Google announces to increase its controls relating to company data, access, encryption and location. This functionality should be extended to all the services of the Workspace suite by the end of 2022. In question, the pressure from European legislators.
The two European directives, DSA (Digital Services Act) and DMA (Digital Markets Act), are echoed by the web giants. Google is today announcing a “sovereign controls” feature for Workspace, aimed at providing digital sovereignty capabilities to organizations, both in the public and private sectors, to control, limit and monitor data transfers to and from the EU . Available from the end of the year, this service will be equipped with additional capabilities throughout 2023. This commitment is based on client-side encryption, data regions and data access controls.
In fact, Google Workspace already uses the latest cryptographic standards to encrypt all data stored so-called “at rest” and in transit between its facilities. The recommendations of the European Data Protection Board (EDPB) include encryption among the additional protection measures. Workspace, a suite of cloud-based productivity tools and software, currently guarantees client-side encryption, complete privacy and control over their data. This allows users to hold encryption keys on-premises, within a country’s borders, or within any other boundaries they define. Google specifies that it never has access to the keys or to the keyholders, which means that the stored information is indecipherable for the firm and the latter adds that it has “no technical capacity to access it”.
Increased means of control for customers
Javier Soltero, General Manager and Vice President of Google Workspace, explains that “Enterprises can choose to use client-side encryption across the board for all their users, or create rules that apply to specific users, units organizational or specific shared drives”. Client-side encryption is now available for Google Drive, Docs, Sheets, and Slides, with plans to expand this feature to Gmail, Google Calendar, and Meet by the end of 2022.
Google Workspace notably offers a dashboard to manage user accounts and strengthen data protection. (Credit: Google)
In addition, Google plans to increase controls over data location. Data regions currently allow customers to control their storage location, with a choice of US or Europe. By the end of 2023, a series of additional measures will be implemented, enabling customers to: restrict and/or approve access to Google Support through access approvals, limit customer support to EU-based support staff through access management, ensure around-the-clock support from Google engineering staff, when needed, through remote virtual desktop infrastructure. Finally, it will be possible for users to generate comprehensive log reports on data access and actions thanks to access transparency.
A step towards digital sovereignty?
“Sovereign Controls for Google Workspace will ensure digital sovereignty through a comprehensive set of capabilities for organizations working in and across EU regions,” said Javier Soltero. At the same time, Google Cloud will continue to provide customers with legal mechanisms for international data transfer, including making available the protections offered by the new EU data transfer framework upon implementation. Recall that on April 23, the European Parliament and the Council reached a provisional political agreement on the Digital Services Act (DSA).
“With the Digital Markets Legislation (DMA), the DSA will set standards for years to come for a safer and more open digital space for users, and a level playing field for businesses,” Parliament said. in a press release. The text will need to be technically finalized and verified. Once the procedure is completed, it will enter into force 20 days after its publication in the Official Journal of the EU, and the rules will start applying 15 months later. Furthermore, from May 23 to 27, a delegation from Parliament’s Internal Market Committee is scheduled to visit several company headquarters (Meta, Google, Apple, etc.) in Silicon Valley in order to discuss the legislative package on digital markets and other legislation in preparation.