Data Protection Officers and Firebase Under the GDPR

Data Protection Officers and Firebase Under the GDPR

Data Protection Officers (DPO's) are a new concept under the GDPR. Some companies and organizations will be required to have a DPO depending on their data collection and data processing practices.

The Data Protection Officer requirement comes from Article 37 of the GDPR.

One question we keep hearing is whether or not companies who use Firebase are required to appoint a Data Protection Officer based upon their practices and capabilities.

The answer is maybe, but we will dig deeper into the following topics within this article:

  • Does my company need a Data Protection Officer?
  • Why or why not?
  • Do I need to comply with the GDPR if I use Firebase?
  • Do I need a Data Protection Officer if I use Firebase?

Some of these questions have simple answers, while others are more complex and dependant on a number of different variables.

For starters, let's talk about the GDPR and Data Protection Officers.


The GDPR and Data Protection Officers

In short, the GDPR is perhaps the largest and most important privacy law update in the last 20 years. The GDPR will effectively replace the 1995 EU Data Protection Directive as of May 25th, 2018.

This new set of privacy laws is intended to cover the entirety of the EU with a central, cohesive set of regulations. The GDPR leaves less gray areas and is more strict regarding several aspects of privacy rights in the European Union.

Among these bolstered rights are a number of failsafes and protective measures to ensure that citizens' personal information is being collected with consent and used responsibly by the entities entrusted with it.

Data Protection Officers are one of these failsafes.

The role of the DPO is to monitor data collection and processing systems to ensure personal information is being handled responsibly and within the guidelines set forth by the GDPR.

While requiring a DPO may seem like a burden at first, having one will ultimately make for a smoother experience with GDPR compliance.

The goal here is to consolidate responsibility and knowledge of the various facets of the GDPR and other privacy laws into one single expert - the DPO - who can assist the organization more effectively than different departments each containing a separate piece of the puzzle.

When is a Data Protection Officer required

The qualifications for being required to appoint a Data Protection Officer under the GDPR are as follows, from Article 37:

GDPR Article 37: Designation of the data protection officer - section 1

If you do not meet these standards, you are not legally required to appoint a Data Protection Officer.

In other words, you don't need a DPO if:

  • You're not a public authority
  • You don't systematically monitor or process large amounts of data (think Facebook, Instagram, etc.)
  • You don't process special categories of data (see Article 9) or data relating to criminal offences or convictions (see Article 10)

However, you may want to consider appointing one anyway as a DPO can be a valuable resource when questions arise about compliance with the GDPR.

In addition, if your company is growing and expanding, you may not need a Data Protection Officer currently, but appointing one now at the onset of the GDPR enforcement may be easier than waiting until later when you reach a point that you do require one.

So what exactly does a Data Protection Officer do?

The duties of a Data Protection Officer

The GDPR covers precisely what a Data Protection Officer's duties are, as well as the duties of the company the DPO works for.

Under the GDPR, the responsibilities of a DPO are at least the following:

  • To inform and advise a business/organization about obligations under the GDPR
  • To monitor compliance, raise awareness and train staff
  • To give advice for conducting a data protection impact assessment
  • To work with the supervisory authority
  • To act as a consultant and point of contact for the supervisory authority
  • Regard the risks, scope, nature, purpose and context for all data processing activities

Below is an excerpt from Article 39 regarding the responsibilities of a Data Protection Officer that shows this:

GDPR Article 39: Tasks of the Data Protection Officer

Article 38 of the GDPR covers the responsibilities of the company regarding its Data Protection Officer:

GDPR Article 38: Position of the data protection officer

A knowledgeable and qualified Data Protection Officer is a valuable asset for any company, especially during this transitional period as the GDPR begins to be enforced. The company should provide the means and freedom for the Data Protection Officer to effectively complete the necessary duties, for the good of both the company and its customers/clients.

Firebase

Logo of Firebase

Firebase is an ever-growing host of tools and services provided by Google. It was acquired in 2014 and continues to grow with the addition of new services.

Current services include Firebase Analytics, Firebase Cloud Messaging, Firebase Cloud Storage, Firebase Performance Monitoring, Firebase Authentication, Firebase Invites and others. Firebase also allows integration with Adwords, AdMob and other popular services.

Many of these services could be regulated by the GDPR, and could require an appointed Data Protection Officer.

Here are some examples of how:

Firebase Analytics

As with any analytics software, the data collected by Firebase Analytics would fall under the jurisdiction of the GDPR if used to track residents of the EU.

Firebase Analytics offers a host of options to measure events taken within your app and set up parameters based on the activity of specific users.

As with Google Analytics and other similar services, Firebase Analytics collects data from users to track their behaviors. These tools are valuable for determining how users of your app behave, what they click on, and which pages receive the most activity.

Screenshot of Firebase Analytics Overview page with stats

Firebase Analytics gives the option to turn off analytics collection of certain devices (setAnalyticsCollectionEnabled - boolean enabled) which could be used to disallow tracking of residents of the EU in order to avoid regulation from the GDPR.

If you do decide to disable the collection of data via Firebase, make sure you also disable it for other analytics tools you're using, such as Google Analytics.

This is because it doesn't matter if the tool you use for analytics purposes is Firebase or something else. The GDPR will apply in the case of any analytics that collect data.

Data Protection Officers are required in cases of large-scale monitoring of residents of the EU, and analytics services such as Firebase Analytics often fall into this category as they track and monitor the behavior of virtually all of your users.

