What THIS "Google Down" put in full view
Google is like the One Ring of Sauron.
On December 14th, for about an hour, the most famous broker of behavioral advertising did not allow the world population to give it monetizable data, due to technical problems.
This is how Paolo Vecchi rightfully described the Google outage that happened three days ago. What is important is what the outage demonstrates.
One Google to authenticate them all
The same article says that Google itself confirmed that the problems with its authentication system, which prevented access to most of its services, were caused by an incorrect configuration of a storage system and not by cyber attacks.
But this confirms, to every European citizen or public school still believing they were using services dedicated to European users, that the credentials of all users of their services are managed by one single authentication platform located in the United States.
Nobody read the small print, of course
The documentation and contracts proposed by Google clearly indicate that personal data “could” be transferred to the United States, but several digitally challenged privacy officers in public institutions, including the Italian Ministry of Education, have promoted services by Google and Microsoft, believing that data and services would remain in Europe.
Given the judgment in the Schrems II case, which invalidated the so-called Privacy Shield Framework, and thus confirmed that the United States does not comply with the minimum measures necessary to protect the personal data of European citizens, [it would seem that] contracts signed with Google, and other Cloud service providers, are void, because they are not compliant with the European General Data Protection Regulation (GDPR).
This fact, continues Vecchi, should have been clear to anyone who has read their contracts, the ruling of the European Court of Justice and the relevant recommendations of the EDPB (European Data Protection Board).
So, what did Europe learn (or should have) on December 14th, 2020?
The authentication problems simultaneously encountered by users all over the world should finally prove to everyone that there is no differentiation in the processing of data between users officially “protected” by regulations like GDPR, and others less fortunate. And it is incredible that the Ministry of Education continues to promote Google products as suitable for schools.
A slightly geekier explanation
(What follows is my synthesis of a discussion of Vecchi’s article that took place on the Italian Nexa mailing list.)
If that outage was an internal storage problem that occurred simultaneously in all Google data centers on the planet (as well as the correction, applied 45 minutes later), this means that all of these storage systems are integrated into one system, with distributed storage but centralized control, and therefore access.
In that case, the place where the data is physically stored becomes irrelevant: wherever the bits are, they remain completely accessible from the United States, that is, also by the US government.
Until the outage, Google could have denied this, and the Italian Data Protection Authority could have pretended to believe it.
This is not possible anymore.
Now, it is no longer possible to pretend that Google Ireland is independent of Google LLC, because they share the same logical storage. And it is clear that Google has been violating the GDPR, despite the Schrems II ruling.