Google Cloud’s Data Center in KSA raises data privacy concerns in the region

In a decision to expand their global network with new cloud regions, Google announced in December 2020 that Google Cloud will deploy and operate a Cloud region in the Kingdom of Saudi Arabia (KSA). This decision is a result of an agreement between Aramco (Saudi Petroleum giant) and Google, after two years of discussions. They issued an initial memorandum of understanding in 2018. Aramco will facilitate Google Cloud Data Center’s establishment in KSA while a new company forms to supply cloud solutions and services to enterprises in the region. 

The project raises serious privacy concerns due to Saudi Arabia’s poor human rights record and its lack of strong data protection legislation that meets international standards. 

The demand for cloud computing is on the rise in the Middle East and North Africa (MENA) region thanks to an increase in smartphone and internet usage. The coronavirus pandemic, which led to a surge in distance learning and in the number of people working from home, has further pushed the need for cloud computing. And with that, legislation for cloud computing is also on the rise in the region. For example, Saudi Arabia adopted a framework to regulate cloud computing in 2018. Bahrain issued its cloud computing law in 2018, and Qatar in 2016.

This increase in demand is attractive to cloud providers seeking to expand in the region, specifically in promising markets like Saudi Arabia, where the cloud computing market size is expected to amount to 10 billion USD by 2030.

Such expansion, however, presents multiple risks for human rights and privacy, as evidenced by Google’s cloud project in Saudi Arabia, where the tech giant is failing to take seriously the multiple human rights concerns related to the autocratic Kingdom and the potential implications of its cloud operations there.

KSA’s poor human rights record in recent years includes the following abuses:

  • The extrajudicial killing of dissident Jamal Khashoggi by agents of the Saudi government. The killing was ordered by Crown Prince Mohammed Bin Salman.
  • Detention and torture of women’s rights activists.
  • Unlawful surveillance targeting dissidents and critics, including the use of spyware to monitor the activities and communications of activists and dissidents, and an espionage campaign targeting around 6000 Twitter accounts between late 2014 and early 2015, including accounts of Omar Abdulaziz, a dissident journalist close to Khashoggi.
  • Silencing opponents and human rights activists, including through arrests and prosecutions.

The company has not been transparent with the public and its users about any measures it took to assess and address potential human rights risks from its cloud operations in Saudi Arabia.

This lack of transparency reflects Google’s poor performance on human rights due diligence in the 2020 Ranking Digital Rights Corporate Accountability Index. The company lacked evidence of conducting robust human rights due diligence and impact assessments on important aspects of its operations.

After receiving an open letter from Access Now about its KSA cloud project, Google answered that “an independent human rights assessment was conducted for the Google Cloud Region in Saudi Arabia, and Google took steps to address matters identified as part of that review.”

This response is unsatisfactory as it remains unclear what measures Google took to address the identified risks. 

Moreover, the user community deserves to hear from Google, a founding member of the Global Network Initiative (GNI, an initiative that helps companies respect freedom of expression and privacy rights when faced with pressure from governments to hand over data, remove content or restrict communications), about whether the company can meet its GNI commitments while operating in KSA.

What’s also concerning about Google’s cloud region plans in Saudi Arabia is the lack of a strong data protection framework in the country.

While Saudi Arabia has a cloud computing regulatory framework, it still lacks comprehensive data protection legislation that affords strong data privacy protections to users. In addition, while the cloud computing framework meets internationally recognized standards in certain respects, it also contains problematic provisions.

Under KSA’s Cloud Computing Regulatory Framework, cloud service providers “exercising direct or effective control over data centers or other critical cloud system infrastructure” hosted in the country must all be registered with Saudi Arabia’s telecommunications regulator, the Communications & Information Technology Commission (CITC).

This Framework includes some provisions that are in line with international standards and the European GDPR, such as security breach notification, while others are specific to KSA and could constitute a threat to data privacy.

For example, cloud service providers must disclose to the CITC the locations and main features of their data centers in Saudi Arabia and the foreign countries in which they would process the data from Saudi-based cloud customers. Also, if any of their customers’ content on their cloud systems could violate the Anti-Cyber Crime Law of 2007, they are required to remove or block any unlawful or infringing content when directed to do so by the CITC (or other relevant authority). The draconian law criminalizes peaceful speech under vague and broad provisions.

The data accessible in Saudi Arabia through Google Cloud’s data center, coupled with the country’s poor human rights record, is a huge point of concern. The level of risk for human rights would depend on what kind of businesses will have the data of their clients and users hosted in KSA, but it could constitute a higher risk for social media and email service providers.

We, at SMEX, sent questions directly to Google asking about the fate of our data within the new data center in KSA. Google has still not responded to our questions. In our unanswered correspondence with the company, we expressed our concerns about which data protection policy will apply to data hosted in KSA, which Saudi parties will have access to the data, the circumstances under which Google may share data with the authorities, what kind of encryption will be used to encrypt the data, and what measures (if any) the company has in place to address any potential abuse from the Saudi government.

On a more technical level, we ask ourselves, will all the Middle East’s data be stored in KSA’s data center? 

In a cloud, data is your data, but not really. This is subject to many criteria. Data is somewhere and everywhere at the same time, and we can’t know for sure where our data is located, since a cloud provider can apply redundancy schemes across its various data centers. For example, your data could be in Saudi Arabia and backed up in Europe, and vice versa.

So data is stored and duplicated all over the place, and usually, data is saved on the nearest data center, so in the case of the Google Cloud data center in KSA, most of the MENA cloud customers’ data will end up in the KSA center. The European data being stored in the KSA raises questions when it comes to the GDPR. 

What about data governance? The data is subject to the law of the geographical hosting country. For example, data held in the EU is subject to the European General Data Protection Regulation (GDPR). The lack of data transparency makes it very complicated to locate our data, its backups and the metadata that could be stored, and to know who owns it and how it’s being used and capitalized on. Depending on each country’s laws and regulations, data can be accessible to different third parties (such as to law enforcement under the U.S. Patriot Act). Data locality in the cloud is extremely unclear, and the ambiguous and instantaneous nature of this data flow across borders can make privacy laws difficult to enforce.

When it comes to ownership, we own our data but the Cloud service provider and the physical container of our data have the ultimate control over it. Our control over our data is limited and data theft/misuse is a continuous threat. Cloud computing is a shared environment so it uses shared resources and infrastructure. In the Google Cloud Saudi case, the infrastructure will be shared with Aramco. The data may face a risk of disclosure or unauthorized access. 

In conclusion, it is still unclear to us what will be stored on the KSA Google Cloud data center. The current policies of Google on government requests for user data state compliance under “appropriate laws”. The appropriate laws could be forced on Google Cloud in case they go on with their plan of building a center in KSA and could jeopardize privacy for the citizens and residents of the whole region, especially with a regime as oppressive as the Saudi government. 

We call on Google to act responsibly and implement the following: 

  • Take a step back from establishing and operating a cloud region in the Kingdom of Saudi Arabia due to its poor human rights record and potential risks for users’ privacy and rights as explained above. 


Marianne Rahme

Marianne is a legal researcher in digital law. She joined SMEX as Head of the Legal Unit in 2020. Her research primarily focuses on the intersectionality of law and technology. Marianne holds an LLB in public law from the Saint Joseph University of Beirut. She is currently pursuing a Master’s in Digital Law, e-Governments and Open Governments at the University of Paris 1.