After the EU invalidated the EU-US Privacy Shield Framework and upheld the validity of the EU Standard Contractual Clauses (SCC) last month, the European Data Protection Board published its final recommendations on additional measures.
Google saw this as an opportunity to once again explain how it protects EU citizens’ data that resides in its cloud, as well as how it plans to remain compliant.
In a blog post written by Google Cloud executives Marc Crandall and Nathaly Rey, it was said that “Google Cloud plans to implement the new SCCs to help protect our customers’ data and meet the requirements of European privacy legislation”.
Furthermore, Crandall and Rey explained that Google’s customers “own their data”, as they can store it in the European region, make sure it doesn’t move outside that jurisdiction, and prevent users and admins outside the EU from accessing that data.
They get to manage their own encryption keys, and require detailed justification and approval each time a key is requested to decrypt data using External Key Manager. Finally, they can deny Google the ability to decrypt the data using Key Access Justification, now in General Availability.
“We will continue to advocate for the principles we believe should guide access requests by government authorities for enterprise data anywhere in the world,” the blog states.
“Government engagement on a bilateral and multilateral level is critical for modernizing laws and establishing rules for the production of electronic evidence across borders in a manner that respects international norms and resolves any potential conflicts of law. Google has long supported these efforts, including work to find a successor to the US-EU Privacy Shield to restore legal certainty around trans-Atlantic personal data flows and develop common global principles on government access to data at the Organisation for Economic Co-operation and Development (OECD) level.”
“We will continue to support these efforts while protecting the privacy and security of our customers.”