Mervinskiy 516

Page 134

DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021

It is difficult to argue that 6-month-old Diagnostic Data, or 18-month-old data in the case of cookies, are necessary, adequate and relevant for the 22 or 33 purposes for which Google processes the Diagnostic Data as joint controller with the government organisations. The processing of the Diagnostic Data through the Core Services and Additional Services, including the telemetry data and website data, does not meet the proportionality requirements. This is due to the lack of transparency, the privacy-unfriendly default settings, the absence of technical opt-outs and the risk of unauthorised further processing of personal data in Customer Data by Google.

14.3 Assessment of the subsidiarity

When making an assessment of subsidiarity, the key question is whether government organisations can reach the same objectives (of using secure, bug-free, modern communication and productivity software) with less intrusive means.

Google takes the view that end users of its G Suite Enterprise services voluntarily provide their consent to, or enter into a contract with, Google, (also) for the purpose of using consumer services. However, Google does not seem to take into account that the processing occurs in the context of an employment relationship. As assessed in Sections 11.2.1 and 11.2.2 of this report, employees are not free to give consent or enter into a contract with Google. There is no evidence that the specific contract with the data subject cannot be performed if the specific processing of the personal data in question does not occur. Reliance on either of these two legal grounds requires adequate purpose limitation to ensure that the personal data will not be processed for other purposes for which no legal grounds are available.

The consumer Terms of Service and the (consumer) Privacy Policy apply to all the Additional Services (as well as Additional Product Terms), including the Chrome OS and the Chrome browser, to the use of the Google Account in these Additional Services and to all Diagnostic Data. These terms allow Google to process personal data for 33 broad purposes.

Government organisations can choose an alternative software provider and use a different browser. They can decide to use Microsoft Office 365 as an alternative, or open-source software. SLM Rijk has published several DPIAs on Microsoft 365. Regardless of a choice for an alternative software provider, government organisations must identify the privacy and security risks of any software or cloud service they plan to use, and assess whether the software offers the necessary functionalities.
