Is it important to "opt in" to G Suite's DPA 2.0?

SteveMcLeod · October 12, 2017, 8:46am

I received a long confusing email from Google today, as did some of you, I guess, if your company is in the EU or Switzerland. The email subject is

[ACTION REQUIRED] Rollout of Data Processing Amendment version 2.0 to reflect the GDPR

Basically it is telling me I must “opt in” to something by some date. But nowhere does it tell me the consequences of not opting in.

Does anyone who received the same email understand the consequences of opting in and not opting in? (I’d ask Google but naturally the email was sent from a “no-reply” address.)

RaimisJ · October 12, 2017, 10:10am

In the email, the following line explains how to get help - “If you have any questions or require assistance, please contact Cloud Data Protection Team.”

As I understand, this is not something Google thought about, it is a directive from EU regarding data protection. So if you won’t “opt in”, you face legal consequences of not meeting this directive as per EU laws.

Anyway, it is best to contact Google about this to clarify that if you really interested.

SteveMcLeod · October 12, 2017, 10:27am

I’ve been conditioned by past experience to expect only an unhelpful template response from any Google support link. I’ll try emailing them now anyway.

Benjamin_Eberlei · October 12, 2017, 9:46pm

The new EU data protection law will go into effect in June 2018, and that means as a company you have to have some kind of data agreement with every company you send personal data too. Google being a non-EU company could either go the EU Privacy Shield way, or as they do, with a special agreement on their own. You must accept it not for Google, but for yourself.

Benjamin_Eberlei · October 13, 2017, 12:24pm

I found a post explaining it a bit roughly by the telegraph: http://www.telegraph.co.uk/connect/small-business/business-networks/bt/data-protection-laws-changing/

Its important to mention that this affects U.S. bootstrappers as well, if they sell to EU customers you really must look into joining the EU Privacy Shield. I had to quit using 2 services in exchange for alternatives with Privacy shield in preparation.

SteveMcLeod · October 13, 2017, 1:27pm

Thanks for finding that. It led me to this helpful PDF prepared by British Telecom explaining how the law affects small and medium enterprises: http://images.connect2.globalservices.bt.com/Web/BTGlobalServices/{9c182b74-4ea8-499e-86ad-9fea3abeb45e}_dealing-with-new-eu-data-protection-regulation.pdf

As a consumer in the EU, I’m very much in favour of this new law.

As a SaaS owner in the EU, I’m sighing deeply. I’m disheartened at the potential increase in work and processes.

asandvig · October 13, 2017, 4:01pm

It’s not a required that a service provider is Privcay Shield-certified, only that they follow the EU/EEC laws and regulations.

You can be compliant by having a privacy policy available on your website detailing how you collect personal information, what information you collect, why you collect it and how you use it. Of course, you must also actually treat the information you collect and store according to the laws (and your privcacy policy).

However, in order for you (or your company) to be compliant, your vendors must also be compliant. If they are not Privacy Shield-certified, you must have a (written) agreement with the provider that they will treat the data you store with them in compliance with the EU/EEC privacy laws. For example, Linode is not certified, but they do offer a custom EU contract for customers who ask for it.

Regardless of GDPR, if you are collecting and storing any personal information from EU/EEC citizens, you already need to be compliant with the EU/EEC laws. For example, if you are logging the IP addresses of your website visitors, this is considered personal information by the EU.

Side note
Unfortunately, I had to read up on these laws recently as I realized I had to create a complete privacy policy for my (static) web site simply because I had a contact form and my web server was logging IP addresses, and when GDPR hits, I actually have to add a “I accept that you collect and store this information according to your privacy policy” check-box on my contact form (which can not be checked by default).

Benjamin_Eberlei · October 13, 2017, 9:26pm

Yes, but privacy shield is a framework that shows you follow EU law: I would image if you do your own thing, then i need to hire a lawyer that checks your privacy policy. Google has its own policy (topic of this thread), but that is verified by many other users. The privacy policy of your small website or service is not. My lawyer explicitly discouraged me to use non privacy shield services.

unboot · October 16, 2017, 10:06pm

I find it a bit ironic that US companies can easily get a “self-certified” Privacy Shield, whereas (small) companies in the EU can’t. As I understand it is much easier to self certify than actually following all the rules in the EU.
As I run an EU company, I see that as an institutionalized competitive advantage for US companies.
My view is, as EU you should either require the same rules for all companies operating/selling in the EU, or don’t make up these rules. (BTW as a citizen I’m happy that the rules exist, and I’d wish that all companies would follow them).

asandvig · November 2, 2017, 8:23pm

If you’re a EU company, why would you need/want to be Privacy Shield-certified? Privacy Shield is meant for non-EU companies. As a EU company you have to follow the EU laws and regulations anyway…

unboot · November 3, 2017, 11:50am

@asandvig
Yes I completely understand that Privacy Shield is for US companies. I also understand that as an EU company I have to follow EU laws and regulations.

The shame is that US companies (which do business in the EU) can get around the EU laws by getting Privacy Shield self-certified. Privacy Shield is a much easier process, and there seems to be no real enforcement. Seen this way, through Privacy Shield, the EU is giving a competitive advantage to US companies.