Identity & Security
Google Cloud’s Commitment to EU International Data Transfers and the CJEU Ruling
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a ruling invalidating the EU US Privacy Shield Framework, but upholding the validity of EU Model Contract Clauses (MCCs), also known as Standard Contractual Clauses. Both of these mechanisms were created for the lawful transfer of personal data from the European Union (EU) to countries outside of the EU under the EU Directive, and then the EU’s General Data Protection Regulation (GDPR). Given the CJEU has upheld the MCCs, it is important to know that your use of G Suite and Google Cloud Platform meets GDPR’s standards for transfer of personal data outside of the EU.
Google Cloud has always been committed to compliance with EU privacy legislation since we began offering our first Google Cloud services in 2006. We have ensured our products and services are built with the highest standards of security and privacy, enabling not only our customers in Europe—but all of our customers—to meet regulatory and compliance frameworks, even as legislation evolves. Millions of organizations rely on our cloud services to run their businesses, and we’re committed to helping them directly address global privacy and data protection requirements by offering industry-leading security, third-party audits and certifications, legal commitments, and products and services to support compliance needs.
Beginning in 2012, Google Cloud began offering MCCs as a data transfer mechanism, and in 2017, the Article 29 Working Party, the predecessor of the European Data Protection Board, concluded that Google’s agreements for international transfers of data for G Suite and Google Cloud Platform are in alignment with the European Commission’s MCCs. Our customers have been able to rely on Google Cloud MCCs for the international transfer of their data, and this continues today.
Regardless of the location of the data, data protection remains a priority for Google. We will continue to follow and be certified against internationally-recognized privacy standards such as ISO 27018 and ISO 27701.
We have been closely monitoring the developments around the evolution of the international data transfer mechanisms permitted under GDPR. We are currently studying the ruling, as well as related developments, and will keep you updated as things evolve.