“For us, everything started originally in 1995 with the EU data protection directive,” says Marc Crandall at Google Cloud.
Google Cloud has detailed how its privacy and data handling has been bolstered by Europe’s recently enforced General Data Protection Regulation (GDPR), which came into effect earlier this year.
Marc Crandall, director for data protection and compliance at Google Cloud, said at the company’s Next 2018 event in London on Wednesday that data processing terms and amendments were not something the company “did from scratch” in the run-up to May 25 this year.
Google Cloud started offering these amendments in about 2012, around four to five years after it started offering Google Cloud services, based on feedback from data regulators. These were then updated with GDPR-specific terms last year, he said, ahead of GDPR taking effect.
“The creation of this separate data processing amendment, the genesis of that was really based on regulatory feedback from European data protection authorities, who suggested having a separate amendment, just dealing with data protection.
“So not only did we deploy this with our cloud contracts generally, it’s now available to anyone in the world, based on European guidance. It helped set the stage for how we set these contracts up globally.”
While some aspects of GDPR compliance were not new and others needed tweaking, things like greater fines, recording of processing, and detailed contractual provisions all needed to be taken on board.
Data processing terms for Google Cloud now include strict data incident notification, certifications, subprocessors, audits and reports processes, processing limitations, and data deletion, and being able to show customers that once their data is deleted, it’s gone for good.
Google Cloud: Our GDPR Compliance Stems From EU Data Protection Directive in 1995
However, for Google Cloud, data compliance in Europe began with the EU’s data protection directive back in 1995, Crandall said.
“Everything started originally in 1995 with the EU data protection directive, which created very strict obligations on data processors, data controllers with respect to the protection of EU data subjects; restrictions on how the data could be used, how long the data could be stored, right to correction.”
However, 20 years after the data protection directive was passed there were “only a handful” of countries that maintained adequate privacy protections, as the directive did not have direct force of law, resulting in a “hodge podge” of how countries were enforcing it, Crandall said.
To accommodate an increased reliance on the internet, the European Commission created lawful means of data transfer to allow data to be stored globally or internationally, including the Safe Harbour provision in 2000.
“For Google, probably around 2010, 2011, we got the sense that some of the data protection authorities weren’t that thrilled with safe harbour. We were using it, all of Google was using it, and all the major cloud providers were using it.”
Many companies had been relying on Safe Harbour until it was overturned by the European Court of Justice in 2015. Google, meanwhile, had already had model clauses in place for a couple of years, as well as a privacy shield and an “alternative transfer solution”, to stay a step ahead.
“These data transfer mechanisms, privacy shields, and model clauses are still recognised under GDPR, but things may change,” Crandall concluded. “Of course we have legal policy staff, engineering people, compliance personnel; they’re constantly evaluating this and updating our services appropriately.”
Crandall urged cloud customers, regardless of country or industry, to “think like a regulator” when making sure they’re GDPR-compliant, touting the company’s GDPR resource centre.
“You need to familiarise yourself with GDPR, obviously you’re going to talk with your counsel – they’re the ones who can advise you what you need to do. You should be reviewing controls, reviewing security capabilities, product capabilities, create an inventory of the personal data that you can handle. And of course monitor updates of regulatory guidance.
“You must conduct your due diligence; you must evaluate very carefully the capabilities of your cloud provider before you just dump your very important information to the cloud.”