Google is joining Microsoft in its attempts to tackle EU concerns regarding data sovereignty, but some privacy experts are yet to be convinced by the move.
Sovereignty concerns where your data lives, a significant issue as companies make their way into the cloud. The thought of EU citizens’ data ending up somewhere subject to the US Cloud Act, and therefore accessible by US lawmakers, has left local policymakers uneasy.
Enter Sovereign Controls for Google Workspace, an attempt to show the EU that its productivity and collaboration tools won’t fall foul of the guidance. The tools are designed to monitor the transfer of data to and from the EU and will be available from the end of 2022 with extra goodies due to be delivered during 2023.
It could be a bit too little, too late for regulators, who are already jumpy about what exactly Google is doing with data either pulled from or input by users.
In the short term, the company is betting on its approach to encryption to deal with worries over sovereignty. “Google Workspace,” the company said, “already uses the latest cryptographic standards to encrypt all data at rest and in transit between our facilities.”
“Google never has access to the keys or key holders, which means the data is indecipherable to us and we have no technical ability to access it.”
“The European Data Protection Board recommendations include encryption as part of the supplementary measures to protect data.”
Encryption you say? Not enough…
However, encryption alone does not deal fully with sovereignty. The company’s client-side encryption feature means that customers can hold the keys to their data wherever they like, thus “retaining complete confidentiality and control,” but the fact remains that the exact location of that data while processing is not always clear.
While an organization can roll out encryption over specific users or organizational units, and create rules to govern the implementation, only Google Drive, Docs, Sheets, and Slides can take advantage of the functionality. Gmail, Calendar, and Meet won’t get it until the end of 2022.
Customers can control the location of data at rest via the company’s Data Regions functionality. However, it will take until the end of 2023 before Google includes processing in-region with in-country copy.
Google has also stated it will implement a series of new access controls by the end of 2023 that will include the limiting of customer support to EU-based support staff as well as ensuring round-the-clock engineering support from Google engineering staff.
“Sovereign Controls for Google Workspace will deliver digital sovereignty through a comprehensive set of capabilities for organizations working in and across EU regions,” said the search giant.
“In parallel, Google Cloud will continue to provide customers with legal mechanisms for international data transfer, which will include making the protections offered by the new EU data transfer framework available once it is implemented.”
This sounds a lot like the updated successor to the original Privacy Shield.
The Register asked the gang at Mountain View how the encryption approach would square with the EU’s sovereignty needs, but it merely reiterated the comments above.
Dr Michael Veale, associate professor in Digital Rights and Regulation at the Faculty of Laws, University College London, noted that: “If done correctly, client-side encryption is one of the only methods that seems to reliably allow data to be transferred under European law to the United States using ‘standard contractual clauses’.
“Effectively, the Court of Justice of the European Union said in Schrems II that given the NSA’s activities, transfers are only possible with safeguards that undermine these activities – such as ensuring that if the NSA requests data from Google, Google cannot, even if legally required, supply personal data,” he told The Register.
Google’s statement that data is encrypted (via client-side encryption) both in transit and at rest, and that it does not have the technical ability to access it means, according to Veale, that “it has a much better chance of surviving a court challenge.”
“The question of sovereignty is a different one, however, from data transfers,” he said.
“If sovereignty is about escaping the decision-making influence of Google and similar, then what is happening here is Google is working out how to decouple the data transfer debate from the sovereignty debate – effectively, how to make the GDPR less of a data sovereignty tool for EU states.
“This may not satisfy states, who have other strategic reasons for sovereignty. For one thing, if Google runs your services, even encrypted, and you find yourself on the wrong end of US sanctions, then that’s a situation you’d rather not be in.”
It’s worth noting that Google’s Sovereign Controls only applies to its Workspace platform at the moment. Rivals such as Microsoft have their own plans in progress. The Redmond team intends to implement its own EU Data Boundary by the end of 2022, with a promise that customers can store and process their data on EU shores.
Otherwise there are plenty of EU cloud providers more than happy to tick the sovereignty box for customers concerned about their data. ®