Android: our commitment to the GDPR for enterprise and education deployments

The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last 20 years. It replaces the 1995 EU Data Protection Directive, strengthening the rights that individuals have over their data and seeking to unify data protection laws across Europe. In a recent blog post, Google has already publicly committed to comply with the GDPR for all products offered in Europe.

GDPR compliance is especially important to our enterprise and education customers because they may have obligations to their employees and students respectively. Our enterprise and education customers can count on Google’s GDPR compliance efforts across Android. Ahead of the May 25 deadline, we are making important updates to our contractual commitments to customers and partners that directly address GDPR requirements, together with corresponding product changes.

Our stance

The GDPR defines a data controller as the party that determines the purposes and means of processing personal data, and a data processor as the party that processes personal data on behalf of, and only on the instructions of, a data controller. We’re clarifying Google’s role as data processor, with corresponding contractual commitments, for the enterprise/education-specific services of an Android deployment, and as data controller for others. Here’s a summary:

For the Android Operating System itself, insofar as it is executed exclusively within the mobile device, Google does not receive any data.

Services for which Google will be Data Controller

  • Google Play Services is bundled with most (but not all) Android devices. Google Play Services offers APIs and security services to the Android developer ecosystem. An example is Google Play Protect, which helps keep the Android ecosystem safe from malware. Google acts as a data controller for any personal data processed in Google Play Services, and offers user notices and consents about our use of personal data in the service’s user interface in Android.
  • Google apps on Android: Apps built by Google, whether included with Android in the factory image or installed from the Google Play Store, are each separately subject to terms and conditions. Typically these are Google’s Terms of Service and Privacy Policy, accepted by the individual user, but each app may have additional terms. This model is similar to how users contract with third party app developers for the use of apps installed from the Google Play Store.

Services for which Google will be Data Processor

  • For managed Google Play and the Android Management API, Google will act as a data processor. Data processing clauses will be added to the terms governing these products in the coming months. Strong data protection commitments between service providers and customers are fundamental to compliance. Our data processing terms for managed Google Play, specifically written with GDPR in mind, will clearly articulate our privacy commitments to customers.

Data export: The GDPR includes certain requirements for the export of personal data. Managed Google Play and the Android Management API give organizations access, at any time and through those services’ APIs, to the data they provide via these services. Apps and services provided by Google as a data controller will support data portability for end users directly where required.

Incident notifications: When we publish the new terms, including data processing clauses, they will include contractual obligations around incident notification. We have and will continue to invest in our security, incident response, threat detection and prevention capabilities to enable these notifications.

Recommendations

As a current or future customer or partner of Android, now is a great time for you to begin preparing for the GDPR. Consider the following:

  • Familiarize yourself with the provisions of the new regulation, particularly how they may differ from your current data protection obligations. Be aware that the new requirements may necessitate new agreements with service providers, or completely new solutions, to meet the stringent requirements ahead.
  • How does your organization ensure user transparency and control around data use?
  • Are you sure that your organization has the right consents in place where these are needed under the GDPR?
  • Does your organization have the right systems to record user preferences and consents?
  • How might you demonstrate to regulators and partners that you meet the principles of the GDPR and are an accountable organization?

What’s next

The Android team is working to make the necessary changes, and will collaborate closely with our customers, partners and regulatory authorities throughout this process. We have a global team of regulatory compliance specialists, product managers, engineers, counsel and public policy specialists who continue to carefully monitor GDPR implementation guidance, and will update our contractual commitments accordingly. We’ll make our updated terms of service available to our customers soon. We’re also producing additional materials to assist customers with their due diligence efforts as they prepare for GDPR.