Jump to Content
Productivity & Collaboration

Google Workspace expands data privacy controls to Gmail and Calendar with client-side encryption

February 28, 2023
https://storage.googleapis.com/gweb-cloudblog-publish/images/GWS_Blog_header_Digital_sovereignty_title..max-2600x2600.jpg
Andy Wen

Director of Product Management, Google Workspace

Ganesh Chilakapati

Group Product Manager, Google Workspace

Editor's note: This post originally appeared on the Google Workspace blog.


We consistently hear from our customers that the privacy of their data is top of mind, which is why we’ve built state-of-the-art security and privacy-preserving technologies into our products — to keep customer data private and secure. We’ve put Google AI to work on behalf of our customers to automatically stop the majority of online threats before they emerge. Gmail, for example, automatically blocks more than 99.9% of spam, phishing, and malware. These defenses, together with our unique encryption capabilities like client-side encryption (CSE), help our customers such as Groupe Le Monde, PwC, and Verizon, meet their security, privacy, compliance, and digital sovereignty requirements. 

Last year, we enabled CSE for Drive, Docs, Slides, Sheets, and Meet, and today we’re excited to share that CSE is generally available for Gmail and Calendar, enabling even more organizations to become arbiters of their own data and the sole party deciding who has access to it. We recognize sovereign controls are important to customers and have accelerated delivery of these encryption capabilities to support our customers in maintaining control over their data and meeting their regulatory compliance needs. 

Guarantee complete control of your data for the most challenging regulations

The expansion of CSE capabilities across Google Workspace helps to significantly reduce the burden of compliance for enterprises and public sector organizations. It gives organizations higher confidence that any third party, including Google and foreign governments, cannot access their confidential data. Workspace already encrypts data at rest and in transit by using secure-by-design cryptographic libraries. Client-side encryption takes this encryption capability to the next level by ensuring that customers have sole control over their encryption keys — and thus complete control over all access to their data. Starting today, users can send and receive emails or create meeting events with internal colleagues and external parties, knowing that their sensitive data (including inline images and attachments) has been encrypted before it reaches Google servers. 

Users can continue to collaborate across other essential apps in Google Workspace while IT and security teams can ensure that sensitive data stays compliant with regulations. As customers retain control over the encryption keys and the identity management service to access those keys, sensitive data is indecipherable to Google and other external entities.

One key use case for CSE in this context centers on helping organizations subject to regulatory requirements, such as PwC, remain compliant, by meeting the need for the highest levels of encryption for certain types of communication.

“We have been searching for the capability to guarantee that our encrypted communications remain inaccessible to third-parties, including our technology providers, for some time. Google appears to be uniquely positioned with client-side encryption in providing us with complete control over our sensitive data, ensuring that we remain compliant as an organization in the ever changing world of data regulation. These features now being available across Google Workspace represent a pivotal moment for us. We're enthusiastic about the ability to continue to benefit from the efficiency in working that Workspace provides us with, whilst at the same time maintaining trust with our customers that their confidential data will stay private and compliant," said Shaun Bookham, UK Operations & Technology Director at PwC.

One of our global telecommunications customers, Verizon, is leveraging CSE to gain complete control over their sensitive data, ensuring that they remain compliant as an organization while supporting customers in highly regulated industries. This opens doors for the company to deliver an exceptional experience for its customers, by extending the level of data protection and privacy to their clients. 

“At Verizon, we adhere to governance requirements related to access of our sensitive data while also providing the best experience coupled with deep trust. We have worked alongside Google to develop new encryption solutions and are excited to explore their utilization,” said Russell Leader, Director Collaboration and Mobility at Verizon.

https://storage.googleapis.com/gweb-cloudblog-publish/original_images/Kapture_2023-02-15_at_21.06.11_gGG3Ejk.gif
Client-side encryption in action in Gmail

Protecting an organization’s most important assets

The regulatory requirements for separation between an organization’s data and their cloud provider’s environment has resulted in important use cases for client-side encryption — from keeping sensitive R&D data extremely private, even from an organization’s SaaS provider, to scenarios where confidentiality is paramount to the success or failure of a mission-critical operation. 

Customers, such as media giant Groupe Le Monde, rely on client-side encryption to protect their most crucial assets. By leveraging client-side encryption across Workspace, Groupe Le Monde can be assured that their communications, appointments, and files will not be subject to leaks, thus helping to keep their journalists safe.

"Client-side encryption gives us the next level of privacy, to ensure integrity within the journalistic process. This allows us to guarantee a higher level of security for our journalists, and to protect our sensitive content," said Sacha Morard, Chief Technology Officer at Groupe Le Monde. 

Another industry-leading Google Workspace enterprise customer uses client-side encryption to protect their most sensitive projects. For these projects, the customer is the sole owner of their encryption keys, thereby protecting their critical intellectual property and maintaining their data sovereignty requirements.

https://storage.googleapis.com/gweb-cloudblog-publish/original_images/Calendar_animation_CoOcFlM.gif
Client-side encryption in action in Calendar.

While each customer’s digital transformation journey is different, with all essential Google Workspace apps now being covered by CSE, companies of all sizes in all industries can benefit from these protections.

Starting today, client-side encryption is available globally to customers with Workspace Enterprise Plus, Education Standard, and Education Plus. To learn more about client-side encryption and how to get started today, watch our presentation from Google Cloud Next ’22 and check out the documentation.

Posted in