Full Report
Around the world, companies in every industry rely on our cloud services to run their businesses, and we take that responsibility seriously. That’s why we’re focused on providing industry-leading security and product capabilities, certifications, and commitments, along with transparency and visibility into when and how customer data is accessed. Today, we’re expanding on these commitments and sharing an update on our latest work in this area. Commitment to privacy Our Google Cloud Enterprise Privacy Commitments outline how we protect the privacy of customers whenever they use Google Workspace, Google Workspace for Education and Google Cloud . There are two distinct types of data that we consider across both of these platforms—customer data and service data: Customer data: We start from the fundamental premise that, as a Google Cloud customer, you own your customer data. We implement stringent security measures to safeguard that data, and provide you with tools to control it on your terms. Customer data is the data you, including your organization and your users, provide to Google when you access Google Workspace, Google Workspace for Education and Google Cloud, and the data you create using those services. Service data: We also secure any service data—the information Google Cloud collects or generates while providing and administering Google Workspace, Google Workspace for Education, and Google Cloud — which is critical to help ensure the security and availability of our services. Service data does not include customer data — it includes information about security settings, operational details, and billing information. We process service data for the purposes that are detailed in our Google Cloud Privacy Notice (newly launched to provide more specific information about how we process service data, and effective November 27, 2020), such as making recommendations to optimize your use of Google Workspace and Google Cloud, and improving performance and functionality. When you use Google Cloud services, you can be confident that: You control your data. Customer data is your data, not Google Cloud’s. We only process your data according to your agreement(s). We never use your data for ads targeting. We do not process your customer data or service data to create ads profiles or improve Google Ads products. We are transparent about data collection and use. We’re committed to transparency, compliance with regulations like the GDPR, and privacy best practices. We never sell customer data or service data. We never sell customer data or service data to third parties. Security and privacy are primary design criteria for all of our products. Prioritizing the privacy of our customers means protecting the data you trust us with. We build the strongest security technologies into our products. These commitments are backed by the strong contractual privacy commitments we make available to our customers for Google Workspace, Google Workspace for Education and Google Cloud. Enhanced customer controls and new third party certifications We recently released new capabilities that further improve visibility and control over how data in our cloud is accessed and processed. In 2018, we were the first major cloud provider to bring Access Transparency to our customers, providing you with near real-time logs of the rare occasions Google Cloud administrators access your content. To give you even more visibility and control, we’ve made Access Approval for Google Cloud generally available to let you approve or dismiss requests for access by Google employees working to support your service. Our Transparency & Control Center is also now generally available as part of the Google Cloud Console. It gives you the ability to enable and disable data processing that supports features such as recommendations and insights at the organization and project level. It also allows you to export personal data that may be used to generate recommendations and insights. For Google Workspace, in addition to providing granular audit logs, we offer organization admins and users the ability to download a copy of their data via the data export tool and Google Takeout. These are just some of the ways we help support data portability requirements under privacy regulations such as the EU’s GDPR and the California Consumer Privacy Act (CCPA). We continue to reinforce our commitment to privacy by meeting the requirements of internationally-recognized privacy laws, regulations, and standards. This summer we announced that we are the first major cloud provider and productivity suite to receive accredited ISO/IEC 27701 certification as a data processor. Our accredited ISO/IEC 27701 certifications for Google Workspace and Google Cloud provide customers with benefits including simplified audit processes, universal privacy controls and greater clarity around privacy-related roles and responsibilities. Certifications provide independent validation of our ongoing dedication to world-class security and privacy, and we look forward to obtaining additional certifications in the future. Continued innovation to support customer needs As the global privacy landscape and our customers’ needs change, Google Cloud will continue to work diligently to maintain our commitments to privacy, control and transparency. To learn more about our efforts, visit our Trust and Security center.
Analysis Summary
# Regulation/Compliance: Google Cloud Enterprise Privacy Commitments and Data Rights Compliance
## Overview
This summary outlines the data privacy commitments, security measures, and compliance posture taken by Google Cloud concerning customer data and service data across Google Workspace, Google Workspace for Education, and Google Cloud services. The focus is on user control, transparency, non-use of data for advertising, and adherence to major global privacy regulations.
## Key Details
- Issuing Authority: Google Cloud (Contractual Commitments); Referenced Regulatory Bodies (GDPR, CCPA)
- Effective Date: Commitments are ongoing; Specific Privacy Notice effective November 27, 2020.
- Jurisdiction: Global (Applies to customers using Google Cloud services worldwide).
- Status: In Effect (Contractual commitments and ongoing compliance efforts).
## Requirements
### Mandatory Requirements (Contractual Commitments/Regulatory Alignment)
1. **Data Ownership Confirmation:** Customer data must be treated as the customer's property, not Google Cloud's.
