US PRIVACY SHIELD Defunct What now?

Hi all,

We have completed the above workstreams, i.e. we have just pushed an update to our DPA to implement the Standard Contractual Clauses there.

This should resolve the issue that this thread is about. We are happy to answer any questions you might have at legal@bubble.io, but note that in many cases, if your question is very specific to your business, we will probably ask you to consult your legal counsel.

Cheers,
Allen

6 Likes

got that in email

1 Like

Hi
Thanks a lot for dealing with it. That’s good news.

This is all very technical. Could you provide us a simple general overview of what this change means regarding our European users’ data? (Technical changes? Data transfer changes? GDPR full compliance? Our app data security? Availability to US Gov regarding SCC & Cloud Act)

Also, what do we, as bubblers, have to do? Should we make some changes to our privacy policy? It would be great to have, if doable, a pre-written paragraph to include in our policy.

Of course we and our lawyers can/have to dive into it, but I believe it is often a nightmare for all of us to go deep in that subject.

Thanks a lot, and thanks for the quick resolution regarding this unexpected Privacy Shield news.

1 Like

I agree with @banbimmo, would be nice if Bubble (@allenyang) can provide a simple explanation of what this means for anyone building an app on Bubble with European user data and if there are any necessary basic steps we need to take.

Regards

3 Likes

The very short summary is that Bubble again complies with GDPR. Previously we were relying on Privacy Shield as part of our GDPR compliance, but Privacy Shield was struck down by the EU courts. We have now implemented the Standard Contractual Clauses, which “covers” the part that Privacy Shield previously covered for us. In slightly more legal terms, the Standard Contractual Clauses are the legal mechanism for transferring data out of the EU (in this case, to the US, since Bubble is a US-based company).

As a Bubble user, if you accept our new DPA which now has the Standard Contractual Clauses, you should be good to go, just as before (and, if you don’t, that means you don’t accept our Terms which means you should stop your use of Bubble).

Note that as part of our change here, it also means we’ve checked that all our sub-processors have the Standard Contractual Clauses as well.

With this, we think Bubble users should now be fine to use Bubble from a GDPR standpoint. But, ultimately, while we have worked closely with our lawyers on this, we are not your lawyers, so if this is a concern to you, you should consult your own legal counsel :slight_smile:

11 Likes

Congrats on the management of this issue. No other free-to-use service that I know of has been so quick and expressive in dealing with this (explaining the updates). Just a couple of days after Google Cloud. Congrats @allenyang

2 Likes

Big applause and huge thanks to you @Bubble (and your lawyers!) for managing this issue so quickly. You’ve always been transparent with us, proactive and efficient. I’m glad to be part of the Bubble world!

:clap:t2: :clap:t2::clap:t2::clap:t2::clap:t2::clap:t2:

Thanks for the explanation @allenyang. Really appreciate it.

Regards

Am I understanding correctly that this ensures Bubble complies with GDPR with respect to their own users (app makers), but doesn’t cover any GDPR requirements for users of the apps located in the EU that Bubble makers produce? For that, you would still need a dedicated server?

Not quite.

This thread has some historical background that’s relevant here - it’s back from when GDPR first came out. Some of the messages in the thread provide more color.

A couple points to address your question:

  • You’re right that the measures in this thread mean that Bubble complies with GDPR with respect to our own users (app makers; for them, Bubble is the “data controller”).
  • Note that Bubble being GDPR compliant is necessary but not sufficient for Bubble’s users’ apps to be GDPR compliant themselves.
    • “necessary”: For your apps, Bubble is a “data processor”, so Bubble is effectively a sub-processor for you, so we would need to be GDPR compliant for you to be.
    • “but not sufficient”: Ultimately you still need to consider and pay attention to GDPR compliance for your own app as well. Even if Bubble is GDPR compliant, your app could do things to violate GDPR. As a silly example, your app could immediately transfer all the private info about one of your app’s users to a foreign government as soon as they sign up without your end-user’s knowledge - that would not be GDPR-compliant.

I will emphasize the following points because they are common misconceptions:
  • You do not need to be on a dedicated server in order to be GDPR compliant.
  • Being on a dedicated server in Europe does not in itself ensure GDPR compliance.

