News

AP advice: Google Workspace in education poses too many risks

The Dutch Personal Data Authority (Autoriteit Persoonsgegevens, AP) has stated that it is unclear whether personal data in Google Workspace (formerly Google Suite for Education) is sufficiently protected.
Videobellen in vergaderzaal

Educational organisations are urging Google to take its social responsibility seriously in order to ensure the privacy of pupils and students and to remove the risks without delay. 

At the beginning of March 2021, SURF and SIVON, also on behalf of the PO/VO/MBO council, Kennisnet, the VH and VSNU, asked the AP for advice about Google Workspace after the concerns they had had with Google up to that point had not been sufficiently addressed. The AP's conclusions confirm that there are currently too many privacy risks associated with the use of Google Workspace. These risks came to light during research commissioned by the University of Groningen (RUG) and the Hogeschool van Amsterdam (HvA) and the DPIA of the Strategic Supplier Management Rijksoverheid (SLM Rijk). The risks lie in the collection of so-called metadata by Google. In this respect, Google considers itself to be a data controller instead of a processor. This means that Google thinks it is allowed to determine for which purpose it collects data and in which way this is done. Google has also included in its privacy agreements that it may unilaterally change the conditions surrounding metadata, without having to ask the user for permission again. According to the AP, it should always be clear what data is involved. If not, this is in conflict with the GDPR. Under the current circumstances, educational institutions may no longer use Google Workspace as of next school year, according to the AP.

 In a letter to the House of Representatives today, the Ministry of Education, Culture and Science said it expects Google to resolve the issues identified before the start of the 2021/2022 school year. SIVON and SURF, together with SLM Rijk, are currently in talks with Google to clarify how Google will implement the necessary adjustments as quickly as possible. We urge Google to take its social responsibility to ensure the privacy of pupils and students seriously and to take immediate action to remove the risks. This responsibility is particularly great in the case of (young) children, because children at this age are insufficiently aware of the privacy risks. 

Consequences for educational institutions

In a reaction to the advice, Google has stated its commitment to the GDPR and its intention to resolve the shortcomings. Until then, we advise educational institutions that are considering starting with Google Workspace to discontinue those plans until further notice, and educational institutions that have a good alternative available to use it. Educational institutions that wish to know what they can do themselves in the short term to improve security should also refer to the article from March on the Kennisnet website

Read more