Google has announced that the EU data protection
authorities have reviewed and confirmed its Google Cloud
services' contractual commitments as fully compliant with the
EU requirements for transferring personal data to third countries
outside the European Economic Area ("EEA").
Model contract clauses
The review was carried out in line with Working Paper 226 ('WP 226'). WP 226
outlines the procedure where data protection authorities can decide
whether an organisation's contracts comply with the European
Commission's model contract clauses, in line with Decision 2010/87/EU.
The data protection authorities (including the Irish data
protection authority as the lead, and Spanish and Hamburg
authorities as co-reviewers) confirmed that Google's agreements
for international transfers of personal data for Google Apps (now
'G Suite') and for its Google Cloud Platform align with the
European Commission's model contract clauses.
The EU model contract clauses are standard contractual clauses
used in agreements to ensure any personal data leaving the EEA will
be transferred in compliance with the Data Protection Directive
The WP 226 procedure
WP 226 requires that the data protection authorities from the
relevant Member States review the clauses, and that they are
managed by the lead authority. The lead authority is either
selected by the applicant organisation based on set criteria in WP
226 – for example, the location where the clauses are decided
and elaborated, where most decisions around purposes and means of
processing will take place, the 'best' location in terms of
management and administration. Alternatively, the other data
protection authorities involved in the review may appoint the most
appropriate authority to take the lead.
The initial decision as to conformity with the model contract
clauses is taken by the lead data protection authority, who must
then forward a draft decision letter to all other authorities
involved so that they may conduct their own review (within one
month). The lead authority then invites comments from the
co-reviewers before signing the letter on behalf of all the
relevant data protection authorities and notifying the
More certainty for data transfers?
Well, a success for Google, but this is still a particularly
challenging time for organisations that are trying to ensure
international data transfers are compliant with data protection
laws. Of course, the model contract clauses are still the subject
of challenge in the EU. The Irish Data Protection Commissioner
commenced proceedings in the Irish High Court following a complaint
by Max Schrems against Facebook Ireland Limited's use of the
model contract clauses. The hearing started on 7 February 2017,
where the High Court is to determine whether it should make a
referral to the CJEU. We await the outcome of the hearing and
whether the future status of the model contract clauses will be
resolved or referred to the CJEU to decide.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
In light of the much anticipated ICO draft GDPR (the General Data Protection Regulation) Consent Guidance being published yesterday, 2 March 2017, we will be running a mini-series on the guidelines under consultation and the impact the GDPR will have on the much vexed position of consent and the impact on your business.
The first of our four discussions on the ICO guidelines for Consent will focus on the meaning of consent under the GDPR (General Data Protection Regulation) and how this change enhances the previous law on consent to data processing.
The fourth and final part of our mini-series on the draft ICO guidance on Consent, published on 2 March 2017, focuses on the practical impact the GDPR (General Data Protection Regulation) will have on how your organisation records and manages consent.
A fundamental aspect of all fair and lawful processing of personal data under the current data protection rules is the requirement for the party who is the data controller to meet one or more conditions ("the conditions for processing").
The second in our mini-series on the ICO guidance on Consent, published on 2 March 2017, focuses on how the changes to be introduced by the GDPR (General Data Protection Regulation) will impact upon your business and what you can do to pre-empt the changes before their introduction in May 2018.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).