Update: Fabric, among, other things have changed in the meantime.
Update: we’ve published a post that covers the basics of the development in EU-US data transfer negotiations
We’re very close to something that promises to bring some massive changes with it: we were promised some guidelines and further thoughts on how to handle data processing from outside of Europe, and most importantly, from Europe to the US. Next week we’ll see the coming together of the Article 29 Working Group to discuss, among other things, Safe Harbor-Consequences of the Schrems Judgment. We will also see many national data protection agencies publish further guidance and thoughts on the matter as they all named the end of January as a deadline. In the meantime some services have already started to prepare themselves and their users to the consequences of the above. From this we can start to guess what’s to come and how these processes and requirements will shape privacy disclousures, eg. privacy policies.
Early movers: Twitter’s Fabric, Crashlytics, Answers.io
Yesterday Twitter’s Fabric started informing their users of the upcoming changes and the changes they had made to their own services and terms. Long story short, basically they added:
- a duty for their users to have consent from their respective users for the sharing into the United States
- a consent clause for their users that allows them to transfer all the data into the US
Here’s an outtake from communication to developers (emphasis added):
Consent from Users and Developers to Data Processing and Transfer
Given the global nature of the developer ecosystem and our services, we’ve updated the Crashlytics Agreement, Answers Agreement, Twitter Kit Agreement, and Fabric Labs Program Agreement to clarify the consents that developers must get from their end users. Specifically, developers must get consent from end users in the E.U. for the transfer, storage, and use of their information in the the United States and other countries where Twitter and/or Crashlytics (as applicable) operate. (For those of you using Beta by Crashlytics, we also updated the Standard Beta tester EULA in the Crashlytics Agreement to reflect such consent from Beta testers.)
Let’s look at the new clauses more deeply. Here are the links to the terms by Twitter Kit, Fabric.io
Twitter Fabric, Answers.io and Crashlytics. We’re using Fabric as an example of the above two new duties in these terms:
For Developer’s users in the European Union, Developer shall provide such users with clear notice of, and obtain such users’consent to, the transfer, storage, and use of their information in the United States and any other country where Twitter operates, and shall further notify such users that the privacy and data protection laws in some of these countries may vary from the laws in the country where such users live.
Here Fabric makes sure that you, as their user, provide clear notice and obtain consent for the transfer of data into the United States.
Irrespective of which country Developer is based in, Developer authorizes Twitter to use its information in, and as a result to transfer it to and store it in, the United States and any other country where Twitter, or any third-party service providers acting on its behalf, operates. Privacy and data protection laws in some of these countries may vary from the laws in the country where Developer is based.
In this second clause, Fabric is making sure that you, as a developer and their user, give them your consent to transfer your data into the US and any other country where Twitter is operating.
How to give and seek consent to transfer data to the US
This is the big question and the jury is still out on it. It will largely depend on the solutions suggested by national data protection agencies and we’ll see how much this will be synced across Europe. Some of the questions we’ll attempt to answer soon:
- How do you get proper consent by the user?
Let’s see where this goes.