Disclaimer: I am not a lawyer. This post does not replace seeking legal advice.
The Privacy Shield stated that the US Data Privacy Protection Laws matched the EU’s data privacy laws standard. Hence, no special precautions were necessary when transferring data between the EU and the US.
The Data Privacy Shield, however, was “dismissed” by the EU’s supreme court in its remarkable Schrems-II ruling.
That was embarrassing as the 2nd agreement was nullified by the high court (Privacy Shield was the successor of Safe Harbour, which was nullified in the Schrems-I ruling). A 3rd attempt is (was) underway but was blocked by the EU parliament end of 2022.
In practice that means that precautions must be made when transferring data from the EU to the US (due to the above considered as a 3rd party nation with insufficient Data Privacy Standards). Such precautions can be based on the SCCs, the standard contract clauses (contract clauses “pre-verified” by the EU commission). Those clauses were renewed in the Schrems-II ruling and my understanding is that WordFence has integrated them into their TOS end of 2021.
That is not a 100% guarantee that everything is safe, as -according to lawyers- it is not sufficient to agree on those clause but one has to verify on a regular basis (monthly), that the SCCs are followed-up. Practically that would mean to fly over to the US, visit WordFence offices and ensure that they stick to the SCCs. Frankly, that is not possible, as not every individual user can go there and verify that. We can only trust WordFence.
Meanwhile, Schrems-II was recognized in the daily legal practice; MailChimp was ruled to violate GDPR and the same applies for Google Analytics.
However, that is only one part of the story. On the other hand, the GDPR demands TOMs (Technical-Organizational-Measures) to insure Data Privacy, including security.
In other words, a web host has to ensure that he/she ensures state of the art data protection.
Webfence is one of the market leaders, so by choosing it, one can justify a vital interest in doing so (security for one’s own sake and one’s web visitors).
Precautions must be taken. With the SCCs in the TOS, Wordfence has already done a lot (not 100% bulletproof, though). Additionally, webmasters must check the Wordfence settings and ensure that they are set to maximize GDPR compliance, i.e., reduce transmission of user data (such as IP addresses) to the US.
Furthermore, the usage of Wordfence must be mentioned in the websites data privacy statement, and it must be ensured that users consent to it (e.g. Wordfence cookies) before any data transmission takes place that would reveal their identity (IP address) or track their behaviour.
The latter is critical and demands a regular assessment whether the same level of security could be achieved with a plugin that avoids transmitting personal data to the US; as far as I can judge, that is currently not the case.
Taken together, there are good reasons for using Wordfence. In case of a complaint, the other party should explain its concerns exactly and what kind of disadvantage happened after executing all available rights.
Considering all that you should have strong arguments to justify the usage of Wordfence, as long as you take according precautions and as long as an according assessment holds true.
By now, I am not aware of a case targeting the use of Wordfence. Instead, I find articles on GDPR related sites that quote security issues identified and published by Wordfence.
As I said, I am not a lawyer, therefore this post is no legal advice. I would suggest you seek for legal advice and then make an informed decision about using the Wordfence plugin.
