Google Details Its Preparations for Upcoming EU Privacy Regime Change


With a little more than nine months left until the effective date of a new European Union privacy regime, Alphabet Inc.’s Google has launched a website setting out how the search engine and internet giant intends to comply. The site is intended to help businesses understand their options for ensuring they are ready for new, stricter customer consent rules, mandatory data breach notice, and the potential for massive fines of up to the greater of 20 million euros ($25.5 million) or 4 percent of a company’s worldwide income.

Google is familiar with EU regulatory oversight and has a lot at stake under the new regulation. Google had $60.6 billion in revenues in fiscal year 2015, Bloomberg data show. A fine of 4 percent means Google could get a bill from the EU exceeding $2.4 billion for a single infraction.

The website brings all of Google’s EU General Data Protection Regulation (GDPR) preparation into one place, and covers most of Google’s products, including search, Gmail, cloud services, G Suite, and the advertising and measurement tools AdWords, AdSense, and DoubleClick. The GDPR takes effect May 25, 2018.

“Google is committed to complying with the GDPR across all of the services that we provide in Europe,” William Malcolm, director for privacy legal Europe, Middle East and Asian region at Google, said in a blog post.

Google breaks down its explanations into four categories: the control businesses have over data they share with Google; the security of Google’s infrastructure; the company’s compliance with data protection laws; and available resources and training for businesses.

Customized controls allow companies to silo data within individual products, choose to share data with other products, and use Google data for advertising rather than sharing personal data.

Google details the layers of its security infrastructure, which range from physical security achieved through distributing data across multiple data centers to the encryption it uses for data moving from devices to the data centers.

Google assures businesses that it obtains audits and certifications such as ISO security standards on information security (ISO 27001), cloud security (ISO 27017), cloud privacy (ISO 27018), and the Privacy Shield Frameworks for the U.S. and the EU and Switzerland. ISO is a certification and auditing program developed by the International Organization for Standardization.

Malcolm said that in the coming months, Google will make available GDPR-compliance contractual commitments and continue to evolve its privacy practices to meet GDPR.
