The Autoriteit Persoonsgegevens advises educational institutions and the Ministry of Justice and Security not to use Google's e-mail and cloud services. This is because the services do not comply with European privacy laws. In a response, the search engine giant says it appreciates the regulator's feedback. This is evident from two confidential reports from the Autoriteit Persoonsgegevens, which are in the hands of the Financieele Dagblad.
Many elementary schools, universities, businesses and even government agencies make full use of Google's online services. For example, they use Gmail to send emails, Google Meet to have online conversations, and Sheets and Docs to create and share presentations and text files. All of these services are combined in Google Workspace, formerly called Google G Suite Enterprise/Education.
Google's services provide the solution for a variety of scenarios. According to the Autoriteit Persoonsgegevens , however, a major problem lurks in the services: educational institutions that use them do not know how and where personal data about pupils and students are processed, for what purpose this is done and on what basis it is done. "Therefore, this processing cannot take place lawfully," the regulator concludes.
Outgoing Minister Ingrid van Engelshoven of Education, Culture and Science and Minister Arie Slob for Primary and Secondary Education and Media warned in early March that there were privacy risks associated with Google G Suite for Education. In a letter to the House of Representatives, the ministers wrote that educational institutions had "no or insufficient grip" on the processing of metadata. Metadata is information about how a student or student uses a program. It says something about when someone logs in, how long someone stays logged in, on what type of device, with what settings, what programs they use and what searches they perform.
Like Van Engelshoven and Slob, outgoing Minister of Justice and Security Ferd Grapperhaus commissioned a Data Protection Impact Assessment (DPIA) on Google G Suite Enterprise. This revealed ten high data protection risks. After several calls from Google, eight risks remained. "The high risks relate to a lack of purpose limitation, lack of transparency, lack of correct basis, missing possibilities for privacy-friendly settings, lack of control over sub-processors and lack of the right of access for data subjects in the context of the intended processing operations when using the Google services under investigation," Minister Grapperhaus wrote to the House of Representatives.
The ministers asked the Autoriteit Persoonsgegevens for its opinion. Officials at the Ministry of Justice and Security do not yet use Google's online services, but were negotiating about it. In confidential reports, the regulator advises against starting this because of "fundamental questions that need to be answered first." Insiders say that the AP's advice has caused other ministries to have doubts about engaging with Google.
For Google, opinions are a setback. Het Financieele Dagblad highlights that the American technology company is trying to get a foot in the office software market, a market currently dominated by Microsoft. This also puts educational institutions in an awkward situation. After all, they have been using Google's online services for years to consult with parents, record students' school performance and teach online. So simply moving away from Google Workspace is not as easy as it sounds.
A government spokesman told the Financieele Dagblad that ministries, education umbrellas and the IT umbrella for academics are in discussions with Google on the issue. They say they are "making an urgent appeal to Google's social responsibility to eliminate the risks and ensure privacy of pupils and students so that schools can use Google products safely.
Google announced in a response that it appreciates the "feedback" from the Autoriteit Persoonsgegevens . The tech company expects to fix the shortcomings soon.
Not only educational institutions are violating the rules of European privacy legislation. The CIO Platform warned in April that many companies are not complying with the AVG rules because it is unclear how cloud providers handle data from Dutch and European companies. On the one hand, tech companies are not open and honest about what they do with customer data. On the other hand, the AVG states that the user is responsible for ensuring that the software they use complies with the law. However, customers are typically not given this option. Arthur Govaert, president of the CIO Platform, called this a "flaw" in the AVG.
