US Privacy Shield Defunct: What now?

It would definitely be appreciated to be kept up to date about anything you and your legal team are doing. We are now more or less bound to mention we are working on a solution to safely transfer data between EU and US but practically speaking our hands are tied… So any tidbit of information would be highly welcome!

As for a solution, this could be found in Standard Contractual Clauses (SCC). These are in principle still valid but at the same time cannot prevent the NSA from still accessing said data. This basically makes these clauses invalid.

Another solution would be to create a Bubble subsidiary in the EU, but there is something called the CLOUD Act which still allows US security agencies access to this data. Again, not perfectly valid.

Then there is the option of creating a local EU subsidiary with a local data center which falls outside of US jurisdiction. However, the cost of this could be pretty substantial and not something I see Bubble investing in.

Additionally, to what extent would the fact that data is stored encrypted (also in transit?) make a difference to GDPR compliance? If no authority can access the data because of encryption, does it still matter that it’s stored in a US location?

Apart from that, I wonder if the core Bubble engine is something that could easily be deployed in a decentralized way. Because storing data outside the US is one thing, but the processing seems to still happen through the US. Could @allenyang @Bubble shed some light on this mechanism in relation to dedicated servers?

I think it’s important to stress that this is not just impacting EU Bubblers but basically every Bubbler. If you are dealing with EU users (and how do you know you are?) this impacts your application.

Hi all,

Another update here given the new week.

Short summary: what we are hearing is that various regulatory bodies and the legal industry are still figuring out what the best way to proceed is.

Longer update:

Different regulatory bodies in the EU and US have made statements suggesting that they are very keen to figure out a cohesive framework for data transfers to continue. I also saw the article from @reger-alexander quoting that there is no grace period in this decision. However, two points in response to that. One is that that does not seem to be a widely repeated / emphasized fact stemming from the ruling, so it’s a bit of a head-scratcher as to why (since, as you all are noting, this is an important question to have clarity on!). Second (and you should not construe this as legal advice), given the flux that everything is in right now, it would be a bit astounding if there is no explicit or effective period of time given to companies to figure out their responses to this pretty substantial and surprising ruling.

That being said, we are working with our lawyers to figure out the most effective and expedient way forward. The risk of acting too soon on unsubstantiated evidence is that we implement a solution that, a few weeks or months later, is judged to be inadequate. And, of course, we are doing all in our power not to act too slowly here as well.

The course we are currently investigating with our lawyers is to implement Model Clauses (Standard Contractual Clauses). From what I understand, these were not explicitly invalidated by the recent ruling, which is why people think there’s a chance they are the solution - BUT, it is not absolutely certain that they are sufficient.

@vincent56 brings up some other interesting ideas, but 1) I will not be speculating on their effectiveness / legality until we have a legal expert weigh in and 2) please understand that some of these ideas would themselves be significant undertakings for us to implement. The bigger the implementation cost, the more we want to make sure it will actually solve the issue before we decide to go for it.

Also, note that for now we are continuing all our pre-existing policies from before the ruling - most notably, we are still a part of the Privacy Shield program for now.

Here are some additional articles I’ve read recently that have given additional color, although none have a definite answer yet.

We understand this is an important question and are also impatiently waiting to learn what a proper solution here is. We are just as eager as you are to resolve this so that business can continue without this uncertainty hanging over all our heads.

Thanks for your patience here, and I’ll continue updating this thread.

Allen

Many thanks @allenyang , this update is clear, and appreciated.

Hi all,

A mid-week update!

Per guidance from our lawyers, we are beginning the process of adding the Model Clauses to our Terms. The first step here, which we’re in the middle of, is to check the Terms of all our sub-processors to see if they’ve implemented Model Clauses as well; if they have, this makes it easier for us; if not, there’s a bit more work to do. From there, our lawyers will help us make the necessary updates to our Terms.

The consequences of the court’s decision are still in flux. We have not heard either way about the existence, or lack thereof, of a grace period, but we are taking the above action now and hope it will be completed expediently.

I will note (and again, I Am Not A Lawyer), that implementing the Model Clauses is not a slam-dunk, absolutely-future-proof solution. They have held up so far, and the recent court ruling did not invalidate this as a valid data transfer mechanism. However, I have seen analysis out there in the industry hedging whether this is a fully ironclad transfer mechanism. In other words, implementing these Clauses seems to be the most sensible path for now, but given how the regulatory landscape is changing, I don’t think people would be shocked if further decisions in the future change the validity of the Model Clauses as well.

