If you're an EU company considering using Vercel (a US-based company) for production data, there are some important legal issues to keep in mind.
The EU's General Data Protection Regulation (GDPR) sets high standards for protecting personal data of EU residents, which includes getting explicit consent from individuals and using adequate security measures. However, the US has a different legal framework for data protection, with various state and federal laws that may not align with GDPR requirements.
One potential challenge is the conflict between GDPR and US surveillance laws, such as the Foreign Intelligence Surveillance Act (FISA 702),
What is FISA 702?
FISA 702 is a law allows the US government uses to collect information about individuals and organizations who are believed to be overseas, when signals pass through the United States.
Under this law, the NSA can order vendors to reveal information about foreign users. For example, Google could be ordered to share email transcribes and search queries.
FISA 702 is up for reauthorization this year (2023) and is subject to criticism. For a more in-depth explanation, see this summary from the New York Times.
To summarise, this can limit the ability of EU companies to comply with GDPR and EU data legalisation, as the vendor in the US could be compelled to reveal information.
Privacy Shield and Schrems
To help address these concerns, the EU and US created cross-border data transfer mechanisms like the Privacy Shield and Standard Contractual Clauses (SCCs).
Privacy Shield is an agreement between the EU and the US that allows companies to transfer personal data between the two regions.
However, Privacy Shield faced significant challenges in balancing the interests of EU citizens' privacy rights and national security concerns:
- Inadequate protection for EU citizens' data: Privacy Shield doesn't give EU citizens the same rights as US citizens, and it allows US authorities to access personal data in ways that would be illegal in the EU.
- Lack of oversight: There's no independent supervisory authority to ensure that US companies are complying with the agreement's requirements, and there's no effective remedy for EU citizens whose data has been misused
- Bypassing EU laws: Some critics argue that Privacy Shield is essentially a way for the US to circumvent EU data protection laws. By relying on an agreement rather than complying with EU regulations, US companies may be able to avoid stricter privacy requirements and legal challenges.
For these reasons among others, on July 2020, the European Court of Justice issued the Schrems II judgement. This invalidated the EU-US Privacy Shield and cast doubt over the extent transfers can be legitimised by the SCCs for personal data transfers to the US and globally.
Vercel EU Alternatives
This leads to some EU companies trying skip all this tricky legal stuff and find alternatives to US-based vendors, including Vercel.
Sadly your options are limited, though I will revisit and update this post as I discover more options. Here's a quick list of alternatives:
- Self Host: NextJS can be self-hosted with some limitations. Projects like OpenNext are trying to address these
- AWS: If you consider EU regions on AWS compliant, you can use SST to deploy
- Contact Vercel: Vercel offer support on reaching your security and legal requirements
Best of both worlds?
It's also possible to get the development benefits of Vercel with the protections of EU data residency.
At indyRiot, we use Vercel to support our development work and our engineering team love it. Vercel offers unmatched git workflows, instant preview URLs with comments and rapid deployments, so we can iterate quickly and get feedback quickly from stakeholders.
Once the work is approved, the production build is deployed to our own cloud, keeping customer data safely in the EU.
Thanks for Reading!
I always appreciate feedback or suggestions for future blog posts. You can find me on Twitter or if you want to improve the article to help future readers, please feel free to submit a PR.