Vendor compliance
On behalf of institutions, we perform privacy and security risk analyses on vendors. In this way, we jointly fulfil statutory obligations. By combining expertise, we achieve cost savings and knowledge sharing, and we have a stronger negotiating position towards vendors on behalf of the education and research sector.

"By engaging and staying in dialogue with vendors, we secure the best privacy and security conditions for research and teaching."

Sandy Janssen

Google Workspace

We reached agreement with Google on a comprehensive set of contractual, organisational and technical measures regarding the use of Workspace for Education Plus and Workspace Education Fundamentals by educational institutions in the Netherlands. Given the importance of the use of Google services in educational institutions, SURF and SIVON will continue to monitor Google on behalf of education.

Privacy risks from 2021 Google Workspace for Education DPIA sufficiently resolved

5 July 2023 - Google has taken measures in recent months to mitigate the remaining risks from the 2021 DPIA as agreed and within the deadline. Based on the agreements with Google and verification by our external privacy partners, SURF and SIVON conclude that institutions can continue to use Google Workspace for the time being. This means that the institution's management does not need to make any changes for now. You can find the updated DPIA report here.

Google keeps agreements

In January 2023, SIVON, SURF and a team of external (privacy) experts and lawyers thoroughly examined and assessed the measures taken by Google following the 2021 DPIA. We shared the results of this interim analysis with Google in February 2023. Subsequent discussions took place on a number of key points that had not yet been resolved. Google confirmed in March that it would still address these remaining issues by 9 June. SURF and SIVON now conclude - in coordination with the Ministry of Education, Culture and Science (OCW) - that Google has sufficiently complied with these agreements and that institutions can continue to use Google Workspace for the time being.

For us, protecting the privacy of pupils, students and staff is paramount. Institutions must be able to keep control of that data at all times. SURF and SIVON therefore welcome the measures Google has taken to mitigate the aforementioned privacy risks.

What does this mean for institutions?

The institution's management is and remains ultimately responsible for the safe use of educational and digital applications; it decides which applications their institution uses and under what conditions. This summer, institutions will receive the full DPIA report with all privacy risks identified in 2021 and the measures taken by Google to cover them. With this report, institutions can make their own trade-offs on the use of Google Workspace.

Please note: in order to continue using Google Workspace for Education securely, institutions must take a number of mitigating measures themselves. An overview of these measures can be found on this page.

Data Transfer Impact Assessment

One of the points arising from the DPIA in 2021 is the transfer of data to the United States. For this point, a separate process, called the Data Transfer Impact Assessment (DTIA), was launched earlier this year. This examines privacy risks of data transfers to countries outside the European Economic Area (EEA). Google is cooperating in this. The DTIA - including the implementation of any resulting measures - is expected to be completed this autumn.

Status of Chromebooks, ChromeOS and Chrome browser

The DPIA on Google Workspace is separate from the DPIA carried out on Chromebooks, ChromeOS and Chrome browser. In this track, SURF and SIVON reached agreements with Google on a new version of ChromeOS. This updated version will be available to institutions around August this year. You can read more about this on this page. Via a parliamentary letter, the minister informed the Lower House about the state of affairs regarding Google Workspace and the use of Chromebooks.

Continuous monitoring of legitimacy of great importance

SURF and SIVON subscribe to the importance of privacy and do their utmost to embed privacy agreements in contracts with Google and other vendors. We therefore attach great importance to continuously evaluating (cloud) services and assessing their legitimacy. We are alert to changing laws and regulations, periodically testing existing contracts against these and adjusting them where necessary. We monitor proactively and continue to discuss and negotiate with Google and other vendors to ensure that pupils, students and staff can use (digital) education services safely and responsibly.

SURF, SIVON and Google reach agreement on Terms of Service for Google Chrome

5 July 2023 - In May 2023, SURF and SIVON reached an agreement with Google on the new Terms of Service (ToS) for the use of Chrome OS and Chrome browser for Chromebooks.

