Related services that may send Customer Data to Google, such as the Feedback form and the Enhanced Spellchecker in the Chrome browser.
Privacy unfriendly default settings
One Google Account
Advertisement
Lack of control subprocessors
No access for data subjects
Where possible, change default settings until Google has implemented adequate privacy friendly settings
Turn Off Ads Personalization
Turn Off access to Additional Services
Change the default setting of the Chrome browser and in the Marketplace to prevent access by default [by third parties] to Customer Data
Provide exhaustive and comprehensible information about what the data protection consequences are if end users or administrators opt in to privacy unfriendly settings
Allow admins to centrally prevent any opt-in from employees
Advise end users not to sign in with multiple Google Accounts simultaneously
If the Chrome browser is permitted: prohibit end users from signing in with a Google Account different from the enterprise domain
Inform employees about access to the data in the available admin log files
When available, use other tools
Shield or protect against spill-over from enterprise to consumer environment (and vice versa)
Provide clear warnings to end users when they leave the protected enterprise environment
Prevent any data processing via the Google Play Store beyond authorised data processor purposes
Amend contract to provide guarantees about processing of underwater links from Core Services to Additional Services such as Translate and Maps
Amend contract to include meaningful control for customer to object against subprocessors of personal data, whether included in Customer Data, data relating to the Google Account, Support Data and Diagnostic Data or otherwise processed by Google
Become data processor for the processing of personal data in Customer Data and Diagnostic Data from the Core Services, the Features, the Additional Services, the Technical Support Services, the Google Account, Other related services that may send Customer Data to Google, such as Feedback and the Enhanced Spellcheck in the Chrome browser and only engage authorised subprocessors
Honour data subject access rights, including with respect to all personal data in Diagnostic Data [collected through the Core Services, the Additional Services, the Features, the Google Account, the Technical Support Services and Other related services such as Feedback and the Enhanced Spellcheck in the Chrome browser]
Develop tools to allow data subjects access to personal data when they are collected
There are three low data protection risks. These stem from the lack of transparency, which could make employees think they are constantly being watched, the lack of an effective removal option for historical personal data, and the fact that Google is a cloud provider and processes personal data on servers in the United States.
Three low risks Measures government organisations Measures Google
Chilling effects employee monitoring system
Complement internal privacy policy for the processing of employee personal data with rules for what specific purposes specific personal data in the log files may be (further) processed and analysed. This includes listing the specific risks against which the logs will be checked, and which measures the organisations will take to ensure purpose limitation.
Impossibility to delete individual Diagnostic Data
As soon as technically possible: minimise the collection of Diagnostic Data (including telemetry and website data)
Cloud provider: unlawful access to Customer Data and Diagnostic Data in the USA
Follow guidance from SLM Rijk on ECJ Jurisprudence about transfer of personal data to the USA
Conduct audits on data minimisation and compliance with retention periods
Data minimisation: create a control for individual deletion Diagnostic Data without deleting the Google Account
Guarantee that data for which deletion is requested, will not be processed for any other purpose incl. anonymisation
Consider the creation of an EU cloud
Data minimisation by improving the privacy controls
Conclusions July 2020
This DPIA shows that (at the time of completion of this report on 9 July 2020) there were 10 high and 3 low data protection risks for data subjects when government organisations decide to use G Suite Enterprise. Because of the lack of transparency and purpose limitation, Google currently does not qualify as a data processor for the processing of any of the personal data it collects in and about the use of G Suite Enterprise.
As explained in this DPIA, Google and the government organisations are joint controllers, but they cannot successfully claim any legal ground for the processing, as required in Article 6 of the GDPR. Until Google becomes a data processor, not only for the personal data in Customer Data, but also for the personal data in Diagnostic Data and other data described in this report such as personal data relating to the Google Account, government organisations are advised not to use G Suite Enterprise.
Conclusion 12 February 2021
SLM Rijk provided Google with these DPIA findings in July 2020. Between August and December 2020, SLM Rijk and Google discussed measures to mitigate the ten high data protection risks.
Section 17 of this report contains a table with an overview of the measures taken or announced by Google in reply to the 10 high data protection risks. On 12 February 2021 Google’s reply to the final table with remaining risks was added to this conclusion.
However, the use of Google Workspace as offered under the privacy amendment of the Dutch government still leads to 8 high risks for the different categories of data subjects involved (not just employees, but all kinds of other data subjects that may interact with the Dutch government).
SLM Rijk proceeds by engaging in a prior consultation procedure with the Dutch Data Protection Authority.