
Our commitment to the privacy and security of Google Workspace customer data

March 2, 2021
Samuel Bonamigo

Vice President EMEA South, Google Cloud

At Google Cloud, we've designed Google Workspace products and solutions, including Google Workspace for Education, to secure and protect the privacy of our customers' data. Our cloud is designed to support European organizations' strict security and privacy requirements and expectations, which is one reason why customers across Europe trust Google Workspace.

We also want to support greater choice for public sector organizations and schools across Europe, providing access to innovative solutions, lower costs, better security and greater resiliency. 

We adhere to regulatory and compliance requirements to protect our customers' data. And we believe that it is deeply important for us to be transparent about our products and our practices, which helps to ensure that our customers and stakeholders understand our strong commitment to privacy, security, and compliance. 

We engage closely with European customers, regulators, policymakers, and other stakeholders to provide higher levels of transparency and to build trust. This helps us understand their security and privacy needs, so we can incorporate their feedback into how we build our products and tools. We also use this feedback to improve our public documentation so that customers and users understand how to configure our services to meet their compliance needs or privacy preferences. 

One way of receiving that feedback is through a process called a Data Protection Impact Assessment (DPIA). DPIAs are often a standard part of procurement processes for new technology and are conducted by both public and private sector organizations to better understand how their providers process personal data. Today, the Dutch government published a DPIA on Google Workspace, and the Dutch Ministry of Education and Ministry of Justice (MoJ) delivered letters to Parliament summarizing the findings of DPIAs conducted on Google Workspace and Google Workspace for Education.

We have worked extensively with the Dutch MoJ during the DPIA process and welcome the opportunity to demonstrate our commitment to privacy and security, and to the Dutch public sector. As a partner to public sector organizations across Europe, we take these matters seriously. We have already undertaken a number of steps to address concerns raised in the DPIAs, and are continuing discussions with the Dutch government. In the interim, we want to clarify a few key areas openly and transparently.

Firstly, we want to be clear that we never use customer data or service data (such as usage activity) for ads targeting. Google does not show any ads in Workspace and Workspace for Education Core Services, which are the premium versions of tools such as Gmail, Google Meet, and Google Chat that we offer to subscribers. And we never process customer data or service data to create ads profiles or to improve Google Ads Products. 

Secondly, customers control their data. Customer data is the customer’s, not Google’s. We only process Cloud customer data according to instructions set out in our customers’ agreements.

Thirdly, Google is committed to transparency, compliance with regulations like the GDPR, and privacy best practices. As part of our ongoing commitment to improve transparency, we expanded our public documentation about how Google processes personal data in the context of using Cloud services last year. We understand our customers’ desire for greater clarity and have taken steps to address this by publishing the Google Cloud Privacy Notice. This provides information to users on how we process service data—such as the information Google collects or generates while providing and administering Google Workspace. This information is critical to help ensure the security and availability of our services. We acknowledge there is always room to improve transparency and are committed to providing more specificity in the Google Cloud Privacy Notice in line with this feedback.

We have also updated our Workspace Data Protection Implementation Guide and published a new Google Workspace for Education Data Protection Implementation Guide to provide more information about how data is processed in Workspace Core Services and Additional Services, and we have included a new section on privacy best practices.

Our goal in addressing the DPIA is complete transparency for our customers, regulators and policymakers on the open issues. We will continue to discuss the findings with the Dutch government in the next few months, with the goal of reaching an agreement that will lead to more choice for public sector organizations in the Netherlands and beyond.
