US PRIVACY SHIELD Defunct What now?

Check out this one:

1 Like

Short weekly update this time: our lawyers are still working on helping us implement the Model Clauses. We’ve looked through the terms of most of our sub-processors, with a few left to go now.

For those curious about why the “dedicated instance / cluster in EU” would not solve the issue, please check our Josh’s monthly update - first couple paragraphs under “Things on our minds”. (I believe the same reasoning applies to the Firebase idea)


I dont really understand what google is doing for GDPR now that privacy shield is defunt

Good Morning, is there any update on Model Clauses, or any alternative solution that has been decided?@allenyang

I need to let my own lawyer know so that we can ensure my company is compliant.

Thank you!

1 Like

This week’s update is that we have 2 workstreams going on in parallel right now:

  • We sent a proposed amended DPA to our one subprocessor that does not already have the Model Clauses implemented. They are open to considering our amendments given the recent regulatory shift, but this will still require review by their lawyers, etc.
  • We are working with our lawyers to finalize changes to our own DPA to implement the Model Clauses. This is under the assumption that the first bullet point will go smoothly.

As a data point i just recieve this from Google Cloud

Hi Lucas,

We are writing to let you know that we are updating the Firebase Data Processing and Security Terms and Crashlytics and App Distribution Data Processing and Security Terms.

What happened?

A recent ruling by the Court of Justice of the European Union invalidated the EU-US Privacy Shield Framework, but did not invalidate Standard Contractual Clauses (SCCs) as a lawful transfer mechanism for personal data transferred outside of the EU, Switzerland or the UK.

We are updating the Firebase Data Processing and Security Terms and Crashlytics and App Distribution Data Processing and Security Terms to add the relevant SCCs as adopted by the European Commission, which, as per the ruling, can continue to be a valid legal mechanism to transfer data outside of the EU, Switzerland or the UK.
If the EU’s General Data Protection Regulation or equivalent legislation in Switzerland or the UK (collectively, the GDPR) applies to your use of Firebase, the updated Data Processing and Security Terms will deem the SCCs to apply automatically. If the GDPR does not apply to your use of Firebase, these updates have no practical impact.

What do you need to do?

No action is required on your part to accept these updates, which apply from August 12, 2020 .

If you are not the right person to review the updated Data Processing and Security Terms or this notice, please forward this notice to the appropriate contact for your organization, such as your legal or compliance team .

If you have any questions or need any assistance, feel free to reach out to us.


Mike, on behalf of the Firebase team


also this

Alternative data transfer mechanisms do exist but data controllers wanting to use an alternative tool, like Standard Contractual Clauses (SCCs), to take EU citizens’ data over the pond are legally required to carry out an assessment of whether US law provides adequate protections. If they cannot guarantee the data’s safety they cannot use SCCs legally either. (And if they go ahead they are [risking costly regulatory intervention](


Hi all,

An end-of-week update this time. Regarding the two workstreams I mentioned in my last post:

  • Our one subprocessor that does not have the Model Clauses implemented in their DPA is in the process of doing so. They informed us they hope to have this done sometime next week.
  • We have an amended version of our DPA with the Model Clauses, which we should be able to implement as soon as the subprocessor above rolls out their new DPA

Have a great weekend!


@allenyang Thanks for the update and your efforts, we really appreciate it. Have a great weekend too!

Very good news.
Have a great weekend and thanks for this follow-up, very appreciated.

Thank you for the update Allen, and keeping us informed.

Is there anything at all that us as Bubble users need to do/change/accommodate to ensure compliance? Or are we simply waiting for you to confirm that Model Clauses are in place, and you have updated your DPA?

Thanks in advance,


After we implement the new version of our DPA, you should generally be fine, but remember that we are not lawyers and cannot offer you legal advice :slight_smile:


Dear Sonja, and others if appropriate, (Sorry if this is slightly off-topic, but I didn’t find a better place.)
I am just starting out and trying to put together my Privacy Notice and Terms of Use and it seems some of you are having a really good overview of this topic.

Is there a chance you could send me your privacy notice including all the specifics you added for the bubble platform?

I will not blindly copy it, of course, but it would be of great help for me to start out and explain to lawyers what the situation is.

Thanks a lot for your help in advance, I’d be super thankful if you could just shoot me a quick message at

This a great question, but lets not mixing those topics. My suggestion would be to make a new topic for your question. And share a link to the new topic in this topic.

Hi Allen,

Thanks for all the updates. I appreciate this.

The question that is still open to me. Are you aware of the fact that te Model Clauses are a temporary solution?

I’m aware of what you’re referring to, but I’m not sure how definitive it is that they are a “temporary” solution, or what “temporary” means in this situation.

This overall topic is an area of active regulatory change - remember that Privacy Shield itself came out of a court case in 2016! That court ruling, in fact, explicitly left the Model Clauses’ validity in place, even though they were also challenged in that case (link to article).

So, as far as we’re aware, implementing the Standard Contractual Clauses (a synonym) will help us restore our GDPR commitments in the present regulatory landscape. If in this case “temporary” means this path will apply for another 4 years, then that still seems like a reasonable step for us to take for now. Here’s hoping that the regulatory landscape gets clearer in the future!


Routine update on this topic: the one subprocessor we were waiting on shared their revised DPA with us today, and we have shared it with our lawyers to review.


Thanks, sounds good!

Hi Kathav,

Every company is different, therefore my policies won’t necessarily work for you. Your lawyer are likely (should) have some kind of awareness of this current situation given the impact it’s having for many companies, and it is probably going to be a lot more comprehensive than my understanding.

I recommend you speak to your lawyers in the first instance.

Sorry I can’t help more, and all the best.


1 Like