Earlier this month, Google announced that the Article 29 Working Party (WP29) has confirmed that Google's terms and conditions for G-Suite (Google Apps) and Google Cloud Platform are consistent with the EU Commission's Standard Contractual Clauses (SCCs) for data transfers outside the EEA.

Google is not the first vendor to get approval for its own terms and conditions. The WP29 approved Microsoft's terms for its cloud services back in April 2014.

Isn't the legality of the Standard Contractual Clauses being challenged?

Yes. At least in relation to transfers of personal data to the United States (though any adverse finding will have wider consequences). A complaint has been made to the Irish Data Protection Commissioner in relation to Facebook's use of the SCCs for transfers of personal data to the US.

The Irish DPC is currently in the Irish courts seeking to refer the question to the Court of Justice of the European Union. Even if the Irish courts do agree to refer the question to the CJEU, we are still some time away from clarity on this. Meantime, the SCCs remain a lawful basis upon which to transfer personal data outside the EEA.

Coincidentally, the review of Google's terms and conditions was led by the Irish Data Protection Commissioner. You can read the Irish DPC's decisions here (G-Suite/Google Apps) and here (GPC).

Isn't Google now certified under Privacy Shield?

Yes, Google Inc is certified under the EU/US Privacy Shield scheme. Given that Privacy Shield was developed in response to the CJEU's decision on the lawfulness of Safe Harbor, and provides certain assurances from the US Government in relation to surveillance and the ongoing challenges to the legality of the SCCs, organisations will likely prefer to rely upon Privacy Shield rather than SCCs when Google is hosting personal data in the US.

Why is Google taking a twin track approach? Looking at the dates in the correspondence between Google and the Irish DPC, it is clear that discussions have been ongoing for some time and pre-date Privacy Shield coming into effect.

Remember also that Privacy Shield applies only to transfers to the US. It would not apply to transfers to Google data centres elsewhere in the world. In contrast, the SCCs (and Google's standard terms) are destination neutral.

What does this mean if I want to use Google's services?

In short, it should simplify the process for EU organisations contracting with Google for cloud based services, where non-EU data centres are being used.

The 29WP is essentially saying that using Google's standard terms falls within the scope of the derogation approved by the European Commission for transfers of personal data under the model controller to processor clauses approved by the EU Commission for international data transfers. In other words, customers using Google's services need not enter into a standalone set of SCCs.

However, the approval of Google's standard terms deals only with the eighth data protection principle (that personal data should not be transferred outside the EEA unless the country ensures an adequate level of protection). The WP29's approval does not deal with the appropriateness of Google's security measures. It remains incumbent upon organisations to review those measures and ensure that they are comfortable with them.

In particular, organisations will want to know which locations are being used to process their data. More generally, they should still consider whether they are comfortably with their data being held in data centres outside the EEA.

Google customers will also need to ensure that the appendices to the terms and conditions (setting out the nature of the data being transferred, the purposes for which it is being processed and the security measures being adopted) are properly reviewed and completed. In certain member states, the contents of those appendices may still need to be approved by the national data protection authority.

Those appendices are not just a case of filling in the blanks - they will require careful review as the data controller (ie the customer) remains responsible for the processing that Google carries out.

Nonetheless, the announcement is welcome step towards simplifying cloud contracts. Expect to see more organisations seeking similar approvals.


Martin Sloan