Introduction and summary
We use Google Cloud to host the data that is required to run Book Creator. Currently, we use Google Cloud servers in the USA and rely on UK and EU-approved standard contractual clauses (SCCs) to legitimise these transfers.
We know that, following the Schrems II judgment of the Court of Justice of the European Union (CJEU) on 16 July 2020, our clients are likely to have questions about the storage of data in the US. We have carried out a full data transfer impact assessment (DTIA) to assess the risks of these transfers and the need for any supplementary measures.
The full DTIA is available here, but we have put together these FAQs as a quick and easy reference point for our clients to answer any questions they may have about the judgment and its impact on Book Creator and our use of Google Cloud in the US.
In brief, our DTIA has enabled us to conclude that, in accordance with regulatory guidance and best practice, our storage of data with Google Cloud in the US can continue. This is on the basis that:
the practical risk of any third party gaining access to the data held in the US is extremely low;
even if third party access were to occur, the risk of harm to relevant individuals would be extremely low; and
Google implements a number of strong safeguards to further reduce the risk of third party access to data and to ensure that we retain visibility and control over such access.
We have set out more detail on how we have reached this conclusion below.
1. What are the issues?
On 16 July 2020, the CJEU handed down a ruling that had an impact on international transfers of personal data from the EU to “third countries” (i.e. countries that the EU has not declared to provide an adequate level of protection of personal data under their laws). Transfers from the UK are also affected because the judgment was handed down during the Brexit transition period and is therefore incorporated into UK law.
The judgment declared the EU-US “Privacy Shield” arrangement invalid. This was a self-certification mechanism that allowed transfers of personal data to US organisations that certified adherence to certain data protection principles. The main concerns that led to Privacy Shield being invalidated were to do with the US government’s fairly wide-ranging powers to compel certain US organisations to provide information about non-US citizens. This caused concerns that EU citizens’ personal data was not subject to sufficient protections when transferred to the US, as those laws would override the Privacy Shield principles.
The invalidation of Privacy Shield did not directly affect our use of Google Cloud, as Google Cloud has, for many years, relied on EU-approved standard contractual clauses (SCCs) as an additional mechanism for legitimising transfers of personal data to the US.
However, the other thing that the judgment did was to hold that, whilst SCCs remain a valid transfer mechanism to send personal data to third countries, it is still incumbent upon organisations in the EU/UK to ensure that the SCCs allow for an adequate level of protection of personal data.
This means that any organisation in the UK or the EU relying on SCCs to transfer personal data to a third country must assess the data protection and associated laws, rules and practices of that country to determine if they provide an adequate level of protection, taking into account the nature of the transfers in question. If they do not, supplementary measures may need to be put in place to ensure that data is appropriately protected.
2. Why do we still use US storage and are we planning to move away from this?
As the Schrems II judgment focussed on US data protection laws and invalidated Privacy Shield on the basis that those laws were not held to provide adequate protection, some organisations have stopped storing personal data in the US altogether. This is not a requirement of the judgment nor of any other laws or regulations. Regulatory guidance has confirmed that transfers to any third country, even those with concerning laws and practices, can proceed or continue provided that a DTIA is carried out and concludes that there is a low risk to individuals.
However, we do appreciate that there are now more difficulties than there were previously with transfers of personal data to the US in particular. As such, we are looking to provide a version of Book Creator that maintains data in the UK or EU in the future. Our business model has always been built on the use of Google Cloud storage in the US and this will take some time to move away from, but we will update all our clients when this move has happened.
3. What data is held in the US?
The Book Creator application is stored within Google Cloud. This means that all data that flows into and through the application is stored in the US. The data is broadly split into two categories:
Account data: This is the data that users provide to set up an account. This is limited to name, email address, password and school.
Book data: This is the data that is input into books that users create. This information is generally unlikely to contain personal data; however, given that users can put whatever information they like into a book, there is a chance that it could do so. For example, teachers could ask students to create an “All About Me” book, which could then include quite extensive personal information about the user and others (such as family members and friends). We have no control over what personal data, if any, is included within book data.
4. What is Book Creator’s role with regard to that data?
In relation to account data, we are the data controller. This is because we determine what information is required in order to set up accounts and we are responsible for the management of accounts. This means that Google is our processor and we are fully responsible for ensuring that transfers of personal data to Google as a processor are compliant with all aspects of data protection legislation.
In relation to any book data that constitutes personal data, the school is the data controller and we are a data processor. This is because we have no control over what personal data will be uploaded/input into the application in this context. The school (or the teacher, acting as part of the school) decides the topic and content of books and therefore, by implication, whether books may or may not contain personal data. In this instance, Google is a sub-processor engaged by Book Creator.
5. What have we done in the wake of the Schrems II judgment?
Following the Schrems II judgment, we have carried out a thorough and detailed DTIA which looks at the relevant US laws and their applicability to Google in this context. It then goes on to consider the practical risks of the transfers carried out by Book Creator, including by looking at the nature and purpose of the transfers, the likelihood of any theoretical risks arising and other safeguards that are currently in place. We have followed regulatory guidance and best practice in completing the DTIA.
6. Did we identify any risks or challenges with storing personal data with Google Cloud in the US?
Given the focus of the Schrems II judgment, it is inevitable that any assessment of US data protection and national security/surveillance laws will raise theoretical challenges. The main issue is a piece of legislation called “FISA” (the Foreign Intelligence Surveillance Act). Under most US laws, if a public authority wants to access personal data, they have to obtain a warrant from a court to do so. This ensures that requests to access personal data are properly scrutinised and balanced.
However, Section 702 of FISA enables a specialist, independent court to authorise the US government (on an annual certification basis) to issue orders requiring electronic communications service providers in the US to disclose communications data relating to specified non-US individuals located outside the US, in order to obtain foreign intelligence information.
As Google is an “electronic communications service provider”, Google may receive requests under Section 702 FISA. Indeed, Google publishes a regular transparency report that details the number of FISA requests received in each six-month period.
FISA has protections against unjustified or disproportionate use of the powers built into it, including:
Government agencies have to be certified annually by the Foreign Intelligence Surveillance Court (FISC). This involves a thorough review of the agency’s querying procedures, targeting procedures and minimisation procedures.
Agencies have to record their reasons for targeting a specific person, meaning that they are not able to issue requests arbitrarily without any cause.
Agencies have to maintain Privacy and Civil Liberties Officers, whose job it is to advise on privacy issues and ensure that there are adequate procedures to receive, investigate and redress complaints from individuals.
Individuals have redress for violations of Section 702 FISA. They can seek compensation if their communications are used or disclosed unlawfully.
7. What impact does the nature of the personal data and the transfers have on the likelihood of any issues arising in practice?
Regulatory guidance confirms that transfers to third countries with concerning laws can proceed if the likelihood of data being accessed by third parties in practice is low and/or if the risk of harm to individuals arising out of any potential access is low.
The nature of the personal data and the transfers to the US for the purposes of using Google Cloud storage on US servers means that, although FISA Section 702 theoretically applies to Google, the chances of Google receiving a request for either account data or book data of Book Creator users are exceptionally low. US government agencies are very unlikely to be interested in this type of data relating to teachers and schoolchildren in EU countries and the UK. This is not likely to be useful for foreign surveillance activities and therefore we do not envisage Google receiving a request that covers this data.
Furthermore, even in the highly unlikely scenario that Google did receive a request for data from a US agency and did disclose data in response, the risk of harm to the relevant individuals would be extremely low. Account data is limited to very basic user details which would not cause substantive harm to individuals if shared with third parties. Users are fully in control of what book data they submit so are able to ensure that data is only submitted if they are comfortable with doing so.
It is worth noting that in relation to account data, as Book Creator is the controller, the school has no responsibility or accountability under the GDPR for ensuring that transfers of account data to the US are compliant. Schools’ main concern is book data, as the school will be the controller of this data. It is even less likely that US government agencies will be interested in book data as Book Creator is purely an educational tool and the risk of book data containing anything of use to US agencies is negligible.
8. What other mitigations and safeguards are in place to protect personal data from access by US government agencies?
As well as the restrictions and safeguards on the exercise of the FISA Section 702 powers, the following measures are in place, or can easily be put in place by schools, to protect personal data stored on Google Cloud servers in the US from access by US government agencies:
Schools are in control of what data can be submitted as book data. We recommend in all cases that schools and individual teachers carefully consider the topics suggested for books and whether these topics lend themselves to the inclusion of personal data. Teachers should make classes aware of what information they should be including in their books and should make sure that they have visibility of what book data is being uploaded as far as possible so that they can manage minimisation of personal data.
Google encrypts data at rest and in transit.
Access transparency: Google provides logs of actions taken by Google staff when accessing user data, so we have visibility of access by Google. Government requests for data are identified within the access log (unless Google is legally prohibited from notifying us of requests).
Access approval: This allows us to explicitly approve access to data before it takes place (subject to exceptions where legally required).
Processes for dealing with government access requests: If Google receives a request for book data or account data, generally Google will inform the agency to request it directly from Book Creator. If the government refuses to do so, Google is clear that it reviews the request carefully and thoroughly to verify that it is lawful and proportionate. Google will notify us wherever possible of the request and will take into account any objections we raise to such a request.
SCCs: Google has SCCs in place that apply automatically and these will be updated to reflect the new EU SCCs in due course, as well as the new UK SCCs as and when these are released and approved. These will impose additional contractual safeguards and obligations on Google with regard to government access requests.
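The access transparency and access approval points above describe logs that a school or processor can actually inspect. As an added illustration that is not part of the original FAQ or of Google's own tooling, the script below triages an export of Access Transparency log entries and pulls out any access that Google attributes to a legal request. The sample entries are constructed, and the field names (`jsonPayload.reason[].type`, `logName` ending in `access_transparency`) and reason codes such as `THIRD_PARTY_DATA_REQUEST` are modelled on Google's documented format as an assumption; confirm them against the current Cloud Logging schema before relying on the filter.

```python
"""Triage of Google Cloud Access Transparency log entries (added example).

The entries in SAMPLE_LOG are constructed. Field names and reason codes are an
assumption modelled on Google's documented Access Transparency log format.
"""
import json
from collections import Counter

# Reason code that marks access made in response to a legal request or legal
# process (assumed code name). Everything else is support or service activity.
GOVERNMENT_REQUEST_REASONS = {"THIRD_PARTY_DATA_REQUEST"}

# Constructed newline-delimited JSON export, one log entry per line.
# The last line is an ordinary Admin Activity audit entry and must be ignored.
SAMPLE_LOG = """\
{"insertId": "ex-1", "timestamp": "2021-06-01T10:00:00Z", "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Faccess_transparency", "jsonPayload": {"@type": "type.googleapis.com/google.cloud.audit.TransparencyLog", "product": ["Cloud Storage"], "reason": [{"type": "CUSTOMER_INITIATED_SUPPORT", "detail": "Case number: EXAMPLE-CASE-1"}], "accesses": [{"methodName": "GoogleInternal.Read", "resourceName": "//googleapis.com/storage/buckets/example-bucket/objects/book-1"}], "location": {"principalOfficeCountry": "US", "principalEmployingEntity": "Google LLC"}}}
{"insertId": "ex-2", "timestamp": "2021-06-02T14:30:00Z", "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Faccess_transparency", "jsonPayload": {"@type": "type.googleapis.com/google.cloud.audit.TransparencyLog", "product": ["Cloud Storage"], "reason": [{"type": "THIRD_PARTY_DATA_REQUEST", "detail": "Legal process reference: EXAMPLE-REF"}], "accesses": [{"methodName": "GoogleInternal.Read", "resourceName": "//googleapis.com/storage/buckets/example-bucket/objects/book-7"}], "location": {"principalOfficeCountry": "US", "principalEmployingEntity": "Google LLC"}}}
{"insertId": "ex-3", "timestamp": "2021-06-02T16:05:00Z", "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Faccess_transparency", "jsonPayload": {"@type": "type.googleapis.com/google.cloud.audit.TransparencyLog", "product": ["Cloud Storage"], "reason": [{"type": "GOOGLE_INITIATED_SERVICE", "detail": "Routine maintenance"}], "accesses": [{"methodName": "GoogleInternal.Read", "resourceName": "//googleapis.com/storage/buckets/example-bucket/objects/book-9"}], "location": {"principalOfficeCountry": "IE", "principalEmployingEntity": "Google Ireland Ltd"}}}
{"insertId": "ex-4", "timestamp": "2021-06-03T09:00:00Z", "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity", "protoPayload": {"methodName": "storage.buckets.get"}}
"""


def parse_entries(text):
    """Parse newline-delimited JSON and keep only Access Transparency entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("logName", "").endswith("access_transparency"):
            entries.append(entry)
    return entries


def reason_types(entry):
    """List the reason codes attached to one entry."""
    return [r.get("type", "UNKNOWN") for r in entry.get("jsonPayload", {}).get("reason", [])]


def summarise_reasons(entries):
    """Count how often each reason code appears; useful for a periodic review."""
    counts = Counter()
    for entry in entries:
        counts.update(reason_types(entry))
    return counts


def flag_government_requests(entries):
    """Return a compact record for every access attributed to a legal request."""
    flagged = []
    for entry in entries:
        payload = entry.get("jsonPayload", {})
        for reason in payload.get("reason", []):
            if reason.get("type") in GOVERNMENT_REQUEST_REASONS:
                flagged.append({
                    "insert_id": entry.get("insertId"),
                    "timestamp": entry.get("timestamp"),
                    "detail": reason.get("detail", ""),
                    "resources": [a.get("resourceName") for a in payload.get("accesses", [])],
                    "accessed_from": payload.get("location", {}).get("principalOfficeCountry"),
                })
    return flagged


if __name__ == "__main__":
    transparency_entries = parse_entries(SAMPLE_LOG)
    print("Reason summary:", dict(summarise_reasons(transparency_entries)))
    for hit in flag_government_requests(transparency_entries):
        print("REVIEW:", hit)
```

Run against a real export, the summary gives a quick picture of why Google staff touched the project's data, and the flagged list is what a controller would raise with its processor under the request-handling process described above. Read an empty flagged list as "no logged government-request access", not "no access": the FAQ itself notes that Google is not able to log or notify requests it is legally prohibited from disclosing.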
9. Can Book Creator continue to store personal data with Google Cloud in the US in light of the Schrems II judgment?
Yes. Our view is that, taking into account the nature of the transfers and in particular the extremely low likelihood of FISA Section 702 requests being received by Google in respect of account data and/or book data, together with the additional technical safeguards that Google has in place, the SCCs ensure an adequate level of protection of personal data stored on Google Cloud servers in the US.