Dutch education IT crisis averted as Google agrees to 'major privacy improvements'

'Google has agreed to become more transparent' - over optimistic?


Google has agreed to "major privacy improvements" following a threat to ban the use of Google Workspace in education by the Dutch Data Protection Authority (DPA).

In March, Privacy Company concluded that eight out of 10 high privacy risks in Google's productivity suite, Workspace, remained. The Dutch educational institutions then asked the Dutch DPA for advice. At the end of May the DPA warned schools and universities to stop using Google Workspace for Education before the start of the new school year.

Now, after what Privacy Company, a data consultancy employed by Dutch education IT cooperatives, called Google's "intense negotiations with representatives of the schools and higher education institutions in the Netherlands," the Chocolate Factory has apparently agreed to mitigate these risks, averting "possible enforcement by the Dutch Data Protection Authority."

The impact of such enforcement could have been considerable, since according to the report Workspace is used by 52 per cent of primary schools, 36 per cent of secondary schools, and some faculties at four universities. The Dutch DPA had warned these facilities would have "to stop using Google Workspace before the start of the school year" this Autumn, which "would have required schools and their admins … to switch to new software over their summer holiday."

What has Google actually agreed to? In an email to the press, Privacy Company said that "Google, like Microsoft, will become a processor for Diagnostic Data. This means that Google may only process this data about the individual use of the services for the purposes approved by the schools.

"There are three of these purposes, namely providing and securing the services, as well as keeping them up to date. So Google is not allowed to process the pupils' and students' personal data for advertising, marketing, profiling or big data analytics. Google will also develop a data processor version of the Chromebooks and the Chrome browser for business and educational customers."

In the EU's GDPR (General Data Protection Regulation), a data processor is distinct from a data controller, and it is the controller which "determines the purposes and means of the processing of personal data" (Chapter 1.4.7).

Exactly what will be different in these special versions of Chrome OS and Chrome, and will they be available beyond Dutch educational establishments? We have asked Google since this is not entirely clear.

However this detailed report contains assurances including that machine learning for spelling and grammar is limited to "within the customer's own enterprise domain;" that the default setting for ads personalization will be off for new users; and that there will be an inspection tool to allow admins to view customer data in diagnostic data. There will also be a "new warning to end users in the feedback form not to share sensitive data with Google."

Core versus Additional services in Google's offering to education

Core versus Additional services in Google's offering to education

According to the Privacy Company, "The full adaptation of the data processor role requires significant technical and organizational changes to Google’s systems and processes and can therefore not be implemented overnight. However, the high risks will be mitigated before the start of the new school year."

Details, details

There are some caveats. One of the key concerns of the Dutch DPA is the intermingling of Workspace applications with what it calls "additional services" such as YouTube, Search, Scholar, Photos and Maps. If a user logged into Workspace then visits YouTube or performs a search, this falls outside the terms of Workspace, yet from Google's perspective it is the same logged-in user, so how does this impact privacy and in particular the responsibilities of the educational establishments to protect the personal data of their children and students?

According to Privacy Company, Search is not so bad since children and students "are automatically signed out when they visit Search" so they are treated as anonymous users - though we have noticed that even anonymous users have to click through an intimidating agreement in order to use Search, with only partial opt-out available.

The blocking dialogue which confronts anonymous users of Google Search

The blocking dialogue which confronts anonymous users of Google Search

In the case of the other additional services, though, "Google does not offer this privacy protective measure." Therefore, "schools and universities must use the option to technically prohibit end users from accessing the Additional Services," the Dutch consultants report.

Users who still wish to access them may do so, but only after creating a second, private Google account, thereby we presume lifting the responsibility from the school or university. Embedded use of YouTube videos in slides or Google Classroom is allowed, with Google stating that cookies in embedded videos will comply with the "agreed measures" by the beginning of the school year.

Further caveats are that Dutch educational establishments must sign up to a contract with Google that has the "new privacy amendment," and that schools must conduct their own data protection investigations.

"Every school and university is responsible, and can be held accountable, to evaluate possible additional risks for the rights and freedoms of the pupils/students and employees, and to determine if the factual use of Workspace for Education is GDPR-compliant," Privacy Company said.

"Google has agreed to become more transparent," according to Privacy Company, at least in respect of documenting the personal data it collects.

The stakes here are high, in that what happens in the Netherlands may well extend to the entire EU, and Google will be concerned to keep its foothold in education, as it no doubt hopes that young people will become familiar with its services and want to continue with them in business. Will Google change its data grabbing ways though? Perhaps a bit, in this narrow context.

The Dutch experience does show though that regulation can be effective in moderating the behaviour of big tech – though another relevant question is the extent to which IT departments in Dutch schools and universities will be able to comply with these privacy requirements at short notice, considering all the other demands on their services. ®

Similar topics

Broader topics


Other stories you might like

  • FTC urged to probe Apple, Google for enabling ‘intense system of surveillance’
    Ad tracking poses a privacy and security risk in post-Roe America, lawmakers warn

    Democrat lawmakers want the FTC to investigate Apple and Google's online ad trackers, which they say amount to unfair and deceptive business practices and pose a privacy and security risk to people using the tech giants' mobile devices.

    US Senators Ron Wyden (D-OR), Elizabeth Warren (D-MA), and Cory Booker (D-NJ) and House Representative Sara Jacobs (D-CA) requested on Friday that the watchdog launch a probe into Apple and Google, hours before the US Supreme Court overturned Roe v. Wade, clearing the way for individual states to ban access to abortions. 

    In the days leading up to the court's action, some of these same lawmakers had also introduced data privacy bills, including a proposal that would make it illegal for data brokers to sell sensitive location and health information of individuals' medical treatment.

    Continue reading
  • Brave Search leaves beta, offers Goggles for filtering, personalizing results
    Freedom or echo chamber?

    Brave Software, maker of a privacy-oriented browser, on Wednesday said its surging search service has exited beta testing while its Goggles search personalization system has entered beta testing.

    Brave Search, which debuted a year ago, has received 2.5 billion search queries since then, apparently, and based on current monthly totals is expected to handle twice as many over the next year. The search service is available in the Brave browser and in other browsers by visiting search.brave.com.

    "Since launching one year ago, Brave Search has prioritized independence and innovation in order to give users the privacy they deserve," wrote Josep Pujol, chief of search at Brave. "The web is changing, and our incredible growth shows that there is demand for a new player that puts users first."

    Continue reading
  • Google has more reasons why it doesn't like antitrust law that affects Google
    It'll ruin Gmail, claims web ads giant

    Google has a fresh list of reasons why it opposes tech antitrust legislation making its way through Congress but, like others who've expressed discontent, the ad giant's complaints leave out mention of portions of the proposed law that address said gripes.

    The law bill in question is S.2992, the Senate version of the American Innovation and Choice Online Act (AICOA), which is closer than ever to getting votes in the House and Senate, which could see it advanced to President Biden's desk.

    AICOA prohibits tech companies above a certain size from favoring their own products and services over their competitors. It applies to businesses considered "critical trading partners," meaning the company controls access to a platform through which business users reach their customers. Google, Apple, Amazon, and Meta in one way or another seemingly fall under the scope of this US legislation. 

    Continue reading

Biting the hand that feeds IT © 1998–2022