The very short summary is that Bubble again complies with GDPR. Previously we were relying on Privacy Shield as part of our GDPR compliance, but Privacy Shield was struck down by the EU courts. We have now implemented the Standard Contractual Clauses, which “covers” the part that Privacy Shield previously covered for us. In slightly more legal terms, the Standard Contractual Clauses are the legal mechanism for transferring data out of the EU (in this case, to the US, since Bubble is a US-based company).
As a Bubble user, if you accept our new DPA which now has the Standard Contractual Clauses, you should be good to go, just as before (and, if you don’t, that means you don’t accept our Terms which means you should stop your use of Bubble).
Note that as part of our change here, it also means we’ve checked that all our sub-processors have the Standard Contractual Clauses as well.
With this, we think Bubble users should now be fine to use Bubble from a GDPR standpoint. But, ultimately, while we have worked closely with our lawyers on this, we are not your lawyers, so if this is a concern to you, you should consult your own legal counsel.
Congrats on the management of this issue. No other free-to-use service that I know of has been so quick and expressive in dealing with this (explaining the updates). Just a couple of days after Google Cloud. Congrats @allenyang
Thanks for the explanation @allenyang. Really appreciate it.
Am I understanding correctly that this ensures Bubble complies with GDPR with respect to their own users (app makers), but doesn’t cover any GDPR requirements for users of the apps located in the EU that Bubble makers produce? For that, you would still need a dedicated server?
This thread has some historical background that’s relevant here - it’s back from when GDPR first came out. Some of the messages in the thread provide more color.
A couple points to address your question:
- You’re right that the measures in this thread mean that Bubble complies with GDPR with respect to our own users (app makers; for them, Bubble is the “data controller”).
- Note that Bubble being GDPR compliant is necessary but not sufficient for Bubble’s users’ apps to be GDPR compliant themselves.
- “necessary”: For your apps, Bubble is a “data processor”, so Bubble is effectively a sub-processor for you, so we would need to be GDPR compliant for you to be
- “but not sufficient”: Ultimately you still need to consider and pay attention to GDPR compliance for your own app as well. Even if Bubble is GDPR compliant, your app could do things to violate GDPR. As a silly example, your app could immediately transfer all the private info about one of your app’s users to a foreign government as soon as they sign up without your end-user’s knowledge - that would not be GDPR-compliant.
I will emphasize the following points because they are common misconceptions:
You do not need to be on a dedicated server in order to be GDPR compliant.
Being on a dedicated server in Europe does not in itself ensure GDPR compliance.
Thanks for adding this clarification. I think it is helpful for everyone to understand this. It takes a lot of work to be GDPR Compliant and CCPA Compliant. I wish there was an easier way to do this.
The advice I have been given by my lawyer is that I should be looking to move away from the US ASAP, which currently means moving away from Bubble, which I don’t really want to do.
The advice I have been given is that Standard Contractual Clauses provide coverage; however, US law and US domestic law overpower this and therefore still give the US the right to access any of the data in the US at any point, for whatever reason they deem fit, pretty much negating the protection provided by Standard Contractual Clauses.
I have been advised that the only way to ensure compliance is to have data in a country outside of the US and one that is within GDPR regs.
Has anyone else had similar/conflicting advice from their lawyers? It would be good to hear what others’ experience is. I find it bizarre that Privacy Shield is now unlawful, but Standard Contractual Clauses aren’t (yet), despite them (as I have understood it) providing no further protection than Privacy Shield?
@allenyang is this situation closed from a Bubble perspective? And, is there a 0% chance of consideration for a European data centre?
What a nightmare… I read somewhere that a compromise could be found between the EU and US, and that a Privacy Shield v2 should come in the coming weeks or months…
This is not our understanding of the situation - though usual disclaimer that I am not a lawyer and in particular not your lawyer looking at your particular app’s situation.
The recent EU court case did strike down Privacy Shield as a transfer mechanism of EU data, but it specifically did not strike down the Standard Contractual Clauses (see articles I linked to in earlier messages in this thread, or here’s another one).
