Wednesday, 8 May 2013

Google Apps - model clauses for personal data export (& data processing amendment)… but what about Analytics?

Summary

Google have introduced optional opt-in model clauses for Google Apps for Business customers (along with a data processing amendment[1]), as heralded by Google in summer 2012. However, it seems that they didn't announce the clauses' availability publicly or directly to Google Apps customers, according to an enterprise Apps customer that I chatted with recently - they just quietly updated their original blog entry, I'm not sure exactly when. So, I'm writing this to publicise the position.

The model clauses option was probably introduced in December 2012, at least according to the lastModified properties of the relevant webpages which I checked using JavaScript (I have a bookmarklet for that!). Some other providers already offer the model clauses option, eg Microsoft introduced it for Office 365 in 2011, and Google decided last year that it was sensible to offer them too, to widen the 'palette of EU regulatory compliance options', as Google put it.

What are model clauses?

By way of background, using 'model clauses' as prescribed by the European Commission is one method that a data controller can use to allow it to transfer 'personal data' outside the European Economic Area, eg to store such data in non-EU data centres used by its cloud provider (more on my Venn diagram showing the differences between 'EU', 'EEA' and 'Europe').

How can Google Apps customers be 'data controllers' who process 'personal data' using their Apps accounts? Because stored Gmail email contacts and email addresses, and the bodies of emails, Google Drive spreadsheets and documents etc, might well contain personal data. Also, where the Apps customer is an organisation, the end users of Google Apps will be individuals within the customer's organisation (eg employees or students), or customers of the Apps customer, so the use of Apps by the organisation may involve processing those end users' personal data, too.

If an Apps customer (or its employees etc) uses Apps to store or process any personal data for other than purely personal purposes, then the Apps customer is likely to be a 'controller', and must by law keep that personal data within the EEA (except in certain circumstances).

One of those circumstances is the use of model clauses. These model clauses must be incorporated 'as is' into the contract between the controller, eg Google Apps customer, and the cloud provider, eg Google. They basically put the cloud provider on the hook to its customer to comply with certain privacy and security requirements under EU data protection law.

Safe Harbor

You may well ask, how did Google assure their customers of data protection law compliance before Google provided the option of model clauses? The answer is that Google are self-certified under the US Safe Harbor regime (search the Safe Harbor list).

However, many EU regulators are dubious about Safe Harbor, especially in Germany, and especially with cloud computing, even though legally this Safe Harbor arrangement is meant to, well, provide controllers with a safe harbor.

So it seems likely that well-advised EEA-based Google Apps users will adopt the new model clauses if they are data controllers (and, as I explained above, most of those using Google Apps for Business, even if it's for mixed business/personal purposes, will probably be considered to be controllers).

How to adopt Google Apps model clauses?

How can Google Apps customers who are based in the EEA adopt Google's model contract clauses? This involves taking 2 steps after logging in to the Google Apps Control Panel (Domain Settings > General tab), as Google explained:

  1. opt in to the data processing amendment, then
  2. opt in to the model clauses.

Note that these options are only available for non-free Google Apps services, ie Google Apps for Business customers.[2] (I don't know about Google Apps for Education, can anyone who uses that enlighten me as to whether model clauses are now available there?).

Google Analytics model clauses, please…?

Now, what I really really want is for Google to offer model clauses to EEA-based Google Analytics users. I use Google Analytics for my own personal site, and I'm not alone - even the UK data protection regulator, the ICO, uses Google Analytics.

Furthermore, because I use Google's Blogger for this blog, I have no choice - the 'Blogger Stats' feature, ie Google Analytics, is included automatically by Google, and I can't turn that off even if I wanted to. I'd like to think that Google would therefore be treated as the 'first party' for cookie law purposes, and as the data controller (or at least joint or main data controller) of any personal data collected through Analytics through Blogger / Blogspot,[3] but, in case not, I'd like model clauses for Analytics please, dear Google! I suspect Google won't subject themselves to extra contractual commitments and greater potential legal exposure unless they feel they absolutely have to for legal or market-competitive reasons, but who knows what may transpire?

Notes

[1] Interestingly, this amendment has explicit provisions about Google following 'instructions' (which must be in the contract because of data protection laws, as data protection geeks will know), although some might argue about whether the stated scope of those instructions, while understandable for cloud computing, is sufficient if you apply the laws strictly (see paper on negotiated cloud contracts - issues often negotiated on cloud contracts include the 'instructions' requirement).

The amendment also outlines the scope of processing and, significantly, has detailed provisions relating to security, including information not in the Google Apps Security White Paper published in 2010 (another one, linked to from this page). But there's no information about physical data location, and no link to the information about data centre locations which Google since late 2012 now provide, along with other security and privacy information.

[2] I signed up a while back for Google Apps' free edition, aka Standard Edition, for this domain, most of which I host using Google App Engine PaaS - but the free Google Apps edition was withdrawn in Dec 2012 (unless you sign up via Google App Engine, which would, at least in Dec 2012, still get you a free Apps account, albeit for one user only). Luckily, existing users of the Standard Edition can continue to use it for free, for now anyway. Also, UK controllers using Google Apps Standard Edition should hopefully nevertheless be able to rely on Safe Harbor, which technically is still legal, and the UK Information Commissioner hasn't officially said you can't.

[3] Whether web analytics data such as IP addresses are 'personal data' is the subject of much fierce, ongoing debate. But, if they are, model clauses would help Analytics users.