Google has announced that the EU data protection authorities have reviewed and confirmed its Google Cloud services’ contractual commitments as fully compliant with the EU requirements for transferring personal data to third countries outside the European Economic Area (“EEA”).
Model contract clauses
The review was carried out in line with Working Paper 226 (‘WP 226’). WP 226 outlines the procedure where data protection authorities can decide whether an organisation’s contracts comply with the European Commission’s model contract clauses, in line with Decision 2010/87/EU.
The data protection authorities (including the Irish data protection authority as the lead, and Spanish and Hamburg authorities as co-reviewers) confirmed that Google’s agreements for international transfers of personal data for Google Apps (now ‘G Suite’) and for its Google Cloud Platform align with the European Commission’s model contract clauses.
The EU model contract clauses are standard contractual clauses used in agreements to ensure any personal data leaving the EEA will be transferred in compliance with the Data Protection Directive 95/46/EC.
The WP 226 procedure
WP 226 requires that the data protection authorities from the relevant Member States review the clauses, and that they are managed by the lead authority. The lead authority is either selected by the applicant organisation based on set criteria in WP 226 – for example, the location where the clauses are decided and elaborated, where most decisions around purposes and means of processing will take place, the ‘best’ location in terms of management and administration. Alternatively, the other data protection authorities involved in the review may appoint the most appropriate authority to take the lead.
The initial decision as to conformity with the model contract clauses is taken by the lead data protection authority, who must then forward a draft decision letter to all other authorities involved so that they may conduct their own review (within one month). The lead authority then invites comments from the co-reviewers before signing the letter on behalf of all the relevant data protection authorities and notifying the applicant.
More certainty for data transfers?
Well, a success for Google, but this is still a particularly challenging time for organisations that are trying to ensure international data transfers are compliant with data protection laws. Of course, the model contract clauses are still the subject of challenge in the EU. The Irish Data Protection Commissioner commenced proceedings in the Irish High Court following a complaint by Max Schrems against Facebook Ireland Limited’s use of the model contract clauses. The hearing started on 7 February 2017, where the High Court is to determine whether it should make a referral to the CJEU. We await the outcome of the hearing and whether the future status of the model contract clauses will be resolved or referred to the CJEU to decide.