Google touts additional Workspace controls for users in Europe

- Advertisement -

Google has announced a package of additional controls for users of its Google Workspace Productivity Suite (née G Suite), in Europe, which will be deployed by the end of this year and next.

- Advertisement -

It says that this additional control will allow organizations – both public and private sectors – to “control, restrict and track data transfers to and from the EU starting in late 2022,” announcing the new capabilities in a blog post.

- Advertisement -

The move appears to be in response to heightened legal risk associated with the export of personal data – following a landmark EU ruling in July 2020 – that could weaken regional use of U.S. cloud services.

Earlier this year, a number of data protection agencies have launched coordinated enforcement efforts aimed at the use of cloud services by public sector entities to ascertain whether adequate data protection measures are in place, including when data is exported outside the block. And the European Data Protection Board (EDPB), which is leading the action, is due to publish a “state of the game” report before the end of 2022, in line with Google’s timetable for rolling out (some) new controls.

- Advertisement -

In addition, data protection agencies have ruled in recent months that certain uses of tools such as Google Analytics are inconsistent with the block’s privacy laws.

Google calls the new additional features that users in Europe will get “sovereign control over Google Workspace” in what also sounds like a conscious echo of what EU legislators like to call “digital sovereignty.”

EU lawmakers use this language to talk about the region gaining autonomy over digital infrastructure, much of which is provided by US tech firms. But here Google seems to be trying to create an alternative version of “sovereignty”, assuming that only technical measures and user configurations can provide sufficient autonomy for the EU, regardless of the fact that the technology itself is still supplied by the American giant in hopes that customers in the block will continue to buy his instruments.

“European organizations are increasingly moving their operations and data to the cloud to enable collaboration, add business value and move towards hybrid work. However, the cloud solutions that underpin these powerful capabilities must meet the organization’s critical requirements for security, privacy, and digital sovereignty. We often hear from politicians and business leaders in the European Union that securing the sovereignty of their cloud data through regionalization and additional control over administrative access is critical in this evolving environment,” the blog post reads.

“Today we are announcing Sovereign Controls for Google Workspace, which will provide organizations in both the public and private sectors with digital sovereignty capabilities to control, restrict and monitor data transfers to and from the EU starting at the end of 2022, with additional capabilities delivered throughout 2023. This commitment is based on our existing client-side encryption, data regions, and access control capabilities.”

What additional features has Google announced now? An expansion of client-side encryption that Google has announced for Workspace is expected in the near future. last summer.

“Organizations can use client-side encryption universally for all of their users, or create rules that apply to specific users, organizational units, or shared drives,” says Google. “Client-side encryption is now publicly available for Google Drive, Docs, Sheets, and Slides, with plans to expand functionality to Gmail, Google Calendar, and Meet by the end of 2022.”

Google is also announcing greater control over data location, although its timeline for expanding this capability is slower and is set for “by the end of 2023.”

“Data regions already allow our customers to control where their stored data is stored at rest,” he writes, adding, “By the end of 2023, we will expand this capability by expanding the scope of data storage and processing in the region along with the in-country copy.”

There will also be more access controls – to meet what Google calls “evolving digital sovereignty standards.”

It states that these inbound access controls will allow clients to:

  • Restrict and/or approve access to Google Support using access approval;
  • Limit customer support to EU help desk personnel with access control;
  • Get 24/7 support from Google engineers when you need it with remote virtual desktop infrastructure;
  • Generate “comprehensive” log reports on data access and activities with Access Transparency.

But, again, these additional controls will not appear until late 2023.

Google isn’t starting from scratch here – by tracking the inbox.”data sovereignty control” to users from the EU last fall, when he also spoke about the provision of cloud services on “European conditions“.

Although, of course, the bloc’s regulators will have to judge whether what it proposes meets the required legal standard for the data streams in question, er, legally.

Google typically argues that hybrid work complicates the legal requirement to “retain control of data wherever it resides” before proposing its “cloud architecture” approach (which points out that Google Workspace “functions entirely in the browser, requiring no caches”). or installed software on employees’ devices”), combined with a context-aware (“zero-trust”) approach to security that works by geofencing users and devices, as well as controls for administrators to set sharing boundaries and define rules, regulating user communications can help its customers navigate these changing legal waters while maintaining the core collaboration features of the software.

