5 minute read
5.4 Joint controllers
5.4 Joint controllers
Government organisations that use G Suite Enterprise software have a legitimate expectation that Google solely acts as a data processor for the personal data that Google processes through and about the use of G Suite Enterprise. However, in practice they enable Google to collect and process various personal data as a data controller for Google’s own purposes.
Advertisement
As outlined in Sections 5.2 and 5.3.1 to 5.3.7 above, Google qualifies as a data controller for:
1. The Customer Data in the Core Services and content data in the Additional
Services; 2. the Google Account (both when used in the Core Services and in the
Additional Services); 3. the Diagnostic Data of the Core Services and the Additional Services; 4. personal data processed through Feedback; 5. some of the Support Data (not being personal data in Customer Data); 6. the engagement of new subprocessors; and 7. the disclosure of personal data to law enforcement, security agencies, and secret services in case Google is prohibited from redirecting the authorities to the customer.
However, Google cannot be qualified as an independent data controller for the processing with respect to the personal data listed in 1 to 7 above.
According to three judgments of the European Court of Justice parties can factually become joint controllers.216 That is even the case if the roles are unevenly distributed, or if the customer does not have access to the personal data processed by the supplier of the service. This can be the case if (i) the supplier processes the data for its own purposes, and (ii) this processing can only be performed (inextricable link) because the customer enables this data processing by selecting this supplier.
This enabling of processing by the supplier is clearly the case for the Google Account Data, the Diagnostic Data (including the website and telemetry data) and the Support Data. By engaging Google as a data processor for G Suite Enterprise, government organisations enable Google to collect personal data that Google otherwise would not be able to process.
Google operates under the incorrect assumption that it has the discretion to process personal data obtained through use of G Suite Enterprise as an independent data controller for purposes that have not been authorised by the government organisation. Google does so by simply referring to its (consumer) Privacy Policy and limiting all data protection guarantees to the personal data in Customer Data. This is wrong. As enumerated in Section 4.3, in its role as data controller Google contractually permits itself to process personal data for at least 33 purposes. Many of these of purposes are not specific or explicit.
If Google wants to offer functionality or process personal data that are strongly linked to the use of G Suite Enterprise as independent data controller, such processing and such functionalities should be disabled by default. The controls to enable these
216 European Court of Justice, C-40/17, 29 July 2019, Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV, ECLI:EU:C:2019:629, C210/16, 5 June 2018, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein versus Wirtschaftsakademie Schleswig-Holstein GmbH, ECLI:EU:C:2018:388. See in particular par. 38-43. Also see: C-25/17, 10 July 2018, Tietosuojavaltuutettu versus Jehovah’s Witnesses — Religious Community, ECLI:EU:C:2018:551, par. 66-69.
services and functionalities should be accompanied with very clear information what the data protection consequences are when end users and admins opt-in to such functionality. In all circumstances, Google should offer controls for admins to permanently block such processing and functionalities for all end users. Without such measures and controls, there are no clear boundaries between the data processor and the data controller domains.
There is an inextricable link between (i) the use of G Suite Enterprise to create, store, send and seek information, and (ii) the collection of Diagnostic Data by Google about the use of G Suite Enterprise. Clearly, Google cannot collect any Diagnostic Data about Core Services if end users do not use such Core Services. There is a similar inextricable link for the Google Account Data, as the use of the Google Account is mandatory for employees of Dutch government organisations that decide to use G Suite Enterprise. There is only one Google Account for both consumer and enterprise environments, and Google does not yet offer contractual guarantees that it only processes the Google Account as data processor when used inside of the Core Services. Therefore, Google’s role as data processor cannot (yet) be distinguished from its role as data controller.
The Additional Services and Other related services such as Feedback and Chrome’s Enhanced Spellchecker, as well as Ads Personalization are enabled by default for customers outside the education sector, as well as Ads Personalization. As described in Section 3.2.4 of this report, government administrators have no central controls to minimise the collection of Diagnostic Data (including telemetry and website data), cannot centrally block or limit the collection by Google of telemetry data or centrally disable Ads Personalization. These data include personal data such as the local IP address, what apps are used and when, Bluetooth use including the hashed MAC addresses, when biometric authentication is used and the occurrence (not contents) of crashes. As a result the customers of G Suite Enterprise become joint controllers with Google for the resulting data processing by Google outside of its data processor role.
If government organisations do not actively disable the default transfer of location data from the Chrome browser on Android mobile devices to Google Search (as explained in Section 3.2.2), they also become joint controllers for the collection of personal data for general analytic purposes and for personalised advertising aimed at the end user.
In sum, as long as the government organisations are not in a position to determine and exclude the above purposes of the processing, while Google can only collect these personal data in its role as data processor, in practice they become joint controller for these data processing operations with Google. As explained in Sections 4.2 and 4.3 above, Google reserves the right as (joint) data controller to process the personal data for at least 33 purposes set out in its (consumer) Privacy Policy, plus additional specific purposes for the Chrome browser. As a result of being joint controllers, the government organisations can be held accountable for the processing of personal data relating to all kinds of data subjects for these purposes.
The only exceptions, where Google may act as independent controller, are the processing -when proportionate - for Google’s own legitimate business purposes (e.g. invoicing) and disclosures to authorities, but only if Google was legally prohibited from forwarding the request or order to the customer.