Note also that if what you’re hearing is true, that would strike out many US web companies, including many popular SaaS companies which would be sub-processors to many other companies.
Barring we hear more developments or updated counsel from our lawyers, we do consider this situation currently resolved. We are not considering a European data center for now - not only is it a very significant infrastructure project for us, I am also not certain it would actually solve everybody’s GDPR concerns in one go (not least because of the sub-processors mentioned previously).
Thanks Allen, I do appreciate the prompt response.
This really is a can of worms and confusing for all, and a significant amount of business could ‘break’ as a result of this. I sincerely hope that an agreement between US and EU can be made.
Thanks for pointing this out! Yes, indeed, this needs to be updated. We’ll work with our lawyers on this, but the update to our DPA should be the main work needed to replace Privacy Shield.
Upon joining Privacy Shield, Bubble made a variety of commitments, and it is not actually something that we can simply remove ourselves from easily - there’s a process involved there.
It is true that the recent EU court decision invalidated the Privacy Shield as a legal transfer mechanism, but the authorities behind the Privacy Shield are reportedly working on changes to Privacy Shield to possibly address the concerns of the EU courts. So, the general advice we’re getting from our lawyers (reminder - this should not be construed as legal advice to you) is that we should stay in the program for now to see what happens.
@allenyang Flagging you up on a potential problem. It appears contractual clauses may not be sufficient in regards to Privacy Shield. The Irish Data Protection Commissioner is seen as the key data protection officer in Europe because 48 of the US top 50 IT companies have their European bases here. This story appears to indicate that the EU will not accept contractual clauses. https://www.independent.ie/business/technology/irish-data-regulator-orders-facebook-to-stop-sending-personal-data-to-the-us-39518775.html
Here we go again EU - US nightmare … Thanks for the info @patricia!
That is why I really hoped for a EU data center
While SCCs have not been invalidated in general, it highly depends on the country you’re applying them to - it needs to have comparable privacy standards to the EU, which is not the case for the US.
(Usual caveat that I am not a lawyer, nor am I your lawyer)
Thanks for flagging @patricia. While this is indeed another development in the regulatory landscape, this one seems to still be in development, and not as strong a definitive event as when the ECJ overturned Privacy Shield a few weeks ago.
We’ll keep an eye on this, but reminder that this is a pretty volatile area of regulation (Privacy Shield was only established in 2016!). It is also in a lot of parties’ interests to figure out a way for US companies to legally be able to handle EU data, so one thing I do feel confident about is that if the SCCs are struck down as well, there will be a lot of movement in the industry and governments to figure out what a reasonable replacement is.
(Fun historical context: in October 2015, the ECJ declared the precursor to Privacy Shield invalid, which kicked off talks between the EU and US, resulting in the creation of Privacy Shield in February 2016. It’s impressive that such a framework was developed that quickly; then again, it only survived for 4 years…)
If further concrete developments occur, we’ll work with our lawyers to figure out what the options are and make a decision on what’s known about regulation at that time. It’s too early to commit for or against any particular solution, but I will again reiterate that spinning up an EU data center is neither an easy / straightforward thing for Bubble to do, nor is it likely that it alone would solve this problem anyways. (Now, I’m not a lawyer, but if all our subprocessors simultaneously spun up EU data centers and implemented relevant infrastructure changes, that might get us another step closer…)
Hi There, thanks @allenyang for the great work on this unnecessary acting here in Europe.
So, one funny thing in all this mess is that our fellow Austrian “lawyer” Mr. Max Schrems was the driving force. I think he wants to make himself famous and give app companies a hard time here in Europe, instead of working as a serious lawyer in Vienna. One question to @allenyang to adapt my own terms in my app instantly: Do you have any standard text for us to adapt terms for EC customers of bubble.io with that “Standard Contractual…” things?
We don’t provide any templates along these lines. Good idea for when Bubble is a much bigger company, but right now we don’t really want to get into the legal details of providing templates.