DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021
For the avoidance of doubt, the Diagnostic Data streams mentioned above are separate from, and in addition to, Customer Data that end users provide to Google.
8.1 Anonymisation

According to the guidance from the Data Protection Authorities in the EU, anonymisation is a complex and dynamic form of data processing.244 Often, organisations still possess original data, or continue to collect pseudonymised data. As long as there is a realistic possibility to re-identify individuals based on data that are masked, scrubbed from obvious identifiers or otherwise de-identified, such data cannot be considered anonymous and the organisation must still comply with all GDPR requirements with regard to the processing of personal data. Furthermore, the process of anonymization constitutes processing of personal data and is therefore subject to the GDPR.

Google provides a public explanation of two of its anonymisation techniques.245 As quoted in Section 1.4.3 of this report, Google applies anonymisation to Diagnostic Data and Customer Data when an Additional Service is included as a ‘Feature’ of a Core Service, such as the use of Maps and Translate. Google did not provide specific information about the anonymisation techniques it applies in this case, and did not show any examples to the researchers. Google provided a general explanation of what key techniques it may use to anonymise data.

[CONFIDENTIAL] Key techniques used by Google to anonymize data include:

• the computation of aggregate values across a population, or the grouping of individuals such that values are shared;
• sampling: the computation of aggregate data based on a sample that includes a small portion of the overall population;
• generalizing the data (see WP216, p. 12 and 16): there are certain data elements that are more easily connected to certain individuals. In order to protect those individuals, Google uses generalization to remove a portion of the data or replace some part of it with a common value. For example, Google may use generalization to replace segments of all area codes or phone numbers with the same sequence of numbers; and
• adding noise to data (see WP216, p. 12): differential privacy (see WP216, p. 15) describes a technique for adding mathematical noise to data. With differential privacy, it is difficult to ascertain whether any one individual is part of a data set because the output of a given algorithm will appear the same, regardless of whether any one individual’s information is included or omitted.

In most circumstances Google will implement a combination of these techniques to effectively anonymize identifiable end user data. In any case, there is no single method of anonymisation that is effective under all circumstances. When anonymizing data, Google will assess the circumstances on a case-by-case basis (see WP216 p. 24) and develop a method of anonymisation such that the data cannot be attributed, directly or indirectly, to an individual, including consideration of the following factors:

244 Anonymisation Guidelines from the Article 29 Working Party, WP216, Opinion 05-2014 on Anonymisation Techniques, URL: http://ec.europa.eu/justice/Article29/documentation/opinion-recommendation/files/2014/wp216_en.pdf
245 Google, How google anonymizes data, URL: https://policies.google.com/technologies/anonymization
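As an added illustration for Section 8.1 (constructed example code, not part of the DPIA and not a description of how Google actually implements any of these techniques), the following Python sketches the four WP216 techniques named in the list above on a constructed sample, and shows the report's point that generalised data which still leaves a group of size one continues to single out a person:

```python
import math
import random
from collections import Counter

# Constructed sample of identifiable end-user data: (phone number, city).
RECORDS = [
    ("+31-20-5551234", "Amsterdam"),
    ("+31-20-5559876", "Amsterdam"),
    ("+31-30-5550001", "Utrecht"),
    ("+31-30-5550002", "Utrecht"),
    ("+31-50-5557777", "Groningen"),
]

def generalize_phone(phone: str) -> str:
    """Generalisation (WP216 p. 12/16): keep the area code, replace the
    subscriber digits with one common value shared by the whole group."""
    country, area, _subscriber = phone.split("-")
    return f"{country}-{area}-XXXXXXX"

def singletons(records) -> list:
    """Generalised values that still correspond to exactly one record.
    Such a record remains singled out, so the dataset is pseudonymised,
    not anonymous, and the GDPR still applies to it."""
    groups = Counter(generalize_phone(phone) for phone, _ in records)
    return sorted(value for value, n in groups.items() if n == 1)

def aggregate_count(records, city: str) -> int:
    """Aggregation: one value computed across the population."""
    return sum(1 for _, c in records if c == city)

def sample_then_count(records, city: str, fraction: float, seed: int) -> float:
    """Sampling: estimate the population count from a random subset."""
    rng = random.Random(seed)
    k = max(1, round(len(records) * fraction))
    return aggregate_count(rng.sample(records, k), city) * len(records) / k

def laplace_noise(scale: float, seed: int) -> float:
    """Inverse-CDF sample from Laplace(0, scale), standard library only."""
    u = random.Random(seed).uniform(-0.5 + 1e-12, 0.5 - 1e-12)
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))

def dp_count(records, city: str, epsilon: float, seed: int) -> float:
    """Laplace mechanism: adding or removing one person changes the true
    count by at most 1, so noise of scale 1/epsilon yields an epsilon-DP
    count whose distribution barely depends on any single individual."""
    return aggregate_count(records, city) + laplace_noise(1.0 / epsilon, seed)
```

Running `singletons(RECORDS)` on the sample returns the Groningen number's generalised form, the one group that still identifies a single person, whereas `dp_count` returns a noisy aggregate that no longer reveals whether any particular record was included.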
p. 98/162