Skip links

DPIA: Not Possible To Use Google Workspace Legally

Not only the Norwegian data privacy authority has raised the red flag against Google Workspace. Also the Dutch authorities are strugling with lack of compliance from the tech giant. A report made to the Dutch government actually makes it impossible for it to use Google Workspace (former name: G Suit) legally.

“Due to the lack of purpose limitation and transparency, Google and the government organisations currently don’t have a legal ground for any of the data processing.” Such is the conclusion according to the Register, who described the privacy assessment report of Google Workspace as it was published earlier this year.

Commissioned by the Dutch Ministry of Justice and Security, Privacy Company investigated the privacy risks of G Suite Enterprise, with work and communication apps such as Gmail, Chat, Meet, Forms, Docs and Slides. Meanwhile, Google has renamed these services into Google Workspace.

It is the same set of Google services that more and more schools all over the world are using. And late last year, the Norwegian DPA stated the use of it was not legal.

“It is very hard to get a full overview of all elements in an agreement with Google. They refer to websites inside the agreement, who then refer to other agreements, and Google is also changing name to Workspace and thus sometimes uses ‘G Suite’, other times ‘Workspace’,” the Norwegian DPA stated and then it listed 14  links, which Google refers to in its agreements.

The Dutch Data Protection Impact Assessment (DPIA) of Google Workspace points to a central problem with schools and public authorities using the service. It is very hard for users to distinct between “Core Services”, such as Docs, Sheets, Meet and Calendar, which you can get a data processing agreement with Google regarding, and “Additional Services” including YouTube, Maps, Assistant and Search, which you cannot get a data processing agreement on and thus you have to agree to Googles general tracking and profiling of its users. The Register asks whether the users understand the difference?

The DPIA also warns against using Google’s browser, Chrome (used by 90%+ Europeans) but points to the fact that it can be hard to avoid:

The use of Chrome browser also poses a privacy risk. Google uses its own product terms for Chrome, in addition to the 33 purposes of the general (consumer) privacy policy, while in practice it is very difficult (or complicated) to prohibit its use (certainly on Android mobile phones and Chromebooks).

The Norwegian DPA raised the same warnings against Chrome:

“It is worth noticing that the Google Chrome is not part of GSFE but of Chrome OS. This means that the pupils can be profiled and served advertising when they surf the web,” according to the guidance.

While European authorities still ponder about what to do with a non-compliant giant, the very same giant is conquering workplaces and schools all over the continent.