Privacy risks from 2021 Google Workspace for Education DPIA sufficiently resolved
5 July 2023 - Google has taken steps in recent months to reduce the remaining risks from the 2021 DPIA as agreed and within the deadline.
Based on the agreements with Google and verification by our external privacy partners, SURF and SIVON conclude that institutions can continue to use Google Workspace for the time being. This means that the institution's management does not need to make any changes for now. You can find the updated DPIA report here.
Google keeps agreements
In January 2023, SIVON, SURF and a team of external (privacy) experts and lawyers thoroughly examined and assessed the measures taken by Google following the 2021 DPIA. We shared the results of this interim analysis with Google in February 2023. Subsequent discussions took place on a number of key points that had not yet been resolved. Google confirmed in March that it would still address these remaining issues by 9 June. SURF and SIVON now conclude - in coordination with the Ministry of Education, Culture and Science (OCW) - that Google has sufficiently complied with these agreements and that institutions can continue to use Google Workspace for the time being.
For us, protecting the privacy of pupils, students and staff is paramount. Institutions must be able to keep control of that data at all times. SURF and SIVON therefore welcome the measures Google has taken to mitigate the aforementioned privacy risks.
What does this mean for institutions?
The institution's management is and remains ultimately responsible for the safe use of educational and digital applications; it decides which applications their institution uses and under what conditions. This summer, institutions will receive the full DPIA report with all privacy risks identified in 2021 and the measures taken by Google to cover them. With this report, institutions can make their own trade-offs on the use of Google Workspace.
Please note: in order to continue using Google Workspace for Education securely, institutions must take a number of mitigating measures themselves. An overview of these measures can be found on this page.
Data Transfer Impact Assessment
One of the points arising from the DPIA in 2021 is the transfer of data to the United States. For this point, a separate process, called the Data Transfer Impact Assessment (DTIA), was launched earlier this year. This examines privacy risks of data transfers to countries outside the European Economic Area (EEA). Google is cooperating in this. The DTIA - including the implementation of any resulting measures - is expected to be completed this autumn.
Status of Chromebooks, ChromeOS and Chrome browser
The DPIA on Google Workspace is separate from the DPIA carried out on Chromebooks, ChromeOS and Chrome-browser. In this track, SURF and SIVON reached agreements with Google on a new version of ChromeOS. This updated version will be available to institutions around August this year. You can read more about this on this page. Via a parliamentary letter, the minister informed the Lower House about the state of affairs regarding Google Workspace and the use of Chromebooks.
Continuous monitoring of legitimacy of great importance
SURF and SIVON subscribe to the importance of privacy and do their utmost to embed privacy agreements in contracts with Google and other suppliers. We therefore attach great importance to continuously evaluating (cloud) services and assessing their legitimacy. We are alert to changing laws and regulations, periodically testing existing contracts against these and adjusting them where necessary. We monitor proactively and continue to discuss and negotiate with Google and other suppliers to ensure that pupils, students and staff can use (digital) education services safely and responsibly.
More information
View the full list of news items.