Reaffirming Google Cloud’s commitments to EU businesses in light of the EDPB’s Recommendations

From retail companies to auto manufacturers and financial services institutions, organizations across Europe rely on our cloud services to run their businesses. We are committed to helping our customers meet stringent data protection requirements by offering industry-leading technical controls, contractual commitments, and continued transparency to support their risk assessments and compliance needs. 

On June 21, 2021, the European Data Protection Board (EDPB) published its final Recommendations on supplementary measures following the Court of Justice of the European Union's ruling, which invalidated the EU-US Privacy Shield Framework and upheld the validity of the EU Standard Contractual Clauses (SCCs). The EDPB’s guidance is important to help organizations address international data transfers. Many of the Board's recommendations align with our long-standing practices. 

In the light of the above, we want to reaffirm our commitment to GDPR compliance and to help Google Cloud customers meet their compliance objectives when using our services. In particular:

A customer-controlled cloud

Our customers own their data and we believe they should have the strongest levels of control over data stored in the cloud.  Our public cloud provides customers with world-class levels of visibility and control over their data through our services.   

With the capabilities we offer, Google Cloud Platform customers can store data in the European region, ensure customer data is not moved outside of Europe, and prevent users and administrators outside of Europe from accessing their data. They can exercise control over who accesses their data by managing their own encryption keys, ensuring the keys are stored in a European region, and storing them outside Google Cloud’s infrastructure. Customers can also require detailed justification and approval each time a key is requested to decrypt data using External Key Manager, and deny Google the ability to decrypt their data for any reason using Key Access Justifications, which is now in General Availability. You can learn more by reading our blog on advancing control and visibility in the cloud. For insight into what this commitment means to customers from a technical perspective, please see our post on options for data residency, operational transparency and control. Google Cloud was the first and is currently the only cloud provider to offer the ability for customers to store and manage encryption keys for cloud-resident data outside the provider's infrastructure with programmatic control over decryption based on specific justifications, including government access requests.

Our Google Workspace (formerly G Suite) customers can opt to store their covered data in Europe. Additionally, we’re taking encryption a step further in Workspace by giving customers direct control of encryption keys and the identity service they choose to access those keys. With Client-side encryption, customer data is indecipherable to Google, while users can continue to take advantage of Google’s native web-based collaboration, access content on mobile devices, and share encrypted files externally. This capability is currently available in Public Beta for Google Drive, Docs, Sheets, and Slides with plans to extend it to other Workspace services. Customers can also benefit from third party solutions that offer end-to-end encryption for Gmail. With these solutions, customers can keep keys in their preferred geo-location and manage access to covered content.

Google Cloud will continue to invest in capabilities that ensure that our customers control the location of and access to their data.

New Standard Contractual Clauses 

The European Commission has published new Standard Contractual Clauses to help safeguard European personal data. Google Cloud plans to implement the new SCCs to help protect our customers’ data and meet the requirements of European privacy legislation. Like the previous SCCs, these clauses can be used to facilitate lawful transfers of data.

Transparency to help your risk-based assessment

The EDPB’s recommendations introduce a risk-based approach under which data exporters should assess the level of risk to fundamental rights that a certain transfer would entail in practice.

Our Transparency Report discloses the number of requests made by law enforcement agencies and government bodies for Enterprise Cloud customer information. The historical numbers show that the number of Enterprise Cloud-related requests is extremely low compared to our Enterprise Cloud customer base. For example, our report shows that we didn’t produce any Google Cloud Platform Enterprise customer data in response to government requests for the last reporting period. The likelihood of Enterprise Cloud customer information data being affected by these types of requests is therefore low.

We also work hard to help our customers conduct a meaningful assessment by giving a clear and detailed understanding of our process for responding to government requests for Cloud customer data in rare cases where they do happen.

Accountability

We are always looking at ways to increase our accountability and compliance support for our customers. Recently we announced our adherence to the EU GDPR Code of Conduct.  Codes of conduct are effective collaboration instruments among industry players and data protection authorities where state-of-the-art industry practices can be tailored to meet stringent data protection requirements. We believe that this Code provides a robust basis to build an international data transfer tool for cloud services and will continue to support industry efforts in this regard.  

We also continue to follow and be certified against internationally-recognized privacy and security standards such as ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO/IEC 27701. Certifications provide independent validation of our ongoing dedication to world-class security and privacy. 

Strong policy advocacy

We will continue to advocate for the principles we believe should guide access requests by government authorities for enterprise data anywhere in the world. Government engagement on a bilateral and multilateral level is critical for modernizing laws and establishing rules for the production of electronic evidence across borders in a manner that respects international norms and resolves any potential conflicts of law. Google has long supported these efforts, including work to find a successor to the US-E.U. Privacy Shield to restore legal certainty around trans-Atlantic personal data flows and develop common global principles on government access to data at the Organisation for Economic Co-operation and Development (OECD) level. We will continue to support these efforts while protecting the privacy and security of our customers. 

Millions of organisations with users in Europe rely on our cloud services to run their businesses every day, and we remain steadfastly committed to helping them meet their regulatory requirements by maintaining a diverse set of compliance tools in light of EDPB’s recommendations.