Once the institution's board has accepted this agreement and taken control of the Chromebooks, Google will be a processor and the institution's board will be the controller responsible for the processing of personal data on Chromebooks (running on ChromeOS) and in Chrome browsers (running on Chromebooks). By accepting this agreement and implementing associated measures, you will mitigate privacy risks for students and staff when using Chromebooks running ChromeOS and the Chrome browser.

This agreement has been reviewed - on behalf of SURF and SIVON - and approved by a team of (external) privacy lawyers. Besides accepting this agreement, as an institution you need to take some additional measures to ensure safe use. You will find these measures in brief at the bottom of this article in the comprehensive guide.

Please note: these measures are in addition to the measures Google Workspace users were able to take at an earlier stage. Should you want to read back on these steps, check out this page.

The DPIA on Chromebooks, ChromeOS and Chrome browser is separate from the DPIA carried out on Google Workspace. You can read more about this in this article.

The Terms of Service in brief

  • Commissioned by SURF and SIVON, Privacy Company conducted a study on privacy risks when using Chromebooks and Chrome browser on Chromebooks. View the full report here.
  • Google is developing a processor version of ChromeOS specifically for education. This will be available in August 2023.
  • Besides the introduction of the processor version, SURF and SIVON have made additional agreements to eliminate privacy risks. These agreements are in the 'improvement plan'.
  • The board of the institution itself also needs to adjust a number of privacy-related settings. You can find these steps in the manual.
  • Google will come up with a new processor agreement for all users in the Dutch education sector. Institutions will receive notification from Google about this as soon as possible. The Chrome OS and Chrome browser processor agreement has been checked and approved by SURF, SIVON and privacy lawyers on behalf of SIVON.
  • The agreement applies to Chromebooks under management under a Workspace domain. You bring Chromebooks under management with the 'Chrome Education upgrade' licence.
  • The processor agreement applies only to 'essential services' (see the annex 'List of Essentials Services').
  • Optional services must be turned off by the admin.
  • There is no need to install new software on the Chromebooks. The rollout of the functionalities that enable the processor version is included in Google's software updates.

As an institution board, what should you do yourself?

  1. Ensure that all Chromebooks you use are under management within your Workspace domain (called the 'education upgrade').
  2. Accept the agreement Google offers you (how/when).
  3. Turn off all optional services (see manual).
  4. Implement the remaining measures as described in the manual.

Note that de-activating 'optional services' involves switches. All switches will be implemented in August 2023. Existing Workspace users must deactivate 'optional services' themselves with the switches. For new Workspace users, the optional services are off by default ('privacy by design').

Status of Google Workspace DPIA: update on privacy measures

20 April 2023 - In December 2022, SIVON and SURF reported that Google has delivered measures to mitigate the risks from the 2021 DPIA within the agreed timeframe. Most of the measures comply with our earlier agreements; Google is now picking up the remaining issues and has indicated it will have them resolved by mid-June.

Institutions will be notified as soon as possible after delivery. They will then also hear whether they may have to make adjustments themselves. Based on the agreements with Google, SIVON and SURF conclude that they do not need to discourage the use of Google Workspace.

Google picks up remaining points

In January, SIVON, SURF and a team of external (privacy) experts and lawyers thoroughly examined and assessed the above measures. We shared the results of our analysis with Google last February. Following this, intensive discussions took place on a number of key issues that have not yet been resolved. Google confirmed in March that they are still resolving these remaining points. SIVON and SURF - in coordination with OCW - have decided that Google will have until mid-June to do so.

What does this mean for institutions?

The board of an institution is ultimately responsible for the safe use of educational and digital applications; it decides which applications their institution uses and under what conditions. In light of the agreements made with Google, SIVON and SURF do not advise against the use of Google Workspace. Institutions will receive a full analysis of all measures as soon as possible after the mid-June delivery date, explaining any actions the board itself can take. The education partners of OCW, SIVON and SURF remain - now and in the future - in close contact with Google to monitor whether Google removes any risks. SIVON and SURF institutions will be informed as soon as there is more news.

