5 minute read
all Diagnostic Data
subjects are not overriding, taking into account the reasonable expectations of data subjects based on their relationship with the controller” (Recital 47 GDPR).
In sum, as Google does not enable government organisations to comply with their obligations under the principle of purpose limitation, government organisations currently do not have any legal ground for the processing of personal data in Customer Data from the Core Services, the Features and the Google Account.
Advertisement
11.2 Personal data in Additional Services, Other related services, Technical Support Services and all Diagnostic Data
As explained above, the processing of personal data in the context of G Suite Enterprise currently does not comply with the principle of purpose limitation. The G Suite DPA does not cover the processing of personal data in the Additional Services, the Google Account (when not used in conjunction with a Google Account), the Technical Support Services273 and the Other related services. The contractual guarantees equally do not apply to any Diagnostic Data.
Google does not make clear and comprehensive information available with respect to the processing of these personal data in an enterprise context. Google states that its (consumer) Privacy Policy applies to the majority of these data. In its Privacy Policy Google qualifies itself as a data controller. However, as analysed in Section 5.4, Google and the government organisations are joint controllers.
As explained in Sections 4.2 and 4.3 of this report, the (consumer) Privacy Policy contains a non-limitative list of 33 purposes that are not specific nor explicit, plus additional specific purposes for the Chrome OS and Chrome browser. Without a specific purpose or specific purposes, it is impossible for government organisations to identify any appropriate legal ground. After completion of this report, On 12 November 2020 Google published a Google Cloud Privacy Notice with a list of purposes for the Diagnostic Data.274
11.2.1 Consent As explained above, government organisations can currently not rely on any legal ground for the processing of personal data. This includes the legal ground of consent.
Section 11.1.1 above explains why Google cannot rely on the legal ground of consent for the processing of personal data through the Core Services, the Features and the Google Account. The same analysis also applies to the processing of personal data in the Additional Services, the Technical Support Services, the Other related services and all Diagnostic Data.
As described in Section 3.2 of this report, the Additional Services are all switched On by default for G Suite Enterprise customers. It thus requires an active intervention from admins or end users to block access to these services. As analysed in Section 5.3.3, with the use of these default settings Google benefits from cognitive limitations that prevent admins and end users from making any changes to the default settings, even if those settings do not match their privacy interests. The failure to actively object against these settings cannot be construed as ‘consent.’
273 Google calls this ‘Support Data’ in the Technical Support Services Guidelines. According to the G Suite DPA, Google processes the Customer Data in the Technical Support Services as data processor. However, the G Suite DPA does not apply to Customer Data when they are provided as Support Data to Google in the context of the Technical Support Services. See Sections 1.4.4 and 5.3.5. 274 Google, Google Cloud Privacy Notice, 7 December 2020, URL: https://cloud.google.com/terms/cloud-privacy-notice
Google’s failure to obtain valid consent for the Diagnostic Data is especially problematic in relation to the collection of information from end user devises through telemetry data and cookies. As explained in Section 9 of this report, article 11.7a of the Dutch Telecommunications Act (based on the ePrivacy Directive) in principle obliges website owners to obtain valid informed consent prior to retrieving or placing information on an end user device, such as cookies in a browser. However, consent is not required if the cookies (or similar information) are necessary for the technical operation of a site or online service, or if the cookies do not infringe on users’ privacy rights, or only to a very limited extent.
The applicability of the GDPR does not exclude applicability of the Dutch Telecommunications Act with regard to cookies and similar technologies. As described in Section 2.3, Google collects personal data from Android devices, the Chrome OS and the Chrome browser in the form of unique end user and device information, combined with potentially sensitive Customer Data (for example a sentence in the Enhanced Spellcheck) and behavioural information such as app usage and the use of biometric authentication with timestamps. Google does not inform data subjects about the collection of these data, and does not obtain separate consent. Because these telemetry data are not strictly necessary to operate its services, and does infringe on the fundamental rights of data subjects, Google fails to obtain the legally required consent
As joint controllers, Google and the government organisations cannot rely on consent, even though such consent is required by the Dutch Telecommunications Act when these personal data are processed for commercial communication, personalised marketing and tracking purposes. Google does not ask for consent for the retrieval of unique identifiers from the Chrome OS and the Chrome browser, nor for the reading of telemetry data (Diagnostic Data).
11.2.2 Contract As explained above, government organisations can currently not rely on any legal ground for the processing of personal data. This includes the legal ground of performance of a contract.
As explained in Section 11.1.2, government organisations can base processing on the legal ground ‘performance of a contract’ when they have a (labour) contract with the relevant data subject and the processing is necessary to perform their obligations in relation to each data subject. Processing for the purpose of technically providing the Core Services can likely be based on this legal ground. This can also be the case for the Technical Support Services and services that provide essential functionality, such as Features. This includes the processing of both Customer Data and Diagnostic Data, but only if the processing is necessary for the execution of the contract with each individual data subject.
Reliance on the legal ground of ‘performance of a contract’ requires adequate purpose limitation to ensure that the personal data will not be processed for other purposes for which no legal grounds are available. Without purpose limitation, it remains impossible to ascertain what the purposes of processing are, and thus whether a legal ground can apply with respect to all purposes.
11.2.3 Public interest As explained above, government organisations can currently not rely on any legal ground for the processing of personal data. This includes the legal ground of ‘public interest’.
As a side note, as described in Section 3.1.5, Google has used the location history of end users that have turned on the Additional Service ‘Location History’ to