SURF and SIVON discuss privacy risks with Google

22 February 2021 - In the education sector, personal and other privacy-sensitive data are digitally stored and exchanged at an increasing rate. It is important this is done in a safe and responsible manner. An investigation commissioned by the RUG and the HvA has shown there are privacy risks associated with the use of Google G-suite*.

Man werkend in kantoor achter glas met bedrukking van woorden in categorie security

These risks are associated with the so-called metadata Google collects. SURF and SIVON have supported this investigation into privacy risks and are currently, on behalf of the education sector, in negotiations with Google to ensure these privacy risks are eliminated.

The privacy risks were revealed by a so-called Data Protection Impact Assessment (DPIA) on Google’s G Suite. A DPIA provides insights into the way data is collected, what is done with it, and what risks are associated with collection. The Dutch Ministry of Justice and Security had the DPIA carried out for the G Suite Enterprise version, the RUG and HvA had an investigation carried out on G Suite Education.

Metadata

Google collects metadata, for example, about the use of Google G Suite. With this data, Google can see what users click on most often, how long they are logged in for, what internet pages are used most, and what search queries are carried out most. This is, therefore, not a case of individual learning results or user’s address data.

The collection of metadata does not have to be a problem if this data is used to enable digital products to be used properly and safely, and to make them work better. However, it is important that this data is not used for other purposes. Also, no more metadata than necessary should be collected. Educational institutions must also retain control over the use of metadata. They must therefore be able to determine for what (other) purposes metadata may be used.

Risks

Google regards itself a data controller rather than a processor. This means Google considers itself entitled to determine the purpose of the collection of metadata and the manner in which this is done. Moreover, Google states in their privacy agreements that they may unilaterally change the conditions surrounding the collection of metadata, without asking for [users’] permission. 

For applications in educational institutions, we find it undesirable that the ownership and responsibility for this data lies with Google. As a result, educational institutions using Google G Suite have little to no control over what happens with their data. Google specifically states that it will not use metadata and other personal information in Workspace for advertising or profiling purposes. However, Google may unilaterally change the terms and conditions so this statement does not provide any guarantees for the future.

Follow-up steps

Currently, there is no agreement with Google in place surrounding the practices on collecting metadata and we are still discussing the indicated improvement points with them. We will also be submitting a request for advice about these privacy risks to the Dutch Data Protection Authority. We assume Google will make changes so the identified risks will be removed and education institutions can continue to use G Suite for Education safely.

More information

A full list of news items can be found on this page.

* G Suite for Education was recently renamed Google Workspace for Education. Google Workspace for Education includes Classroom, Meet, Gmail, Calendar, Drive, Docs, Sheets, Slides and more.