Continuous monitoring of legality of great importance

SIVON and SURF subscribe to the importance of privacy and strive to embed privacy agreements in contracts with vendors. We therefore attach great importance to continuously evaluating (cloud) services and assessing their legitimacy. We keep an eye on changing laws and regulations, periodically review existing contracts against these and adjust them where necessary. In addition, we are in constant dialogue and negotiation with vendors to ensure that services can be used safely and responsibly.

Informing the Personal Data Authority

On 7 March 2023, the Personal Data Authority (AP) wrote to OCW asking it to remain alert to ensuring privacy when using Google applications. The AP asked OCW to inform it of the state of play by 15 May. Following this letter, OCW has been in contact with the AP. In that contact, OCW explained the agreements made between SIVON, SURF and Google and explained that institutions will receive clarity on Workspace for Education by mid-June at the latest.

Finally: state of play on Google Chromebooks, ChromeOS and Chrome browser

It is worth noting that the above DPIA on Google Workspace is separate from the DPIA conducted on Chromebooks, ChromeOS and Chrome browser. During this separate process, SIVON and SURF reached agreements with Google on a new version of ChromeOS. This updated version will be ready around August this year. Institutions will be informed about this separately.

Update agreements and talks SURF and Google

5 October 2022 - In July 2021, SURF and Google reached an important agreement on the use of Google Workspace for Education by educational institutions. It involves a set of contractual, organisational and technical measures.

Since this agreement, we have been in close contact with Google to ensure that they honour our agreements and discuss related issues such as Google ChromeOS and the Chrome browser. In this article, we inform you as an advocate about the current state of affairs.

At the time, Google promised us that it would complete all the steps to be taken to minimise high privacy risks before the end of 2022. With three months to go, we are hopeful that this will succeed and that schools can continue to use Workspace for Education safely.

International attention

Several European countries and governments are benefiting from the privacy agreements SURF has reached with Google. This breakthrough has led to Google stating in March 2022 that it will improve privacy protection worldwide.

DTIA: investigation into data sharing with Google in the US

When using Workspace for Education, some European data is exchanged with Google in the US. One of the requirements of the General Data Protection Regulation (GDPR) is that the use of personal data outside the EU must meet the same level of protection as if this data were used within the EU. SURF is investigating the transfer of data outside the EU through a Data Transfer Impact Assessment (DTIA) for Google Workspace for Education. This assesses which personal data is exchanged with a country outside the European Economic Area (EEA) and whether there are sufficient appropriate safeguards. These safeguards include, for example, technical measures such as encryption or the use of Standard Contractual Clauses (SCCs) prescribed by the European Commission. If necessary, additional arrangements will be made with Google so that the use of Workspace for Education can continue. This DTIA is conducted in cooperation with education partner SIVON and SLM Rijk (Ministry of Justice and Security). Recently, Microsoft Teams, SharePoint, OneDrive and Zoom were examined, with a similar DTIA forming part of the DPIA. The results of the DTIA on Workspace (for Education) are expected to follow in early 2023.

Processor versions of Google ChromeOS and Chrome browser

In early 2022, SIVON and SURF launched an investigation into potential privacy issues within ChromeOS and the Chrome browser. Google has since stated in a public statement that it will develop a processor version. With this important change of direction, organisations such as educational institutions retain full control over the personal data processed by Google within ChromeOS. It is important to note that the processor version of ChromeOS is only available for Chromebooks that are centrally managed via a Workspace account. The processor version is therefore not applicable to Chromebooks that are not managed via a Workspace account, nor for Chrome browsers installed on Windows or Apple devices.

