That is why I really hoped for an EU data center
While SCCs have not been invalidated in general, it highly depends on the country you’re applying them to - it needs to have comparable privacy standards as the EU, which is not the case for the US.
(Usual caveat that I am not a lawyer, nor am I your lawyer)
Thanks for flagging @patricia. While this is indeed another development in the regulatory landscape, this one seems to still be in development, and not as strong a definitive event as when the ECJ overturned Privacy Shield a few weeks ago.
We’ll keep an eye on this, but reminder that this is a pretty volatile area of regulation (Privacy Shield was only established in 2016!). It is also in a lot of parties’ interests to figure out a way for US companies to legally be able to handle EU data, so one thing I do feel confident about is that if the SCCs are struck down as well, there will be a lot of movement in the industry and governments to figure out what a reasonable replacement is.
(Fun historical context: in October 2015, the ECJ declared the precursor to Privacy Shield invalid, which kicked off talks between the EU and US, resulting in the creation of Privacy Shield in February 2016. It’s impressive that such a framework was developed that quickly; then again, it only survived for 4 years…)
If further concrete developments occur, we’ll work with our lawyers to figure out what the options are and make a decision on what’s known about regulation at that time. It’s too early to commit for or against any particular solution, but I will again reiterate that spinning up an EU data center is neither an easy / straightforward thing for Bubble to do, nor is it likely that it alone would solve this problem anyways. (Now, I’m not a lawyer, but if all our subprocessors simultaneously spun up EU data centers and implemented relevant infrastructure changes, that might get us another step closer…)
Hi There, thanks @allenyang for the great work on this unnecessary acting here in Europe.
So, some funny thing in all this mess is that our fellow Austrian “Lawyer” Mr. Max Schrems was the driving force. I think he wants to make himself famous and give app companies a hard time here in Europe, instead of working as a serious lawyer in Vienna. One question to @allenyang to adapt my own terms in my app instantly: Do you have any standard text for us to adapt terms for EC customers of bubble.io with that “Standard Contractual…” things?
We don’t provide any templates along these lines. Good idea for when Bubble is a much bigger company, but right now we don’t really want to get into the legal details of providing templates.
Interesting article about Facebook and Data regulation between EU and US.
Thanks for all of this, @allenyang
I’ve just read this article, which gives a bunch of good explanation about SCCs: Using Standard Contractual Clauses - TermsFeed
The main thing I notice is that SCCs are not enough to answer the “Schrems II” controversy.
SCCs are just replacing the “framework” previously offered by Privacy Shield. They cover most of the GDPR principles, but they’re not offering protection against US laws (FISA 702 & EO 12333): additional actions have to be taken to cover this.
So, to ensure our Bubble apps are GDPR-compliant, there are 2 possibilities:
- you’re not concerned by FISA 702 & EO 12333 (and you have to explain to us why)
- or you set up protections against these laws (end2end encryption, contractual clauses stronger than US regulation - if possible - …)
What’s the situation for Bubble, as data processor? I mean, on top of the SCCs, do you have any protection against FISA 702 & EO 12333? Or could the data be accessible to US Government & agencies?
If you’re not fully compliant, I think there is only one remaining solution for us: the article 49 exception (consent, contract or legitimate interests).
We previously relied on the Privacy Shield framework, and implemented the SCCs after the big EU court decision last year; this was based on advice from our legal counsel and following their professional opinion / understanding of the current regulatory landscape. That being said, as we saw last year with the court decision, the regulatory landscape does occasionally change.
I can’t make any firm comments about US laws or US government capabilities because, frankly, we don’t know anything for certain about the extent of US government capabilities. Again, all the steps we take are as advised by our legal counsel.
Could you discuss these specific requirements with your legal counsel? Because, as EU contractors, we now have to ensure all our data processors have additional safeguards on top of SCCs. All the details can be found in the following document part: Using Standard Contractual Clauses - TermsFeed
I’m happy to ask our legal counsel if there have been any recent updates, but taking a look at the document you cite:
- It is from a blog, not a judicial or legislative body
- It quotes a lot of recommendations given by an organization called the European Centre for Digital Rights, which is a non-governmental organization created by Schrems (i.e. the person who initiated the Schrems II lawsuit), so this organization’s guidance is not binding law
That all being said, we encourage you to consult your own legal counsel about your app’s / company’s privacy stance, and if you have specific questions relating to your particular situation, feel free to email us at [email protected]
Indeed, it’s nothing new, but it was almost an “understandable” reading of what the original judgment says ( https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf ):
Validity [of the SCCs (Decision 2010/87)] depends on whether the decision includes effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law and that transfers of personal data pursuant to such clauses are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them. […]
The Court points out, in particular, that that decision imposes an obligation on a data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned and that the decision requires the recipient to inform the data exporter of any inability to comply with the standard data protection clauses, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former.
So that’s what I’m trying to achieve here: get a clear answer on that point. But I’ve also taken the time to re-read your SCCs and annexes (DPA | Bubble), and there are clauses talking about the prevalence of “data export” country laws, notification mechanisms in case of legal requests …
So I think I should, indeed, ask a lawyer to challenge these SCCs.
Thanks for your answers!
EU Cloud Code of Conduct
Just saw this today and thought I’d share with everyone.
After a bit of looking around I found that Microsoft has 140 Azure services already approved under this code of conduct.
Unknown how many AWS services, if any, are approved but it’s surely coming.
I chalk it up in the good news column.
Seems interesting. Any updates on this regarding the use of Bubble and GDPR compliance?
Any update on this?
Due to these recent rulings below, service providers in the US cannot have EU personal data sent to them, as it violates the Schrems II decision.
I emailed support about this; they just said they are compliant with GDPR and that if I want an EU-hosted instance I need to pay several thousand dollars a month. I basically can’t launch my app and, unfortunately, until this is resolved I will have to pause doing business with Bubble.
In my opinion this whole thing is a huge gray area right now. For example, theoretically you wouldn’t be able to use any Microsoft Office product in the EU, at least not the cloud services. But everyone does it anyway, even governmental organizations.
I think the risk for an EU company getting problems for using a US based service are very low. You should however make sure that you are not collecting too much personal data, for example in your tracking setup.
I just noticed I posted my initial response on another account instead of this one. I asked this with Bubble Support and they confirmed that in fact they are not inherently compliant with GDPR as a result of this. I understand it’s a mess for SaaS providers as a result of this, but to state that there isn’t a risk is a bit silly. Ultimately this is going down the road of “If everyone is doing it, we can do that”. That advice causes people to collect too much personal data and leads to the situation we have today.
This mentality of “Oh it’s only a bit of personal data” sets a precedent for companies to start collecting more and then more and more. Then before you know it, Facebook knows what time you got to bed when you don’t even have an account.
It concerns me that in Bubble’s latest figures, billions of data points of users were created, and a lot of those could be from EU data subjects on non-dedicated European instances. It’s just a risk I’m not willing to take.