Android: our commitment to the GDPR for enterprise and education deployments

The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last 20 years. It replaces the 1995 EU Data Protection Directive, strengthening the rights that individuals have over their data and seeking to unify data protection laws across Europe. Google has already publicly committed, in a recent blog post, to comply with the GDPR for all products offered in Europe.

GDPR compliance is especially important to our enterprise and education customers because they may have obligations to their employees and students respectively. Our enterprise and education customers can count on Google’s GDPR compliance efforts across Android. We have made important updates to our contractual commitments to customers and partners that directly address GDPR requirements, together with corresponding product changes.

Our stance

Under the GDPR, a data controller determines the purposes and means of processing personal data, and a data processor processes personal data on behalf of, and only on the instructions of, a data controller. We have clarified Google’s role as data processor, and in certain cases data controller, with corresponding contractual commitments, for the enterprise/education-specific services of an Android deployment. Here’s a summary:

For the Android Operating System itself, in so far as it is executed exclusively within the mobile device, Google does not receive any personal data.

Services for which Google is a Data Controller

  • Google Play Services is bundled with most (but not all) Android devices. Google Play Services offers APIs and security services to the Android developer ecosystem. An example is Google Play Protect, which helps keep the Android ecosystem safe from malware. Google acts as a data controller for any personal data processed in Google Play Services, and offers user notices and consents about our use of personal data in the service’s user interface in Android.
  • Google apps on Android: Apps built by Google, whether included with Android in the factory image or installed from the Google Play Store, are each separately subject to terms and conditions. Typically these are Google’s Terms of Service and Privacy Policy, accepted by the individual user, but each app may have additional terms. This model is similar to how users contract with third party app developers for the use of apps installed from the Google Play Store.
  • Zero-touch enrollment: a quick and easy way to enroll Android devices into fully managed mode through a certified device reseller registering a hardware identifier with Google. The hardware identifier and corresponding management profile applied are processed by Google as a data controller.
  • Android Enterprise Essentials: a lightweight device management service from Google, designed to make it easier for organizations to protect and manage their mobile devices and company data. Device hardware identifiers and associated configuration profile information used for on-device provisioning of Android Enterprise Essentials, and analytics information regarding usage of the Android Enterprise Essentials’ Admin Portal, are processed by Google as a data controller.

Services for which Google is a Data Processor

  • Managed Google Play, the enterprise app store and app management platform.
  • Android Management API, used by some EMMs and developers to manage Android devices.
  • Zero-touch reseller and customer portals, used by administrators to allocate devices and configure management profiles for Zero-touch enrollment. Data about the admin users, and their usage of these consoles, is processed by Google as a data processor.
  • Android Enterprise Essentials: a lightweight device management service from Google, designed to make it easier for organizations to protect and manage their mobile devices and company data. Aside from the Android Enterprise Essentials data for which Google is a controller referenced above, other personal data is processed by Google as a data processor.

A data processing agreement exists for the products above in which Google acts as a data processor. Strong data protection commitments between service providers and customers are fundamental to compliance. Our data processing agreement for managed Google Play, specifically written with GDPR in mind, clearly articulates our privacy commitments to customers.

Data export: The GDPR includes certain requirements for the export of personal data. Managed Google Play and the Android Management API provide organizations with access to the data they provide via these services at any time via their APIs. Apps and services provided by Google as a data controller support data portability for end users directly where required.

Incident notifications: The Managed Google Play Agreement and data processing agreement include contractual obligations around incident notification. We have invested, and will continue to invest, in our security, incident response, threat detection and prevention capabilities to provide these notifications.

Recommendations

As a current or future customer or partner of Android, you need to ensure that your implementation is prepared for the GDPR. Consider the following:

  • Familiarize yourself with the provisions of the regulation, particularly how they may differ from any previous data protection obligations. Be aware that new requirements may require new agreements with service providers or completely new solutions to meet the stringent requirements ahead.
  • How does your organization ensure user transparency and control around data use?
  • Are you sure that your organization has the right consents in place where these are needed under the GDPR?
  • Does your organization have the right systems to record user preferences and consents?
  • How might you demonstrate to regulators and partners that you meet the principles of the GDPR and are an accountable organization?

What’s next

You should ensure that you have reviewed and accepted, as appropriate, the changes to the agreements governing the use of Android Enterprise. You should also provide contact information for a Data Protection Officer (DPO) and EU representative, if your organization is required to do so under the GDPR.

Beyond the enforcement date of 25 May 2018, we have a global team of regulatory compliance specialists, product managers, engineers, counsel and public policy specialists who continue to carefully monitor GDPR implementation guidance, and will update our contractual commitments if needed.