processing. Although Google clearly tries to use plain language in its (consumer) Privacy Policy, the wording of the purposes is not explicit, and the explanations accompanying the purposes omit crucial information regarding what personal data will be processed for what specific purposes.
At the time of completion of this DPIA, Google did not publish documentation about the contents of the Diagnostic Data it collects on its own cloud servers (other than the audit logs it makes available for admins), nor about the contents of the telemetry data (Diagnostic Data) from ChromeOS, the Chrome browser, Android devices and apps.
As a result of the lack of information Google provides to government organisations, they are unable to provide data subjects with adequate information about the processing of their personal data. The documentation published by Google also does not meet the standards set by the GDPR with regard to the right to information.
First of all, data subjects have a right to information. This means that data controllers must provide people with easily accessible, comprehensible and concise information in clear language about, inter alia, their identity as data controller, the purposes of the data processing, the intended duration of the storage and the rights of data subjects.
As has been highlighted in previous sections of this report, Google does not make comprehensible information available to data subjects about the processing of personal data in the G Suite Enterprise Core Services. Quite the opposite. The G Suite DPA is the richest source of information, and this legal document demands considerable close-reading skills. Google has refused to provide an exhaustive list of purposes for the processing of the Customer Data, insisting it only follows customer instructions.
With regard to all the Diagnostic Data, the Google Account Data, the Additional Services and related services such as Feedback, Google also fails to meet the requirements for the quality and accessibility of information about the data processing. Though Google clearly tries to use plain language in its Privacy Policy, the wording of the purposes is never explicit, and the explanations accompanying the purposes omit crucial information about what personal data will be processed for what specific purposes.
Google does not publish documentation about the contents of the Diagnostic Data it collects on its own cloud servers, or about the contents of the telemetry data from the Chrome OS and browser, and Android devices.
As a result, the government organisations, as joint data controllers with Google, are unable to determine whether the processing is lawful in order to adequately inform their employees or students.
15.3 Right to access
Data subjects have a right to access their personal data. Upon request, data controllers must inform data subjects whether they are processing personal data about them. If this is the case, data subjects should be provided with a copy of such personal data, together with information about the purposes of processing, recipients to whom the data have been transmitted, the retention period(s), and information about their further rights as data subjects, such as filing a complaint with a Data Protection Authority.
As explained in Section 15.1, for data processing that falls in the scope of the G Suite DPA, Google undertakes to redirect access requests to its customers: "If Google’s Cloud Data Protection Team receives a request from a data subject in relation to Customer Personal Data, and the request identifies Customer, Google will advise the data subject to submit their request to Customer. Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.”284
Google provides administrators access to 19 audit log files (Diagnostic Data). These audit log files do not provide a complete overview of all personal data processed by Google about the use of all Core Services and the Google Account. Google also does not provide access to the website and cookie data it collects in the Core Services (Diagnostic Data), or to other data such as Support Data, data about the use of the Features and embedded Additional Services such as Maps in the Core Services. As described in Section 1.4.1, different types of Features were used in the test scenarios, and background traffic to Maps was observed in the intercepted internet traffic, evidencing that Google processes such data.
As data controller, Google has pointed to some tools where end users can see some of their usage data. However, Google did not provide the requested overview of all personal data processed by Google in its Additional Services, nor the Diagnostic Data resulting from the use of the Core Services and the Additional Services. Google acknowledges in its reply to the access requests made in the context of this DPIA that some data, such as cookie identifiers, are personal data, but Google states it cannot reliably verify that the person making the data subject access request is the data subject that these data relate to. Google did not accept the offer from the researchers to receive additional information enabling their identification.
This refusal is problematic in view of Article 11 (2) of the GDPR. This provision states: “Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.”
Google did not demonstrate that it is not in a position to identify the data subject in the context of the access requests of this DPIA. Since the researchers created the Google Accounts specifically for test purposes, using their real identity, on clean test devices, there is no possibility that the device or user identifiers belonged to another individual or could be confused with other data subjects.
As Recital 57 of the GDPR explains: “the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.”
If Google is able to use the digital credentials of an end user to reliably provide access to the most sensitive content data stored in a user’s Drive or Gmail account, it is not clear why Google would not be able to provide access to Diagnostic Data based on those same credentials, possibly combined with information only an end user can access on his or her own device.
Google is able to create billions of dollars of value in personalised advertising based on Diagnostic Data. This requires a technical capability to track individual behaviour
284 Clause 9.2 G Suite DPA.