SURF expects to offer its educational institutions a new processor agreement ('terms of service') for ChromeOS and Chrome browser during the fourth quarter of 2022. SURF and Google are laying down the changes within ChromeOS in a so-called commitment plan. Developing a processor version for ChromeOS requires Google to make a lot of adjustments to the existing software/code. We expect a (first) version around August 2023. This version is sufficient as a risk-mitigating measure.

Local DPIA by schools

The agreements made by SIVON, SURF and SLM Rijk with Google only apply if educational institutions themselves accept these agreements. Last year, schools received an amended agreement from Google. At the end of this year, schools will also receive an adapted agreement ('terms of service') for ChromeOS and Chrome browser. In addition, it is important that educational institutions themselves carry out an institution-specific ('local') DPIA. In it, institutions assess for themselves whether their use of Workspace for Education (Plus) - and soon ChromeOS and Chrome browser - adequately addresses the protection of personal data in accordance with the GDPR. SURF and SIVON have provided educational institutions with a complete set of documents for Workspace for Education for this purpose. For ChromeOS and Chrome browser, this will be published next year.

Danish data protection agency ruling has no impact on Dutch education

In July, the Danish privacy regulator ruled that a Danish municipality may no longer use Google Workspace and Chromebooks. In the ruling, the regulator found that the municipality did not meet the required conditions, so it must stop using Google Workspace and Chromebooks. Google must destroy the users' data. This ruling has no implications for Dutch educational institutions.

Violations

In previous years, the Danish regulator found several violations of the GDPR. The municipality was ordered to carry out a risk assessment and bring Google usage in line with the GDPR. According to the regulator, in the context of a (pre-)DPIA, the Danish municipality did not assess any concrete risks but made an assessment that there were no high risks when using Google Workspace. The DPIA carried out is simply not good (enough). The Danish AP further believes that data that can be transferred to third countries (read: the US) must be adequately secured. Google should not have access to the data, or have the keys that give access to encrypted data. Google must be transparent about the purposes of processing personal data. Before purchasing Google Workspace and Chromebooks, the municipality should have done technical research, and (better) negotiated with Google about the (verifiability of the) role of controller. In addition, there is much ambiguity about Google Workspace's additional services.

The Netherlands as an example

The ruling does not affect Dutch educational institutions. Indeed, good agreements have been made with Google that limit or eliminate the privacy risks mentioned. In addition, a thorough DPIA has been carried out. In a recent interview, one of the Danish researchers explicitly refers to the Workspace for Education study conducted in the Netherlands as an example. A study on the transfer of student data to the US (data transfer impact assessment; DTIA) is also being conducted. With regard to ChromeOS, agreements have been reached with Google on a 'processor version' for managed Chromebooks. The conclusions of the Danish regulator therefore do not and will not apply to the Dutch situation.

Google has published a separate article in response to the situation in Denmark with reference to the situation in the Netherlands.

ACM investigation into cloud services

Recently, the Consumer and Market Authority published a market study on cloud services. It turns out that it is difficult for users of (business) cloud services to switch providers, and cloud services from different providers are not easy to combine. As a result, there are risks to the price, quality and innovation of cloud services. The investigation does not focus on privacy and security, but it does touch on it because of the market position of these cloud providers.

The ACM's investigation points to two risks:

  1. Lock-in of users: switching cloud services is difficult. This is reinforced by behaviour of cloud providers and functionalities of services.
  2. Cloud products limit competition because cloud providers direct users only to their own services. Privacy and security are relevant choice parameters here, though, which (may) affect competition in the market.

The European Commission has proposed a law, the Data Act. This act will make it easier and more secure to share data while maintaining full control over it. The aim of the Data Act is to create a fair digital environment, make data more accessible to all, and enable data-driven innovations. In the study, the ACM suggests embracing this Act and improving (expanding) obligations around interoperability between cloud services. Cloud services should be easier to combine (also called interoperability). Furthermore, the ACM is conducting follow-up research to determine whether and to what extent switching barriers cause competition problems in practice and whether these can already be addressed now.

