Special version of Chromebooks for Dutch education sector: no more known high risks

June 28, 2024

Commissioned by the two Dutch collaborative organisations for ICT in education and research (SIVON and SURF), Privacy Company conducted a two-phase investigation into the privacy risks of using Chromebooks in education in 2023. In May 2023, SURF and SIVON negotiated better privacy terms, and in August 2023, Google launched new versions of the Chrome operating system and Chrome browser specifically for Dutch schools and universities. Thereafter, Privacy Company conducted a technical investigation of the data processing. The investigation report shows that Google has taken the agreed measures. If schools take the recommended measures, there are no longer any known high risks for children, students and staff.

We publish this blog about the findings with permission from SIVON and SURF. See the press releases on the websites of SIVON (in Dutch only) and SURF.

Two reports on Chromebooks

In late March 2023, SURF and SIVON reached an agreement with Google on new privacy terms for the use of ChromeOS and the Chrome browser. Privacy Company completed the first report on 29 June 2023, assessing the impact of the new terms on the privacy risks of using the managed Chromebooks. This first report concluded that many high risks had been resolved because Google had become a data processor for many processing operations. Google still had to take a number of technical improvement measures to reduce privacy risks, for example by providing more personal data in reply to a data subject access request, but also, by developing a new version of ChromeOS and the Chrome browser.

In February 2024, Privacy Company completed the second report based on a technical investigation of the data processing in the new (Dutch education) Chrome versions. This report shows that Google has fulfilled its commitments and made it much easier for system administrators to request access to personal data on behalf of a pupil, student or employee. Google has also become more transparent about the nature of data processing, publishing information about the Telemetry events it collects about the individual use of the Chromebooks. System administrators can effectively enforce privacy-friendly settings.

Google has not made commitments on all points, for example when it comes to Google's role for so-called 'Optional Services' such as Google Play and the Chrome Webstore. Educational institutions can ensure that this does not lead to high risks by centrally blocking access to the Optional Services. SURF and SIVON have created detailed manuals for the system administrators of schools and educational institutions. If institutions follow those manuals closely, there are no longer any high risks for Chromebook users. The measures are summarised in a table below.

Privacy Company has also investigated the privacy risks of the use of Google Workspace for Education, including on Chromebooks. SURF and SIVON have negotiated sharp privacy terms with Google for Workspace for Education. Read a summary of the findings in this blog.

Table 1: Resolved high-risks Chromebooks