Author Archives: Marc Crandall

The Spanish Data Protection Authority (AEPD) confirms compliance of Google Cloud commitments for international data flows

Millions of organizations use Google Cloud services every day, relying on Google to provide world-class privacy and security protections. Data protection is central to our mission, and we're always looking at ways to facilitate our customers’ compliance journey.

Today we’re pleased to announce that the Spanish Data Protection Agency (“Agencia Española de Protección de Datos” or “AEPD”) has issued a decision confirming that the guarantees established by the contractual commitments provided by Google for the international transfers of data to U.S. connected to its G Suite and Google Cloud Platform (GCP) services are adequate. Therefore, the international transfers to U.S. under such contractual commitments are deemed authorized by the AEPD provided the conditions established by the AEPD’s decision are met.

This authorization benefits all of our G Suite and GCP customers in Spain, who don’t need to pursue it individually. Rather, customers need to opt in to the relevant model contract clauses (via the online processes described on our Help Centers for G Suite and GCP services, respectively) and notify their relevant transfer to the AEPD’s registry. For more details, please see the AEPD’s decision.

The EU’s Data Protection Authorities had already confirmed earlier this year that Google Cloud services’ contractual commitments fully meet the requirements to legally frame transfers of data from the EU to the rest of the world in accordance with the EU Data Protection Directive 95/46/EC.  

This authorization is an important milestone for Google and its Spanish customers, as it reaffirms that the legal protections underpinning G Suite and GCP international data flows meet European and Spanish regulatory requirements. Furthermore, our customers can count on the fact that Google is committed to comply with the General Data Protection Regulation (GDPR) across G Suite and Google Cloud Platform services.


What does this mean for our customers in the Spanish jurisdiction?

G Suite and GCP customers may benefit from a simplified process with regard to international data transfers via our services provided the conditions established by the AEPD’s decision are met.


What are the key aspects of the authorization from the Spanish data protection authority?

Customers in the Spanish jurisdiction can benefit from the authorization as long as the international transfer of personal data remains in the scope of the authorization. You can read the full authorization here. Customers will still be required to notify the AEPD and may need to comply with additional legal requirements. Please consult a lawyer to obtain legal advice specifically applicable to your business circumstances.


How can customers make use of Google’s authorization?

Customers must sign a contract. The contractual arrangements shall include the Data Processing Amendment (DPA) for G Suite / Data Processing and Security Terms (DPST) for GCP and the EU Model Contractual Clauses (MCCs). Our customers can enter into the applicable relevant model contract clauses via the online processes described here for G Suite services and here for GCP services.


Source: Google Cloud


The Spanish Data Protection Authority (AEPD) confirms compliance of Google Cloud commitments for international data flows

Millions of organizations use Google Cloud services every day, relying on Google to provide world-class privacy and security protections. Data protection is central to our mission, and we're always looking at ways to facilitate our customers’ compliance journey.

Today we’re pleased to announce that the Spanish Data Protection Agency (“Agencia Española de Protección de Datos” or “AEPD”) has issued a decision confirming that the guarantees established by the contractual commitments provided by Google for the international transfers of data to U.S. connected to its G Suite and Google Cloud Platform (GCP) services are adequate. Therefore, the international transfers to U.S. under such contractual commitments are deemed authorized by the AEPD provided the conditions established by the AEPD’s decision are met.

This authorization benefits all of our G Suite and GCP customers in Spain, who don’t need to pursue it individually. Rather, customers need to opt in to the relevant model contract clauses (via the online processes described on our Help Centers for G Suite and GCP services, respectively) and notify their relevant transfer to the AEPD’s registry. For more details, please see the AEPD’s decision.

The EU’s Data Protection Authorities had already confirmed earlier this year that Google Cloud services’ contractual commitments fully meet the requirements to legally frame transfers of data from the EU to the rest of the world in accordance with the EU Data Protection Directive 95/46/EC.  

This authorization is an important milestone for Google and its Spanish customers, as it reaffirms that the legal protections underpinning G Suite and GCP international data flows meet European and Spanish regulatory requirements. Furthermore, our customers can count on the fact that Google is committed to comply with the General Data Protection Regulation (GDPR) across G Suite and Google Cloud Platform services.


What does this mean for our customers in the Spanish jurisdiction?

G Suite and GCP customers may benefit from a simplified process with regard to international data transfers via our services provided the conditions established by the AEPD’s decision are met.


What are the key aspects of the authorization from the Spanish data protection authority?

Customers in the Spanish jurisdiction can benefit from the authorization as long as the international transfer of personal data remains in the scope of the authorization. You can read the full authorization here. Customers will still be required to notify the AEPD and may need to comply with additional legal requirements. Please consult a lawyer to obtain legal advice specifically applicable to your business circumstances.


How can customers make use of Google’s authorization?

Customers must sign a contract. The contractual arrangements shall include the Data Processing Amendment (DPA) for G Suite / Data Processing and Security Terms (DPST) for GCP and the EU Model Contractual Clauses (MCCs). Our customers can enter into the applicable relevant model contract clauses via the online processes described here for G Suite services and here for GCP services.


EU data protection authorities confirm compliance of Google Cloud commitments for international data flows

Today we're pleased to announce that the European Union’s Data Protection Authorities have confirmed that Google Cloud services’ contractual commitments fully meet the requirements to legally frame transfers of data from the EU to the rest of the world, in accordance with EU Data Protection Directive 95/46/EC.

The authorities have concluded that Google’s agreements for international transfers of data for G Suite and Google Cloud Platform (GCP) are in line with the European Commission’s “model contract clauses” and should therefore not be considered "ad hoc" clauses. In practice, this compliance finding will enable our customers in most EU countries to rely on Google Cloud model contract clauses for the international transfer of data without further authorizations, and will simplify the processing of national authorizations in other countries, where required. It will also help to facilitate our customers’ data protection risk assessments.

The review process was conducted in accordance with Working Paper (WP) 226 of the Article 29 Working Party. The Irish Data Protection Authority acted as the lead authority and the Spanish and Hamburg authorities as co-reviewers.

Successful completion of the review process marks an important milestone for Google and its customers, as it confirms that the legal protections underpinning the Google Cloud international data flows meet European regulatory requirements.

For more detail, please see the respective decisions for G Suite and Google Cloud Platform. Our customers subject to the relevant regulatory requirements can enter into the applicable model contract clauses via the online processes described here for G Suite services and here for GCP services.


FAQs

What is the Data Protection Directive 95/46/EC?

It's the European Union’s directive, which was adopted in 1995 and which regulates the protection of individuals with regard to the processing of personal data and the free movement of such data.

What are the “model contract clauses” (MCCs)?

The Standard Contractual Clauses (also known as "model contract clauses", “model clauses” or “MCCs”) are a set of European Commission approved standard provisions that can be used to achieve compliance with legal requirements pertaining to the transfer of personal data outside of the European Economic Area.

What is the Common Opinion Procedure?

It's a process adopted by the Article 29 Working Party enabling companies to make use of contractual clauses based on model contract clauses (with some divergences such as additional clauses) in order to frame international transfers of data from different EU Member States. The process was established to enable the competent data protection authorities to reach a coordinated position as to whether the proposed contract conforms with the model contract clauses

What is the Article 29 Working Party?

It's a privacy working group comprised of data protection authorities from each EU Member State, the European Data Protection Supervisor, and the European Commission.

What are "ad hoc" clauses in this context?

They're clauses created for a particular service that substantially differ from the European Commission’s “model contract clauses” and therefore don't have the same legal value.

Source: Google Cloud