Is Netlify part of EU-U.S. Privacy Shield Program?

david-szabo97 · July 16, 2019, 7:33am

Is Netlify part of EU-U.S. Privacy Shield Program?
Can’t find the company in the privacy shield list.

perry · July 17, 2019, 4:11pm

hey @david-szabo97 the information I have on this is that we applied to be on the list about ~18 months ago, and we have received confirmation that our application was received, and that we have not been rejected or informed that we are not compliant in any way since we applied. We have not been added to the list (I do not have information on when it was last updated or how often they update the list) and we are acting in accordance with guidelines as if we were added to the list in all applicable areas.

Hope this helps…

geewee · December 19, 2019, 9:11pm

I’ve just had a look at the list and Netlify is still not on it. Are there any updates on this?

Dennis · December 23, 2019, 2:33pm

We don’t have an update yet. Our status is still the same – applied, not rejected and still awaiting an update from the program. We did apply to be added to the list before GDPR was went in to effect and we’ll look into why we aren’t on the list shortly.

simonme · February 8, 2020, 1:04pm

Hi, any update on this? We love Netlify but this is currently a dealbreaker for our customer.

Chuck · February 12, 2020, 6:48pm

Hello @simonme

Our Privacy Shield application is currently under review by the Department of Commerce. Once it has been approved, it will be listed publicly here: https://www.privacyshield.gov/list

jen · February 13, 2020, 5:06pm

Exciting update @simonme @geewee @david-szabo97: as of 02/13/2020, Netlify is now Privacy Shield certified. Our certification is listed in US DoC site:
https://www.privacyshield.gov/participant?id=a2zt00000008RhTAAU&status=Active

Cesco · August 11, 2020, 12:34pm

Hello, I just received this email from Google:

We are writing to inform you of changes we’ve made to the G Suite/Cloud Identity Data Processing Amendment (DPA) in response to a Court of Justice of the European Union (CJEU) ruling on July 16, 2020. The CJEU ruling invalidated the EU-US Privacy Shield Framework but did not invalidate EU Model Contract Clauses (MCCs, also known as Standard Contractual Clauses) as a lawful transfer mechanism for personal data transferred outside of the EU, Switzerland or the UK (as applicable).

Since Netlify is also part of this (invalidated) privacy shield, what will it mean for us european users now?
Nothing will change, or maybe we’ll have to sign a new agreement to keep our websites on Netlify, or will the use of Netlify may become “illegal” and we’ll be forced to move our websites to other providers?

Scott · August 11, 2020, 12:36pm

Hey @Cesco,

Our response on this matter is currently as follows:

No, Netlify can still hold such data. Netlify Data Processing Agreement (DPA) contains Standard Contractual Contract (SCC) languages that were provided by the EU commission to transfer data to establishment outside of the EU or European Economic Area. The SCC applies for both data controllers and processors. If you have signed a DPA with Netlify, no further action is required from you.

Cesco · August 11, 2020, 12:40pm

Thank you very much!