The package of additional controls for users of Google's productivity suite will be rolled out in Europe by the end of this year and next.

Organizations in both the public and private sectors will be given extra capabilities to control, limit, and monitor transfers of data to and from the EU.

Following a landmark EU legal ruling in July 2020, the move looks to respond to heightened legal risk around exports of personal data.

A number of data protection agencies kicked off a coordinated enforcement action focused on public sector bodies' use of cloud services, with the goal of investigating whether adequate data protection measures are applied, including when data is exported out of the bloc. The European Data Protection Board is due to publish a state of play report by the end of the year.

In the last few months, there have been decisions by data protection agencies finding certain uses of tools like Google Analytics to be incompatible with the bloc's privacy laws.

It sounds like a conscious echo of a concept that EU lawmakers like to refer to as.

Much of the digital infrastructure in the region is supplied by US tech firms. The internet giant is pushing the idea that technical measures and user configurations alone can provide enough autonomy for the EU.

European organizations are moving their operations and data to the cloud in increasing numbers to enable collaboration, drive business value, and transition to hybrid work. The cloud solutions that underpin these powerful capabilities must meet an organization's critical requirements for security, privacy, and digital sovereignty. Ensuring the sovereignty of their cloud data, through regionalization and additional controls over administrative access, is crucial in this evolving landscape, and we often hear from European Union policymakers and business leaders.

Digital sovereignty capabilities for organizations, both in the public and private sector, to control, limit, and monitor transfers of data to and from the EU will be provided by the new Sovereign Controls for Google Workspace.

What are the new capabilities that have been announced by Google? There is an expansion of the client-side encryption that was announced by the company last summer.

Organizations can choose to use Client-side encryption pervasively across all their users, or create rules that apply to specific users, organizational units, or shared drives.

The expansion of data location controls is slated to be done by the end of the year, but it is not expected to be complete until 2020.

Data regions already allow our customers to control the storage location of their covered data, and we will enhance this capability by the end of the year.

There will be more access controls to make sure that the standards are up to date.

Incoming access controls will allow customers to:

  • Restrict and/or approve Google support access through Access Approvals;
  • Limit customer support to EU-based support staff through Access Management;
  • Ensure round-the-clock support from Google Engineering staff, when needed, with remote-in virtual desktop infrastructure;
  • Generate “comprehensive” log reports on data access and actions through the Access Transparency function.

Extra controls are not coming until the end of the year.

Google trailed the incoming data sovereignty controls for EU users last fall, when it talked about offering cloud services in Europe.

It will be for the bloc's regulators to decide if what it offers meets the legal standard for the data flows in question.

It specifies that hybrid working complicates a legal requirement to retain control of data wherever it resides.

In July of 2020, the EU's top court struck down the flagship EU-US Privacy Shield data transfer agreement over a fatal clash, and data transfers have been shrouded in legal uncertainty for a number of years.

Privacy Shield simplified EU to US data exports with a self-certification system to authorize exports of Europeans' personal data. The July 2020 strike down ended that regime.

The court made it clear that regional data protection agencies have a duty to step in and suspend data transfers if they believe European. Guidance on so-called supplemental measures that may help raise the standard of protection was put out by the EDPB.

Since the EU-US Privacy Shield was struck down, US-based cloud services have been in the picture.

EU agencies have stepped up their enforcement of the data transfers issue since the court ruling. At the start of this year, the European Data Protection Supervisor gave the European Parliament a smackdown over a COVID-19 testing booking website that used code for Stripe.

Data supervisors have taken issue with the use of certain tools.

The prior EU-US data transfer deal, Safe Harbor, was struck down in 2015, following the publication of details of US government mass surveillance programs.

While the EU and the US announced reaching a political agreement on a replacement for Privacy Shield this March, a third attempt to bridge the legal divide will face a fresh court challenge. The odds that Privacy Shield 2.0 will survive the assessment are fairly slim failing substantial reform of US surveillance law, which is not on the table.

The strategy of offering its customers in the EU an expanding bundle of technical and organizational measures is what makes it look like. An event still likely multiple months away is the fact that the new EU data transfer framework will be available once it is implemented by Google Cloud.

We are committed to giving our customers in Europe and across the globe powerful technical solutions that help them adapt to and stay on top of a rapidly evolving regulatory landscape. We have designed and built a secure workspace that allows us to keep our users safe, their data secure and their information private. Digital sovereignty is core to our ongoing mission in Europe and elsewhere, and a guiding principle that customers can rely on now and into the future.

Dr Lukasz Olejnik, an independent cybersecurity researcher and consultant based in Europe, describes the latest development as an interesting evolution of a product and service.

It seems to support the recommendations of the EDPB, which is in line with my previous analysis. He suggests support for specific technical and organizational setup. Workspace has a client-side encryption capability. It is not clear if the new controls would make it easier. Let's hope so. It appears that this all-in-one control is new.

He tells us that the expansion of in-country data centres is an expected development but that an additional one that would support the ECJ judgment is still lacking. Like the data in the internet giant. It is not easy to list all the shared documents and remove the sharing configuration. It's far from usable to expect people to do this for individual files. This should be simplified, not on a file basis. The new Access Control capability may offer help here. It's not clear how it works in practice.
