Mervinskiy 516


DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021

Google mentions the following Diagnostic Data in a public privacy notice for end users of the G Suite Enterprise for Education:

• “device information, such as the hardware model, operating system version, unique device identifiers, and mobile network information including phone number of the end user;
• log information, including details of how an end user used our service, device event information, and the end user's Internet protocol (IP) address;
• location information, as determined by various technologies including IP address, GPS, and other sensors;
• unique application numbers, such as application version number; and
• cookies or similar technologies which are used to collect and store information about a browser or device, such as preferred language and other settings.” [18]

At the moment of completion of this DPIA, in July 2020, Privacy Company was not able to find similar public information for end users of G Suite Enterprise. Google confirmed it had not yet published a similar explanation about the processing of Diagnostic Data in the context of G Suite Enterprise. However, Google has committed to publish a new Enterprise Privacy Notice about the purposes for the processing of data other than the Customer Data. [19] On 12 November 2020 Google published a Google Cloud Privacy Notice with a list of purposes. [20]

Administrators of G Suite Enterprise have access to 19 different kinds of log files with Diagnostic Data. [21] Fourteen of these log files contained information in the scope of this DPIA. The contents of these files are described in Section 2.2 of this report. Google explains why the log files are useful: “As an administrator, you can examine potential security risks, measure end user collaboration, track who signs in and when, analyze administrator activity, and much more. You can view domain-level data alongside granular, user-level details through graphs and tables.” [22]

As will be explained in Section 1.4.2 of this report, it is mandatory for end users of the G Suite services to create a Google Account. According to its (consumer) Privacy Policy, Google collects the following Diagnostic Data about each Google Account: “We collect information about the apps, browsers, and devices you use to access Google services, which helps us provide features like automatic product updates and dimming your screen if your battery runs low. The information we collect includes unique identifiers, browser type and settings, device type and settings, operating system, mobile network information including carrier name and phone number, and application version number. We also collect information about the interaction of your apps, browsers, and devices with our services, including IP address, crash reports, system activity, and the date, time, and referrer URL of your request.” [23]

Functional Data

[18] Google G Suite for Education Privacy Notice, Information we collect, URL: https://gsuite.google.com/intl/en/terms/education_privacy.html.
[19] From responses provided by representatives of Google to SLM Rijk during the course of this DPIA.
[20] Google, Google Cloud Privacy Notice, 7 December 2020, URL: https://cloud.google.com/terms/cloud-privacy-notice
[21] These log files are: Admin, Login, SAML – out of scope, LDAP – out of scope, Drive, Calendar, Context-Aware Access – out of scope, Devices, Password Vault – out of scope, Token, Groups, Hangouts Chat, Google+, Voice – out of scope, Hangouts Meet, User Accounts, Access Transparency – out of scope, Rules, and Email Log Search.
[22] Google, G Suite Admin Help, Monitor usage and security with reports, URL: https://support.google.com/a/answer/6000239?hl=en&ref_topic=9026900
[23] Google Privacy Policy, 31 March 2020, URL: https://policies.google.com/privacy?hl=en-US#infocollect



Mervinskiy 516 by Олексій Мервінський - Issuu