Verification research Google Workspace for Education: known high risks resolved

On behalf of the two Dutch collaborative organisations for ICT in education and research (SIVON and SURF),  Privacy Company has investigated the data processing by Google Workspace for Education. New verification research shows that Google has taken the agreed measures. The concurrent Data Transfer Impact Assessment shows that there are also no known high risks resulting from the data transfers to countries outside of the EU, with the exception of videoconferences in which special categories of data exchanged about, for example, illness or faith. If educational institutions take the recommended measures, there are no longer any known high privacy risks for users of the services.

We publish this blog about the findings with permission from SIVON and SURF. See the press releases on the websites of SIVON (in Dutch only) and SURF.

Verification reports

Since July 2021, Google has become a data processor for the Dutch public sector for key personal data processed by Google Workspace (the Core Services). This means, in a nutshell, that Google may only process personal data from and about the use of the services for a list of agreed purposes, when the processing is necessary.

In August 2021, SURF and SIVON published an update DPIA summarising the risks and measures promised by Google. See also this blog by Privacy Company for a summary.

In June 2023, Privacy Company completed the first verification report. This showed that Google had made all agreed privacy improvements, especially by publishing much more information about the personal data Google collects about the use of its cloud services. These metadata are called Diagnostic Data and include the Telemetry Data Google collects via the browsers of end users. Google has also built a viewing tool so that system administrators can see the Telemetry Data.

Transfer risks and DTIA

Two privacy risks remained, related to access to Dutch personal data by Google employees in seven so-called 'third' countries outside of the EU, countries without an adequate data protection level.

SURF and SIVON have analysed these data transfer risks in a separate project with Google. This has resulted in a separate DTIA for the use of the video conferencing tool Meet (one of Workspace's Core Services).

The DTIA analyses the likelihood of foreign government agencies (law enforcement or intelligence services) compelling (or hacking) Google to provide access to data of Dutch public sector organisations. If that were to happen, it could have serious consequences for the affected children, students and employees. The DTIA consists of six tabs, for the six types of personal data that Google processes:

1. Content Data
2. Account Data (such as e-mail address, name and password)
3. Support Data (contacts with the Google helpdesk),
4. Diagnostic Data (on individual use of Workspace, including Telemetry Data)
5. Security data and data related to complaints processed by Google in the USA, and
6. Website Data (such as cookies).

The DTIA concludes that there are no major risks for the transfer of personal data via Meet, because Google has taken all kinds of measures that make the likelihood of occurrence of the risk very low. Google has also explained it has not provided any personal data relating to Dutch public sector users to any government agency in the past two years.

The Dutch central government, through Strategic Supplier Management Microsoft, Google Cloud and Amazon Web Services (SLM Rijk) has commissioned simultaneous DPIAs, and achieved the same results. For more information on this, see:

• Letter to Lower House (in Dutch only)
• DTIA on Google Meet
• Updated verification report Workspace
• New findings verification review Google Workspace Enterprise

Measures schools must take

However, there are still two important measures that educational institutions themselves need to take to reduce transfer risks.

1. Choose to store Content Data in the EU (this requires a paid version of Workspace for Education).
2. If institutions expect users to exchange special categories of personal data via Meet, they should apply Client Side Encryption, with local key management, to completely eliminate the risk of unauthorised access to these data in the 7 third countries.

Other important measures to be taken by Dutch educational institutions are:

• Choose the K-12 (age) setting to benefit from the most privacy-friendly default settings.
• Centrally block access to so-called Additional Services such as YouTube and Search. Google remains an independent data controller for all data processing via these services, and therefore permits itself to process these data for all commercial purposes from its general privacy statement.
• Turn on extra access security on personal data, do not submit help requests outside of EU office hours, and refuse help from Google employees in countries outside the EU.
• Conduct an in-house DPIA on the data processing via Google Workspace, fill in the chosen settings, the specific personal data the institution processes and its own legal grounds, especially in relation to children. The umbrella DPIA and verification reports are a good start, but cannot replace the own responsibility of schools to perform a DPIA. SIVON provides a model DPIA (in Dutch only) to help schools with this exercise.

The complete results (including resolved data transfer risks) have been published in a verification report and in a report new findings. SURF and SIVON also publish useful manuals for system admins, for universities and for schools.

Previous DPIAs and new Chrome investigation

Privacy Company has repeatedly conducted technical and legal investigations in recent years into the personal data Google processes when schools use Google Workspace on mobiles running the iOS and Android operating systems, on Chromebooks running ChromeOS, on Macbooks and on laptops running Windows 10/11. The first DPIAs from 2019/2020 concluded that there were 8 high risks. Following an intervention by the Dutch Data Protection Authority in the spring of 2021, Google agreed to a data processing agreement, and an action plan to have all mitigating measures in place by June 2023.

Privacy Company also investigated the privacy risks of using Chromebooks in education. SURF and SIVON achieved that Google has developed a separate privacy-friendly version of the Chrome operating system for the Dutch education sector. Read a summary of the findings in this blog.