processes these data in its role as processor, as well as in its role as joint data controller.
The technical research in this DPIA shows that Google also collects Customer Data in sentences and words from the Enhanced Spellingchecker in telemetry data from the Chrome browser.
Government organisations should therefore take account of the general prohibition on the processing of special categories of personal data in Articles 9 and 10 of the GDPR if they are joint controllers with Google. There is no exception for the processing of these personal data by Google for its own 33 purposes. The only generally useful exception in Article 9 GDPR applies if the data subject has given explicit consent. However, valid consent is not an option, as explained in sections 11.1.1 and 11.2.1 of this DPIA. Article 10 of the GDPR completely prohibits the processing of personal data relating to criminal convictions and offences unless it is carried out under the control of official authority or is authorised by Union or Member State law.
12.1 Transfer of special, sensitive, secret and confidential data to the USA
In G Suite Enterprise admins can elect to store Customer Data from certain Core Services only in data centres in the European Union. This choice is not available for the Customer Data from other Core Services, the Google Account, the Additional Services, Support Data and any Diagnostic Data. Those data may therefore be stored anywhere where Google maintains facilities. With regard to the transfer of personal data in Customer Data to the USA, customers can accept the SCC, as described in Section 7. At the time of completion of this DPIA report, all other transfers of personal data outside of the EEA generally relied on the EU-US Privacy Shield.
The transfer and storage of personal data in the USA carries a risk of unlawful further processing of personal data (i) through interception or silent orders from USA law enforcement authorities, security agencies and secret services, (ii) through rogue administrators at Google and at subprocessors (only for the Technical Support Services), and (iii) by hostile state actors. The likelihood and impact of these risks are assessed in Section 16.2.12 of this report.
To mitigate some of these risks, government organisations can create policy rules that prevent very confidential or state-secret data from being processed through cloud services. They could also draft a policy that prohibits the use of directly identifying personal or confidential data in file and path names. Google does not offer separate encryption possibilities for data stored in Drive, but customers may apply their own encryption from other companies before uploading sensitive data to Drive.[277] In a whitepaper about encryption, Google explains that data on disks and backup media belonging to customers are always encrypted. Google has a distinct approach to encryption for each system, to mitigate the specific security risks.
Google automatically encrypts Customer Data stored on disks in the G Suite product family as it is written to disk with a per-chunk encryption key that is associated with a specific Access Control List. This means that different chunks are encrypted with different encryption keys, even if they belong to the same customer.[278]
Technically, this works as follows: “Each chunk key is encrypted by another key known as the wrapping key, which is managed by a Google-wide key management service (KMS). The result is a “wrapped” (encrypted) chunk key, which is stored alongside the encrypted data. The wrapping keys, needed to decrypt wrapped chunk keys, and therefore to decrypt the chunk, are known only to the KMS and are never stored at rest in unencrypted form. Data cannot be decrypted without both the wrapping key and the wrapped chunk key. Google has built a system to manage key rotation. (…) Chunk encryption keys and wrapping keys are rotated or replaced regularly.”[279]
[277] In the G Suite Marketplace, different third-party encryption tools are available, URL: https://gsuite.google.com/marketplace/search/encrypt
[278] How Google Uses Encryption to Protect Your Data, G Suite Encryption Whitepaper, URL: https://storage.googleapis.com/gfw-touched-accountspdfs/google-encryption-whitepaper-gsuite.pdf
Additionally, Google describes it has rigorous procedures for assigning and removing access to the keys, and logging employee access to the keys and data.
These measures lower the risks of interception or unauthorised access to Customer Data, but do not eliminate them. These measures are not applied to Diagnostic Data.
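As an added illustration (not from the DPIA or from Google's whitepaper) of the chunk-key and wrapping-key scheme described above, the Python below models a fresh key per chunk bound to an ACL identifier, a KMS that alone holds the wrapping keys and stores only the wrapped chunk key next to the ciphertext, and wrapping-key rotation that re-wraps a chunk key without re-encrypting the data. All names are assumptions, and the cipher is a standard-library stand-in for AES-GCM.

```python
import hashlib, hmac, os

# Assumption: an HMAC-SHA256 keystream with an HMAC tag stands in for AES-GCM so this
# runs on the standard library alone; the key hierarchy, not the cipher, is the point.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]
def _seal(key, data):  # returns nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
def _open(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
class KMS:
    """Holds the wrapping keys; a plaintext chunk key exists only inside wrap/unwrap."""
    def __init__(self):
        self.versions, self.current = {1: os.urandom(32)}, 1
    def wrap(self, chunk_key, acl_id):
        # The ACL identifier is sealed with the chunk key: the wrapped key opens only for its ACL
        return self.current, _seal(self.versions[self.current], acl_id.encode() + b"\0" + chunk_key)
    def unwrap(self, version, wrapped, acl_id):
        acl, _, chunk_key = _open(self.versions[version], wrapped).partition(b"\0")
        if acl != acl_id.encode():
            raise PermissionError("wrapped key does not belong to this ACL")
        return chunk_key
    def rotate(self):  # new wrapping-key version; old versions stay for unwrapping
        self.current += 1
        self.versions[self.current] = os.urandom(32)

def store_chunk(kms, plaintext, acl_id):
    chunk_key = os.urandom(32)  # fresh key per chunk, never shared between chunks
    version, wrapped = kms.wrap(chunk_key, acl_id)
    # Only the wrapped chunk key is stored next to the ciphertext; the wrapping key stays in KMS
    return {"acl": acl_id, "kms_version": version, "wrapped_key": wrapped,
            "ciphertext": _seal(chunk_key, plaintext)}
def read_chunk(kms, record, acl_id):
    chunk_key = kms.unwrap(record["kms_version"], record["wrapped_key"], acl_id)
    return _open(chunk_key, record["ciphertext"])
def rewrap_chunk(kms, record):
    # Rotation: re-wrap the chunk key under the current wrapping key without touching the data
    chunk_key = kms.unwrap(record["kms_version"], record["wrapped_key"], record["acl"])
    record["kms_version"], record["wrapped_key"] = kms.wrap(chunk_key, record["acl"])
    return record
```

Note that the stored record never contains a usable key on its own: without the KMS wrapping key the wrapped chunk key is opaque, which is the property the whitepaper relies on.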
13. Purpose limitation
The principle of purpose limitation is that data may only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes” (Article 5 (1) (b) GDPR). Essentially, this means that the data controller must have a specified purpose for which personal data is collected, and can only process these data for purposes compatible with that original purpose.
Data controllers must be able to prove based on Article 5(2) of the GDPR that they comply with this principle (accountability). As explained in section 5.3 of this report, only data controllers may take decisions about the purposes, including purposes for further processing of the personal data. As a result, a data processor may not determine the purposes of the processing, nor what further processing it deems compatible with those original purposes.
Purpose limitation is the most difficult principle to comply with in big data processing, because big data processing is designed precisely to gain new insights by combining data in new ways.
As described in Sections 11.1 and 11.2 of this report, currently neither Google nor the government organisations have a legal ground for any processing through G Suite Enterprise. This is often caused by a lack of purpose limitation. In addition, the lack of an exhaustive list of specific and explicit purposes in the G Suite DPA leads to the qualification of government organisations and Google as joint controllers.
Note: After completion of this report, on 12 November 2020 Google published a Google Cloud Privacy Notice with a list of purposes.[280] The consequences of this publication are described in the new assessment of the risks added to the summary and conclusion of this report in January 2021.
As joint data controller for the Diagnostic Data, Google does not specify for what specific purposes it processes which personal data. As described in Section 4.3, Google mentions 33 purposes for data processing in its (consumer) Privacy Policy. Some purposes are so general (such as, for example, Performing Research, and Combining information among all services and across devices to improve Google’s
[279] Idem.
[280] Google, Google Cloud Privacy Notice, 7 December 2020, URL: https://cloud.google.com/terms/cloud-privacy-notice