DPIA Google G Suite Enterprise for SLM Rijk | 9 July 2020, with update 12 February 2021
Privacy Company has had lengthy discussions with Google about different options to inspect the contents of the telemetry data. Google allowed Privacy Company to view (not capture or document) an example of telemetry traffic collected by Google in a test account from an engineer during a meeting, but did not provide any documentation about the entire path of the data collection or show any results of specific actions requested by Privacy Company. In reply to this DPIA, Google points to the export possibility in Vault. This functionality allows administrators to export emails (contents, headers and folders) from Gmail and documents from Drive. The exports from Drive contain the created and modified dates for each file, with document types and titles.111 However, this export only provides a very limited view on the Diagnostic Data Google collects about every user activity in its Core Services on its servers. The export does not include any information about the type of device and unique identifiers collected by Google about the user in telemetry and website data, nor does this export provide information about the use of Features, and whether Google collects fragments of content of documents stored in Drive. Other information also misses, as defined in Article 14(2), subsections a to g of the GDPR. Additionally, Google noted in its response that end users can view certain Diagnostic Data like Drive or Gmail search queries112 and review Diagnostic Data through the Drive activity dashboards.113 However, the first option does not yield results if an end user has chosen privacy friendly settings. In that case, the user can no longer see the registration by Google of activities, but that doesn’t mean Google has deleted the data.114 Google explains that the activity data are no longer used when a user deletes activity from the dashboard.115 The second option (Drive activity dashboards) only shows what other end users have viewed a file an end user has actively shared. This does not constitute detailed information about the collection of Diagnostic Data. Because of the lack of transparency, Privacy Company cannot determine the contents of the telemetry data. The telemetry that Privacy Company was able to analyse, contained personal data and sensitive content from files (in the Enhanced Spellcheck in Chrome, and in telemetry data about app usage). It cannot be ruled out that some, or all telemetry data contain (1) personal data in the form of unique end user and device information (2) information about app usage with timestamps, and (3) in some cases (sensitive) content that Google obtained as a data processor for Customer Data. 2.4
Results access requests Google explains in its G Suite DPA that it is the customer’s responsibility to answer data subject access requests. “...if Google’s Cloud Data Protection Team receives a request from a data subject in relation to Customer Personal Data, and the request identifies Customer, Google will advise the data subject to submit their request to Customer. Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.”116
https://support.google.com/vault/answer/6099459 https://myactivity.google.com/ . 113 Google, View the activity on your Google Docs, Sheets & Slides, URL: https://support.google.com/docs/answer/7378739 114 Google, How Google helps you manage data with My Activity, URL: https://support.google.com/accounts/answer/9784401 Google writes: “If you delete activity, it’s no longer used to personalize your Google experience.” 115 Idem. 116 Google G Suite DPA, Sections 9.2.1 and 9.2.2. 111 112
p. 48/162
