DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021
subjects are not overriding, taking into account the reasonable expectations of data subjects based on their relationship with the controller” (Recital 47 GDPR). In sum, as Google does not enable government organisations to comply with their obligations under the principle of purpose limitation, government organisations currently do not have any legal ground for the processing of personal data in Customer Data from the Core Services, the Features and the Google Account.
11.2
Personal data in Additional Services, Other related services, Technical Support Services and all Diagnostic Data As explained above, the processing of personal data in the context of G Suite Enterprise currently does not comply with the principle of purpose limitation. The G Suite DPA does not cover the processing of personal data in the Additional Services, the Google Account (when not used in conjunction with a Google Account), the Technical Support Services273 and the Other related services. The contractual guarantees equally do not apply to any Diagnostic Data. Google does not make clear and comprehensive information available with respect to the processing of these personal data in an enterprise context. Google states that its (consumer) Privacy Policy applies to the majority of these data. In its Privacy Policy Google qualifies itself as a data controller. However, as analysed in Section 5.4, Google and the government organisations are joint controllers. As explained in Sections 4.2 and 4.3 of this report, the (consumer) Privacy Policy contains a non-limitative list of 33 purposes that are not specific nor explicit, plus additional specific purposes for the Chrome OS and Chrome browser. Without a specific purpose or specific purposes, it is impossible for government organisations to identify any appropriate legal ground. After completion of this report, On 12 November 2020 Google published a Google Cloud Privacy Notice with a list of purposes for the Diagnostic Data.274
11.2.1
Consent As explained above, government organisations can currently not rely on any legal ground for the processing of personal data. This includes the legal ground of consent. Section 11.1.1 above explains why Google cannot rely on the legal ground of consent for the processing of personal data through the Core Services, the Features and the Google Account. The same analysis also applies to the processing of personal data in the Additional Services, the Technical Support Services, the Other related services and all Diagnostic Data. As described in Section 3.2 of this report, the Additional Services are all switched On by default for G Suite Enterprise customers. It thus requires an active intervention from admins or end users to block access to these services. As analysed in Section 5.3.3, with the use of these default settings Google benefits from cognitive limitations that prevent admins and end users from making any changes to the default settings, even if those settings do not match their privacy interests. The failure to actively object against these settings cannot be construed as ‘consent.’
Google calls this ‘Support Data’ in the Technical Support Services Guidelines. According to the G Suite DPA, Google processes the Customer Data in the Technical Support Services as data processor. However, the G Suite DPA does not apply to Customer Data when they are provided as Support Data to Google in the context of the Technical Support Services. See Sections 1.4.4 and 5.3.5. 274 Google, Google Cloud Privacy Notice, 7 December 2020, URL: https://cloud.google.com/terms/cloud-privacy-notice 273
p. 116/162
