5 minute read
11.3 Google’s own legitimate business purposes
proactively publish statistics “to help public health officials combat COVID-19.” Google cannot process personal data on the legal ground of public interest, because Google does not carry out any public tasks. Google did not process these location data as processor at the request of government organisations either. Since G Suite Enterprise end users were not made aware of such further processing of their location data prior to enabling this setting, Google cannot base this processing on consent either.
11.2.4 Legitimate interest As explained above, government organisations can currently not rely on any legal ground for the processing of personal data. This includes the legal ground ‘legitimate interest’.
Advertisement
As joint controllers with Google, Dutch government organisations may (instruct Google to) process a limited set of innocent Diagnostic Data on the basis of the necessity for their legitimate interest, if the data processing is not necessary to perform a public task. This can be the case for the following purposes:
• detect and solve new information security risks • process the data according to the settings chosen by the administrators • use Diagnostic Data to provide Technical Support, when an admin asks for this help • keep the service functioning and up-to-date (providing automatic product updates; and • determine the account status and ads personalisation preferences [cookies].
Government organisations may also rely on this legal ground for the (limited) use of some Diagnostic Data for (security) analytics, as long as the rights and freedoms of the end users and other data subjects do not prevail over this interest. However, government organisations may not allow further processing of the Diagnostic Data obtained from devices and browsers for any purpose that involves tracking and profiling of end users and end user behaviour. Such a purpose would require consent based on the ePrivacy Directive, and employees are not free to give such consent.
As mentioned above for the ground of ‘public interest’, reliance on the legal ground of ‘legitimate interest’ requires adequate purpose limitation. Without a specific purpose or specific purposes, it is impossible to identify an appropriate any legal ground, including ‘legitimate interest’.
In sum, as joint controllers for the processing of the personal data in the Additional Services, the Technical Support Services, the Other related services and all Diagnostic Data, nor Google nor the government organisations have a legal basis for the processing under the current circumstances.
11.3 Google’s own legitimate business purposes
In some cases, Google processes personal data as an independent data controller, for example for the processing of the number of accounts and sold licenses for annual financial statements, and the sending of invoices. These purposes for the processing need to be clearly defined in the contract with the Dutch government organisations.
Google may be ordered to hand over personal data to a law enforcement authority, security agency or secret service. It follows from the G Suite DPA that Google will refer disclosure requests with regard to personal data in Customer Data from the Core Services to the government organisation, unless “the law prohibits Google from doing so on important grounds of public interest”. In those circumstances, Google can act as a data processor. When Google refers disclose requests to its customer,
Google acts as a data processor. However, if Google is ordered to disclose data itself, and is prohibited with a gagging order from informing the customer, Google acts as a data controller when it hands over personal data (be it Customer Data or Diagnostic Data).
As explained in Section 5.3.7, government organisations cannot instruct Google as a data processor to comply with legal obligations for which they do not have a legal ground, as this would violate the GDPR. Google’s compliance with a government order from a country with which the Netherlands or the EU do not have a Mutual Legal Assistance Treaty, such as is the case for the USA, would be in violation of the GDPR. Therefore, Google must take its responsibility and take its role as independent data controller for disclosure in these particular circumstances.
12. Special categories of data
Special categories of data are “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation” (Article 9 GDPR). In addition, Article 10 of the GDPR prohibits the processing of “personal data relating to criminal convictions and offences or related security measures.”
As explained in Section 2.5.1 of this DPIA, it is up to the individual government organisations to determine if they process special categories of personal data. Government organisations must determine if the specific data protection risks associated with the storing of these data on Google’s cloud computers (for example, storing of documents in Drive, recordings in Google Meet, processing through Gmail) require additional protection measures.
The data protection risks for data subjects are not limited to the processing of special categories of personal data. Similar risks may apply to other categories of personal data of a sensitive nature, classified or secret data. The EDPS explains in its guidelines on the use of cloud computing services by European institutions that special categories of personal data should be interpreted broadly when interpreting the risks for data subjects. The EDPS writes: “Nevertheless, this is not the only factor determining the level of risk. Personal data that do not fall under the mentioned categories might lead to high levels of risk for the rights and freedoms of natural persons under certain circumstances, in particular when the processing operation includes the scoring or evaluation of individuals with an impact on their life such as in a work or financial context, automated decision making with legal effect, or systematic monitoring, e.g. through CCTV.“ 275 The EDPS also refers to the criteria provided by the Article 29 Working Party when a Data Protection Impact Assessment (DPIA) is required. 276
Government organisations must consider the risk that special categories of personal data (or otherwise sensitive data) could end up in file and path names in the Drive Audit log file, in combination with the email address of the employee. Google
275 EDPS, Guidelines on the use of cloud computing services by the European institutions and bodies, 10 March 2018, URL: https://edps.europa.eu/sites/edp/files/publication/18-0316_cloud_computing_guidelines_en.pdf 276 Article 29 Working Party (now: EDPB), WP 248 rev.01, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, URL: http://ec.europa.eu/newsroom/Article29/item-detail.cfm?item_id=611236 .
