It’s a complicated matter, as often for legal things…
First of all: it’s not OVER for us Europeans to use Webflow, but some aspects are legally more complicated since the Privacy Shield was deemed invalid.
From my understanding, the main issue is about personal and sensitive data. So I’d say that if your site handles personal data (like Facebook for example) then you’ll need to ensure that this data is handled within EU following EU regulations.
For a Webflow site I imagine, this will mostly affect you for contact forms, and the usage of cookies.
Otherwise, the problem is more with 3rd parties like Memberstack whose core business is to handle this sensitive data.
So what I’d say should be done:
You need to check what data your site has access to and how it handles it
If you’re suspicious about something, try to change it (better be safe than sorry)
Webflow is a US company but has servers in EU thanks to AWS. So they need to ensure the data processed within EU is treated according to EU regulations. This needs to be done via a specific contract between them, AWS and whatever other provider they use.
Webflow should really give transparency on this, I agree with you here.
Hope that the new Privacy Shield the govs are working on will address this and that we can go back to work without having to worry about this
Good response.
I have actually messaged a few creators regarding this and it seems that most of them do not understand the legislation and don’t really care either. They are working under the assumption that the odds of having an issue are slim and that clients who handle a lot of user data are likely to have their own legal teams that you can trust this stuff to, so they just aren’t worrying about it.
Not to judge those creators as this is working out for them just fine it seems, but for me this feels irresponsible. I am happy to leave the actual website legalities to the clients but as far as the tools and plugins I am using and recommending, I need to be able to understand their legal status at least in brief.
Some transparency would be great. I have searched Webflow’s support and all I can find is an article about preparing for GDPR and in that a sentence stating they are seeking GDPR certification, nothing stating their current status.
Same for me. I stopped using Webflow and painfully went back to Wordpress.
I know these laws are kind of crazy but I agree that silence is not the most professional response from Webflow.
The problem is huge and involves Google Analytics, Memberstack, Zapier and all those extensions/integrations that are USA based.
A friend of mine is a Privacy Consultant and just attended a course about this new situation. He sent me some material to study, the point is, there is no shortcut or way around it.
If Webflow and the other services will give us an EU based option we can use them, otherwise we can’t. That’s it.
@Pasint I agree with your reply here. If you use the contact form just like you would use an email and use only general cookies, there’s no reason to worry.
So according to that article site should just make sure to include something like “your data will be sent to the US servers” in addition to the usual cookie opt-in popup and that’ll be enough.
So just to add a bit more. Here’s what the European Data Protection Board says on the subject of transferring user data to non-EU servers:
Article 49 (1) (a) states that a transfer of personal data to a third country or an international organization may be made in the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, on the condition that ‘the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards’.
Note that this is an old document from 2018, but it is still valid for the current changed policy as far as I can tell (the change here is at the time of that old doc US had the proper “adequacy” with their privacy shield, now it doesn’t)
edit: also to add
In the absence of an adequacy decision, the GDPR allows a transfer if the controller or processor has provided “appropriate safeguards,” which may include:
Approved Codes of Conduct or Approved Certification Mechanisms
Binding Corporate Rules
Standard Contractual Clauses
Webflow uses standard contractual clauses part to allow the transfer of data (this is where the DPA that was posted a few times by WF team comes into play).
That is from August 10 - it’s October now, are there any updates on this item?
We are considering additional technical and organizational safeguards we can offer, beyond contractual language, including an EU-hosted version of our service. We do not have an announcement to make on that front at this time. We are also in touch with our sub-processors as part of this process.
This would solve the whole thing if it could be served for EU customers on AWS Europe. Are you still exploring that as an option? How might it work, when might it be live, etc.?
Hi again, so I have convinced a client (in Europe) of mine to switch to Webflow incl. hosting since we like to use the CMS features. I am quite confused now what the situation is regarding all this US/EU Data privacy subject. It would be great if @WebflowCommunityTeam could provide something like a checklist (if possible) under what circumstances it’s safe to move forward with Webflow for European creators/clients.
Maybe there is one already and I missed it in which case I am sorry, but I am looking for something like…
No form data upload
Correct Disclaimer / Opt-out incl Webflow
… and so on
This would really help, since we don’t want to get into legal trouble. Would that be possible? thanks in advance, alx
It’s fine to use Webflow without contact forms yea - or ECommerce. Trackers are completely separate and you will just need standard cookie consent form if you are tracking people.
@WebflowCommunityTeam any updates on this - I don’t need to know anything concrete but just a general plan? If you don’t plan on having an EU hosted version of Webflow at some point it would be better for me to know sooner rather than later.
There’s been an update on this. The CNIL and other privacy law enforcement agencies across Europe recommend encrypting the personal data. As long as any Webflow employee or data processors can’t see or collect plain non-encrypted data, Webflow should be GDPR compliant.
I don’t think that’s enough @ColibriMedia? A DPO (Data Protection Officer) that I am working with on a project is insisting on hosting in the EU, which rules out Webflow for this job as things stand, unfortunately.
My business partner will not use Webflow currently because she doesn’t know if the system is future-proofed for EU users in this way.
The radio silence about Webflow’s plans is really worrying at this stage. I don’t need anything concrete now - but a hint as to whether the European data center option is a possibility or not would be reassuring.