Safeguards for international data transfers with Google Workspace and Workspace for Education

Disclaimer

The content contained herein is correct as of August 2021, and represents the status quo as of the time it was written. Google Cloud's security policies and systems may change going forward, as we continually improve protection for our customers.

Introduction

This whitepaper explains some of the safeguards and supplementary commitments that Google Cloud offers to protect and enhance your[1] control of your customer data in Google Workspace and Google Workspace for Education.

We are providing this information to assist you with any assessment of Google Cloud data transfers you may need to complete in light of the European Data Protection Board (EDPB) Recommendations on Supplementary Measures issued following the Court of Justice of the European Union's (CJEU) ruling known as Schrems II. We have also included information about United States laws to aid you with any such assessment.

The CJEU’s Schrems II ruling invalidated the European Commission’s Decision underlying the EU-U.S. Privacy Shield Framework but did not invalidate EU Standard Contractual Clauses (SCCs, also known as Model Contractual Clauses), a mechanism by which personal data can be transferred to so-called “third countries” outside of the EEA[2] in compliance with the strict requirements imposed by EU data protection law regarding international data transfers.

[1] In this whitepaper, “You/your” refers to Google Workspace for Education / Google Workspace customers
[2] Equivalent mechanisms exist under the UK GDPR and the Swiss Federal Data Protection Act for transfers to third countries outside the UK and Switzerland respectively.

In the Schrems II case, the CJEU ruled that anyone transferring (i.e. exporting) personal data out of the EU to a third country (i.e. the country of import) in reliance on SCCs should assess whether that third country provides protection essentially equivalent to that guaranteed by EU law in order to determine whether the SCCs can ensure an adequate level of protection in practice. In other words, in order to transfer personal data based on SCCs, the data exporter and importer should assess whether the laws in the relevant third country provide the adequate level of protection otherwise provided by the SCCs. Although it is uncertain whether in specific circumstances SCCs alone will ensure the protection required by EU law, the CJEU indicated that “supplementary measures”, when used with SCCs, could establish an adequate level of protection.

The EDPB’s Recommendations on Supplementary Measures align with our long standing practices and we are glad to reaffirm our commitment to continue to invest in critical areas and to help Google Cloud customers protect their data and navigate their compliance journey when using our services and in light of the EDPB's Recommendations. Our customers own their data and we believe they should have the strongest levels of control over data stored in the cloud. Our public cloud empowers customers with world-class levels of visibility and control over their data through our services. This includes thorough technical safeguards and other offerings, such as the ability to store certain data in the European region and manage access to content, encryption keys, and transparency to actions taken by Google staff, to name a few.

This whitepaper provides information on the tools and resources offered by Google Cloud to help Google Cloud customers assess their compliance needs related to transfers of their EU personal data. However, please note that, as a provider of cloud services, we are not in a position to provide our customers with legal advice - this is something only legal counsel can provide.

1 Technical safeguards

Encrypting data in transit and at rest

Encryption is an important piece of the Google Workspace for Education / Google Workspace security strategy, helping to protect your emails, chats, video meetings, files, and other data. First, we encrypt certain data as described in our Google Workspace Encryption whitepaper while it is stored “at rest” — stored on a disk (including solid-state drives) or backup media. Even if an attacker or someone with physical access obtains the storage equipment containing your data, they won’t be able to read it because they don’t have the necessary encryption keys. Second, we encrypt all customer data while it is “in transit” — traveling over the Internet and across the Google network between data centers. Should an attacker intercept such transmissions, they will only be able to capture encrypted data. We’ll take a detailed look at how we encrypt data stored at rest and data in transit below.

Google has led the industry in using Transport Layer Security (TLS) for email routing, which allows Google and non-Google servers to communicate in an encrypted manner. When you send email from Google to a non-Google server that supports TLS, the traffic will be encrypted, preventing passive eavesdropping.

We believe increased adoption of TLS is so important for the industry that we report TLS progress in our Email Encryption Transparency Report. We also improved email security in transit by developing and supporting the MTA-STS standard allowing receiving domains to require transport confidentiality and integrity protection for emails.

Google Workspace customers also have the extra ability to only permit email to be transmitted to specific domains and email addresses if those domains and addresses are covered by TLS. This can be managed through the TLS compliance setting.

For further information on encryption, please see our Google Workspace Encryption whitepaper.

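
The sender-side check that MTA-STS makes possible, as an added example (not Google's code and not part of the original whitepaper): it parses a policy file in the RFC 8461 format and decides whether a message may be handed to a given MX host. The domain example.com, the sample policy, the function names and the decision labels are constructed for illustration.

```python
"""Added example: sender-side evaluation of an MTA-STS policy (RFC 8461)."""

MAX_AGE_LIMIT = 31557600  # upper bound RFC 8461 places on max_age (seconds)

# Constructed sample policy, as a receiving domain would publish it at
# https://mta-sts.<domain>/.well-known/mta-sts.txt (example.com is a placeholder).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mx.example.com
max_age: 604800
"""


def parse_policy(text):
    """Parse and validate the key/value lines of an MTA-STS policy file."""
    fields, mx = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())       # "mx" is the only repeatable key
        else:
            fields.setdefault(key, value)  # later duplicates are ignored
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    max_age = fields.get("max_age", "")
    if not (max_age.isascii() and max_age.isdigit()) or int(max_age) > MAX_AGE_LIMIT:
        raise ValueError("invalid max_age")
    if mode != "none" and not mx:
        raise ValueError("policy lists no mx hosts")
    return {"mode": mode, "mx": mx, "max_age": int(max_age)}


def mx_allowed(host, patterns):
    """True if the MX host matches a policy pattern."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            # A wildcard stands for exactly one left-most label.
            first, _, rest = host.partition(".")
            if first and rest == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy, mx_host, tls_valid):
    """Return a (hypothetical) label for what the sending MTA should do.

    tls_valid means STARTTLS succeeded and the certificate validated for
    mx_host; how that is established is outside this example.
    """
    if policy["mode"] == "none":
        return "deliver"
    if mx_allowed(mx_host, policy["mx"]) and tls_valid:
        return "deliver"
    # enforce: never fall back to an unlisted host or unauthenticated channel.
    # testing: deliver anyway, but record the failure for TLS reporting.
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"
```

In enforce mode a failed certificate check or an unlisted MX host blocks delivery to that host instead of silently downgrading to cleartext, which is the property a passive-eavesdropping defence alone does not give.
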
Access control

Google Workspace / Google Workspace for Education has implemented several types of controls designed to ensure that each of the data access pathways functions as intended:

1. Client Side Encryption
We’re taking encryption a step further in Workspace by giving customers direct control of encryption keys and the identity service they choose to access those keys. With client-side encryption, customer data is indecipherable to Google, while users can continue to take advantage of Google’s native cloud-based collaboration, access content on mobile devices, and share encrypted files externally. This capability is currently available in Public Beta for Google Drive, Docs, Sheets, and Slides with plans to extend it to other Workspace services. Customers can also benefit from third-party solutions that offer end-to-end client side encryption for Gmail.

2. Direct Customer Access
All authentication sessions to Google Workspace are encrypted and users can only access the services enabled by their Domain Administrator.

3. Internal Google access by authorized individuals
Google implements strict access controls to ensure the person accessing the data is authorized to do so and validates that a business justification for access is provided. The justification is made visible to the customer through Access Transparency Logs[3].

4. Service Access
Google uses technologies like Binary Authorization to ensure the provenance and integrity of software allowed to access customer data.

In addition to the above controls, Google Workspace for Education Standard and Education Plus editions / Google Workspace customers can use Context-Aware Access[4] to create granular access control policies to apps based on attributes such as user, location, device security status, and IP address. Based on the BeyondCorp security model developed by Google, users can access web applications and infrastructure resources from virtually any device, anywhere, without utilising remote-access VPN gateways while administrators can establish controls over the device. Access decisions are not based solely on static credentials or whether they originate from a corporate intranet. The complete context of a request (user identity, location, device ownership and configuration, and fine-grained access policies) is evaluated to determine its validity and guard against phishing attempts and credential-stealing malware.

[3] For those services integrated with Access Transparency. Access Transparency is available to Google Workspace for Education Standard or Education Plus edition license
[4] Using context-aware access capabilities to protect access to Google Workspace apps requires a Cloud Identity Premium, Enterprise Standard, or Enterprise Plus license.

State of the Art Security

Understanding our Security Infrastructure Design may facilitate any compliance assessment you need to complete of Google Workspace for Education / Google Workspace services. Google has a global scale technical infrastructure designed to provide security through Google’s entire information processing life cycle. Specifically, this infrastructure is designed to provide secure deployment of services, secure storage of data with end user privacy safeguards, secure communications between services, secure and private communication with customers over the internet, and safe operation by administrators.

The security of the infrastructure is designed in progressive layers starting from the physical security of data centers, continuing on to the security of the hardware and software that underlie the infrastructure, and finally, the technical constraints and processes in place to support operational security.

At Google, all employees are required to think "security first". Google employs many full-time security and privacy professionals, including some of the world’s leading experts in information, application, and network security. To ensure Google stays protected, we incorporate security into our entire software development process. This can include having security professionals analyze proposed architectures and perform code reviews to uncover security vulnerabilities and better understand the different attack models for a new product or feature.

Google commits to implementing and maintaining technical and organisational measures providing a specified level of security that is approved by the customer. We will continue to innovate to provide customers with the best technology to protect the security and privacy of their information, including technical solutions that give customers greater control of their own data, and to support legal reforms that promote rather than undermine such innovation. In line with our Trust Principles, we never give any government "backdoor" access.

Google guarantees that its technical measures will include measures to encrypt personal data; to help ensure ongoing confidentiality, integrity, availability and resilience of Google’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. Google further commits to notifying customers of any data incidents without undue delay.

Google exceeds GDPR requirements by committing to offer additional security controls which customers can use as they determine. These controls include an admin console, encryption capabilities, logging and monitoring capabilities, identity and access management, security scanning, and firewalls. For details, see the “Technical safeguards” section of this whitepaper above.

Google also exceeds GDPR requirements by committing to maintain various rigorous third-party certifications as well as detailed third party audit reports. For more information, see the “Third party certifications and compliance offerings” section of this whitepaper below.

Data Residency

Our customers who wish to have more control over the geolocation of their data can use Data Regions. Data Regions for Google Workspace for Education Standard and Education Plus editions, and Google Workspace Enterprise provide control over the geolocation for storage of email messages, documents, and other Google Workspace for Education / Google Workspace content[5]. Customers can choose to store their covered data in the United States or Europe or globally, and can customize this for groups within their organization.

For Google Workspace for Education / Google Workspace’s data location commitments, please see our Service Specific Terms. Additionally, with the advent of client-side encryption (see Access Controls section, above), customers can now keep keys in their preferred geo-location for the products in scope.

[5] Refer to this guidance for a list of data and services covered by Data Regions.

2 Legal safeguards

Google Cloud’s data protection terms offer strong legal protections:

● New SCCs.
On 4 June 2021, the European Commission issued modernized SCCs for transfers of personal data under the GDPR, and from late September 2021 Google introduced these into its compliance offering, along with separate UK SCCs, for all new and existing Google Workspace customers (ahead of the 27 December 2022 deadline set by the Commission for transitioning existing customers to the new EU SCCs). Learn more in the Google Cloud’s Approach to the New EU Standard Contractual Clauses whitepaper.

● Compliant data transfers.
Under Google’s updated Data Processing Amendment for Google Workspace, and for as long as no alternative transfer solution is available:
  ○ customers in the EEA, UK and Switzerland can rely on Google to legitimize transfers of their customer data by entering (and publishing) SCCs with subprocessors, meaning those customers do not enter SCCs themselves;
  ○ other customers in Europe, the Middle East and Africa (EMEA) will automatically enter the appropriate SCCs; and
  ○ customers outside EMEA whose use of Google Cloud services is subject to the GDPR, the UK GDPR or Swiss Federal Data Protection Act will enter the appropriate SCCs once they certify via the admin console that they are subject to these laws.

● Processing in accordance with instructions.
Google commits to processing customer data as instructed by the customer and consistent with our obligations under applicable law.

● Security commitments.
Google commits to implementing and maintaining technical and organizational measures providing a specified level of security that is approved by the customer. Google guarantees that those measures will include measures to encrypt personal data; to help ensure ongoing confidentiality, integrity, availability and resilience of Google’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. Google further commits to notifying customers of any data incidents without undue delay.

● Additional security controls.
Google exceeds GDPR requirements by committing to offer additional security controls which customers can use as they determine. These controls include an admin console, encryption capabilities, logging and monitoring capabilities, identity and access management, security scanning and firewalls. For details, see the “Technical safeguards” section of this whitepaper above.

● Certifications and audit reports.
Google also exceeds GDPR requirements by committing to maintain various rigorous third-party certifications as well as onerous third-party audit reports. For details, see the “Third-party certifications and compliance offerings” section of this whitepaper below.

3 Organizational safeguards

Government Requests for Data

The EDPB’s recommendations introduce a risk-based approach under which data exporters should assess the level of risk to fundamental rights that a certain transfer would entail in practice.

Our Transparency Report discloses, where permitted by the applicable laws, the number of requests made by law enforcement agencies and government bodies for Enterprise Cloud customer information. The historical numbers disclosed in our report for Enterprise Cloud requests for customer information show that the number of Enterprise Cloud-related requests is extremely low compared to our Enterprise Cloud customer base and therefore, that the likelihood of Enterprise Cloud customer information data being affected by these types of requests is low.

We also work hard to give our customers a clear and detailed understanding of our process for responding to government requests for Cloud customer data in rare cases where they do happen. This process can be summarized as follows:

If a government seeks customer data during the course of an investigation, Google will typically inform the government that it should request the data directly from the customer in question. If the government nonetheless compels Google to respond to a request for customer data, a dedicated team of Google lawyers and specially trained personnel will carefully review the request to verify that it is lawful and proportionate, following these guidelines:

1. Respect for the privacy and security of data you store with Google
When we receive a government request for customer data, our team reviews it to make sure it satisfies applicable legal requirements - including under the new EU SCCs - and Google's policies. Generally speaking, for us to produce any data, the request must be made in writing, signed by an authorized official of the requesting agency and issued under an appropriate law. If we believe a request is overly broad, we'll seek to narrow it.

2. Customer notification
We will notify the customer before any of their information is disclosed unless such notification is prohibited by law or the request involves an emergency, such as an imminent threat to life. We will provide delayed notice to the customers if a legal prohibition on prior notification is lifted, such as when a statutory or court ordered disclosure prohibition period has expired. This notification typically goes to the Google Cloud customer’s point of contact.

3. Consideration of customer objections
Google will, to the extent allowed by law and by the terms of the government request, comply with a customer’s reasonable requests regarding its efforts to oppose a request, such as the customer filing an objection to the disclosure with the relevant court and providing a copy of the objection to Google. If Google notifies the customer of a legal request by the US government and the customer subsequently files an objection to disclosure with the court and provides a copy of the objection to Google, Google will not provide the data in response to the request if the objection is resolved in favor of the customer. Other jurisdictions may have different procedures and are handled on a case-by-case basis.

We also recognize that the Schrems II decision has generated uncertainty about the impact of United States law on data transfers and on the role of Google LLC, a US company, as the data importer under SCCs entered to protect Google Cloud customer data. Many customers have questions about the classification of Google Cloud and our services under US law as well as specific questions around (EO 12333) and Title 50 United States Code (U.S.C.) § 1881a (FISA 702), both of which were considered by the CJEU. To address these issues, we have set out specific information about those laws and their application to Google Cloud products below.

Specific intelligence activities conducted under EO 12333 are subject to more specific implementing procedures (which may be classified) that include safeguards and protections appropriate to that type of intelligence activity. EO 12333 primarily governs intelligence activities that occur outside the US. EO 12333 is understood to permit the US to conduct electronic surveillance outside the US consistent with US legal requirements; it does not authorise electronic surveillance within the US nor does it impose requirements on service providers inside or outside the US.

Section 702 is a provision of the FISA Amendments Act of 2008 (FAA) that permits the U.S. government to conduct targeted surveillance of foreign persons located outside the United States, with the compelled assistance of “electronic communication service providers” (as defined by 50 U.S.C. § 1881(b)(4)). Two programmes authorized under Section 702 of the FAA are referred to as “Upstream” and “Downstream”.

Section 702 Upstream authorizes U.S. authorities to collect data travelling over internet “backbone” infrastructure controlled by electronic communication service providers in the U.S. (e.g. U.S. telecom providers). To the extent any Google Cloud customer data traverses networks subject to Upstream 702 collection, that data is encrypted in transit as described above.

Section 702 Downstream authorizes U.S. authorities to obtain targeted data directly from electronic communication service providers. To the extent Google LLC may receive targeted requests relating to Google Cloud customer data under Downstream 702, we carefully review each request in accordance with the guidelines described above to make sure the request satisfies all applicable legal requirements and Google’s policies.

To learn more about how we handle government requests for data, please see our whitepaper (Government requests for customer data: controlling access to your data in Google Cloud), our policy page (policies.google.com/terms/information-requests), and our regularly-updated Transparency Report (https://transparencyreport.google.com/user-data/us-national-security?hl=en), which was the first report of its kind to be published by a cloud provider.

4 Third-party certifications, compliance offerings, and customer commitments

Regulations such as GDPR place significant emphasis on enterprises knowing how their data is being how security incidents will be managed.

Google Cloud has dedicated teams of engineers and compliance experts who support our customers in meeting their regulatory compliance and risk management obligations. Our approach includes collaborating with customers to understand and address their specific regulatory needs. Together with our reports and certifications, we assist our customers in documenting an integrated controls and governance framework.

For customers in certain regions or customers operating in certain regulated verticals, we allow customers to conduct audits to validate Google’s security and compliance controls. Our products regularly undergo independent verification of their security, privacy, and compliance controls, achieving certifications, attestations of compliance, or audit reports against standards around the world.

We’ve also created resource documents and mappings against frameworks and laws where formal certifications or attestations may not be required or applied. Certifications such as those as well our SOC 3 Audit Report, may also help customers in meeting requirements of the GDPR.

For our existing customers who want to learn more about Google’s Security, we would be happy to make a detailed SOC 2 report available via the Compliance Reports Manager. You can see a full listing of all of our compliance offerings in our Compliance Resource Center. For details of some of the supplementary commitments we offer beyond the certifications please visit our Trust Principles and Enterprise Privacy Commitments.

Conclusion

We are committed to providing and continuing to advance technical, legal, and organizational safeguards that will support any Google Cloud customers assessing the risk of international data transfers.

We firmly believe that Google Cloud’s SCCs, along with the safeguards and commitments discussed above, provide our customers with adequate protection for transfers of their data.

We hope this whitepaper is helpful for any customers conducting compliance risk assessments, but encourage all customers to consult with legal counsel as this whitepaper should not be used as a substitute for legal advice.

© 2021 Google LLC 1600 Amphitheatre Parkway, Mountain View, CA 94043.