or track their behaviour.

    The latter is critical and demands a regular assessment whether the same level of security could be achieved with a plugin that avoids transmitting personal data to the US; as far as I can judge, that is currently not the case.

    Taken together, there are good reasons for using Wordfence. In case of a complaint, the other party should explain its concerns exactly and what kind of disadvantage happened after executing all available rights.

    Considering all that you should have strong arguments to justify the usage of Wordfence, as long as you take according precautions and as long as an according assessment holds true.

    By now, I am not aware of a case targeting the use of Wordfence. Instead, I find articles on GDPR related sites that quote security issues identified and published by Wordfence.

    As I said, I am not a lawyer, therefore this post is no legal advice. I would suggest you seek for legal advice and then make an informed decision about using the Wordfence plugin.

    Some points in my answer might be ambiguous, so for the sake of clarity:

    Wordfence (Defiant, Inc.) seems to have done everything they can do on their end to ensure GDPR compliance.

    Room for interpretation (and caution) results from complex legal affairs that are still quite young.

    Furthermore, the vendor can’t discharge webmasters from their obligations regarding Data Privacy.

    Once again: I am not a lawyer, and this post does not resemble seeking legal advice.

    Moderator Steven Stern (sterndata)


    Volunteer Forum Moderator

    This is turning into a learned discourse on GDPR, etc and has strayed far from being a review of WordFence. Closing the topic now.

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘Is WF compliant to DSGVO / GDPR ?’ is closed to new replies.