5 Likes

Thanks for adding this clarification. I think it is helpful for everyone to understand this. It takes a lot of work to be GDPR Compliant and CCPA Compliant. I wish there was an easier way to do this. :blush:

Are you aware that your Data Processing Agreement Addendum Document (28 Aug, 20) has been updated to take into account the CJEU ruling whereby the Privacy Shield has been invalidated; however, in your Privacy & Cookie Policy (28 Aug 20) you still state that “Bubble complies with the EU-US Privacy Shield Framework…”?

The advice I have been given by my lawyer is that I should be looking to move away from the US ASAP, which currently means moving away from Bubble, which I don’t really want to do.

The advice I have been given is that Standard Contractual Clauses provide coverage; however, US law and US domestic law overpower this and therefore still give the US the right to access any of the data in the US at any point, for whatever reason they deem fit, therefore pretty much negating the protection provided by Standard Contractual Clauses.

I have been advised that the only way to ensure compliance is to have data in a country outside of the US and one that is within GDPR regs.

Has anyone else had similar/conflicting advice from their lawyers? It would be good to hear what others’ experience is. I find it bizarre that Privacy Shield is now unlawful, but Standard Contractual Clauses aren’t (yet), despite them (as I have understood it) providing no further protection than Privacy Shield?

@allenyang is this situation closed from a Bubble perspective? And, is there a 0% chance of consideration for a European data centre?

5 Likes

What a nightmare… I read somewhere that a compromise could be found between the EU and US, and that a Privacy Shield v2 should come in the coming weeks or months… :crossed_fingers:t2:

1 Like

This is not our understanding of the situation - though the usual disclaimer applies that I am not a lawyer and in particular not your lawyer looking at your particular app’s situation.

The recent EU court case did strike down Privacy Shield as a transfer mechanism of EU data, but it specifically did not strike down the Standard Contractual Clauses (see articles I linked to in earlier messages in this thread, or here’s another one).

Note also that if what you’re hearing is true, that would strike out many US web companies, including many popular SaaS companies which would be sub-processors to many other companies.

Barring more developments or updated counsel from our lawyers, we do consider this situation currently resolved. We are not considering a European data center for now - not only is it a very significant infrastructure project for us, I am also not certain it would actually solve everybody’s GDPR concerns in one go (not least because of the sub-processors mentioned previously).

Thanks Allen, I do appreciate the prompt response.

This really is a can of worms and confusing for all, and a significant amount of business could ‘break’ as a result of this. I sincerely hope that an agreement between the US and EU can be made.

Thanks for pointing this out! Yes, indeed, this needs to be updated. We’ll work with our lawyers on this, but the update to our DPA should be the main work needed to replace Privacy Shield.

Update on @patricia’s question: Our lawyers have helpfully explained why our Privacy Policy is actually still accurate despite recent developments. Primarily, the point is that the Privacy Shield framework still exists.

Upon joining Privacy Shield, Bubble made a variety of commitments, and it is not actually something that we can simply remove ourselves from easily - there’s a process involved there.

It is true that the recent EU court decision invalidated the Privacy Shield as a legal transfer mechanism, but the authorities behind the Privacy Shield are reportedly working on changes to Privacy Shield to possibly address the concerns of the EU courts. So, the general advice we’re getting from our lawyers (reminder - this should not be construed as legal advice to you) is that we should stay in the program for now to see what happens.

That being said, we did also implement the Standard Contractual Clauses to replace Privacy Shield as the legal transfer mechanism in our Terms / DPA, as per my earlier posts. We’ll stay in Privacy Shield for now (so the clause that Patricia pointed out in our Privacy Policy is staying), and reassess as more details unfold about the (potential) future Privacy Shield. To avoid future confusion, we’re considering adding a couple new sentences to our Privacy Policy clarifying the situation (i.e. what I’m describing in this post), but our PP should not be materially changing.

6 Likes

@allenyang Flagging a potential problem for you. It appears contractual clauses may not be sufficient with regard to Privacy Shield. The Irish Data Protection Commissioner is seen as the key data protection officer in Europe because 48 of the US top 50 IT companies have their European bases here. This story appears to indicate that the EU will not accept contractual clauses. https://www.independent.ie/business/technology/irish-data-regulator-orders-facebook-to-stop-sending-personal-data-to-the-us-39518775.html

Patricia

3 Likes

Here we go again EU - US nightmare … Thanks for the info @patricia!