Google Commits to EU-U.S. Privacy Shield

The Privacy Shield framework establishes a new mechanism for U.S. companies to prove compliance with EU data privacy laws, the company said.

Google has officially adopted the United States and European Union's Privacy Shield framework governing the transfer of personal data from the EU to the United States during the course of international commerce.

The company this week submitted certification to the U.S. Department of Commerce confirming its commitment to applying Privacy Shield requirements when handling and storing personal data belonging to residents of the 28 member states of the EU.

"This is a significant milestone for the protection of Europeans' personal data and promotes trust in the digital economy," Mark Crandall, head of global compliance at Google for Work, wrote in a blog post. In addition to Privacy Shield, Google will also use so-called Model Contract Clauses to guarantee its compliance with EU regulations pertaining to personal data privacy, Crandall said.

With millions of organizations worldwide using Google's cloud service, the company is "committed to helping them meet their regulatory requirements by maintaining a diverse set of compliance tools," he added.

The EU-U.S. Privacy Shield is a framework for ensuring that American companies handling personal data belonging to European Union residents do so in a manner that complies with EU privacy requirements.

The framework was born out of concerns stemming from former National Security Agency contractor Edward Snowden's leaks about the U.S. government's surveillance programs and about its access to customer data stored by U.S. cloud companies under the aegis of national security.

The Privacy Shield framework replaces the previous Safe Harbor agreement that governed transatlantic data transfers for 15 years. The Court of Justice for the EU invalidated Safe Harbor in October 2015, saying it did not offer enough privacy protections for EU residents.

The Privacy Shield is an attempt to address that shortcoming by, among other things, introducing stronger data privacy obligations for companies like Google, Microsoft, Facebook and the hundreds of other U.S. companies that handle personal data belonging to EU residents. The Privacy Shield introduces new supervision and enforcement mechanisms for companies that commit to following the framework.

With the Privacy Shield, the U.S. government also has provided written assurances to EU authorities that any access to customer data stored with U.S. internet companies will be subject to clear legal limitations. The U.S. government has agreed to oversight mechanisms and safeguards to ensure there will be no generalized access to customer data and to provide a redress mechanism for EU individuals who think their privacy rights may have been violated.

U.S. companies are not required to sign up for the Privacy Shield. However, it is considered an effective mechanism for them to prove their safeguards are in line with EU requirements for consumer data privacy.

Back in July, when the European Commission formally approved the Privacy Shield, Google was among the many U.S. companies that welcomed the pact. "Ever since the European Court of Justice invalidated the EU-U.S. Safe Harbor Agreement in October 2015, businesses on both sides of the Atlantic have faced confusion about the future of transatlantic data transfers," Google had noted at the time.

The Privacy Shield lifts that confusion and adds new legal certainty to transatlantic data flows, Google had said.

Jaikumar Vijayan

Vijayan is an award-winning independent journalist and tech content creation specialist covering data security and privacy, business intelligence, big data and data analytics.