Google mitigates 8 high privacy risks for Workspace for Education

Google has agreed to major privacy improvements for its Google Workspace for Education services for schools and universities in the Netherlands. After intense negotiations with representatives of the schools and higher education institutions in the Netherlands, Google has agreed to mitigate the high data protection risks resulting from the use of Google Workspace for Education. These risks were identified in a DPIA conducted by Privacy Company for two universities.

Thanks to the positive outcome of the negotiations, possible enforcement by the Dutch Data Protection Authority was averted. In response to a request for advice from SIVON and SURF, cooperatives that assist schools and higher education institutions with IT procurement, the Dutch DPA warned schools and advised the two responsible Ministers of Education on 31 May 2021 to stop using Google Workspace before the start of the new school year if the problems could not be solved.

Majority of primary schools use Google Workspace

In the Netherlands, 52% of primary schools and 36% of secondary schools use Google Workspace, as well as some faculties at 4 of the 14 universities, and 4 of the 36 government-funded universities of applied sciences, according to questionnaires from SURF and SIVON. In practice, this advice from the Dutch DPA would have required schools and their admins, already overstressed due to an intense year of online teaching, to switch to new software over their summer holiday.

Google will mitigate the risks through a number of measures. The risks will be mitigated for both the free (Fundamental) and the paid (Standard and Plus) versions of the services. The only two privacy-relevant differences between the free and the paid versions are that paying customers can choose to store content data for certain core services in data centres in the EU, and have access to more security features, such as device management. In parallel, negotiations were conducted by the supplier management office for the Dutch central government (SLM Rijk).

Mitigating measures Google

Google’s contractual, organizational and technical measures to lower the 8 high data protection risks are described in detail in the Update DPIA report for SURF and SIVON and summarised in a table at the end of the Update report. Four highlights are:

1. Google has agreed to act as data processor for the Diagnostic Data about the individual use of the services. In its role as data processor, Google may only process the personal data for the three (fixed) purposes authorised by the schools and universities, instead of the current 17 dynamic purposes. Google will only process Customer Personal Data and the Google Account Data in the Core Services as data processor, for the three purposes mentioned below, and only when necessary:

   1. to provide, maintain and improve the Services and Technical Support Services subscribed to by Customer;

   2. to identify, address and fix security threats, risks, bugs and other anomalies;

   3. to develop, deliver and install updates to the Services subscribed to by Customer (including new functionality related to the Services subscribed to by Customer).

This improvement lowers three of the high known data protection risks: 

(i) loss of control over the Diagnostic Data, because Google’s purposes were unspecific and vague, and could be changed anytime, 

(ii) lack of purpose limitation of the Diagnostic Data, because schools and universities could not instruct Google to only process for purposes they allowed, plus Google reserved the right to ask pupils and students for consent for unknown new purposes;

(iii) the lack of a legal ground, because schools cannot obtain valid freely given consent from the (parents of the) children, and prior to the negotiations, legally the schools and universities were joint controllers with Google, but neither Google nor the institutions could base the data processing on a different legal ground from consent.

The full adaptation of the data processor role requires significant technical and organizational changes to Google’s systems and processes and can therefore not be implemented overnight. However, the high risks will be mitigated before the start of the new school year.

2. Until Google offers a processor version of the Chromebooks and the Chrome browser, schools and universities can take risk-mitigating technical measures as listed at the end of this blog post. That Google will develop a processor version is an important commitment, in particular for primary schools in the Netherlands, as many of them use Chromebooks in school, and many parents have bought Chromebooks at home during the pandemic. As data controller, Google permits itself to process the personal data processed on the Chromebook and collected through the browser about the web surfing behaviour of children, students and teachers for 33 broad commercial purposes, including many marketing purposes, behavioural advertising, business development and research.

3. Google remains a data controller for the services it calls Additional Services, such as YouTube, Search, Scholar, Photos and Maps. As mentioned above, as a data controller Google permits itself to process the personal data for 33 broad commercial purposes. Google does protect children and students when they use Search: they are automatically signed out when they visit Search while logged in with their Google Workspace for Education account. This means Google treats those data as if they were from an anonymous user, and Google cannot use the data for behavioural advertising. Unfortunately, Google does not offer this privacy protective measure for YouTube, Photos, Scholar or Maps. That is why schools and universities must use the option to technically prohibit end users from accessing the Additional Services. Children and students can still use Search after such blocking, but if they want to use other Additional Services, they have to create a separate (private) Google account. Schools can only continue to use YouTube if they embed selected videos in the Core Services, such as Classroom or Slides. Google confirmed that any cookies in such embedded videos will comply with the agreed measures by the beginning of the new school year at the latest.

4. Google has agreed to become more transparent. Google will publish significantly more documentation about the different kinds of personal data it collects about the individual use of its services (the Diagnostic Data), develop a data inspection tool for admins to compare the documentation with the data actually stored by Google, make it easier for system administrators to comply with data subject access requests from pupils and students and provide detailed information about the subprocessors for the Diagnostic Data.

Google has agreed to a much longer list of detailed measures. These are described in detail in the Update DPIA report. Together these measures mitigate all known high privacy risks identified in the original DPIA, but only if schools and universities sign up for the contract with the new privacy amendment, implement the recommended (technical and organisational) measures at the end of this blog post, and assess if there are specific additional risks related to their type of school and deployment.

Advice Dutch DPA

The original DPIA was completed in June 2020, and updated in March 2021 after a first round of negotiations with Google. These negotiations only led to the mitigation of 2 of the 10 identified high risks. Because of these remaining high risks, SURF and SIVON requested advice from the Dutch DPA. See the previous blog about this topic: Privacy assessment Google Workspace (G Suite) Enterprise : Dutch government consults Dutch Data Protection Authority on high privacy risks. Google has since renamed these services to Workspace for Education Fundamentals (the free of charge version) and the paid versions Workspace for Education Standard and Workspace for Education Plus.

The Dutch DPA advises the schools and the two Ministers of Education to take a number of measures, including assessing the specific risks for children. This group of data subjects was not part of the original DPIA (for the two universities), but as the Dutch DPA notes, careful analysis of the specific risks for children is required, as well as the impact these risks have on children of different ages. The Update DPIA report contains a separate section about the risks for three age groups of children in more detail (ages 6-9, 9-12 and 13-16), and describes how schools and universities can mitigate the remaining risks.

Schools must conduct their own DPIAs

The Dutch DPA emphasises that schools have their own DPIA obligation. A reference to the initial DPIA for the two universities and the analysis in the Update report does not suffice. Every school and university is responsible, and can be held accountable, for evaluating possible additional risks for the rights and freedoms of the pupils/students and employees, and for determining if the factual use of Workspace for Education is GDPR-compliant. SURF and SIVON have developed tools for the educational institutions to help them comply with this obligation.

Checklist: Risk mitigating measures for admins of schools and universities

In principle, the measures listed below should be taken by system administrators of both schools and universities. The term ‘schools’ includes schools in primary and secondary education in the Netherlands, including special schools. Google uses the US American term K-12, with which Google defines schools with pupils under 18. When the recommended measures differ, for example because Google uses some more privacy friendly settings in the K-12 version of Workspace for Education, the responsibility is allocated by underlining the word ‘schools’ or ‘universities’.

General requirements

  • Accept the new privacy amendment in the contract with Google (through a supplier).
  • All customers of Google Workspace for Education should determine if they wish to self-qualify as K-12, and benefit from the more privacy friendly defaults, or use the standard offering for Workspace for Education.
  • Schools and universities must conduct their own DPIA on the use of Google Workspace services, Chromebooks and the Chrome browser, based on the original DPIA and the Update DPIA for SIVON and SURF.

Purpose limitation

  • Schools should not enable access to Additional Services (disabled by default in K-12) and on managed devices/managed profiles block the simultaneous use of consumer Google accounts in the Workspace environment. This prevents the risk of spill-over of personal Content Data from the school to the consumer environment (and vice versa). When access is blocked, pupils can still use Search with automatic log-out (in SafeSearch mode). 
  • Instruct teachers how to embed YouTube videos in the Core Workspace Services Classroom and Slides rather than using YouTube directly.
  • Universities must disable access to Additional Services, turn off access to new Additional Services when they appear and on managed devices/managed profiles block the simultaneous use of consumer Google accounts in the Workspace environment. Students can continue to use Search when Additional Services are blocked, as this results in automatic log-out. However, if students elect to use Scholar, YouTube or other Additional Services, they have to sign up individually with Google for a consumer account. Google, and not the universities, is responsible for obtaining valid consent from students for the data processing in such private Google accounts.
  • Universities must change the default setting of the Marketplace to prevent access by default by third parties to Customer Data. Pupils from K-12 schools cannot install any apps by default.
  • Universities should encourage students to use incognito mode when using Scholar, to prevent joint responsibility with Google for data processing in the Additional Services and data spillage from the educational to the private consumer environment.
  • Universities should advise students and teachers to turn off Ads personalisation in the Google Account themselves when they use Additional Services (turned off by default in K-12). Consider choosing the K-12 setting to switch off Ads Personalization for all existing and future end users.
  • Warn admins not to use Google Support Services until Google becomes a data processor for the support tickets and attachments. Or (create a policy to) only send anonymised requests.
  • Warn pupils, students and teachers not to use the Feedback forms, or not to include sensitive information and personal data in Feedback forms (to compensate for the lack of a central privacy control).

Transparency

  • Schools must inform pupils and parents that they technically block the use of private Google accounts on school managed devices and profiles, but cannot prevent the use of private Google accounts on private mobile phones. Google, and not the schools, is responsible for obtaining valid consent from children for the data processing in such private Google accounts.
  • Provide high level information to pupils and students about the data processing by Google in Workspace for Education, in particular the privacy risks resulting from the use of Additional Services.
  • Provide end users with information about the spellcheckers included in the Data Protection Implementation Guide.
  • Inform end users that if the profile picture disappears, this means that they have left the privacy protected Workspace for Education environment.
  • Read the Google Workspace for Education Data Protection Implementation Guide.
  • Use the future data inspection tool to compare the documentation in Google’s promised new Help Center Article with the data from this tool. Assess if risks in the DPIA need an update based on the results of the inspection of Diagnostic Data.
  • SURF and SIVON can assess the accuracy of the documentation in an audit together with SLM Rijk. 
  • Access the new audit logs and use the domain wide takeout in response to data subject access requests when available, by 31 December 2022.
  • If a student or pupil complains that the reply to a data subject access request is incomplete, it is up to the Dutch Data Protection Authority to assess whether Google’s arguments are convincing that it cannot identify the user of cookie data, and in other circumstances, can rely on the exceptions in the GDPR to not provide access.

Chromebooks and Chrome browser

  • Until the processor version is available [and has been tested], consider using another default browser (on devices not using ChromeOS).
  • Apply the mitigating measures in the future DPIA on Chromebooks for Education by Privacy Company for SIVON (Fall of 2021). In the meantime, consider using the following central privacy enhancing options in the Google and Chrome Admin console:
      • Disable Google Search as default search provider
      • Disable Diagnostic Data sharing with Google to improve the Chrome OS
      • Disable sharing of Diagnostic Data from apps and websites with Google to suggest new content
      • Require verified access
      • Centrally select the standard security level for Chromebooks (do not allow end users to enable enhanced safe browsing)
      • Prohibit synchronisation of data with the Google account in the Chrome browser (Chrome Sync)
      • Disable data sharing with Google in the Chrome browser to Make searches and browsing better (uploads all visited URLs)
      • Disable data sharing with Google in the Chrome browser through autofill of searches and URLs
      • Disable data sharing with Google to improve features and performance of the Chrome browser
      • Disable data sharing with Google in the Chrome browser through the Enhanced Spellchecker (centrally prohibit users from turning this feature on)
      • Block third party cookies and trackers in the Chrome browser and consider the use of an adblocker
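
Admins who want to verify that the Chrome browser items above are actually enforced can check an exported policy set against the list. The script below is an added example, not part of the DPIA or of Google's documentation: the policy names are Chrome enterprise policies, but their mapping to the checklist items is an assumption, and the input shape (policy name with a value and a level) and the sample data are constructed.

```python
# Added example: audit a Chrome policy set against the browser checklist.
# The mapping of checklist items to policy names is an assumption.

# policy name -> (required value, checklist item it is assumed to cover)
EXPECTED = {
    "SyncDisabled": (True, "Prohibit Chrome Sync"),
    "UrlKeyedAnonymizedDataCollectionEnabled":
        (False, "Make searches and browsing better"),
    "SearchSuggestEnabled": (False, "Autofill of searches and URLs"),
    "MetricsReportingEnabled":
        (False, "Improve features and performance of Chrome"),
    "SpellCheckServiceEnabled": (False, "Enhanced Spellchecker"),
    "BlockThirdPartyCookies": (True, "Block third party cookies"),
    # 1 = standard protection; mandatory level stops users picking enhanced
    "SafeBrowsingProtectionLevel": (1, "Standard security level"),
}


def audit(policies):
    """Return (policy, problem, checklist item) for every deviation."""
    findings = []
    for name, (want, item) in EXPECTED.items():
        entry = policies.get(name)
        if entry is None:
            findings.append((name, "not set", item))
            continue
        value = entry.get("value")
        # Compare types too, so that True is not accepted where 1 is required.
        if type(value) is not type(want) or value != want:
            findings.append(
                (name, f"value is {value!r}, expected {want!r}", item))
        elif entry.get("level") != "mandatory":
            # A recommended policy is only a default the end user can change.
            findings.append((name, "user can override", item))
    return findings


# Constructed sample, not taken from a real deployment.
SAMPLE = {
    "SyncDisabled": {"value": True, "level": "mandatory"},
    "UrlKeyedAnonymizedDataCollectionEnabled":
        {"value": False, "level": "recommended"},
    "SearchSuggestEnabled": {"value": True, "level": "mandatory"},
    "SpellCheckServiceEnabled": {"value": False, "level": "mandatory"},
    "BlockThirdPartyCookies": {"value": True, "level": "mandatory"},
    "SafeBrowsingProtectionLevel": {"value": 2, "level": "mandatory"},
}

if __name__ == "__main__":
    for name, problem, item in audit(SAMPLE):
        print(f"{name}: {problem} ({item})")
```

A setting that is present only at the recommended level is reported as well, because the checklist asks for central enforcement and not for a default the end user can change.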

Control over subprocessors

  • Once available, SURF and SIVON will assess the additional information about the subprocessors and may provide educational institutions with guidelines or recommendations based on the outcome of this review. Educational institutions should monitor and follow this guidance.

Risks with regard to data transfer to the USA

  • Accept Google’s new transfer SCCs once available. Conduct a Data Transfer Impact Assessment with the help of input from the Update DPIA report. Data Protection Officers of the schools and universities may contact the special helpdesk of the Dutch DPA to ask for advice about the use of the new transfer SCCs, if they are unsure if they can accept them, since the GDPR may already apply to Google as importer.
  • Choose data storage in the EU where possible – consider changing to Workspace for Education Standard or Plus.
  • Consider using the newly announced Workspace encryption features for special categories and confidential data in relation to possible high risks, once available.
  • Warn pupils, students and teachers not to use directly identifying or confidential names in file and pathnames of files they work on in Google Workspace, to lower possible high risks of data transfer to the USA.


Published on 8/9/2021 by Sjoera