A large number of Google’s products could be greatly affected by the GDPR regulations due to come into effect in May 2018. All of Google’s personalized advertising will require its users to opt-in to extensive tracking. This will be applicable for Google’s own sites, such as Google Maps, Search, and YouTube, its entire G Suite (formerly Google Apps) Google Cloud Platform (GCP), as well as on websites where Google provides advertising.
The fact that a user has signed in to their Google account will not be enough to grant Google a ‘bundled’ consent across all of its services. As a result, Google is focusing on ‘ambient’ rather than ‘bundled’ consent. This means that it will look for users consent while they are using a product. This could operate similarly to how consent for cookies currently works, however, concern does exist around the creation of another interruption for the user.
Google has issued the following statement illustrating its commitment to GDPR compliance:
“We are working hard to prepare for the EU’s General Data Protection Regulation (GDPR). Keeping users’ information safe and secure is among our highest priorities at Google. Over the years, we have spent a lot of time working closely with Data Protection Authorities in Europe, and we have already implemented strong privacy protections that reflect their guidance. We are committed to complying with the new legislation and will collaborate with partners throughout this process.”
Processor and Controller:
One of the first hurdles Google has to overcome is the issue surrounding ‘processor’ versus ‘controller.’ As Google can operate as both, they have been busy rolling out new contracts to advertisers, publishers and agencies, informing them whether they themselves are a controller or processor when they engage its services.
International data transfers:
With regards to international data transfers, G Suite and GCP are certified under Privacy Shield. This complies with Data Protection Directive. Although GDPR and the Directive have similar general restrictions on Cross-Border Data Transfers, GDPR does have some notable differences from its predecessor.
For instance, the catalogue of adequacy requirements is more detailed under the GDPR. It is unclear whether further countries will qualify, and whether existing countries will maintain their status, as Adequate Jurisdictions. Google will be aware of this as it develops, and we can expect further evolution of their terms.
Google has recently launched a new website for their customers and partners that explains:
The control that businesses have over the data they share with Google.
- The security of Google’s infrastructure.
- Their commitment to complying with applicable data protection laws.
- Freely available resources and training to help businesses get the most from their data.
Over the next few months, Google will be introducing updated contractual commitments that meet GDPR requirements for their customers and partners. They will continue to evolve their privacy protections and practices to meet the GDPR’s requirements.
Google’s approach to GDPR highlights what is necessary to achieve compliance. There is no magic software available to generate it, no one-click fix. It will take hard work, transparency, and knowledge to become GDPR compliant.
For more information on GDPR compliance, feel free to contact us directly using the form below: