Enhancing our privacy commitments to customers
Royal Hansen
VP, Engineering for Privacy, Safety, and Security
Around the world, companies in every industry rely on our cloud services to run their businesses, and we take that responsibility seriously. That’s why we’re focused on providing industry-leading security and product capabilities, certifications, and commitments, along with transparency and visibility into when and how customer data is accessed. Today, we’re expanding on these commitments and sharing an update on our latest work in this area.
Commitment to privacy
Our Google Cloud Enterprise Privacy Commitments outline how we protect the privacy of customers whenever they use Google Workspace, G Suite for Education and Google Cloud Platform (GCP). There are two distinct types of data that we consider across both of these platforms—customer data and service data:
Customer data: We start from the fundamental premise that, as a Google Cloud customer, you own your customer data. We implement stringent security measures to safeguard that data, and provide you with tools to control it on your terms. Customer data is the data you, including your organization and your users, provide to Google when you access Google Workspace, G Suite for Education and GCP, and the data you create using those services.
Service data: We also secure any service data—the information Google collects or generates while providing and administering Google Workspace, G Suite for Education and GCP—which is critical to help ensure the security and availability of our services. Service data does not include customer data—it includes information about security settings, operational details, and billing information. We process service data for the purposes that are detailed in our Google Cloud Privacy Notice (newly launched to provide more specific information about how we process service data, and effective November 27, 2020), such as making recommendations to optimize your use of Google Workspace and GCP, and improving performance and functionality.
When you use Google Cloud services, you can be confident that:
You control your data. Customer data is your data, not Google’s. We only process your data according to your agreement(s).
We never use your data for ads targeting. We do not process your customer data or service data to create ads profiles or improve Google Ads products.
We are transparent about data collection and use. We’re committed to transparency, compliance with regulations like the GDPR, and privacy best practices.
We never sell customer data or service data. We never sell customer data or service data to third parties.
Security and privacy are primary design criteria for all of our products. Prioritizing the privacy of our customers means protecting the data you trust us with. We build the strongest security technologies into our products.
These commitments are backed by the strong contractual privacy commitments we make available to our customers for Google Workspace, G Suite for Education and GCP.
Enhanced customer controls and new third-party certifications
We recently released new capabilities that further improve visibility and control over how data in our cloud is accessed and processed. In 2018, we were the first major cloud provider to bring Access Transparency to our customers, providing you with near real-time logs of the rare occasions Google Cloud administrators access your content. To give you even more visibility and control, we’ve made Access Approval for GCP generally available to let you approve or dismiss requests for access by Google employees working to support your service.
Our Transparency & Control Center is also now generally available as part of the GCP Console. It gives you the ability to enable and disable data processing that supports features such as recommendations and insights at the organization and project level. It also allows you to export personal data that may be used to generate recommendations and insights. For Google Workspace, in addition to providing granular audit logs, we offer organization admins and users the ability to download a copy of their data via the data export tool and Google Takeout. These are just some of the ways we help support data portability requirements under privacy regulations such as the EU’s GDPR and the California Consumer Privacy Act (CCPA).
We continue to reinforce our commitment to privacy by meeting the requirements of internationally recognized privacy laws, regulations, and standards. This summer we announced that we are the first major cloud provider and productivity suite to receive accredited ISO/IEC 27701 certification as a data processor. Our accredited ISO/IEC 27701 certifications for Google Workspace and GCP provide customers with benefits including simplified audit processes, universal privacy controls and greater clarity around privacy-related roles and responsibilities. Certifications provide independent validation of our ongoing dedication to world-class security and privacy, and we look forward to obtaining additional certifications in the future.
Continued innovation to support customer needs
As the global privacy landscape and our customers’ needs change, Google Cloud will continue to work diligently to maintain our commitments to privacy, control and transparency. To learn more about our efforts, visit our Trust and Security center.