We have completed the above workstreams, i.e. we have just pushed an update to our DPA to implement the Standard Contractual Clauses there.
This should resolve the issue that this thread is about. We are happy to answer any questions you might have at legal@bubble.io, but note that in many cases, if your question is very specific to your business, we will probably ask you to consult your legal counsel.
Hi
Thanks a lot for dealing with it. That's good news.
This is all very technical. Could you provide us a simple general overview of what this change means, regarding our European users' data? (Technical changes? Data transfer changes? GDPR full compliance? Our app data security? Availability to US Gov regarding SCC & Cloud Act)
Also, what do we, as bubblers, have to do? Should we make some changes in our privacy policy? It would be great to have, if doable, a pre-written paragraph to include in our policy.
Of course we and our lawyers can/have to dive into it, but I believe it is often a nightmare for all of us to go deep in that subject.
Thanks a lot, and thanks for the quick resolution regarding this unexpected Privacy shield news
I agree with @banbimmo, would be nice if Bubble (@allenyang) can provide a simple explanation of what this means for anyone building an app on Bubble with European user data and if there are any necessary basic steps we need to take.
The very short summary is that Bubble again complies with GDPR. Previously we were relying on Privacy Shield as part of our GDPR compliance, but Privacy Shield was struck down by the EU courts. We have now implemented the Standard Contractual Clauses, which “covers” the part that Privacy Shield previously covered for us. In slightly more legal terms, the Standard Contractual Clauses are the legal mechanism for transferring data out of the EU (in this case, to the US, since Bubble is a US-based company).
As a Bubble user, if you accept our new DPA which now has the Standard Contractual Clauses, you should be good to go, just as before (and, if you don't, that means you don't accept our Terms which means you should stop your use of Bubble).
Note that as part of our change here, it also means we've checked that all our sub-processors have the Standard Contractual Clauses as well.
With this, we think Bubble users should now be fine to use Bubble from a GDPR standpoint. But, ultimately, while we have worked closely with our lawyers on this, we are not your lawyers, so if this is a concern to you, you should consult your own legal counsel.
Congrats on the management of this issue. No other free-to-use service that I know has been so quick and expressive in dealing with this (explaining the updates). Just a couple of days after Google Cloud. Congrats @allenyang
Big applause and huge thanks to you @ Bubble (and your lawyers!) for managing this issue so quickly. You've always been transparent with us, proactive and efficient. I'm glad to be part of the Bubble world!
Am I understanding correctly that this ensures Bubble complies with GDPR with respect to their own users (app makers), but doesn't cover any GDPR requirements for users of the apps located in the EU that Bubble makers produce? For that, you would still need a dedicated server?
This thread has some historical background that's relevant here - it's back from when GDPR first came out. Some of the messages in the thread provide more color.
A couple points to address your question:
You're right that the measures in this thread mean that Bubble complies with GDPR with respect to our own users (app makers; for them, Bubble is the “data controller”).
Note that Bubble being GDPR compliant is necessary but not sufficient for Bubble's users' apps to be GDPR compliant themselves.
“necessary”: For your apps, Bubble is a “data processor”, so Bubble is effectively a sub-processor for you, so we would need to be GDPR compliant for you to be.
“but not sufficient”: Ultimately you still need to consider and pay attention to GDPR compliance for your own app as well. Even if Bubble is GDPR compliant, your app could do things to violate GDPR. As a silly example, your app could immediately transfer all the private info about one of your app's users to a foreign government as soon as they sign up without your end-user's knowledge - that would not be GDPR-compliant.
I will emphasize the following points because they are common misconceptions: You do not need to be on a dedicated server in order to be GDPR compliant. Being on a dedicated server in Europe does not in itself ensure GDPR compliance.
Thanks for adding this clarification. I think it is helpful for everyone to understand this. It takes a lot of work to be GDPR Compliant and CCPA Compliant. I wish there was an easier way to do this.
Are you aware that your Data Processing Agreement Addendum Document (28 Aug, 20) has been updated to take into account the CJEU ruling whereby the Privacy Shield has been invalidated, however, in your Privacy & Cookie Policy (28 Aug 20) you still state that “Bubble complies with the EU-US Privacy Shield Framework…”
The advice I have been given by my lawyer is that I should be looking to move away from the US ASAP, which currently means moving away from Bubble which I don't really want to do.
The advice I have been given is that Standard Contractual Clauses provide coverage, however US law and US domestic law overpower this, therefore still giving the US the right to access any of the data in the US at any point, for whatever reason they deem fit, therefore pretty much negating the protection provided by Standard Contractual Clauses.
I have been advised that the only way to ensure compliance is to have data in a country outside of the US and one that is within GDPR regs.
Has anyone else had similar/conflicting advice from their lawyers? It would be good to hear what others' experience is. I find it bizarre that Privacy Shield is now unlawful, but Standard Contractual Clauses aren't (yet), despite them (as I have understood it) providing no further protection than Privacy Shield?
@allenyang is this situation closed from a Bubble perspective? And, is there a 0% chance of consideration for a European data centre?
What a nightmare… I read somewhere that a compromise could be found between the EU and US, and that a Privacy Shield v2 should come in the coming weeks or months…
This is not our understanding of the situation - though usual disclaimer that I am not a lawyer and in particular not your lawyer looking at your particular app's situation.
The recent EU court case did strike down Privacy Shield as a transfer mechanism of EU data, but it specifically did not strike down the Standard Contractual Clauses (see articles I linked to in earlier messages in this thread, or here's another one).
Note also that if what you're hearing is true, that would strike out many US web companies, including many popular SaaS companies which would be sub-processors to many other companies.
Barring we hear more developments or updated counsel from our lawyers, we do consider this situation currently resolved. We are not considering a European data center for now - not only is it a very significant infrastructure project for us, I am also not certain it would actually solve everybody's GDPR concerns in one go (not least because of the sub-processors mentioned previously).
Thanks Allen, I do appreciate the prompt response.
This really is a can of worms and confusing for all, and a significant amount of business could “break” as a result of this. I sincerely hope that an agreement between US and EU can be made.
Thanks for pointing this out! Yes, indeed, this needs to be updated. We'll work with our lawyers on this, but the update to our DPA should be the main work needed to replace Privacy Shield.
Update on @patricia's question: Our lawyers have helpfully explained why our Privacy Policy is actually still accurate despite recent developments. Primarily, the point is that the Privacy Shield framework still exists.
Upon joining Privacy Shield, Bubble made a variety of commitments, and it is not actually something that we can simply remove ourselves from easily - there's a process involved there.
It is true that the recent EU court decision invalidated the Privacy Shield as a legal transfer mechanism, but the authorities behind the Privacy Shield are reportedly working on changes to Privacy Shield to possibly address the concerns of the EU courts. So, the general advice we're getting from our lawyers (reminder - this should not be construed as legal advice to you) is that we should stay in the program for now to see what happens.
That being said, we did also implement the Standard Contractual Clauses to replace Privacy Shield as the legal transfer mechanism in our Terms / DPA, as per my earlier posts. We'll stay in Privacy Shield for now (so the clause that Patricia pointed out in our Privacy Policy is staying), and reassess as more details unfold about the (potential) future Privacy Shield. To avoid future confusion, we're considering adding a couple new sentences to our Privacy Policy clarifying the situation (i.e. what I'm describing in this post), but our PP should not be materially changing.