Hello dear D1strict-Members,
we are disabling hCaptcha!
Why are we disabling hCaptcha?
The reason is quite simple: the legal situation is currently uncertain, for example regarding the EU Privacy Shield. Since hCaptcha is also not a legally secure solution/alternative to reCaptcha, we have decided to disable captchas completely. We don't want to have a long discussion about this. We know ourselves that the EU Privacy Shield does not apply (yet).
A good article has been written by the plugin developer of the CMS "WoltLab Suite™", which also provides reasons for our actions (translated from German):
For data transfers to third countries outside the EU, the GDPR requires appropriate safeguards. Possible safeguards are:
- Adequacy decisions of the EU Commission (the Commission decides the data security for data transfers to a specific country)
- Data protection agreements between the EU and third countries (such as with the US the now invalid Privacy Shield)
- Standard data protection clauses based on EU template between data importer (in third country) and data exporter (in EU)
Most US service providers previously based processing of EU data from US servers on Privacy Shield certification. Due to the now judicially decided invalidity of this shield, it falls away as a "guarantee" for data transfers to the US. Providers who previously relied only on the Privacy Shield now no longer have a basis under data protection law for data processing on US servers. Website operators who transfer data to these services run the risk of unlawfully initiating international data transfers.
The existence of data protection safeguards is an objective prerequisite for the permissibility of international data transfers. Only when this requirement is met does the lawfulness of the processing depend on a justification under the GDPR (consent, legitimate interests, etc.). Consent can replace a missing international guarantee only in individual cases (Art. 49 GDPR).
Website operators should definitely ask for other suitable guarantees, esp. standard data protection clauses, for services that are affected by the discontinuation of the Privacy Shield. If these are available in a suitable manner, data transfers to the USA would once again be possible in a legally secure manner.
If services with processing activities in the USA continue to be used without suitable guarantees after the Privacy Shield ceases to apply, there is a risk for the website operator. However, in the opinion of many lawyers, this is manageable because it is usually not pursued by the authorities.
In the case of Google, it is probably so that they now also use standard contractual clauses, but this is probably not sufficient. See also https://www.it-recht-kanzlei.d...ragsklauseln-was-nun.html
In the end, everyone must know for himself what he does. For my part, I don't use Google services on my websites until further notice. Nor hCaptcha, by the way - we even removed the product from our store due to the unclear legal situation.
But to be clear: I have no problem with Google and their services. I use them myself in my daily work. I just want to avoid that someone gets the idea to believe that you don't have to pay attention to anything when using Google services, especially when transferring data, because Google certainly complies with applicable law worldwide. I would also like to avoid viewing Google services as having no alternative. Because there are alternatives, be it for Analytics or for reCaptcha. Whether they are legally better, or technically worse, is another matter.
Will there be more spam on our sites as a result?
It's not possible to say exactly at the moment. However, our regulations are very strict about new users.
For example, a new user cannot immediately publish new posts or comments for 2 days, but must first wait for activation by the moderation team. So it can be seen in advance whether the respective user has registered with evil intent or not.