Firebase Authentication for EU
Currently, Firebase Auth is US only. Because the EU-US Privacy Shield is not valid anymore, transferring data to the US is not allowed for EU companies. Therefore, Firebase is not GDPR compliant. Allowing us to choose the storage location (like you can with Firestore or Cloud Storage) to use a data center in the EU (like europe-west1, europe-west3 or europe-west4, etc.) would make Firebase much more GDPR compliant (besides the Cloud Act).
We are nearly ready to accept developers who are interested in custom authentication (external identity provider). Please fill out https://forms.gle/pLLYMFhGcrziqT1N8 and we can notify you if you're selected to join the private preview.
Please note that full regionalization for Firebase Authentication is separate, and is still expected to reach preview in Q4 this year.
-
Dennis Kugelmann commented
@jamshaid ali, this is a complicated topic with no clear-cut answer.
First of all, I'm not a lawyer, so this is not a legal consultation. We have been in conversations with lawyers and GDPR experts.
--
Why is Firebase Auth an issue:
Firebase Auth stores user data in the US. GDPR prevents data transfer of European user data to countries without the same level of data protection.
The EU publishes a list of safe third countries [1], one of them being Israel, the US NOT being one of them.
There have been attempts to make the EU-US data transfer legal (which have been invalidated multiple times by the EU courts) and there are measures you can take to make it safe (encrypt data before uploading to Firebase, anonymize, ...).
However, those measures would make Firebase Auth unusable as you can just use an anonymous/generated email in Firebase Auth or only with great difficulties.
--
Specifically to your question, aren't Google Sign-In, etc. an issue: technically yes, but the fact that the user signed up for a Google account is NOT the application developer's legal issue but Google's.
What you as an application developer need to care about is what you do with the data you receive from Google / Apple, and if you upload the data to Firebase Auth (meaning transfer the data to the US), it's your legal issue as the application developer.
--
I hope that clarifies why we as Firebase customers need a solution to restrict the data storage and processing to the EU.
-
jamshaid ali commented
I asked developers on Twitter. Most are not even aware of it.
-
jamshaid ali commented
If one uses Google sign-in and Apple sign-in from the Firebase Auth lib, is that also not GDPR compliant? Or does non-compliance apply to phone, email and others?
It's confusing; it seems a lot of people use Firebase Auth in Europe. But it's not clear whether, as an independent developer, one can use it or not. Can you clarify? Thanks
-
Valentin Gensthaler commented
Totally agree, would make things a lot easier in the EU.
-
Rebar commented
We cannot use it in Germany until this is fixed!!! Please help!
-
Dennis Kugelmann commented
@Dominic Bartl yes this applies also to Identity Platform!
Identity Platform is like an extension to Firebase Auth (like a Premium tier) and thus the data there is also hosted in the US.
-
José Guerra commented
Critical for any company with business in the EU
-
Nils Reichardt commented
-
Dominic Bartl commented
Does this also affect the Identity Platform? I haven't found any info where the data of this service is stored.