Investigation into Google ChromeOS and Chrome browser

11 November 2021 - It was agreed with Google in July 2021 that an education-specific version will be available for ChromeOS and Chrome browser. Institutions will thus remain in control of data when using ChromeOS and Chrome browser on (institution-managed) student and staff Chromebooks.

Where are we now (November 2021)?

In July 2021, it was agreed with Google that an education-specific version will be available for ChromeOS and Chrome browser. Institutions thus remain in control of the data when using ChromeOS and Chrome browser on (institution-managed) Chromebooks of students and staff.

In the coming period, SURF and SIVON (in collaboration with SLM Rijk) will enter into discussions with Google on a version of:

  1. ChromeOS on Chromebooks and
  2. Chrome browser where Google is the processor.

The agreements reached around Workspace for Education form the basis for this. Parallel to the talks, a technical and legal investigation is being conducted into the current version of ChromeOS and the Chrome browser. We informed institutions about this earlier. We will include the results of this study in the negotiations with Google. This will allow us to provide clarity on the use of ChromeOS and the Chrome browser within institutions sooner.

How is the process progressing?

Earlier, the intention was to complete the full DPIA, publish it and then engage with Google. However, this would take more time. Now that the agreements around Workspace and the role as processor are starting points, we expect to be able to reach agreements more quickly. As a result, we hope to announce both the results of the investigation and any necessary corrective measures and agreements we have made with Google early next year.

SURF and SIVON consider it important to provide institutions with clarity on the use of ChromeOS and the Chrome browser on devices they manage as soon as possible. Therefore, we choose to bring the results of the technical legal investigation directly into the discussions with Google. This way, we expect to present the results of the negotiations to institutions sooner.

As with Workspace, we will also provide tools and information for implementation. If possible, we will still communicate the (preliminary) results of our talks with Google this calendar year.

Support package Google Workspace for Education

2 August 2021 - As we previously reported, an agreement was reached on 8 July with Google on the measures aimed at the previously identified privacy risks at Google Workspace for Education.

This means that institutions can continue to use Google Workspace for Education (Plus), provided they also implement some actions themselves. SURF, SIVON and Kennisnet have created a support package for this, which you can find here from now on.

With the aforementioned information and tools, determine for your own institution whether - before the start of the new academic year - you can safely continue to use Google Workspace for Education (Plus).

All about DPIA Google Workspace

9 July 2021 - On 8 July, an agreement was reached with Google on measures aimed at the previously identified privacy risks at Google Workspace for Education. This means schools can continue to use Google Workspace for Education, provided they implement some actions themselves.

This is the result of intensive discussions SURF, SIVON and the Strategic Supplier Management Rijk (SLM-Rijk), partly at the request of the PO-raad and VO-raad, had with Google.

The agreements include a comprehensive set of contractual, organisational and technical measures. These adequately cover the high privacy risks identified by the Personal Data Authority on 31 May 2021.

This statement by SURF and SIVON describes this achieved result. Google will start working on technical adjustments but schools will also have to carry out some actions themselves to (continue to) use Google securely. SIVON and SURF will provide support in this regard through a manual.

Actions for institutions

  • Adjust settings: in addition to automatic changes in the application, your own system administrator will also have to adjust some settings in the Workspace environment. A manual for this will be available in the first week of August.
  • Supplement instructions: secure use also requires explanation to users. Not everything can be arranged technically but will have to be done via user instructions. These will also be made available centrally in the first week of August.
  • Adjust contract: information on how to accept the adjusted privacy conditions with Google will follow no later than the first week of August. This too is a one-off activity.
  • Do its own impact analysis: the institution remains responsible for assessing whether the way Google Workspace for Education (Plus) is used is secure. A pack containing everything needed to do such an assessment will follow no later than the first week of August.

The amount of work per institution will depend on how many Google applications an institution has in use, but is expected to take between 1 and several half-days.

