
Can hosting a package on npm cause data privacy concerns?


We are creating a Web component that will be available via a self-hosted CDN in Europe.

The idea is to make it as easy as possible for developers to integrate the Web component in a Website.

One of those ways is to publish it on npm. The question now is:

Since the project is subject to very strict data privacy requirements:

Could one make the case that npm is unsafe from the perspective of data privacy?

In other words: does the act of publishing an npm package cause a data privacy issue for the consuming developer or, more specifically, for the end user using the Web component in the browser?

Of course, this question excludes issues with the Web Component itself, since they can cause an issue on their own. I am only interested in hosting a package on npm.

Upon some investigation: I am from Germany, and data privacy and data protection seem to translate to the same word (Datenschutz). So in this question both are meant.


Solution

I would not use Stack Overflow to seek advice on complying with data privacy laws or regulations. I am not a lawyer and I doubt very many people on here are. That said, there are some generalities that can be made that may or may not apply to your specific case. Again, I am not a lawyer, and this is not legal advice.

I'm not sure if you are talking about the public npm registry or a private one.

In terms of data privacy, publishing your code to the public npm registry isn't much different from publishing it to GitHub or to a blog. If the code, examples, documentation, and various configuration files do not contain sensitive data, publishing them to the public npm registry won't create issues. If one or more files that you publish do contain sensitive data, then publishing them to the npm registry will pose similar risks to posting them to GitHub or a blog.

If you are using a private npm registry, things might be a lot more complicated and I would not trust an answer on Stack Overflow. Get your data security folks talking to your developers and the people who are doing the registry hosting.
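The practical check behind the answer above is to audit exactly which files will end up in the published tarball before running `npm publish`. The script below is an added example, not code from the question or the answer: it takes the file list that `npm pack --dry-run` would print (here a constructed sample) and flags entries whose names or directories usually hold credentials or personal data. The pattern lists are assumptions to adapt to your project.

```javascript
// Added pre-publish audit (not from the original Q&A). Input: the list of
// paths that `npm pack --dry-run` reports as part of the tarball.

// Filename patterns that usually mean credentials or private data (assumed list).
const SENSITIVE_NAMES = [
  /^\.env(\..*)?$/i,           // .env, .env.local, .env.production
  /\.(pem|key|p12|pfx)$/i,     // private keys and certificates
  /^id_(rsa|ed25519|ecdsa)$/i, // SSH private keys
  /^\.npmrc$/i,                // can carry a registry auth token
  /\.(sqlite|db|csv|xlsx)$/i,  // exported datasets, often personal data
];

// Directories a browser component never needs at runtime (assumed list).
const SENSITIVE_DIRS = /(^|\/)(\.git|coverage|logs?|test-data|fixtures)(\/|$)/i;

// Returns [{ file, reasons }] for every path that should not be shipped.
function auditPublishFiles(files) {
  const flagged = [];
  for (const file of files) {
    const base = file.split("/").pop();
    const reasons = [];
    if (SENSITIVE_NAMES.some((re) => re.test(base))) reasons.push("sensitive filename");
    if (SENSITIVE_DIRS.test(file)) reasons.push("directory not needed at runtime");
    if (reasons.length) flagged.push({ file, reasons });
  }
  return flagged;
}

// Constructed sample of what `npm pack --dry-run` might list for a component
// whose package.json lacks a "files" allowlist.
const SAMPLE_FILES = [
  "package.json",
  "dist/my-component.js",
  "README.md",
  ".env.production",
  "certs/cdn-client.pem",
  "test-data/customers.csv",
];

const report = auditPublishFiles(SAMPLE_FILES);
for (const { file, reasons } of report) {
  console.log(`${file} -> ${reasons.join(", ")}`);
}
```

Fixing the findings usually means adding a `files` allowlist to package.json (so only `dist/` and the README are packed) and re-running `npm pack --dry-run` until the report is empty.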