Google Undergoes a Data Protection Change

September 22, 2021

If you use Google to support your business (who doesn’t?!) you’ve probably received a notification from them that explains they’ll be making some changes. We totally get the terminology in the email may make you want to A) press delete B) wonder what they’re actually talking about and if it’ll really impact you.

So we thought we’d help out!

Why did you get the email?

You’re an existing Google customer based in either the European Union or the United Kingdom. As part of the services Google provide to you, there’ll be personal data going back and forth between different countries. The rules for these transfers were updated recently, which means Google also needs to update their contractual terms.

What is Google saying?

Whenever an organisation sends or receives people’s information from different territories, European and UK law says you need to have certain safety mechanisms in place to make sure that the information is getting the same (or at least similar) legal protection. This is regardless of the country the information lands in.

The safety mechanism you are required to have depends on which countries the information is being transferred between. One of these mechanisms is the Standard Contractual Clauses (known lovingly to those in data protection as SCCs). These are template clauses that you’re not allowed to change, other than to input your business details and what information you’ll be sending and what it is used for. You’ll usually see them added as an appendix or schedule to a main agreement.

Since Brexit, there are two versions of the SCCs – the European SCCs and the UK SCCs. The European ones were recently updated and there is a cut-off deadline to switch from the old version to the new version. Here is a blog on the most recent update to the SCCs if you’re interested!

Technically, if you’re already signed up to Google terms, neither yourself or Google need to sign up the new version until 27 December 2022. However, Google is being very proactive and asking their customers to agree to the new version by the 27 September 2021 (which is the deadline for any new contractual relationships which require the parties involved to transfer personal data internationally*).

Anything for you to do?

Even if you don’t accept in the meantime, all Google customers will be signed up their new terms by 27 October 2021 regardless. So you don’t really need to do anything immediately, but this might be a useful prompt to start thinking about any other international data transfers. E.g., do you have the safety mechanism in place for them?

Not sure where to start? We're on hand to help.

*you don’t always need the SCCs for this – but let’s not get bogged down by that right now. Check out our EU SCCs flowchart if you’d like to know more!

 We’re the experts in getting data on your good side. Find out more about our data protection offering here.

Receive our insights directly to your inbox by signing up to our newsletter

Recommended content