4 minute read
1 Legal framework and contractual arrangements between government organisations and
account data as processor. Only when end users access Additional Services, such as Search or Youtube, does Google process the Google Account data as data controller.
However, at the time of completion of this DPIA, Google’s role as a data processor for the processing of personal data relating to the Google Account Data and the Features was not contractually guaranteed. Furthermore, Google does not act as a data processor for the Diagnostic Data collected about the use of the Core Services, the Features, the Google Account, the Additional Services and related services such as the Feedback form and the enhanced spellchecker in the Chrome browser.
Advertisement
Google objects against the analysis of its role as a joint controller with its customers for the Diagnostic Data (including the telemetry and the cookie/website data). This objection is reflected in the DPIA, but did not lead to a different analysis (See Section 5.4 of this DPIA).
Purposes Google disagrees with the list of purposes identified in this report, as it considers those purposes to be examples of processing activities, and not purposes. Google states that it only has one purpose for the processing of Customer Data as data processor: “As documented in Section 5.2.1 of the G Suite DPA Google is only contractually permitted to process Customer Personal Data according to the documented instructions of our customer described in that section. This includes an overall instruction to provide the services”. Google refused to provide an exhaustive list of purposes for which it processes the different categories of Diagnostic personal Data on the use of G Suite Enterprise.
At the moment of completion of this DPIA, in July 2020, Google committed to drafting a new Enterprise Privacy Notice that will provide explicit and specific purposes for which Google processes personal data that Google collects or generates that are not personal data in Customer Data. On 12 November 2020 Google published a Google Cloud Privacy Notice with a list of purposes.14
Google’s interests in the use of Diagnostic Data for personalised advertising Part A describes that Google permits itself in its (consumer) Privacy Policy to use of Diagnostic Data for advertising purposes. In the technical inspection occurrence of a DoubleClick cookie was observed during the log-in to the G Suite Enterprise Core Services. Google disagrees with the conclusion that Google has an interest in the use of Diagnostic Data for advertising purposes, and clarified that the DoubleClick cookie was a bug which since has been fixed.
Outline
This assessment follows the structure of the Model Gegevensbeschermingseffectbeoordeling Rijksdienst (PIA) (September 2017).15 This model uses a structure of four main sections, which are reflected here as “parts”.
1. Description of the factual data processing 2. Assessment of the lawfulness of the data processing 3. Assessment of the risks for data subjects 4. Description of mitigation measures
14 Google, Google Cloud Privacy Notice, 7 December 2020, URL: https://cloud.google.com/terms/cloud-privacy-notice 15 The Model Data Protection Impact Assessment federal Dutch government (PIA). For an explanation and examples (in Dutch) see: https://www.rijksoverheid.nl/documenten/ rapporten/2017/09/29/modelgegevensbeschermingseffectbeoordeling-rijksdienst-pia
Part A explains the data processing by the different G Suite Enterprise services on the different platforms (as mobile apps and webbased, accessed via a Chrome Browser on macOS, Windows 10 and on a Chromebook). Part A starts with a technical description of the collection of the data, and describes the categories of personal data and data subjects that may be affected by the processing, the purposes of the processing, the different roles of the parties, the different interests related to the processing, the locations where the data are stored and the retention periods. In this section, factual contributions and intentions from Google are included.
Part B provides an assessment (by Privacy Company, with input from the Ministry of Justice and Security) of the lawfulness of the data processing. This analysis begins with an analysis of the extent of the applicability of the GDPR and the ePrivacy Directive, in relation to the legal qualification of the role of Google as provider of the software and services. Subsequently, part B assesses conformity with the key principles of data processing, including transparency, data minimisation, purpose limitation, and the legal ground for the processing, as well as the necessity and proportionality of the processing. Part B also addresses the legitimacy of transfer of personal data to countries outside of the European Economic Area (EEA), as well as Google’s compliance with the exercise of data subjects’ rights.
Part C assesses the risks for data subjects, in particular with regard to the collection of Diagnostic Data, and the use of the Additional Services.
Part D assesses the measures that can be taken by Google and the individual government organisations to mitigate the risks identified in this DPIA, as well as their impact.