2. **Processing Limitation:** Data processing must strictly adhere to the terms of the customer agreement(s).
3. **Ad Targeting Prohibition:** Neither Customer Data nor Service Data can be used to create advertising profiles or improve Google Ads products.
4. **Data Sale Prohibition:** Customer Data and Service Data must never be sold to third parties.
5. **Data Portability Support:** Provide tools (e.g., data export tools, Google Takeout) to support data portability requirements mandated by regulations like GDPR and CCPA.
6. **Transparency and Control:** Provide mechanisms for transparency into data access and control over data processing activities.
7. **Security Integration:** Security and privacy must be primary design criteria for all products.
### Recommended Practices (Controls for Enhanced Compliance)
1. **Access Transparency Utilization:** Enable and review near real-time logs of rare instances when Google Cloud administrators access customer content (via Access Transparency).
2. **Access Approval Implementation:** Utilize Access Approval to actively approve or dismiss requests for access by Google employees supporting the service.
3. **Control Center Configuration:** Use the Transparency & Control Center to enable/disable data processing that supports features like recommendations and insights at the organization and project level.
4. **Data Export Procedure:** Regularly utilize data export tools to exercise data portability rights when necessary.
## Affected Organizations
- Industries: Every industry relying on Google Cloud services, Google Workspace, or Google Workspace for Education.
- Organization Size: Not strictly delineated, applies to all organizational customers.
- Geographic Scope: Global, with specific attention paid to compliance mandates like GDPR (EU) and CCPA (California).
## Compliance Timeline
- 2018: Implementation of Access Transparency.
- November 27, 2020: Effectiveness of the new Google Cloud Privacy Notice detailing Service Data processing.
- Summer (Prior to post date): Achieved accredited ISO/IEC 27701 certification as a data processor for Google Workspace and Google Cloud.
- Ongoing: Continuous work to maintain commitments as the global privacy landscape evolves.
## Implementation Guidance
### Assessment Phase
- Review existing contractual agreements (Data Processing Terms) against the Google Cloud Enterprise Privacy Commitments.
- Identify which data types (Customer Data vs. Service Data) are in use and how they are processed.
### Implementation Phase
- Enable and configure Access Transparency and Access Approval features for enhanced visibility and control over administrator access.
- Utilize the Transparency & Control Center to manage organizational-level data processing settings for recommendations and insights.
- Ensure operational procedures align with the data export and portability capabilities provided.
### Validation Phase
- Conduct regular audits of Access Transparency logs.
- Leverage accredited third-party certifications (like ISO/IEC 27701) to validate the provider's commitment during internal or external audits.
## Technical Requirements
1. **Access Transparency Logs:** Near real-time logging of rare administrator access to customer content.
2. **Access Approval Mechanism:** Functionality allowing customers to approve or deny specific data access requests from Google employees.
3. **Data Export Tools:** Availability of tools for exporting customer and user data (e.g., Google Takeout, data export tool for Workspace).
4. **Granular Audit Logs:** Providing detailed logs for activity within Google Workspace environments.
## Penalties & Enforcement
The article emphasizes the provider's commitment to compliance, particularly regarding regulations like GDPR. Penalties are implied to stem from non-compliance with these binding regulations:
- Fines: Not specified directly, but non-compliance with GDPR can result in significant statutory fines imposed by supervisory authorities.
- Other Consequences: Contractual liability based on breaches of the Google Cloud Enterprise Privacy Commitments.
- Enforcement: Enforcement pathways are dictated by the respective laws (e.g., EU Data Protection Authorities for GDPR) and contract law governing the provider-customer relationship.
## Related Standards
- **GDPR (General Data Protection Regulation):** Explicitly mentioned as a regulation the provider is committed to complying with, particularly concerning data portability.
- **CCPA (California Consumer Privacy Act):** Mentioned regarding support for data portability requirements.
- **ISO/IEC 27701:** Achieved accredited certification as a data processor, validating privacy management practices.
## Resources
- Official Documentation: Google Cloud Enterprise Privacy Commitments ([cloud.google.com/privacy](https://cloud.google.com/privacy))
- Guidance Documents: Google Cloud Privacy Notice (Effective Nov 27, 2020)
- Tools: Access Transparency, Access Approval, Transparency & Control Center, Data Export Tool/Google Takeout.
## Practical Recommendations
1. **Review Control Adoption:** Immediately review and activate Access Transparency and Access Approval across the cloud environment for maximum governance.
2. **Document Data Flows:** Map how Customer Data and Service Data are used and ensure internal processes align with the "no selling/no ad profiling" commitment.
3. **Leverage Certifications:** Use the provider's ISO/IEC 27701 certification to simplify elements of your own entity's privacy auditing process.
4. **Prepare for Portability:** Maintain up-to-date procedures for using the provided export tools to meet potential data subject access requests under regulatory mandates.