European GDPR - Any news? [UPDATED July 2023]

It started.

Schermata 2020-12-06 alle 11.26.321586×754 55.2 KB

This is how more and more non-European sites appear to us who surf the internet from Europe.

Large companies that do not want or cannot host their sites on European servers or that do not want to give up tracking tools such as Google Analytics have no other option than to block access to European visitors to avoid incurring fines.

It’s getting very hard to promote Webflow to our European clients.

Is there any news from Webflow for a possible hosting option on exclusively European servers? (They said they were trying to offer this in this article about the invalidation of the Privacy Shield)

Schermata 2020-12-06 alle 21.56.10902×648 186 KB

UPDATE 17th January, 2021
I wrote an email to the Webflow Privacy department and they replied. I’m very satisfied with their explanation. Even if they cannot give legal advice, at least they explained in a clear manner and in one place all the details of the current situation.

I’ll include a screenshot (to let you see it’s a real email) and the transcription if you want to comment or copy the link he provided.

2021-01-17-15-03-mail.google.com1920×969 195 KB

Hello there,

My name is David, thanks for contacting the Webflow Customer Support Team.

Thanks for reaching out with the GDPR questions with data transfers for EU to US, I am here to help with some information for your research into data processing and storage.

Webflow uses hosting servers around the world for the CDN to enable sites to load quickly and closer to the users. Webflow uses Fastly and AWS Cloudfront.

There is not currently any option to have content only on specific servers or location. If your site needs to host only on specific location then an option is to create on Webflow and then export the website files so you can upload to a specific hosting server.

Our servers/sites are located/stored globally and all Webflow-hosted sites are Privacy Shield compliant - Privacy Shield

We anonymize all IP addresses and server logs in compliance with GDPR. For more thorough information I recommend reading through the Webflow Terms of Service and Privacy policy - Terms of Service | Webflow.

Ever since European Commission invalidated Privacy Shield as a mechanism to transfer data between EU and US, we’ve amended our standard DPA and and have been using Standard Contractual Clauses (SCCs) as the basis for the transfer mechanism. The latest version of our DPA has SCCs, and makes no reference to the Privacy Shield, even though we continue to be Privacy Shield compliant and are awaiting further guidance on the process, or updated SCCs as a result of that decision, which should come out in the next few months.

We are working very closely with outside privacy law experts on staying fully compliant with all GDPR regulations. We appreciate your attention to this.

Here is some more information:

• Webflow has a Data Processing Agreement available for individuals and businesses that rely on Webflow to process personal information, such as form submissions - Webflow Data Protection Agreement Request.
• We’ve updated our Global Privacy Policy 7 and our EU & Swiss Privacy Policy 15 to take into account the invalidation of the Privacy Shield as a mechanism for exporting data out of the EU.
• We continue to comply with our obligations to individuals under the Swiss-U.S. Privacy Shield Framework (which still is a sufficient mechanism for transfers from Switzerland, according to the Swiss Data Protection and Information Commissioner 4).

On a related note, Webflow does not yet have a built-in cookie management feature. However, it is possible to create a basic cookie consent using third-party services that exist specifically to ensure a site is compliant with cookie policy for their own site visitors. A typical service like this is listed below.

You can find some other cookie consent/legal consent solutions on our integrations page at the link below.

https://university.webflow.com/integration-type/legal-compliance-solutions

Privacy laws are complex and differ widely from client to client. Webflow cannot provide any legal advice. Our recommendation is to contact a legal professional who can help advise the requirements to help decide on the toolset used.

There have been some recent changes to EU privacy and the privacy shield, please continue to see the information from Webflow for any updates at Webflow, your EU customers need a statement (Privacy Shield) - #28 by WebflowCommunityTeam.

Best,
David

[UPDATE 2023]

New Privacy Shield!!!

This status message is more informative and transparent than what we see from one of our US partners when we want to access their company website. And this has been the case for all of Europe since the EU GDPR came into effect last May. No matter if you are a member of the EU or not…

I am a big fan of Webflow and am very happy that I could develop our web presence with this tool and finally have control over our most important information and advertising tool again.

I would have loved to create our webshop/ordering tool with it as well. I try to look at the whole thing a bit more differentiated and avoid customer data on US servers (that was a great joke just now, wasn’t it?) and, therefore, my Webflow project as “Information only” page. Illusory, I know. As a consequence of the legal uncertainties, I did NOT realize our new webshop with Webflow, but with a compliant tool hosted in the EU.

A compliant hosting in Europe would let many of us sleep better at night, @webflowcommunityteam. And because we are used to paying more for everything over here (yes, Apple, I am looking at you… I just paid you 20% more for my MacBook Pro, tax-adjusted, than in the US store… Why do you only love our money? We have one of the highest Mac, iPhone, iPad densities worldwide in Switzerland, and we buy everything from you like crazy :-).

So @webflow, I am willing to pay you 20% more if you don’t forget us in the old world. What do the forum participants think?

screenshot-refusal1250×498 55 KB

Thanks for posting this.

