The contractual clauses that Google uses to cover international data transfers for European customers of its G Suite applications and its cloud services have been certified as being compliant with European Union data protection requirements.
EU data protection authorities have confirmed that the language in Google’s contracts for EU business customers aligns with the European Commission’s so-called “model contract clauses,” the company said Monday.
“This compliance finding will enable our customers in most EU countries to rely on Google Cloud model contract clauses,” said Marc Crandall, head of global compliance at Google, and Matthew O’Connor, head of security and compliance at the company, in a blog. It gives EU businesses the legal protections needed for international data transfers without further authorizations, the two executives said.
The compliance certification will also make it easier for Google to get similar certifications in other countries that have data protection requirements similar to those in the EU. “It will also help to facilitate our customers’ data protection risk assessments,” Crandall and O’Connor said.
Model contract clauses, or standard contract clauses as they are also called, are basically a set of standards that organizations use to show compliance with EU requirements for protecting personal data when transferring it outside the European Economic Area.
Companies that agree to abide by the clauses commit legally to things like collecting personal data only for specific and legitimate purposes, providing individuals with the right to access and correct their data, and providing adequate remedies in case anything goes wrong.
The European Commission’s confirmation means that Google’s contractual clauses will no longer be considered as ‘ad hoc’ clauses that are subject to further inspection by EU data protection authorities.
The distinction is an important one for Google. Like every other company that does business in Europe, Google is required to comply with rules pertaining to the handling of personal data belonging to residents of the EU when transferring it overseas.
For several years, such data transfers were covered under a pact known as the US-EU Safe Harbor Agreement. Safe Harbor gave U.S. organizations a set of principles to use when handling personal data belonging to EU residents. It allowed companies to self-certify their adherence to the principles and was used widely by American companies including the likes of Google, Facebook and Microsoft.
The EU’s Court of Justice invalidated Safe Harbor in October 2015 over fears stemming from former NSA contractor Edward Snowden’s leaks about the U.S. government’s data collection and surveillance practices. The court held that Safe Harbor did little to prevent U.S. cloud companies from handing over personal data belonging to EU residents to the government if ordered to do so.
Last year, a new and far more stringent set of requirements was put in place under a framework known as Privacy Shield.
Google quickly committed to using Privacy Shield and provided certification to the U.S. Department of Commerce to that effect. At the time, the company said it was working on obtaining compliance certification for its model contract clauses as well.