An update on Google Cloud’s commitments to E.U. businesses in light of the new E.U.-U.S. data transfer framework
Director and Global Head of Privacy, Google Cloud
Head of Privacy Regulatory Strategy & Compliance, Google Cloud
Last week, the European Commission and U.S. Government agreed on a new E.U.-U.S. data transfer framework. Earlier today, Google shared that it welcomes these efforts by the U.S. government to enhance privacy protections for E.U. data and facilitate trusted transatlantic data flows. For our Google Cloud customers, we intend to make the protections offered by this new framework available once it is implemented.
Last year, we reaffirmed our commitment to E.U. businesses after the European Data Protection Board (EDPB) issued its Recommendations on Supplementary Measures, following Europe’s top court ruling invalidating the E.U.-U.S. Privacy Shield Framework and upholding the E.U. Standard Contractual Clauses (SCCs).
Since then, we've continued to help our customers meet stringent data protection requirements by offering industry-leading technical controls, contractual commitments, and risk assessment resources. We've also continued our advocacy to create more legal certainty around transatlantic data flows.
Today, we would like to provide an update to our customers on this work.
A customer-controlled cloud
Google Cloud1 continues to be a leading provider of technical and security controls to help meet customers’ data protection requirements, as well as their increasing data sovereignty expectations.
We are committed to building our Cloud on Europe's terms, including by offering customer-managed encryption and data localization for a growing list of key products and collaborating with local partners to provide the highest levels of sovereignty, all while enabling the next wave of growth and transformation for Europe’s businesses and organizations.
Google Cloud Platform
We recently announced the general availability of Assured Workloads for the E.U. This product helps Google Cloud Platform (GCP) customers protect their data by allowing them to:
Store their data in their choice of E.U. Google Cloud region(s)
Ensure that only E.U. persons – located in the E.U. – have access to the data and provide customer support
Deploy cryptographic control for data access, including customer-managed encryption keys
Cloud External Key Manager (EKM) enables customers to encrypt data in a variety of services with keys that are stored and managed in a third-party key management system deployed outside of Google’s infrastructure. Google Cloud continues to be the only cloud provider to enable customers to store and manage encryption keys for cloud-resident data outside the provider's infrastructure with customer’s control over decryption based on specific justifications, including government access requests.
Key Access Justifications greatly advances the control that GCP customers have over their data by giving customers a justification every time their externally hosted keys have to be used to decrypt data. Signed Access Approval (SAA) adds a layer of extra assurance that requires explicit customer consent for any administrative access to customer data or configurations.
Google Cloud’s Confidential Computing portfolio is a breakthrough technology that allows customers to encrypt their most sensitive data in the cloud while in-use. Ubiquitous Data Encryption further extends data protection by providing cryptographic protection for this data at-rest, in-transit, and in-use. The keys used to encrypt customer data outside of GCP using Cloud EKM are securely shared with applications operating within Confidential environments.
Our Google Workspace (including Workspace for Education) customers can choose to store their covered data in Europe. Additionally, with Client-Side Encryption, we offer customers direct control of encryption keys and the identity service they choose to access those keys. With Client-Side Encryption, customer data is indecipherable to Google, while users can continue to take advantage of Google’s native web-based collaboration, access content on mobile devices, and share encrypted files externally. Client-Side Encryption is currently available in Public Beta for Google Drive, Docs, Sheets, and Slides, and we plan to extend it to Gmail, Calendar and Meet. Additionally, customers can also benefit by choosing third party solutions that offer similar encryption capabilities with select Google Workspace services.
Legal Basis for International Data Transfers
We updated our data processing terms for GCP and Google Workspace and Cloud Identity to reflect various modules of the new E.U. Standard Contractual Clauses (SCCs) approved by the European Commission on June 4, 2021, as well as separate U.K. SCCs.
Google Cloud plans to adopt the new E.U.-U.S. data transfer framework and offer it as a transfer solution to our cloud customers, as further detailed in our data processing terms.
Advocacy and Additional Helpful Resources
We have adopted the Trusted Cloud Principles with industry peers to demonstrate our commitments to protect the rights of our Google Cloud customers. We will continue to support the ongoing work of the Organisation for Economic Co-operation and Development on government access to data and the negotiation of CLOUD Act Agreements — including between the U.S. and E.U. — as vehicles for surveillance reform.
We will continue to publish additional materials on our Cloud Privacy Resource Center, such as our whitepaper on safeguards for international data transfers with Google Cloud.
Millions of organizations with users in Europe rely on our cloud services to run their businesses every day, and we remain steadfastly committed to helping them meet their regulatory requirements by maintaining a diverse set of compliance tools.
1. Google Cloud: Google Workspace (including Google Workspace for Education) and Google Cloud Platform (GCP)