Dutch education IT crisis averted as Google agrees to 'major privacy improvements'

Google has agreed to "major privacy improvements" following a threat to ban the use of Google Workspace in education by the Dutch Data Protection Authority (DPA).

In March, Privacy Company concluded that eight out of 10 high privacy risks in Google's productivity suite, Workspace, remained. The Dutch educational institutions then asked the Dutch DPA for advice. At the end of May the DPA warned schools and universities to stop using Google Workspace for Education before the start of the new school year.

Now, after what Privacy Company, a data consultancy employed by Dutch education IT cooperatives, called Google's "intense negotiations with representatives of the schools and higher education institutions in the Netherlands," the Chocolate Factory has apparently agreed to mitigate these risks, averting "possible enforcement by the Dutch Data Protection Authority."

The impact of such enforcement could have been considerable, since according to the report Workspace is used by 52 per cent of primary schools, 36 per cent of secondary schools, and some faculties at four universities. The Dutch DPA had warned these facilities would have "to stop using Google Workspace before the start of the school year" this Autumn, which "would have required schools and their admins … to switch to new software over their summer holiday."

What has Google actually agreed to? In an email to the press, Privacy Company said that "Google, like Microsoft, will become a processor for Diagnostic Data. This means that Google may only process this data about the individual use of the services for the purposes approved by the schools.

"There are three of these purposes, namely providing and securing the services, as well as keeping them up to date. So Google is not allowed to process the pupils' and students' personal data for advertising, marketing, profiling or big data analytics. Google will also develop a data processor version of the Chromebooks and the Chrome browser for business and educational customers."

• Dutch government: Did we say 10 'high data protection risks' in Google Workspace block adoption? Make that 8
• The kids are all right... for Google: Web giant talks up 40 new Chromebook models, school-focused ChromeOS
• Dutch watchdog fines Booking.com €475k after it kept customer data thefts quiet for more than 3 weeks
• Microsoft claims to have 200 million education users as it pushes new hardware and updated Classroom Pen

In the EU's GDPR (General Data Protection Regulation), a data processor is distinct from a data controller, and it is the controller which "determines the purposes and means of the processing of personal data" (Chapter 1.4.7).

Exactly what will be different in these special versions of Chrome OS and Chrome, and will they be available beyond Dutch educational establishments? We have asked Google since this is not entirely clear.

However this detailed report contains assurances including that machine learning for spelling and grammar is limited to "within the customer's own enterprise domain;" that the default setting for ads personalization will be off for new users; and that there will be an inspection tool to allow admins to view customer data in diagnostic data. There will also be a "new warning to end users in the feedback form not to share sensitive data with Google."

According to the Privacy Company, "The full adaptation of the data processor role requires significant technical and organizational changes to Google’s systems and processes and can therefore not be implemented overnight. However, the high risks will be mitigated before the start of the new school year."

Details, details

There are some caveats. One of the key concerns of the Dutch DPA is the intermingling of Workspace applications with what it calls "additional services" such as YouTube, Search, Scholar, Photos and Maps. If a user logged into Workspace then visits YouTube or performs a search, this falls outside the terms of Workspace, yet from Google's perspective it is the same logged-in user, so how does this impact privacy and in particular the responsibilities of the educational establishments to protect the personal data of their children and students?

According to Privacy Company, Search is not so bad since children and students "are automatically signed out when they visit Search" so they are treated as anonymous users - though we have noticed that even anonymous users have to click through an intimidating agreement in order to use Search, with only partial opt-out available.

In the case of the other additional services, though, "Google does not offer this privacy protective measure." Therefore, "schools and universities must use the option to technically prohibit end users from accessing the Additional Services," the Dutch consultants report.

Users who still wish to access them may do so, but only after creating a second, private Google account, thereby we presume lifting the responsibility from the school or university. Embedded use of YouTube videos in slides or Google Classroom is allowed, with Google stating that cookies in embedded videos will comply with the "agreed measures" by the beginning of the school year.

Further caveats are that Dutch educational establishments must sign up to a contract with Google that has the "new privacy amendment," and that schools must conduct their own data protection investigations.

"Every school and university is responsible, and can be held accountable, to evaluate possible additional risks for the rights and freedoms of the pupils/students and employees, and to determine if the factual use of Workspace for Education is GDPR-compliant," Privacy Company said.

"Google has agreed to become more transparent," according to Privacy Company, at least in respect of documenting the personal data it collects.

The stakes here are high, in that what happens in the Netherlands may well extend to the entire EU, and Google will be concerned to keep its foothold in education, as it no doubt hopes that young people will become familiar with its services and want to continue with them in business. Will Google change its data grabbing ways though? Perhaps a bit, in this narrow context.

The Dutch experience does show though that regulation can be effective in moderating the behaviour of big tech – though another relevant question is the extent to which IT departments in Dutch schools and universities will be able to comply with these privacy requirements at short notice, considering all the other demands on their services. ®