Hey nice post butwe dont want to pay more webflow is already expensive enough. The tool is full of bugs. Backups get destoyed and you lose months of work. And the support totaly sucks so why pay more for a features that most companies offer for the same price

Sorry, I cannot support or understand any of these points. I have been on the system every day for about six months and I am more than happy. Apart from small hickups, which can have a thousand other reasons, absolutely no problems. The backups are a blessing. Well, if you only like yogurt stirred on the left, then you shouldn’t buy yogurt stirred on the right. In other words, if I had such problems, I would not have invested so many hours of my life in something that makes me unhappy.

Hi Vania. I share your pain here. Some of these checks are a nightmare. We had 6 sites blocked in a similar way last week by a large health service network because it thought the site contain malware - it didn’t, but took days to sort.

I’m intrigued by this one though. We export our Webflow sites and use A2 Hosting (in Europe) to host. You would think that would be all fine, but any check of our site makes it look like it’s in the US. Only running a tracert shows it’s in the Netherlands - so a perfect storm for a false positive.

I read that the error 451 unavailable for legal reasons occurs when using the HTTP protocol. Could you try using HTTPS instead as this should solve? Are your sites HTTP?

Also, where did you get the message? Was it within a closed network or just a regular browser?

Thanks.

Hi!

This is not one of my websites, it’s https://www.heraldbulletin.com/, and as you can see it is HTTPS, regular browser (Chrome). And it happened with other websites, I didn’t save them so I can’t remember their addresses.

I think if you export the code you shouldn’t have any legal problem. With Webflow the data transfer happens because of the hosting and the forms, but I know that when you export the code their forms don’t work anymore so I’m pretty sure you’re not using them. Are you using Google Analytics?

It’s really interesting that those checks show that the site is in the US! I hope the websites I did in the past won’t get blocked

Hi

It looks like this is a page controlled by checks by Herald Bulletin rather than a browser. I guess it simply checking browsing location (and maybe if GA is used) and if it’s outside the EU shows this page?

We stopped using Google Analytics on our sites earlier this year as implied consent is no longer acceptable since 2019, so users would have to actively opt-in via a cookie-popup (or similar), so little chance of getting a full set of data. So we simply use AWSTATS via cPanel which records 100% of visiting info without the need to use cookies. More info on this website about the new cookie law.

Since posting above I’ve found https://hostingchecker.com/ and this does show our hosting is in Amsterdam. I was using Find Location Of Your Website or Domain: Site24x7 Tools which came back with the main A2 server in the US.

I’m pretty sure The Herald Bulletin cut European visitors out because they can’t/don’t want to comply with the new GDPR after the invalidation of the Privacy Shield.

Yes, looks like it. If I switch my VPN to the US (I am in the UK), then I can see the site perfectly.

Meant to say, for forms: Our forms must be secure as most of our sites are in Primary Care. So we use Web-Form-Buddy. Simple to set up in html (just a line of code for the FormID to paste in). Each user has their own login to securely retrieve submissions and are notified etc. (all the usual forms options are there). We have a control login to admin all sites (set up new forms, recipients etc.). We have over 50 sites using this system and have used them successfully for many years. And most importantly their server is UK based which satisfies requirements for our GDPR Data Processing Agreement.

Oh! Thank you so much for this info! Super useful!

I’ve been on Webflow for 6 years.

Very sorry if you experience so many bugs… Maybe there are some local reasons? Because my vie is: occasional bug quickly fixed, not at all full of bugs. Have been blocked by a bug maybe twice for a couple of hours.

Very sorry to hear that, but it seems to be a recurrent things for you? In 6 years, I never had 1 issue with the backups, and I use them all the time.

I can’t let that be said : support answers me everytime in less than 4 days, usually around 48hrs lately. Once in contact they will not stop emailing you until a solution is found. Very sorry if you have experienced otherwise, but if you had multiple bad experiences, that’s very very far from what I witnessed.

I haven’t seen one site that would benefit from the European market adopt this blocking strategy. It’s usually US media only.

I don’t agree with that post either. Seems off topic too. Webflow works very well for me. Except I can’t use it right now because of GDPR problems

As far as I understand, there’s no potential blocking problem with GDPR and sites assets being hosted outside of Europe. It’s all a matter of informing the visitor and getting the appropriate consent.

What’s more sensible is all the trackers, cookies and stuff, that you need to block prior to get consent.

But there’s no situation where a site hosted in USA can’t be seen in Europe because of the law, there are many things to do to solve this while respecting GDPR.

I’d like to have the option to store in Europe though, opening the possibility og having websites without any popup or consent dialog regarding GDPR.

If you look carefully at the content it clearly states that is because of GDPR.

Of course that’s not the European Union blocking the website. They did this on their own website.

What I want to say is:
Even if we pretend that everything is fine it’s not. GDPR exists. Fines exist. Big websites are starting to be aware of this and are taking measures. If Webflow wants European customers, it has to do something about it.

That’s all.

For your example with heraldbulletin? They says what they want, that doesn’t reflect the law. They’re just lazy to develop something that’s not even adressing their audience pool.

I did not.

Nothing prevents you to make GDPR compatible website using Webflow today. GDPR is about users’ data not websites’ data. There are so many services that a US or EU website can use to make its website compliant. Even Google Analytics.

There’s so much more. GDPR is complex. The web is full of resources for you to read to ensure compliance. And the task requires legal professionals often too.

Please tell me how I can use Weblow and be compliant with GDPR.

1. The website cannot be hosted in US
2. Any data transfer from EU to US is forbidden