EU data protection authorities confirm compliance of Google Cloud commitments for international data flows
Today we're pleased to announce that the European Union’s Data Protection Authorities have confirmed that Google Cloud services’ contractual commitments fully meet the requirements to legally frame transfers of data from the EU to the rest of the world, in accordance with EU Data Protection Directive 95/46/EC.
The authorities have concluded that Google’s agreements for international transfers of data for G Suite and Google Cloud Platform (GCP) are in line with the European Commission’s “model contract clauses” and should therefore not be considered "ad hoc" clauses. In practice, this compliance finding will enable our customers in most EU countries to rely on Google Cloud model contract clauses for the international transfer of data without further authorizations, and will simplify the processing of national authorizations in other countries, where required. It will also help to facilitate our customers’ data protection risk assessments.
The review process was conducted in accordance with Working Paper (WP) 226of the Article 29 Working Party. The Irish Data Protection Authority acted as the lead authority and the Spanish and Hamburg authorities as co-reviewers.
Successful completion of the review process marks an important milestone for Google and its customers, as it confirms that the legal protections underpinning the Google Cloud international data flows meet European regulatory requirements.
For more details, please visit the EU Data Protection Directive page to find respective decisions for G Suite and Google Cloud Platform. Our customers subject to the relevant regulatory requirements can enter into the applicable model contract clauses via the online processes described here for G Suite services and here for GCP services.
What is the Data Protection Directive 95/46/EC?
It's the European Union’s directive, which was adopted in 1995 and which regulates the protection of individuals with regard to the processing of personal data and the free movement of such data.
What are the “model contract clauses” (MCCs)?
The Standard Contractual Clauses (also known as "model contract clauses", “model clauses” or “MCCs”) are a set of European Commission approved standard provisions that can be used to achieve compliance with legal requirements pertaining to the transfer of personal data outside of the European Economic Area.
What is the Common Opinion Procedure?
It's a process adopted by the Article 29 Working Party enabling companies to make use of contractual clauses based on model contract clauses (with some divergences such as additional clauses) in order to frame international transfers of data from different EU Member States. The process was established to enable the competent data protection authorities to reach a coordinated position as to whether the proposed contract conforms with the model contract clauses
What is the Article 29 Working Party?
It's a privacy working group comprised of data protection authorities from each EU Member State, the European Data Protection Supervisor, and the European Commission.
What are "ad hoc" clauses in this context?
They're clauses created for a particular service that substantially differ from the European Commission’s “model contract clauses” and therefore don't have the same legal value.
Written by Marc Crandall (HEAD OF GLOBAL COMPLIANCE GOOGLE CLOUD) and Matthew O’Connor (HEAD OF SECURITY AND COMPLIANCE GOOGLE CLOUD PLATFORM)