The use of U.S. cloud services in the EU has been shrouded in legal uncertainty for a number of years. July 2020 when the bloc’s top court overturned the flagship EU-US privacy treaty over a fatal clash between US surveillance law and EU privacy rights.

For four years, Privacy Shield has made it easier to export data from the EU to the US with a self-certification system to authorize the export of Europeans’ personal data. But this regime ended with the CEU strike in July 2020.

And while the court did not completely ban data exports, it made other transfer mechanisms (such as standard contractual clauses) more difficult to use by making it clear that regional data protection agencies have an obligation to intervene and suspend data transfers if they believe that European information is flowing to its destination. where it is at risk. (Subsequently EDPB released management about so-called “additional measures” that can help increase the level of protection, such as strong encryption.)

The fact that CJEU violated the EU-US Privacy Shield made it clear that the US is a risky place for EU data – hence Since then, cloud services in the US have been in the spotlight..

While the court ruling was not immediately followed by orders to stop data flows, EU agencies have in recent months stepped up actions and measures to enforce data transfer rules. European data protection inspector hit the European Parliament at the beginning of this year for example, through a COVID-19 testing booking website (which used Google Analytics and included code for Stripe).

Another subsequent solutions data controllers also disagree with the use of certain Google tools.

The CJEU ruling follows Snowden’s 2013 disclosure of NSA whistleblower Edward Snowden, who released details of the US government’s mass surveillance programs using commercial digital services — revelations that also caused a previous EU-US data transfer deal, Safe Harbour, was shot down in 2015 on earlier litigation.

So, while the EU and the US announced a political agreement to replace the Privacy Shield in March of this year, a third attempt to bridge the same legal split will no doubt face a new lawsuit. And the chances of Privacy Shield 2.0 passing the CJEU’s assessment look pretty slim unless there’s a major reform of US surveillance law (which doesn’t seem to be on the table).

All of this makes Google’s strategy of offering its customers in the EU an expanding set of technical and organizational measures (such as client-side encryption, data localization, and other ad hoc controls such as EU tech support) look like a reasoned attempt to find a way to protect and protect important business data flows in the eyes of EU regulators, regardless of any political deal on paper. (Although his blog post also notes that Google Cloud will “creation of protection” proposed by the new EU data transfer structure, available “after its implementation” (event probably in a few more months))

“We remain committed to providing our customers in Europe and around the world with powerful technical solutions that help them adapt and stay on top of the rapidly changing regulatory landscape. We designed and built Google Workspace to work on a trusted basis, providing options to keep our users safe, protect their data, and keep their information private. Digital Sovereignty is the foundation of our ongoing mission in Europe and beyond, and a guiding principle that customers can rely on now and in the future,” adds Google.

Discussing the tech giant’s statement, Dr. Lukasz Oleinikan independent researcher and cybersecurity consultant from Europe, describes the latest development as “an interesting evolution of a product and service” that he estimates is almost certainly motivated by EU law and policy.

“This appears to directly support the EDPB recommendations, which also reflect my previous analysis. In particular, support for the use of specific technical and organizational settings,” he suggests. “On the technical side, the processing must be supported by client-side encryption in such a way that the keys never leave the premises of the EU-based company. Ability to encrypt on the client side already suggested by Workspace. Today, it can still seem a little unwieldy – and it’s not clear if the new controls will make anything easier. Will hope. However, it seems that this universal control is new.”

“The expansion of data centers in the country is an expected development, but an additional one that will support the decision of the European Court of Justice,” he also tells us, adding: “What is still missing is easy-to-use and convenient data access control. . Just like the data in Google Docs. For example, today it is far from easy to list all shared documents, remove some sharing settings. Expecting people to do this file by file for individual files is far from applicable at scale. This should be simplified and not based on individual files. It seems that – maybe! – can a new access control feature help here? How this works in practice remains to be seen.”

Credit: /

- Advertisement -

Stay on top - Get the daily news in your inbox

DMCA / Correction Notice

Recent Articles

Related Stories

Stay on top - Get the daily news in your inbox