Google has agreed to major privacy improvements for its Google Workspace for Education services for schools and universities in the Netherlands. After intense negotiations with representatives of the schools and higher education institutions in the Netherlands, Google has agreed to mitigate the high data protection risks resulting from the use of Google Workspace for Education. These risks were identified in a DPIA conducted by Privacy Company for two universities.
Thanks to the positive outcome of the negotiations, possible enforcement by the Dutch Data Protection Authority was averted. In response to a request for advice from SIVON and SURF, cooperatives that assist schools and higher education institutions with IT procurement, the Dutch DPA warned schools and advised the two responsible Ministers of Education on 31 May 2021 to stop using Google Workspace before the start of the new school year if the problems could not be solved.
In the Netherlands, 52% of primary schools and 36% of secondary schools use Google Workspace, as well as some faculties at 4 of the 14 universities, and 4 of the 36 government-funded universities of applied sciences, according to questionnaires from SURF and SIVON. In practice, this advice from the Dutch DPA would have required schools and their admins, already overstressed due to an intense year of online teaching, to switch to new software over their summer holiday.
Google will mitigate the risks through a number of measures. The risks will be mitigated for both the free (Fundamental) and the paid (Standard and Plus) versions of the services. The only two privacy-relevant differences between the free and the paid versions are that paying customers can choose to store content data for certain core services in data centres in the EU, and have access to more security features, such as device management. In parallel, negotiations were conducted by the supplier management office for the Dutch central government (SLM Rijk).
Google’s contractual, organizational and technical measures to lower the 8 high data protection risks are described in detail in the Update DPIA report for SURF and SIVON and summarised in a table at the end of the Update report. Four highlights are:
1. Google has agreed to act as data processor for the Diagnostic Data about the individual use of the services. In its role as data processor, Google may only process the personal data for the three (fixed) purposes authorised by the schools and universities, instead of the current 17 dynamic purposes. Google will only process Customer Personal Data and the Google Account Data in the Core Services as data processor, for the three purposes mentioned below, and only when necessary:
1. to provide, maintain and improve the Services and Technical Support Services subscribed to by Customer;
2. to identify, address and fix security threats, risks, bugs and other anomalies;
3. to develop, deliver and install updates to the Services subscribed to by Customer (including new functionality related to the Services subscribed to by Customer).
This improvement lowers three of the high known data protection risks:
(i) loss of control over the Diagnostic Data, because Google’s purposes were unspecific and vague, and could be changed anytime,
(ii) lack of purpose limitation of the Diagnostic Data, because schools and universities could not instruct Google to only process for purposes they allowed, plus Google reserved the right to ask pupils and students for consent for unknown new purposes;
(iii) the lack of a legal ground, because schools cannot obtain valid freely given consent from the (parents of the) children, and prior to the negotiations, legally the schools and universities were joint controllers with Google, but neither Google nor the institutions could base the data processing on a different legal ground from consent.
The full adaptation of the data processor role requires significant technical and organizational changes to Google’s systems and processes and can therefore not be implemented overnight. However, the high risks will be mitigated before the start of the new school year.
2. Until Google offers a processor version of the Chromebooks and the Chrome browser, schools and universities can take risk-mitigating technical measures as listed at the end of this blog post. That Google will develop a processor version is an important commitment, in particular for primary schools in the Netherlands, as many of them use Chromebooks in school, and many parents have bought Chromebooks at home during the pandemic. As data controller, Google permits itself to process the personal data processed on the Chromebook and collected through the browser about the web surfing behaviour of children, students and teachers for 33 broad commercial purposes, including many marketing purposes, behavioural advertising, business development and research.
3. Google remains a data controller for the services it calls Additional Services, such as YouTube, Search, Scholar, Photos and Maps. As mentioned above, as data controller Google permits itself to process the personal data for 33 broad commercial purposes. Google does protect children and students when they use Search: they are automatically signed out when they visit Search while logged in with their Google Workspace for Education account. This means Google treats those data as if they were from an anonymous user, and Google cannot use the data for behavioural advertising. Unfortunately, Google does not offer this privacy-protective measure for YouTube, Photos, Scholar or Maps. That is why schools and universities must use the option to technically prohibit end users from accessing the Additional Services. Children and students can still use Search after such blocking, but if they want to use other Additional Services, they have to create a separate (private) Google account. Schools can only continue to use YouTube if they embed selected videos in the Core Services, such as Classroom or Slides. Google confirmed that any cookies in such embedded videos will comply with the agreed measures by the beginning of the new school year at the latest.
4. Google has agreed to become more transparent. Google will publish significantly more documentation about the different kinds of personal data it collects about the individual use of its services (the Diagnostic Data), develop a data inspection tool for admins to compare the documentation with the data actually stored by Google, make it easier for system administrators to comply with data subject access requests from pupils and students and provide detailed information about the subprocessors for the Diagnostic Data.
Google has agreed to a much longer list of detailed measures. These are described in detail in the Update DPIA report. Together these measures mitigate all known high privacy risks identified in the original DPIA, but only if schools and universities sign up for the contract with the new privacy amendment, implement the recommended (technical and organisational) measures at the end of this blog post, and assess if there are specific additional risks related to their type of school and deployment.
The original DPIA was completed in June 2020, and updated in March 2021 after a first round of negotiations with Google. These negotiations only led to the mitigation of 2 of the 10 identified high risks. Because of these remaining high risks, SURF and SIVON requested advice from the Dutch DPA. See the previous blog about this topic: Privacy assessment Google Workspace (G Suite) Enterprise: Dutch government consults Dutch Data Protection Authority on high privacy risks. Google has since renamed these services to Workspace for Education Fundamentals (the free of charge version) and the paid versions Workspace for Education Standard and Workspace for Education Plus.
The Dutch DPA advises the schools and the two Ministers of Education to take a number of measures, including assessing the specific risks for children. This group of data subjects was not part of the original DPIA (for the two universities), but as the Dutch DPA notes, careful analysis of the specific risks for children is required, as well as the impact these risks have on children of different ages. The Update DPIA report contains a separate section about the risks for three age groups of children in more detail (ages 6-9, 9-12 and 13-16), and describes how schools and universities can mitigate the remaining risks.
The Dutch DPA emphasises that schools have their own DPIA obligation. It is not sufficient for them to refer to the initial DPIA for the two universities and the analysis in the Update report. Every school and university is responsible, and can be held accountable, for evaluating possible additional risks for the rights and freedoms of the pupils/students and employees, and for determining if the factual use of Workspace for Education is GDPR-compliant. SURF and SIVON have developed tools for the educational institutions to help them comply with this obligation.
In principle, the measures listed below should be taken by system administrators of both schools and universities. The term ‘schools’ includes schools in primary and secondary education in the Netherlands, including special schools. Google uses the US American term K-12, with which Google defines schools with pupils under 18. When the recommended measures differ, for example because Google uses some more privacy friendly settings in the K-12 version of Workspace for Education, the responsibility is allocated by underlining the word ‘schools’ or ‘universities’.
Chromebooks and Chrome browser
Control over subprocessors
Risks with regard to data transfer to the USA