The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.
Google’s website makes a very clear statement about GDPR: “You can count on the fact that Google is committed to GDPR compliance across Google Cloud services.”
It also goes on to say: “To help you with compliance and reporting, we share information, best practices and easy access to documentation. Our products regularly undergo independent verification of security, privacy and compliance controls, achieving certifications against global standards to earn your trust. We’re constantly working to expand our coverage.”
Adding: “Google is committed to complying with the EU General Data Protection (GDPR) for G Suite and Google Cloud Platform services. We’ve created this reference page and the GDPR Resource Center for Google Cloud customers who are required to comply with the GDPR.”
Data Controller and Data Processor
Under the GDPR, Google is your Data Processor. Your organization is the Data Controller since you control which data is sent to Google Analytics.
As your Data Processor, Google has obligations to conform to the EU GDPR. As part of being a Data Processor, Google must provide a data processing agreement that you’ll need to accept.
Data controllers are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling data subjects’ rights with respect to their data.
Fines
Google was fined 50 million euros (£44m) by the French data regulator CNIL for a breach of the EU’s data protection rules.
CNIL said it had levied the record fine for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
The regulator said it judged that people were “not sufficiently informed” about how Google collected data to personalise advertising.
Complaints against Google were filed in May 2018 by two privacy rights groups: noyb and La Quadrature du Net (LQDN).
The groups claimed Google did not have a valid legal basis to process user data for ad personalisation, as mandated by the GDPR.
The first complaint under the GDPR was filed on 25 May 2018, the day the legislation took effect.
The regulator said Google had not obtained clear consent to process data because “essential information” was “disseminated across several documents”.
“The relevant information is accessible after several steps only, implying sometimes up to five or six actions,” the regulator said.
“Users are not able to fully understand the extent of the processing operations carried out by Google.”
Privacy Policies
Just after the GDPR was implemented, Google and the other tech giants came under fire after an analysis of their privacy policies by the pan-European consumer group BEUC.
BEUC found that Google, Facebook and Amazon didn’t fully meet the requirements of the GDPR.
An analysis of policies from 14 of the largest internet companies showed they use unclear language, claim “potentially problematic” rights, and provide insufficient information for users to judge what they are agreeing to.
Shortly afterwards, Google announced that they had updated their Privacy Policy in line with the requirements of the GDPR, provided more detail on their practices and described the information that they collect and use, and the controls that users have, in clear and plain language.
They also said they had added new graphics and video explanations, structured the Policy so that users could explore it more easily, and embedded controls to allow users to access relevant privacy settings directly.
Personal Data
Google offers an option to delete customer data at any time, when it is no longer needed, via the functionality of the G Suite or Google Cloud Platform services.
Google’s website says: “When Google receives a complete deletion instruction from you (such as when an email you have deleted can no longer be recovered from your ‘trash’), Google will delete the relevant customer data from all of its systems within a maximum period of 180 days unless retention obligations apply.”