Will continue updating this thread as this workstream progresses.

Thanks for the update Allen. Seems SCC is a band-aid solution, but so were Safe Harbor and Privacy Shield, and there are no alternatives. So if you can make that work, that would be great for now.

Could you maybe answer my question about a dedicated Bubble instance? Apart from sub-processors, would a dedicated instance keep data from being stored and processed in the US?

Our initial assessment was that doing something like a big dedicated server in the EU for all EU apps would not necessarily fulfill GDPR by itself, but we’d have to do a deeper dive. Doing that kind of move would itself be a pretty big project, plus we’d want to make extra sure we covered all the requirements of GDPR. And that’s not even thinking about the subprocessors question involved yet.

I understand, and I agree for a big operation. But I mean if an individual would purchase a dedicated instance on AWS Europe, would that mean no data is processed in the US? Meaning you get a full Bubble instance, including the core Bubble API?

To put it explicitly - no, a dedicated instance in AWS Europe does not alone guarantee that from a regulatory point of view you will satisfy the data processing requirements of GDPR. (Also, don’t forget subprocessors!)

Hi @allenyang,

Thanks for the update. Could you explain in a simpler fashion (for dummies) what this means for EU or even non-EU Bubble customers? Can we still be GDPR compliant? Can we still have EU users who use our apps and be compliant? Do we need to do anything specific on our end?

Going back to the original first message in this thread, can you advise Bubble App owners?

Thanks

In short - Bubble and thus Bubble apps were GDPR compliant in part because of our use of the Privacy Shield program, which has now been deemed invalid by the EU courts. Because the regulatory bodies have not really come out with a firm statement about what’s a fool-proof, specific substitute, we are working with our lawyers to implement the best available solution, the “Model Clauses”, so that we will again be GDPR compliant.

Regulatory bodies have not put any timeline on when they will be announcing something definitive. Regardless, we have kicked off the process for the Model Clause solution already, so that we and our customers will be in a better situation with regard to GDPR.

You don’t need to do anything on your end in order to benefit from our Model Clause work. I can’t really give you legal advice on how to proceed, but I can share that from our experience so far, nobody really knows the ‘right’ answer at this time, so we’re acting quickly to get the ‘most reasonable current’ answer in place.

Thanks for the clarification @allenyang.

Thanks @allenyang for your commitment and being in touch with us, but I have to say I’m still skeptical where this is going.

Having another band-aid solution - while it should be standard nowadays for an international SaaS to have US and EU data centers - feels like a huge business risk. 🙁

Maybe I don’t understand your answer right, but this topic is about the Privacy Shield and not the GDPR in general. If we don’t transfer any data outside of the EU there’s no need for the missing Privacy Shield - other GDPR regulatory frameworks aside, no?

Because of the CLOUD Act. US companies have to provide their government with all data, even if it’s located in the EU. That is against GDPR because it allows the US to spy on EU citizens.

I cannot re-emphasise this enough.

If your data is in the EU, it does not mean it is GDPR compliant.

If your data is in the US (or almost anywhere else), it does not mean you are automatically NON GDPR compliant.

That is not to say that an EU server would not be very welcome.

I don’t get why we talk about GDPR here?

Privacy Shield != GDPR

This topic is about the Privacy Shield.

  • When using Bubble and having customers from the EU, we have to transfer EU citizen data to the US (unless we have a dedicated EU Bubble server)
  • The legal basis to do this was the Privacy Shield, which is now defunct

Now we have two options:

=> use a band-aid solution like SCC, which is likely a temporary solution as the US still has very inadequate data protection laws
=> eliminate the need for a Privacy Shield replacement at all by not transferring any EU citizen data to the US - which of course doesn’t mean that we’re automatically GDPR compliant.

I’m sorry, but a dedicated EU Bubble server will not be “THE” solution because of the existence of the CLOUD Act.

The problem is that as soon as you need a user email to log in to your app, you manage personal data… Unless your app is public with no user accounts?

The legal basis for doing so without their express permission was the Privacy Shield.

If your User directly consents to their data being sent elsewhere then that is also a legal basis.

Hi Allen,

I believe this can be solved easily by integrating Firebase as a built-in function. It will allow us to host our data in Europe without using Bubble’s database.

I really need to know about this urgently, this could be make or break for my business. @Bubble please keep us informed! Thanks.