Google Cloud Platform and the EU Data Protection Directive

What is the EU Data Protection Directive?

Many of Google Cloud Platform’s business customers operate in Europe. These businesses often need to comply with the European Union’s Data Protection Directive (the "Directive"), which regulates the processing of personal data. The Directive specifies a number of requirements companies must meet around protecting personal data.

EU-U.S. & Swiss-U.S. Privacy Shield Framework

In July 2016, the European Commission concluded that the EU-U.S. Privacy Shield Framework provides an adequate mechanism to allow EU companies to comply with requirements under the Directive in connection with transfer of personal data from the European Union to the United States. Google Inc. is certified under both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks and our certifications can be viewed on the Privacy Shield list.

EU Model Contract Clauses

In 2010, the European Commission approved model contract clauses as a means of complying with the requirements of the Directive. The effect of this decision is that by incorporating certain provisions into a contract, personal data can flow in a compliant way from those subject to the Directive to cloud (and other) providers outside the EU or the European Economic Area ("EEA"). By adopting EU model contract clauses, providers outside the EU or the EEA can offer their customers an option for complying with the Directive.

Does Google Cloud Platform offer EU Model Contract Clauses?

Yes, as of December 16, 2015, Google Cloud Platform offers EU model contract clauses for customers subject to the Directive. The European Union's data protection authorities, acting collectively as the Article 29 Working Party, concluded that Google's agreements for G Suite and Google Cloud Platform model contract clauses meet EU regulatory expectations. This confirms that Google Cloud services provide sufficient commitments to frame international data flows from Europe to the rest of the world. For details on the approval of the Google Cloud from the Article 29 Working Party, please see the respective decisions for G Suite and Google Cloud Platform. Customers can review and accept our Data Processing and Security Terms and Model Contract Clauses in the Google Cloud Console. Detailed instructions on how to take this action can be found here.

About the Security of Google Cloud Platform

Google Cloud Platform maintains certification with robust security standards, including:

  • SSAE16 / ISAE 3402 Type II:
  • ISO 27001, one of the most widely recognized, internationally accepted independent security standards. Google has earned ISO 27001 certification for the systems, applications, people, technology, processes and data centers serving Google Cloud Platform. Our ISO 27001 Certificate is here.
  • ISO 27017, Cloud Security, This is an international standard of practice for information security controls based on ISO/IEC 27002 specifically for cloud services. Our ISO 27017 Certificate is here.
  • ISO 27018, Cloud Privacy, This is an international standard of practice for protection of personally identifiable information (PII) in public clouds services. Our ISO 27018 Certificate is here.
  • FedRAMP ATO for Google App Engine
  • PCI DSS v3.2

Data is most vulnerable to unauthorized access as it travels across the Internet or within networks and securing data in transit is a high priority for Google. For this reason, Google operates its own private global network that spans all of our data centers and our 70+ points of presence, rather than using the public internet for transmission between data centers. Data traveling between a customer’s device and Google is encrypted by default using HTTPS/TLS (Transport Layer Security). In fact, Google was the first major cloud provider to enable HTTPS/TLS by default.

Google has also upgraded all our RSA certificates to 2048-bit keys, making our encryption in transit for all Google services even stronger. Perfect forward secrecy (PFS) minimizes the impact of a compromised key, or a cryptographic breakthrough. It protects network data by using a short term key that lasts only a couple of days and is only held in memory, rather than a key that’s used for years and kept on durable storage. Google was the first major web player to enable perfect forward secrecy by default. Google encrypts all Cloud Platform data as it moves between our data centers on our private network, as well as encrypting all Cloud Platform data at rest.

Can I designate where data will be stored?

We refer to the Google data centers in a particular location as a "Zone," with multiple zones comprising a "Region." Currently Google Cloud Platform maintains regions around the globe, including Asia, Europe, and North America. Within currently available zones and the geographic scope of the services being used, customers may designate where certain customer data will be stored. In cases where no region is selected, or where a particular service does not support a particular location, Google will store and process data in other locations where it (or its agents) maintains or operates facilities. Data location options are clearly identified in the Google Cloud console, and Google observes the data location commitments set forth in the Google Cloud Platform Terms of Service and Service Specific Terms.
View Google Data Center locations

Response to CPU Vulnerabilities

Get information about Spectre and Meltdown

Learn more


Answers to your frequently asked questions

View the FAQ

Security Whitepaper

Read more about Google’s approach to security

View the whitepaper

Contact us

Talk with a Cloud Platform team member about security

Contact us