Helping European education providers navigate privacy assessments
Marc Crandall
Director and Global Head of Privacy, Google Cloud
Every student and educator deserves access to learning tools that are private and secure. Google Workspace for Education and Chromebooks have positively transformed teaching and learning, while creating safe learning environments for more than 170 million students and educators around the world. Our education products are built with data protection at their core, enabling school administrators to demonstrate their privacy compliance when using our services.
Before using the products and services of technology providers like Google, schools in Europe may be required by the EU’s General Data Protection Regulation (GDPR) or similar laws to conduct Data Protection Impact Assessments (DPIAs). A school using Google Workspace for Education is considered a controller1 of the personal data that it and its students submit, store, send or receive via those Core Services. Under the GDPR, a controller is responsible for assessing whether a DPIA is required, and completing one as appropriate.
Navigating the complex DPIA requirements under the GDPR can be challenging for many of our customers, and while only customers, as controllers, can complete DPIAs, we are here to help them meet these compliance obligations. Our Cloud DPIA Resource Center outlines the obligations related to DPIAs that customers may have under the GDPR, and provides information about Google Workspace for Education that our customers (and their lawyers) can use as a starting point for assessing and meeting these legal obligations.
What every parent and teacher should know about Google Workspace for Education
For Google Workspace for Education core services like Gmail, Classroom, Calendar, Groups, Drive, Docs, and similar products, Google only processes data (including personal data) provided by customers and their end users in accordance with each customer’s documented instructions. Data in these core services is never used for advertising purposes, and no ads are shown in core services.
Below are a few examples of how those core services can benefit students and educators:
Google Calendar and Groups help schools streamline their administration by managing personal and team calendars and creating groups;
Google Docs and Drive enable classmates to collaborate in real time;
Google Classroom allows educators to securely and privately provide feedback to students, saving time for both;
Google Classroom also allows educators to factor in grading trends when planning future lessons.
When using Google Workspace for Education core services, schools are in control of their content from start to finish, and the domain administrator of the school’s system can directly manage this data using our privacy and security settings. Domain administrators have flexibility and autonomy to change default settings and use/enable advanced security upgrade options to meet their data protection requirements. There are equivalent controls in Chrome which would guarantee Google does not have access to the data. For example, administrators can turn off Chrome Sync entirely, so that no sync data is sent to Google. Also, our customers can choose to use Google Workspace for Education with a variety of browsers and operating systems. In addition, they can use Google’s sophisticated encryption technology, which is not currently matched by any other cloud provider, to ensure that Google personnel cannot decrypt customer data related to key services2 without the customer’s explicit permission.
We share the same goals as the schools that use our products: keeping educators and students safe, while supporting learning. As schools evaluate their technology needs and undertake risk assessments, we’ll work with them to help answer any questions they may have along the way. Google has cooperated with numerous customers across Europe who conduct DPIAs and we regularly engage with customers, regulators, policymakers, and other stakeholders to provide transparency into our operations, policies, and practices - this is core to who we are and encapsulates our ongoing commitment to privacy compliance.
In one recent example of this type of collaboration, the Dutch government conducted a DPIA into Google Workspace for Education to facilitate cloud adoption by schools in the Netherlands. As a result of that engagement, Google announced our intention to offer new contractual privacy commitments for service data that align with the commitments we offer for customer data. Once those new commitments become generally available, we will process service data as a processor under customers’ instructions, except for limited processing3 that we will continue to undertake as a controller. We are confident that these changes will address the requirements of our customers and regulators in Europe.
You may also be aware of the Danish DPA’s recent decision about the DPIA conducted by the local municipality of Helsingør in relation to Google Workspace for Education and Chromebooks. Although this decision affects only Helsingør Municipality, we know this ruling has raised questions in many European countries, and led to some misconceptions about the privacy and security of Google Workspace for Education and Chromebooks when used in schools. The Danish DPA has clearly communicated - including in the national media - that the underlying reason for their decision is not a deficiency of privacy, security or GDPR compliance in Google Workspace for Education, and that they have not banned the use of Google Workspace for Education in Denmark. Google is working with Helsingør Municipality to answer questions, review technical settings in their Workspace for Education Admin Console, and share best practices from other European customers who have undertaken a data protection impact assessment.
At Google, we recognise the utmost importance of schools assessing the risks that apply to their data when using any technology platform or online service to process student data. We hope that our Cloud DPIA Resource Center helps our customers complete these assessments for Google Workspace for Education, in compliance with the GDPR, and we’ll continue to provide the tools, resources, and support our customers need to ensure appropriate protection of student data.
For more information about what data we collect and how it is used, please see the Google Workspace for Education Privacy Notice.
1. According to the GDPR, the controller determines the purposes and means of processing of personal data.
2. Google’s CSE encryption is currently available for Google Drive, Docs, Other key services currently covered are Sheets and Slides and Google plans to extend the functionality to Gmail, Google Calendar, and Meet by the end of 2022.
3. For example, billing and account management, capacity planning and forecast modeling, detecting, preventing and responding to security risks and technical issues.