Schrems II and Iinvoiceninja - Possible data protection breach

ITSAW · July 26, 2022, 2:42pm

Hello all,

Unfortunately, I had to find out today that Verion 5 is pretty much against the GDPR and the rulings that apply in Europe.

With a self-hosted Invoiceninja the server tries to load data from Apple, Google, Microsoft, etc. and would therefore also transfer data there (judgment Schrems II https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:62018CJ0311&from=DE).

Thus, a data protection compliant use of Invoiceninja in Germany and probably also the rest of the EU is no longer possible.

Actually, I wanted to finally convert my v4, however, the new version will be denied me here and I have to look around again for a European solution, since v4 is probably no longer supported.

Alternatively, a version would have to come from you, which has exactly these CDNs, fonts and authoptions NOT integrated.

How do the developers see this problem and also the other European users?

Translated with www.DeepL.com/Translator (free version)

hillel · July 26, 2022, 2:01pm

Hi,

Not sure I agree that loading fonts from Google is a breach of GDPR, it’s certainly not an “Extreme data protection breach”.

That said we may change this in the future, the work can be tracked here:

Correction: looks like it isn’t allowed, we’ll look into it.

Google Fonts & GDPR – How You Can Stay Compliant.

strider27 · July 26, 2022, 2:27pm

Wouldn’t it be enough to notify the client of all the third party stuff, the data that is collected, and the reason for it, when they visit the portal, with a user consent pop up. Just make sure nothing of that is loaded before they accept it. If the don’t accept it, do not allow access.

The reason that case won is because it was done without user consent.

The only thing I can think of, that may be an issues is phantomjs cloud and hosted pdf. As those can be used before the user interacts with the app or has a chance to consent.

Although I’m all for hosting as much as possible locally.

hillel · July 26, 2022, 2:28pm

Maybe, @david any thoughts?

We’re happy to do what we can to prevent IPs from being shared if possible. The framework we use only recently made it possible to host these files locally, if we’re in violation of GDPR we’ll obviously prioritize the work.

ITSAW · July 26, 2022, 2:31pm

Hi,
it’s not only about the fonts but also the CDN from Apple and the Auth from Microsoft.

A warning is not enough, a tool that holds all my customer data should not connect to other services unless I want to integrate them.

I am well aware that the topic of data protection is a huge challenge for many developers, especially outside the EU. Unfortunately, we need to have this topic on the screen.

strider27 · July 26, 2022, 2:35pm

Is any data sent to apple/Microsoft if they are not enabled in .env?

ITSAW · July 26, 2022, 2:38pm

So at least Javascript is loaded with corresponding connections, which can already represent a violation since personal data is already transmitted here.

hillel · July 26, 2022, 2:41pm

This should be fixable, we’ll work on it…

Thanks for reporting this!

ITSAW · July 26, 2022, 2:44pm

Thank you very much.
If you have any further questions about data protection, please do not hesitate to contact me.

hillel · August 2, 2022, 12:12pm

This should be corrected in the latest release of the app

ITSAW · August 2, 2022, 12:47pm

Hello,

the new version is installed and the security addons currently do not find foreign links anymore.

I will then take a closer look and hope that everything fits under the hood.

Thanks for the quick response

hillel · August 2, 2022, 1:05pm

Glad to hear it, thanks for the update!

strider27 · August 2, 2022, 4:01pm

Might also want to add a warning for people using phantom cloud or hosted pdf generation? As that sends customer data to a third party for processing.