AP advice: Google Workspace in education poses too many risks

The Dutch Personal Data Authority (Autoriteit Persoonsgegevens, AP) has stated that it is unclear whether personal data in Google Workspace (formerly Google Suite for Education) is sufficiently protected.

Educational organisations are urging Google to take its social responsibility seriously in order to ensure the privacy of pupils and students and to remove the risks without delay. 

At the beginning of March 2021, SURF and SIVON, also on behalf of the PO/VO/MBO council, Kennisnet, the VH and VSNU, asked the AP for advice about Google Workspace after the concerns they had had with Google up to that point had not been sufficiently addressed. The AP's conclusions confirm that there are currently too many privacy risks associated with the use of Google Workspace. These risks came to light during research commissioned by the University of Groningen (RUG) and the Hogeschool van Amsterdam (HvA) and the DPIA of the Strategic Supplier Management Rijksoverheid (SLM Rijk). The risks lie in the collection of so-called metadata by Google. In this respect, Google considers itself to be a data controller instead of a processor. This means that Google thinks it is allowed to determine for which purpose it collects data and in which way this is done. Google has also included in its privacy agreements that it may unilaterally change the conditions surrounding metadata, without having to ask the user for permission again. According to the AP, it should always be clear what data is involved. If not, this is in conflict with the GDPR. Under the current circumstances, educational institutions may no longer use Google Workspace as of next school year, according to the AP.

 In a letter to the House of Representatives today, the Ministry of Education, Culture and Science said it expects Google to resolve the issues identified before the start of the 2021/2022 school year. SIVON and SURF, together with SLM Rijk, are currently in talks with Google to clarify how Google will implement the necessary adjustments as quickly as possible. We urge Google to take its social responsibility to ensure the privacy of pupils and students seriously and to take immediate action to remove the risks. This responsibility is particularly great in the case of (young) children, because children at this age are insufficiently aware of the privacy risks. 

Consequences for educational institutions

In a reaction to the advice, Google has stated its commitment to the GDPR and its intention to resolve the shortcomings. Until then, we advise educational institutions that are considering starting with Google Workspace to discontinue those plans until further notice, and educational institutions that have a good alternative available to use it. Educational institutions that wish to know what they can do themselves in the short term to improve security should also refer to the article from March on the Kennisnet website.


Frequently asked questions

What happens if Google doesn't implement the necessary adjustments?

In a response, Google said that it expects to resolve the deficiencies soon. We assume that Google will actually implement these changes now that the Dutch Personal Data Authority (AP) has indicated that the use of Google Workspace is in violation of the General Data Protection Regulation (GDPR).

Should educational institutions stop using Google Workspace immediately?

The conclusion of the AP is that if the ambiguities and risks of using Google Workspace are not removed, Workspace should no longer be used. Google has let it be known that they want to ensure that the problems are resolved in time.

SURF and SIVON are currently in discussion with Google about how they will implement the necessary changes as quickly as possible.

Where to go from here?

Together with SLM Rijk (Ministry of Justice and Security), SIVON and SURF are in talks with Google on behalf of education about the AP's recommendations and how they will implement the necessary changes as soon as possible.

Can I still use the Chromebooks at my school?

A study is currently being conducted on the privacy risks of using Chromebooks. As soon as more is known about this, it will be shared. Should it turn out after negotiations with Google that Google Workspace should no longer be used, then of course Google Workspace should not be used on Chromebooks either.

The AP recommends discontinuing Google Workspace by August 1. How hard is this deadline?

The AP has said that Google Workspace may no longer be used in the new school year if the ambiguities and privacy risks of using Google Workspace are not removed. Educational institutions can continue to use Google Workspace only if Google addresses the privacy issues surrounding it.

What can SURF and SIVON do for us?

It's Google's turn. SURF and SIVON are having talks with Google to clarify as soon as possible whether Google will make the necessary changes. SURF and SIVON are coordinating closely with the sector councils and umbrella organisations. They are also working with Kennisnet on possible exit scenarios.

Why are we talking about Google Workspace now?

Google Suite for Education changed its name to Google Workspace for Education this spring. G Suite Enterprise for Education is now called Google Workspace for Education Plus. In these frequently asked questions, we talk about Google Workspace.

Is there already a plan in place in case it becomes apparent that schools will actually have to stop by August 1?

Kennisnet is working with SURF, SIVON and the sector councils to develop a strategy and tools for stopping using Google Workspace. Information and advice will be shared with educational institutions as soon as possible via, and

Questions about the DPIA on Google

What is a DPIA?

DPIA stands for Data Protection Impact Assessment. A DPIA provides insight into how data is collected, what is done with it and what the risks are, so that measures can then be taken to reduce the risks. More information? Read more about DPIAs on the IBP Approach of Kennisnet.

Why has a DPIA of Google G Suite been done?

The DPIA was done to identify the privacy risks of Google G Suite for Education for use by educational institutions. This allows us to identify what measures can be taken to mitigate those risks.

What are the outcomes of the DPIA?

The DPIAs conducted show that there are privacy risks when using Google G Suite (Enterprise) for Education. Google has therefore amended the privacy conditions on a number of points. However, risks still remain.

The DPIA also revealed that so-called metadata is being collected. This metadata records, remotely, whether and how a user uses the programs. This data is sent to the supplier of the software. Examples include the moment users log in, which sites are visited, how long they work on a document or how many words are typed.

Google continues to see itself as a data controller of some of the data collected rather than a processor. This means that Google thinks they are allowed to determine for what purpose they collect this metadata and in what way. Google is not sufficiently transparent about this. As a result, educational institutions that use Google G Suite (Enterprise) for Education have no or insufficient control over Google's use of this data.