Privacy risks Google Workspace for Education sufficiently resolved

Privacy risks from the 2021 DPIA on Google Workspace

Google has taken steps in recent months to mitigate the remaining risks from the 2021 DPIA as agreed and within the deadline. The privacy risks from Google Workspace for Education have thus been sufficiently resolved.

Based on the agreements with Google and the verification by our external privacy partners, SURF and SIVON conclude that institutions can continue to use Google Workspace for the time being. This means that the institution's administration does not need to make any changes for now. You can find the updated DPIA report here.

Google sticks to agreements

In January 2023, SIVON, SURF and a team of external (privacy) experts and lawyers thoroughly examined and assessed the measures taken by Google following the 2021 DPIA. We shared the results of this interim analysis with Google in February 2023. Subsequent discussions took place on a number of important points that had not yet been resolved. Google confirmed in March that it would address these remaining issues by June 9. SURF and SIVON now conclude - in coordination with the Ministry of Education, Culture and Science (OCW) - that Google has sufficiently complied with these agreements and that institutions can continue to use Google Workspace for the time being.

For us, protecting the privacy of pupils, students and staff is paramount. Institutions must be able to maintain control over that data at all times. SURF and SIVON are therefore pleased with the measures Google has taken to mitigate the aforementioned privacy risks.

What does this mean for institutions?

The institution's management is and remains ultimately responsible for the safe use of educational and digital applications; they decide which applications their institution uses and under what conditions. Institutions will receive the full DPIA report this summer with all the privacy risks identified in 2021 and the measures taken by Google to cover them. With this report, institutions can make their own trade-offs about using Google Workspace.

Please note: to continue using Google Workspace for Education securely, institutions must take a number of mitigating measures themselves. An overview of these measures can be found on this page.

Data Transfer Impact Assessment

One of the items resulting from the DPIA in 2021 is the transfer of data to the United States. For this issue, a separate track, called the Data Transfer Impact Assessment (DTIA), was launched earlier this year. The DTIA examines the privacy risks of transferring data to countries outside the European Economic Area (EEA). Google is cooperating in this process. The DTIA - including the implementation of any resulting measures - is expected to be completed this fall.

Status of Chromebooks, ChromeOS and Chrome browser

The DPIA on Google Workspace is separate from the DPIA conducted on Chromebooks, ChromeOS and the Chrome browser. In this process, SURF and SIVON made agreements with Google on a new version of ChromeOS. This updated version will be available to institutions around August of this year. You can read more about this on this page. Via a parliamentary letter, the minister informed the Lower House about the status of Google Workspace and the use of Chromebooks.

Continuous monitoring of legality is of great importance

SURF and SIVON endorse the importance of privacy and make every effort to embed privacy agreements in contracts with Google and other vendors. We therefore attach great importance to the continuous evaluation of (cloud) services and to assessing their legitimacy. We are alert to changing laws and regulations, periodically test existing contracts against them and adjust them where necessary. We monitor proactively and remain in discussion and negotiation with Google and other vendors to ensure that pupils, students and employees can make safe and responsible use of (digital) educational services.