Can we use Firebase Authentication and be GDPR compliant?


Firebase Authentication processes data exclusively in the United States and is therefore not GDPR compliant. However, they are saying on the same site that:

Firebase has moved to reliance on Standard Contractual Clauses for relevant data transfers, which, as per the ruling, can continue to be a valid legal mechanism to transfer data under the GDPR

They are also saying that:

The European Commission approved new versions of the Standard Contractual Clauses on June 4, 2021

Google Cloud Platform has some EU Standard Contractual Clauses on its website, and they have announced that they have incorporated various modules of the new EU SCCs. Can we therefore still use Firebase Authentication and be GDPR compliant?


Divyani Yadav On

In the Updated data processing terms to reflect new EU Standard Contractual Clauses doc, the new whitepaper is mentioned, a whitepaper

that outlines the European legal rules for data transfers and explains our approach to implementing the new EU SCCs - as well as separate UK SCCs - so that our customers can better understand what our updated terms mean for them and their privacy compliance.

Yes, it comes under GDPR compliance, as mentioned on page 12 of the new whitepaper, which explains Customers in Adequate or Non-Adequate Countries with Google Service Providers in Non-Adequate Countries as follows:

Where a Google Cloud customer has a Google service provider in a non-adequate country (such as the United States) and is using Google Cloud services subject to the EU GDPR or Swiss FDPA, then regardless of whether the customer is located in an adequate or non-adequate country, it will need to enter the appropriate module(s) of new EU SCCs with its service provider to legitimize transfers of its Customer Personal Data. The DPST and DPA therefore automatically apply the new SCCs to these customers once they certify.

For example, if a customer in the United States is a controller of Customer Personal Data under the EU GDPR (e.g. because it offers goods to EEA residents), it will need to use the new EU C2P SCCs when transferring Customer Personal Data to its Google service provider in the United States. Similarly, if a US customer is a processor of Customer Personal Data under the EU GDPR (e.g. because its processing activities relate to the offering of goods to EEA residents), it will need to use the new EU P2P SCCs for these transfers (in addition to the new EU C2P SCCs if it is also a controller). The same applies for customers who are controllers and/or processors in adequate countries such as Argentina or Uruguay, because their Google service provider is in the United States. In all cases, these customers need to certify.

Certification:

To ensure that appropriate SCCs are entered as and when required, all customers outside EMEA whose use of Google Cloud services is subject to any European Data Protection Law (e.g. because they offer goods or services to EEA, UK or Swiss residents, or monitor their behaviour, or because their processing activities relate to such offers or monitoring), need to certify, via the admin console, that they are subject to European Data Protection Law. They also need to identify their competent European data protection authority/ies, via the admin console, for the purposes of Clause 13 of the new EU SCCs. Instructions for both steps are here for Google Cloud Platform and here for Google Workspace (including Google Workspace for Education) and Cloud Identity.

For more information, you can also refer to the blog and video, which explain that the data collected by Firebase Analytics would fall under the jurisdiction of the GDPR if used to track residents of the EU.

MaryKor On

No, Firebase Auth is not GDPR compliant. The servers are still located in the US. I reached out to them directly and got a reply stating that they're not GDPR compliant.