Make Ghost fully GDPR compatible?
I wonder if a self-hosted Ghost blog can be fully operated from my own server (if I do not embed third-party content like YouTube Videos)?
Ghost relies – like many websites – on some scripts like jquery which are delivered through a CDN. You can copy those scripts to your server. At least this is what this blog post (in German) states. I'm not into the details, but could it be possible to integrate that in the self-hosted version of Ghost that comes with Cloudron?
This wasn't in the question but I think use of CDN alone doesn't mean your website is not GDPR compliant. It's possible to use a CDN and be compliant. See https://www.cloudflare.com/trust-hub/gdpr/ for example.
If you want to remove the CDN, we will have to take it up with Ghost to make the assets be self-hostable.
There is / was some - over excessive, in my humble lawyer opinion - court ruling in Germany that use of a CDN without proper data protection agreements in place (usually US providers) is not GDPR compliant, see for "Google Fonts" over a CDN https://www.theregister.com/2022/01/31/website_fine_google_fonts_gdpr/
The decision, by Landgericht München's third civil chamber in Munich, found that the website, by including Google-Fonts-hosted font on its pages, passed the unidentified plaintiff's IP address to Google without authorization and without a legitimate reason for doing so. And that violates Europe's General Data Protection Regulation (GDPR).
The university was obliged to terminate the integration of the cookie service on its website, as this was accompanied by the unlawful transmission of personal data of the website users - the IP address - and thus in particular of the applicant. The cookie service processes the complete IP address of the end users due to the use of Akamai's Content Delivery Network on servers of a group of companies whose parent company was located in the USA. Whether the data actually reached the USA or remained on a server in the EU and whether Cybot's contractual partner was the US parent or a German subsidiary was irrelevant; the above questions could therefore apparently not be conclusively clarified in the proceedings.
It's based on the - again, overly excessive - interpretation of GDPR that a mere IP is "personal data"; it's further based on the view that US companies are inter alia subject to the "Cloud Act" which allows US authorities more or less unlimited access to such data (if this still holds true now after the agreement on the EU-US-Data-Privacy-Framework is doubtful).
Don't get me wrong, an argument can be made for the protection of IP addresses as e.g. abortion websites in the US may have aided prosecutions by selling data such as IP-addresses, see https://ldi.upenn.edu/our-work/research-updates/abortion-clinic-websites-may-unwittingly-aid-patient-prosecutions/
More than 99% of abortion clinic web pages studied in May included widely used code that transferred user data to a median of nine external entities, which in turn could sell the data or provide it to law enforcement, according to the team’s Research Letter, which appears Sept. 8 in JAMA Internal Medicine. The clinics may not even be aware that visitors’ data is being disseminated since the practice is so standard across the web.
If you want to remove the CDN, we will have to take it up with Ghost to make the assets be self-hostable
I guess that would be the best option.
As @necrevistonnezr mentioned, there are some overly strict rules set in Germany. It's quite complicated to understand what's allowed for whom and how to achieve the level of data protection that's required. Especially if you don't have a background in law or aren't a trained web developer who knows exactly how to tell your server what to store/retrieve and how.
This unsettles ambitious amateurs (like me), so I'd rather be overly cautious than run into an open knife.