Agreement with Google on privacy risks

Agreement with Google on privacy risks

After intense discussions over the last weeks, agreement has been reached with Google regarding the mitigation of high data protection risks relating to the use of Workspace for Education Plus (previously G Suite Education for Enterprise) and Workspace for Education Fundamentals (the free of charge offering, previously G Suite for Education) by educational institutions in the Netherlands that were identified during a data protection impact assessment (DPIA) carried out in 2020 – 2021. Following the results of this DPIA, SURF and SIVON asked the Dutch Data Protection Authority (Dutch DPA) for advice. In its advice of 31 May, the Dutch DPA instructed that all high data protection risks must be sufficiently mitigated ultimately by the beginning of the school year 2021/2022, or otherwise schools should stop using Workspace for Education.

SURF and SIVON are happy to report that agreement has been reached with Google on an extensive set of contractual, organizational and technical measures. These measures sufficiently mitigate all high risks identified in the DPIA.

Chrome OS, Google Cloud Platform and other Google services

Most of the agreed measures apply only to the core services in Workspace for Education (e.g. Classroom and Gmail). However, Google has committed itself to continue the discussions with SURF and SIVON about other Google services regularly used in the education sector such as Google Cloud Platform and Chrome OS (the operating system for the Chromebooks).

Next steps

In the coming two weeks, SURF and SIVON will continue discussions with Google to finetune the negotiated results and agree upon the way in which existing contracts will be amended or migrated to the new arrangements. Our goal is to finalize these discussions in the first week of August. SURF and SIVON will provide educational institutions with instructions on how they can make sure this amendment applies to their contracts before the beginning of the next school year.

In addition to the measures implemented by Google, mitigation of the high data protection risks requires education institutions to apply the appropriate admin settings and certain organizational measures. SURF and SIVON will provide the necessary documentation for Workspace-administrators to be able to take those measures.

SURF and SIVON will provide the educational institutions with a complete package of all documents and information they need to assess if the use of Workspace for Education (Enterprise) - taking their specific implementation and use of Workspace for Education (Enterprise) into account – adequately implements the protection of personal data in accordance with the GDPR. More news is expected to follow in the first week of August.

SURF and SIVON continue to work with Google

Looking at the risks and issues raised during the DPIA and actions taken or announced by Google, SURF and SIVON can confirm that Google is addressing these topics. Given the importance of the use of Google services in educational institutions, SURF and SIVON will continue to monitor and talk to Google on privacy issues on behalf of the educational sector. For example, a DPIA on Chrome browser and Chrome OS will be carried out and the results will be discussed with Google in a similar way as has been done for Workspace (Enterprise) for Education.

More information

A full list of news items can be found on this page.