Google has announced a package of additional controls for users of its productivity suite, Google Workspace (neé G Suite), in Europe — which it’s rolling out by the end of this year and next.
It says these extra control will enable organizations — both public and private sector — to “control, limit, and monitor transfers of data to and from the EU starting at the end of 2022”, announcing the incoming capabilities in a blog post.
The move looks intended to respond to heightened legal risk around exports of personal data — following a landmark EU legal ruling in July 2020 — which risks putting a dampener on regional use of US cloud services.
Earlier this year, a number of data protection agencies kicked off a coordinated enforcement action focused on public sector bodies’ use of cloud services — with the goal of investigating whether adequate data protection measures are applied, including when data is exported out of the bloc. And the European Data Protection Board (EDPB), which is steering the action, is due to publish a ‘state of play’ report before the end of 2022 — matching Google’s timeline for rolling out (some of) the new controls.
There have also, in recent months, been decisions by data protection agencies finding certain uses of tools like Google Analytics to be incompatible with the bloc’s privacy laws.
Google is referring to the incoming extra capabilities users in Europe will gain as “Sovereign Controls for Google Workspace” — in what also sounds like a conscious echo of a concept that EU lawmakers like to refer to as “digital sovereignty”.
EU lawmakers use that phrasing to talk about the region gaining autonomy over digital infrastructure — much of which is supplied by US tech firms. But, here, Google looks to be trying to spin an alternative version of ‘sovereignty’ by suggesting that technical measures and user configurations alone can provide enough autonomy for the EU, regardless of the tech itself still being supplied by a US giant, in the hopes that customers in the bloc keep buying its tools.
“European organizations are moving their operations and data to the cloud in increasing numbers to enable collaboration, drive business value, and transition to hybrid work. However, the cloud solutions that underpin these powerful capabilities must meet an organization’s critical requirements for security, privacy, and digital sovereignty. We often hear from European Union policymakers and business leaders that ensuring the sovereignty of their cloud data, through regionalization and additional controls over administrative access, is crucial in this evolving landscape,” it writes in the blog post.
“Today, we’re announcing Sovereign Controls for Google Workspace, which will provide digital sovereignty capabilities for organizations, both in the public and private sector, to control, limit, and monitor transfers of data to and from the EU starting at the end of 2022, with additional capabilities delivered throughout 2023. This commitment builds on our existing Client-side encryption, Data regions, and Access Controls capabilities.”
What extra capabilities has Google announced now? In the near term, there looks to be an expansion of the client-side encryption which Google announced for Workspace last summer.
“Organizations can choose to use Client-side encryption pervasively across all their users, or create rules that apply to specific users, organizational units, or shared drives,” says Google. “Client-side encryption is now generally available for Google Drive, Docs, Sheets, and Slides, with plans to extend the functionality to Gmail, Google Calendar, and Meet by the end of 2022.”
Google is also announcing an expansion of data location controls — although its timeframe for this capability enhancement is slower, slated as coming “by the end of 2023”.
“Data regions already allow our customers to control the storage location of their covered data at-rest,” it writes, adding: “We will enhance this capability by the end of 2023 through expanded coverage of data storage and processing in-region along with an in-country copy.”
There will also be more access controls — to meet what Google couches as “evolving digital sovereignty standards”.
It says these incoming access controls will enable customers to:
- Restrict and/or approve Google support access through Access Approvals;
- Limit customer support to EU-based support staff through Access Management;
- Ensure round-the-clock support from Google Engineering staff, when needed, with remote-in virtual desktop infrastructure;
- Generate “comprehensive” log reports on data access and actions through the Access Transparency function.
But, again, these extra controls are not coming until the end of 2023.
Google is not starting from scratch here — having trailed incoming “data sovereignty controls” for EU users last fall, when it also talked about offering cloud services on “Europe’s terms“.
Although it will, of course, be for the bloc’s regulators to judge whether what it offers meets the required legal standard for the data flows in question to, er, legally flow.
Google generally argues that hybrid working complicates a legal requirement to “retain control of data wherever it resides” — before suggesting its approach, of “cloud-native architecture” (it specifies that Google Workspace “functions fully within a browser, without requiring caches or installed software on employee devices”) combined with a context-aware (“zero-trust”) approach to security which works by geofencing users and devices, plus controls for admins to let them set sharing boundaries and define rules that govern user communication, can help its customers navigate these choppy legal waters while still allowing the software’s core collaborative functions to work.
