While we’ve enabled people to download data from our services for many years, the GDPR encourages companies to enable direct service-to-service data transfers where feasible, for example from Google Photos to another photo service. To support that aim, we've recently initiated the Data Transfer Project on GitHub, providing early-stage open source code that will, in time, be of use to any developer wanting to offer seamless transfer of data from one service directly into an alternative (or vice versa).

Parental consent and improved tools for children online

Under the new rules, companies must get consent from parents to process their children’s data in certain circumstances. To obtain that consent and to make sure that parents and children have the tools to manage their online experiences, we’re rolling out Family Link—already available in various countries around the world—throughout the EU.

Through Family Link, parents can create a Google Account for their child and are required to provide consent for certain processing of their child’s data. Family Link also allows parents to set certain digital ground rules on their child’s Android device—like approving or blocking apps, keeping an eye on screen time, or remotely locking their child’s device. We plan to evolve Family Link’s functionality over time, working closely with parents and advocacy groups.

Helping our business customers and partners

The GDPR places new obligations on Google, but also on any business providing services to people in the EU. That includes our partners around the globe: advertisers, publishers, developers and cloud customers. We’ve been working with them to prepare for May 25, consulting with regulators, civil society groups, academics, industry groups and others.

For our advertising partners, we’ve clarified how our advertising policies will change when the GDPR takes effect. We already ask publishers to get consent from their users for the use of our ad tech on their sites and apps under existing legislation, but we’ve now updated that requirement in line with GDPR guidance. We’re also working closely with our publisher partners to provide a range of tools to help them gather user consent, and have built a solution for publishers that want to show non-personalized ads, using only contextual information.

For our Google Cloud customers, we’ve updated our data processing terms for G Suite and Google Cloud Platform and provided detailed information to customers about our approach to data portability, data incident notifications, secure infrastructure and third party audits and certifications, among other features. For more information, see this post on Google Cloud.

Strengthening our privacy compliance program

Over the last decade, Google has built a strong global privacy compliance program, taking advice from regulators around the world. Across the company, we have dedicated teams of engineers and compliance experts who work in full-time privacy roles, ensuring that no Google product launches without a comprehensive privacy review. We’ve now further improved our privacy program, enhancing our product launch review processes, and more comprehensively documenting our processing of data, in line with the accountability requirements of the GDPR.

This is a snapshot of things we’ve done to date to be ready for May 25, 2018. But our commitment to compliance with the GDPR, and the rights it gives people, will continue long beyond this date. As we evolve our products over time, we’ll continue to improve our Privacy Program and the protections we offer to users. Our ambition is to have the highest possible standards of data security and privacy, and to put our users and partners in control.