If you use Firebase and meet any of the following, you'll need a DPO:

  • You are a public authority that carries out data processing,
  • One of your core activities requires regular and systematic processing of data subjects on a large scale (such as with Firebase Analytics), or
  • One of your core activities requires the processing of sensitive data or data relating to criminal convictions/offenses, and you do this on a large scale

In most cases regarding analytics suites, if your service is open to users in the EU, you will likely need to have a DPO (based on DPO requirements list) and be compliant with the GDPR.

Firebase Cloud Messaging

Firebase Cloud Messaging (or FCM) is a cross-platform messaging service which can be used to send notifications to users.

This form of communication would fall under the jurisdiction of the GDPR if you message users in the EU. This is because in order to send messages, you'd be collecting personal information from users.

The GDPR requires that you get consent from users before contacting them in such a way. You're also required to provide a way for users to opt-out after consent has been given (as per the Right of Erasure and the Right to be Forgotten).

There have been several high-profile cases where companies have sent emails or other forms of communication to individuals who have removed their consent to be contacted and opted-out of such lines of communication, resulting in hefty fines to the company.

The GDPR has further strengthened the rights of individuals to have their personal information erased, allowing them to opt-out of avenues of communication such as notifications from Firebase Cloud Messaging.

Be sure those you are contacting through Firebase Cloud Messaging have given their consent to be contacted and have not since opted-out.

If you use Firebase Cloud Messaging in conjunction with a large contact list of users in the EU, that may be enough to require an appointed Data Protection Officer.

Firebase Cloud Storage

Firebase Storage offers a cloud-based storage solution for storing user-generated content such as photos, videos, and more.

As with other types of data provided by users, user-generated content including photos and videos could be considered personal information.

For example, if someone uploads a profile picture of themself to your website, that photo is obviously tied to that person. Especially in the modern age of computers, programs exist that can identify a person simply from a digital photograph. If this photograph is used as a profile picture, that profile could be tied to a real person.

In this case the photograph would definitely be considered personal information under the GDPR and regulated by its laws.

Of course, if your app or website provides cloud storage for user-generated content, you are almost certainly collecting other forms of personal information from those users to create their profile, even if that is simply an email address.

As such, using Firebase Storage in conjunction with EU users would suggest the need to be fully compliant with the GDPR.

If your app or website collects a vast amount of user-generated content, or has a large user base, you probably meet the qualifications to require a Data Protection Officer.

Firebase Authentication

This one is pretty simple: Firebase Authentication essentially provides the means for users to log in to an account from multiple devices. Using information such as passwords and phone numbers, users can access their account from multiple devices and enjoy a seamless experience.

While this is very convenient for your users, it also requires the use of personal data which is regulated under the GDPR.

Essentially, Firebase Authentication allows users to prove their identities by the use of identifying information. You don't get a much clearer example of personally identifiable information than that!

A common method is to use a phone number or email address in conjunction with a password. When creating an account, an individual would provide their email address or phone number as an identifier and perhaps a line of communication (say to recover a lost password). That user can then access their account from any device by providing these credentials.

Therefore, those credentials are tied to a real life person, making the credentials personally identifying information, which is regulated by the GDPR.

So, if you use Firebase Authentication and have users in the EU, you will need to be compliant with the GDPR.

If Firebase Authentication is used with a large population of users in the EU, it may be enough to require a Data Protection Officer.

Firebase and the GDPR

Using Firebase in an EU market almost certainly dictates that you comply fully with the GDPR.

This is because Firebase includes a variety of functions that can be used to collect or process information that could be considered protected personal information under the GDPR, and the scope of the GDPR applies to any company that collects or processes the personal data of residents of the EU, even if that company is not located within the Union.

In short, if you use Firebase services and have users in the EU, you should comply with the GDPR.

Firebase and Data Protection Officers

Depending on your practices in and out of Firebase, it is possible that your company will be required to appoint a Data Protection Officer.

Because Firebase has functionality that could constitute the requirement for a Data Protection Officer, it actually gives project managers the option to input a Data Protection Officer from the Firebase console. This is a handy way to stay organized and compliant.

In short, the use of Firebase services in conjunction with users in the EU almost certainly requires GDPR compliance.

The GDPR stipulates that a Data Protection Officer is needed in cases of large-scale monitoring and data handling. This is essentially where the answer to this question lies.

If you use Firebase and have users in the EU, you will need to appoint a Data Protection Officer if you take part in large-scale monitoring or data handling of data subjects as described by the GDPR.

While this distinction isn't overly clear, you will have to determine the status of your data collection and monitoring systems to decide if they qualify. If you are uncertain, appoint a Data Protection Officer to be safe.

Conclusion

As you can see, many of the services provided under the Firebase umbrella collect and process data in a way that would be under the jurisdiction of the GDPR. If you have users in the EU and are wondering about compliance with the GDPR, the answer is yes, the use of Firebase services almost certainly means you are collecting or processing data that is regulated by the GDPR.

As for Data Protection Officers, the GDPR states that a DPO is required in cases where large-scale monitoring or data collection takes place.

The GDPR is not overly specific about where the line is that separates large-scale monitoring from small-scale monitoring, nor large quantities of personal data compared to small quantities, so you are forced to use common sense and consider how enforcement officials would view your company.

If uncertainty exists, the safest option is to designate a Data Protection Officer. Even if it is not absolutely required, it is not a bad idea to have someone knowledgeable about the GDPR who can answer questions and ensure your operations in and out of Firebase are compliant.

Appointing a Data Protection Officer now could also save you the hassle of doing it in the future as your company expands.

However, if you are certain that you are using a relatively small amount of user tracking and data handling services through Firebase, you likely are not required by law to appoint a Data Protection Officer.

Ross B.

Ross B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.