DPIA on Chrome browser

Together with SIVON, we are still working on an impact analysis (DPIA) on the Chrome browser and the system running on the Chromebooks. At the moment, there is no definite word on this. Information on this will follow later.

Support from SURF

To help you make the necessary adjustments, we offer the following support:

  • For the boards of institutions, an information package will be made available no later than the first week of August to help you make the adjustments.

Education agrees with Google on privacy risks

8 July 2021 - After intensive discussions in recent weeks, an agreement has been reached with Google on mitigating high privacy risks related to the use of Workspace for Education Plus and Workspace Education Fundamentals by educational institutions in the Netherlands.

After intensive discussions in recent weeks, an agreement has been reached with Google on mitigating high privacy risks related to the use of Workspace for Education Plus (formerly G Suite Education for Enterprise) and Workspace Education Fundamentals (the free variant, formerly G Suite for Education) by educational institutions in the Netherlands. These high risks were revealed in a Data Protection Impact Assessment (DPIA) conducted in 2020 - 2021. Following the results of this DPIA, SURF and SIVON asked the Personal Data Authority (AP) for advice. In its 31 May advice, the AP stated that all high data protection risks must be sufficiently mitigated by the start of the 2021/2022 school year at the latest, otherwise schools will have to stop using Workspace for Education.

SURF and SIVON are pleased to announce that agreement has been reached with Google on a comprehensive set of contractual, organisational and technical measures. These measures sufficiently mitigate all the high privacy risks identified in the DPIA.

ChromeOS, Google Cloud Platform and other Google services

Most of the agreed measures apply to the core services in Workspace for Education (e.g. Classroom and Gmail). Google commits to continue discussions with SURF and SIVON on other Google services regularly used in education, such as Google Cloud Platform and ChromeOS (the operating system for Chromebooks).

Follow-up steps

Over the next 2 weeks, SURF and SIVON will engage further with Google to refine the negotiation results and agree on how existing contracts will be amended or migrated to the new arrangements. Our aim is to finalise this by the first week of August at the latest. SURF and SIVON will provide educational institutions with instructions on how to ensure these changes apply to their contracts before the start of the next school year.

In addition to the measures Google has implemented, mitigating the high data protection risks also requires educational institutions to implement appropriate administrator settings and certain organisational measures. SURF and SIVON provide the necessary documentation for Workspace administrators to implement those measures.

SURF and SIVON will provide educational institutions with a complete package of all the documents and information they need to assess whether the use of Workspace for Education (Plus) - taking into account their specific interpretation and use of Workspace for Education (Plus) - sufficiently fulfils the protection of personal data in accordance with the GDPR. We expect more news on this by the first week of August at the latest.

SURF and SIVON continue to cooperate with Google

Looking at the risks and issues raised during the DPIA and the actions Google has taken or announced, SURF and SIVON can confirm that Google is addressing these issues. Given the importance of using Google services in educational institutions, SURF and SIVON will continue to monitor Google on behalf of the education sector and discuss privacy issues with Google. Thus, a DPIA on Chrome browser and Chrome OS will be conducted and these results will be discussed with Google in a similar way to Workspace for Education (Plus).

AP opinion: Google Workspace in education has too many risks

8 June 2021 - The Personal Data Authority (AP) says it is unclear whether personal data in Google Workspace (formerly Google Suite for Education) is adequately protected.

Education organisations are urgently appealing to Google's corporate social responsibility to properly safeguard pupils' and students' privacy and immediately initiate the removal of the risks.

Conclusions confirm DPIA results

In early March 2021, SURF and SIVON, also on behalf of PO/VO/MBO council, Kennisnet, the VH and VSNU, asked the AP for advice on Google Workspace, after concerns were insufficiently addressed in the discussions they had had with Google up to that point. The AP's conclusions confirm that there are currently too many privacy risks associated with the use of Google Workspace. Those risks came to light during research commissioned by the University of Groningen (RUG) and the Hogeschool van Amsterdam (HvA) and the DPIA of the Strategic Supplier Management Rijksoverheid (SLM Rijk).

