A Dutch government report identifying "10 high data protection risks" for users of Google Workspace, formerly known as G Suite, has been revised after Google's response, and now says eight high risk issues still remain.
The study (available in English) was conducted by the Dutch Ministry of Justice and Security together with SLM Microsoft Rijk (Strategic Vendor Management Microsoft).
Despite the name, this is not an offshoot of Google's Redmond-based rival, but a government department which manages vendor relations with the company, and which undertook to assess the risks of deploying Google Workspace instead of Office 365, in a process called a DPIA (Data Protection Impact Assessment). It has conducted similar studies into privacy risks with Microsoft's services.
The DPIA, first published in July 2020, came up with a number of recommendations, some of which Google has now adopted or undertaken to adopt. For example, Google said it will enable admins to block the use of consumer Google accounts in the Workspace environment, according to the report, and to provide a clear visual indicator to users showing whether or not they are in the enterprise environment.
Despite these assurances, at the time of writing, the DPIA still considers that there are legal obstacles to adopting Google Workspace around the roles and obligations of data processors and data controllers under the EU's General Data Protection Regulation (GDPR).
“The use of Google Workspace as offered under the privacy amendment of the Dutch government, still leads to 8 high risks for the different categories of data subjects involved (not just employees, but all kinds of other data subjects that may interact with the Dutch government),” said the report as updated.
Why exactly are you collecting data?
The GDPR distinguishes between data controllers, which determine the purpose and means of data processing, and data processors, which carry out processing on behalf of the controller. An organisation administering a Google Workspace has a measure of control over what data is collected and how it is used, and is therefore a data controller. Google is a data processor, but also a data controller, since it also determines how data is used, although the scope of its role as data controller is (to nobody’s surprise) complicated.
Lack of detail over the purposes for which Google collects data is an obstacle to organisations using Workspace meeting their own legal obligations. The Netherlands government and Google are joint controllers of data processed through Google Workspace, but the report said that, “due to the lack of purpose limitation and transparency, Google and the government organisations currently don’t have a legal ground for any of the data processing.”
A consultancy called Privacy Company, which assisted with the report, summarised the state of play, saying that while Google has improved its description of purposes, “it does not solve the problem that the State loses control over the personal data of its employees if the State allows Google to process these data for its own commercial purposes.”
Other issues are that purposes “are broad and unclear” and that “Google can change the purposes for the processing of the Service Data at will, by amending the privacy statement,” subject to certain prohibited purposes.
Multiple agreements, huge complexity
A user signing in to a Google Workspace account has to agree separately to the Core Services under their organisation’s terms, and Additional Services under Google’s terms. Which is used when? It’s complicated...
Google has said this is because users may use the Additional Services while logged in with the enterprise account, which “requires a direct contractual relationship with end users of products not sold under the G Suite Enterprise terms.”
An enterprise admin may attempt to turn off one of the Additional Services but if so “the end user is silently signed out from the Google Account, and can visit the service as end user without Google Account.”
A complication is that a user may be signed in simultaneously with both a Workspace and a personal account. In this case, they may use an Additional Service under the terms of their personal account. This interweaving makes policies hard to enforce.
Does the user know whether they are using Core Services or Additional Services? The DPIA looked at the spellchecker feature in Chrome. In answer to enquiries, Google said there are three kinds of spellchecker: a spelling and grammar feature, a basic local spellchecker, and an enhanced spellchecker. The spelling and grammar feature is defined as part of the Core Services, the enhanced spellchecker (which processes data differently) is an Additional Service. Both are accessed by a right-click.
“For the end-user, the difference with the G Suite Feature Spelling and grammar is not obvious. When checking the spelling of a document, the end user can use all three spellcheckers, without any clear distinction of its origin, part of a Core Service or part of the Additional Service,” said the DPIA.
There is a way of disabling enhanced spell check, but only via Chrome Enterprise policies, which on Windows can be enforced through Group Policy after installing the Chrome Enterprise Bundle. “Chrome Enterprise is not included in the G Suite Enterprise contract, and is therefore out of scope of this DPIA,” said the report.
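As an added illustration (not code from the DPIA, the Dutch government or Google), the following PowerShell checks whether the Chrome policy that turns off the enhanced, cloud-based spellchecker is in force on a Windows machine, and shows how an admin would set it machine-wide. It assumes the Chrome policy name SpellCheckServiceEnabled and Chrome's standard Policies\Google\Chrome registry locations.

```powershell
# Added example: inspect and set the Chrome enterprise policy that disables
# the enhanced (web-service) spellchecker. Assumes Windows and the Chrome
# policy SpellCheckServiceEnabled read from the Policies\Google\Chrome keys.

$PolicyPaths = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',   # machine policy, wins over user
    'HKCU:\SOFTWARE\Policies\Google\Chrome'    # user policy
)

function Get-ChromeEnhancedSpellcheckPolicy {
    # One object per hive: is the policy set there, and does it block the service?
    foreach ($path in $PolicyPaths) {
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name 'SpellCheckServiceEnabled' `
                      -ErrorAction SilentlyContinue).SpellCheckServiceEnabled
        }
        [pscustomobject]@{
            Hive    = $path
            Set     = ($null -ne $value)
            Blocked = ($value -eq 0)
        }
    }
}

function Test-ChromeEnhancedSpellcheckBlocked {
    # Chrome applies the machine hive before the user hive, so the first
    # hive that sets the policy decides the effective value.
    $effective = Get-ChromeEnhancedSpellcheckPolicy | Where-Object Set | Select-Object -First 1
    return ($null -ne $effective -and $effective.Blocked)
}

function Disable-ChromeEnhancedSpellcheck {
    # Writes the machine-wide policy (DWORD 0); run from an elevated shell.
    $path = $PolicyPaths[0]
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'SpellCheckServiceEnabled' `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

# Report the current state without changing anything; call
# Disable-ChromeEnhancedSpellcheck separately when you intend to enforce it.
Get-ChromeEnhancedSpellcheckPolicy | Format-Table -AutoSize
"Enhanced spellcheck blocked: $(Test-ChromeEnhancedSpellcheckBlocked)"
```

After setting the policy, chrome://policy on the endpoint should list SpellCheckServiceEnabled as a mandatory machine policy with value false; if it is absent, Chrome is not reading that hive.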
Another head-spinning entanglement was with Google Maps. Calendar is a Core Service and Maps an Additional Service, but “In Calendar traffic to Google Maps takes place when working with Calendar items that contain a location,” said the report. “In reply to this DPIA, Google explained that the traffic to Maps was not traffic to an Additional Service, but an embedded processing within the Core Services.”
Data subject access requests denied
The DPIA went into detail about how it conducted its investigation. That said, it noted: “Because G Suite Enterprise is a remote, cloud-based service, data processing takes place on Google’s cloud servers. As a result, it is not possible to inspect via traffic interception how Google processes Diagnostic Data in its system generated logs about the use of the Core Services, the Additional Services, or the Google Account.”
The Dutch researchers discovered that Google does not provide all the personal data it holds when asked to do so under the GDPR provisions for the right to request access to this. “Google … explains that it does not provide certain personal data in reply to a data subject access request, because (i) it is impossible to reliably verify the identity of the data subject as that of the requester and (ii) in some cases such transparency would hurt Google’s efforts to protect the security of its systems,” said the report. Similarly, if users "delete activity" from a Google service, it may not actually be deleted.
In respect of YouTube activity, for example, Google said “if you delete activity, it’s no longer used to personalise your Google experience … for business or legal compliance purposes Google must retain certain types of data for an extended period of time.”
The Dutch researchers responded by offering Google “multiple ways to verify their identity,” even including copies of passports, but “Google has refused all these options.”
Measures the report suggested to the Dutch government include prohibiting the use of Chrome OS and the Chrome browser, and not using Workspace Enterprise until data processing “can be based on one or more legal grounds.”
Google Cloud veep for EMEA Samuel Bonamigo, in response to the updated report, posted about privacy and security in Workspace.
Bonamigo said that “we never use customer data or service data (such as usage activity) for ads targeting” and that “we only process Cloud customer data according to instructions set out in our customers’ agreements.”
He added: “We will continue to discuss the findings with the Dutch government in the next few months, with the goal of reaching an agreement.” ®