Use in the EU of cloud services from US-based companies has been shrouded in legal uncertainty for a number of years — most recently since July 2020 when the bloc’s top court struck down the flagship EU-US Privacy Shield data transfer agreement over a fatal clash between US surveillance law and EU privacy rights.
For the four years it stood, Privacy Shield simplified EU to US data exports with a self-certification system to authorize exports of Europeans’ personal data. But that regime ended with the July 2020 CJEU strike down.
And while the court did not outlaw data exports entirely, it did crank up the complexity of using other transfer mechanisms (such as standard contractual clauses) — making it clear that regional data protection agencies have a duty to step in and suspend data transfers if they believe European’s information is flowing to a destination where it’s at risk. (The EDPB subsequently put out guidance on so-called ‘supplementary measures’ that may help raise the standard of protection, such as robust encryption.)
The fact of the EU-US Privacy Shield being struck down by the CJEU made it plain that the US is a risky destination for EU data — hence US-based cloud services have been in the frame ever since.
And while the court ruling was not immediately followed by orders to cease data flows, EU agencies have been stepping up action and enforcements on the data transfers issue in recent months. The European Data Protection Supervisor gave the European Parliament a smackdown at the start of this year over a COVID-19 testing booking website (which used Google Analytics and included code for Stripe), for example.
Other subsequent decisions from data supervisors have similarly taken issue with use of certain Google’s tools.
The CJEU ruling followed the 2013 Snowden disclosures by NSA whistleblower Edward Snowden — who published details of US government mass surveillance programs tapping commercial digital services — revelations which also led to the prior EU-US data transfer deal, Safe Harbor, being struck down in 2015 by an earlier legal challenge.
So, while the EU and the US announced reaching a political agreement on a replacement for Privacy Shield this March, a third attempt to bridge the same legal schism will undoubtedly face a fresh court challenge. And the odds that Privacy Shield 2.0 survives the CJEU’s assessment look fairly slender, failing substantial reform of US surveillance law (which does not appear to be on the table).
All of which makes Google’s strategy — of offering its customers in the EU an expanding bundle of technical and organizational measures (such as client-side encryption, data localization and other bespoke controls like EU-based tech support) — look like a reasoned attempt to find a way to securing and future-proofing critical business data flows in the eyes of EU regulators, regardless of any political deal on paper. (Although its blog post also notes that Google Cloud will be “making the protections” offered by the new EU data transfer framework available “once it is implemented” (an event still likely multiple months away).)
“We remain committed to equipping our customers in Europe and across the globe with powerful technical solutions that help them adapt to, and stay on top of, a rapidly evolving regulatory landscape. We’ve designed and built Google Workspace to operate on a secure foundation, providing capabilities to keep our users safe, their data secure, and their information private. Digital sovereignty is core to our ongoing mission in Europe and elsewhere, and a guiding principle that customers can rely on now and into the future,” Google adds.
Discussing the tech giant’s announcement, Dr Lukasz Olejnik, an independent cybersecurity researcher and consultant based in Europe, describes the latest development as “an interesting evolution of a product and service” which he assesses as almost certainly motivated by EU law and policy.
“It appears to support directly the recommendations of EDPB, which also reflect my previous analysis. Specifically the support for using specific technical and organisational setup,” he suggests. “As for the technical side, the processing is to be supported by client-side encryption, in ways that keys never leave the premises of an EU-located company. Client-side encryption capability is already offered by Workspace. Today, it could still be seen as a bit cumbersome — and it is unclear if the new controls would make anything easier. Let’s hope so. Still, it appears that what’s new is this all-in-one control.”
“The expansion of in-country data centres is an expected development but an additional one that would support the ECJ judgment,” he also tells us, adding: “What’s still lacking is an easy-to-use and usable management of access to data. Like the data in Google Docs. For example, today it is far from simple to easily list all the shared documents, to remove some sharing configuration. To expect people to do this file-after-file, for individual files, is far from usable at a scale. This should be simplified, not on an individual file basis. It seems that — maybe! — the new Access Control capability may offer help here? How it works in practice remains to be seen.”