Risks when using Google Workspace

The risks lie in the collection of so-called metadata by Google. In doing so, Google sees itself as a data controller rather than a processor. This means that Google considers that it may decide for what purpose it collects data and in what way. Google has also included in its privacy agreements that it may unilaterally change the conditions around metadata, without asking the user's consent again. According to the AP, it should always be clear what data is involved. If not, this violates the GDPR. Under the current circumstances, educational institutions may no longer use Google Workspace from next school year, the AP reports.

In talks with Google

In a letter to the House of Representatives today, the Ministry of Education, Culture and Science indicated that it assumes Google will have resolved the identified issues before the start of the 2021/2022 school year. SIVON and SURF, together with SLM Rijk, are currently talking to Google to quickly clarify how Google will implement the necessary adjustments as soon as possible.

Social responsibility Google

We make an urgent appeal to Google's corporate social responsibility to properly safeguard pupils' and students' privacy and initiate the removal of the risks without delay. This responsibility is especially great in the case of (young) children, because children at this age are (or may be) insufficiently aware of privacy risks.

Consequences for educational institutions

In a response to the advisory, Google announced that they are committed to the GDPR and said they will resolve the shortcomings. Until then, we advise educational institutions considering starting with Google Workspace to discontinue those plans until further notice, and educational institutions that have a good alternative available, to use it. Want to know what you can do yourself in the short term to improve the security of using Google Workspace? Then read this article on kennisnet.nl.

SURF and SIVON challenge Google on privacy risks

22 February 2021 - In education, more and more (personal) data is being stored and exchanged digitally. It is important that this is done in a safe and responsible way. Research commissioned by the RUG and HvA shows that there are privacy risks in using Google G-suite*.

The risks are in Google's collection of so-called metadata. SURF and SIVON supported this research and are in talks with Google on behalf of the education sector to ensure that Google removes these privacy risks.

The privacy risks came to light through a so-called Data Protection Impact Assessment (DPIA) of Google G-suite. A DPIA provides insight into how data is collected, what is done with it and what the risks are. The Ministry of Justice and Security commissioned the DPIA of the Google G-suite Enterprise version, and the RUG and HvA commissioned research on Google G-suite Education.

Metadata

Google collects metadata. This is data about the use of Google G-suite, for example. This allows Google to see, among other things, what users click on the most, how long they are logged in and which internet pages and searches are used the most. So this does not involve individual learning results or users' address data.

The collection of metadata need not be a problem if this data is used to make digital products work properly and securely and work better. However, it is important that this data is not used for other purposes. Also, no more metadata should be collected than necessary. Educational institutions should also retain control over the use of metadata. They must therefore be able to determine for which (other) purposes that metadata may be used.

Risks

Google sees itself as a data controller rather than a processor. This means that Google believes it may determine for what purpose they collect metadata and in what way. Google has also included in its privacy agreements that it may unilaterally change the terms around metadata, without asking for consent.

For applications at educational institutions, we find it undesirable that the ownership and responsibility for that data lies with Google. As a result, educational institutions using Google G-suite can exercise little or no control over what happens to this data. Google explicitly states that it does not use metadata and other personal data in Workspace for Education for advertising purposes or the creation of advertising profiles. However, Google may change the terms unilaterally, so this statement provides no guarantees for the future.

Follow-up steps

At the moment, there is no agreement with Google on the indicated areas for improvement and we are still in discussion. We are also submitting a request for an opinion on these privacy risks to the Personal Data Authority. We assume that Google will make adjustments so that the identified risks are removed and G Suite for Education can be used safely.

More information

A full list of news releases can be found on this page.

* G Suite for Education is now called Google Workspace for Education. Google Workspace for Education includes Classroom, Meet, Gmail, Calendar, Drive, Docs, Sheets, Slides and more.