Personal data in Additional Services, Other related services, Technical Support Services and all

In document DPIA on the use of Google G Suite (Enterprise) for Education (Page 130-133)

11. Legal Grounds

11.2 Personal data in Additional Services, Other related services, Technical Support Services and all

As explained above, the processing of personal data in the context of G Suite (Enterprise) for Education currently does not comply with the principle of purpose limitation. The G Suite DPA does not cover the processing of personal data in the Additional Services, the Google Account (when not used in conjunction with the Core Services), the Technical Support Services[310] and the Other related services. The contractual guarantees equally do not apply to any Diagnostic Data.

Google does not make clear and comprehensive information available with respect to the processing of these personal data in an enterprise context. Google states that its (consumer) Privacy Policy applies to the majority of these data. In its Privacy Policy Google qualifies itself as a data controller.

However, as analysed in Section 5.4, Google and the universities are joint controllers.

[310] Google calls this ‘Support Data’ in the Technical Support Services Guidelines. According to the G Suite DPA, Google processes the Customer Data in the Technical Support Services as data processor. However, the G Suite DPA does not apply to Customer Data (i.e. Support Data) that are actively provided to Google in the context of the Technical Support Services. See Sections 1.5.4 and 5.3.5.

As explained in Sections 4.2 and 4.3 of this report, the (consumer) Privacy Policy contains a non-limitative list of 33 purposes that are neither specific nor explicit, plus additional specific purposes for the Chrome OS and Chrome browser. Without a specific purpose or specific purposes, it is impossible for universities to identify any appropriate legal ground. After completion of this report, Google published its Google Cloud Privacy Notice with a list of purposes for the Diagnostic Data.[311]

11.2.1 Consent

As explained above, universities currently cannot rely on any legal ground for the processing of personal data. This includes the legal ground of consent.

Section 11.1.1 above explains why Google cannot rely on the legal ground of consent for the processing of personal data through the Core Services, the Features and the Google Account. This section will explain why the same analysis also applies to the processing of personal data in the Additional Services, the Technical Support Services, the Other related services and all Diagnostic Data.

As described in Section 3.2.1 of this report, access to the Additional Services is enabled by default in G Suite (Enterprise) for Education (except when the services are used in primary and secondary schools). It thus requires an active intervention from end-users to block access to these services. As analysed in Section 5.3.3, with the use of these default settings Google benefits from cognitive limitations that prevent end-users and administrators from making any changes to the default settings, even if those settings do not match their privacy interests. The failure to actively object to these settings cannot be construed as ‘consent.’

Google’s failure to obtain valid consent for the Diagnostic Data is especially problematic in relation to the collection of information from end-user devices through telemetry data and cookies. As explained in Section 9 of this report, article 11.7a of the Dutch Telecommunications Act (based on the ePrivacy Directive) in principle obliges website owners to obtain valid informed consent prior to retrieving or placing information on an end-user device, such as cookies in a browser. However, consent is not required if the cookies (or similar information) are necessary for the technical operation of a site or online service, or if the cookies do not infringe on users’ privacy rights, or only to a very limited extent.

The applicability of the GDPR does not exclude applicability of the Dutch Telecommunications Act with regard to cookies and similar technologies. As described in Section 2.3, Google collects personal data from Android devices, the Chrome OS and the Chrome browser in the form of unique end-user and device information, combined with potentially sensitive Customer Data (for example a sentence in the Enhanced Spellcheck) and behavioural information such as app usage and the use of biometric authentication with timestamps. Google does not inform data subjects about the collection of these data, and does not obtain separate consent. Because these telemetry data are not strictly necessary to operate its services, while the collection of these data does infringe on the fundamental rights of data subjects, Google fails to obtain the legally required consent.

As joint controllers, Google and the universities cannot rely on consent, even though such consent is required by the Dutch Telecommunications Act when these personal data are processed for commercial communication, personalised marketing and tracking purposes. Google does not ask for consent for the retrieval of unique identifiers from the Chrome OS and the Chrome browser, nor for the reading of telemetry data (Diagnostic Data).

11.2.2 Contract

[311] Google, Google Cloud Privacy Notice, 7 December 2020, URL: https://cloud.google.com/terms/cloud-privacy-notice

As explained above, universities currently cannot rely on any legal ground for the processing of personal data. This includes the legal ground of performance of a contract.

As explained in Section 11.1.2, universities can base processing on the legal ground ‘performance of a contract’ when they have a (labour) contract with the relevant data subject and the processing is necessary to perform their obligations in relation to each data subject. Processing for the purpose of technically providing the Core Services can likely be based on this legal ground. This can also be the case for the Technical Support Services and services that provide essential functionality, such as Features. This includes the processing of both Customer Data and Diagnostic Data, but only if the processing is necessary for the execution of the contract with each individual data subject.

Reliance on the legal ground of ‘performance of a contract’ requires adequate purpose limitation to ensure that the personal data will not be processed for other purposes for which no legal grounds are available. Without purpose limitation, it remains impossible to ascertain what the purposes of processing are, and thus whether a legal ground can apply with respect to all purposes.

11.2.3 Public interest

As explained above, universities currently cannot rely on any legal ground for the processing of personal data. This includes the legal ground of ‘public interest’.

As a side note, as described in Section 3.1.5, Google has used the location history of end-users that have turned on the Additional Service ‘Location History’ to proactively publish statistics “to help public health officials combat COVID-19.” Google cannot process personal data on the legal ground of public interest, because Google does not carry out any public tasks. Google did not process these location data as processor at the request of universities either. Since G Suite (Enterprise) for Education end-users were not made aware of such further processing of their location data prior to enabling this setting, Google cannot base this processing on consent either.

11.2.4 Legitimate interest

As explained above, universities currently cannot rely on any legal ground for the processing of personal data. This includes the legal ground ‘legitimate interest’.

As joint controllers with Google, Dutch universities may (instruct Google to) process a limited set of innocent Diagnostic Data on the basis of the necessity for their legitimate interest, if the data processing is not necessary to perform a public task. This can be the case for the following purposes:

• detect and solve new information security risks
• process the data according to the settings chosen by the administrators
• use Diagnostic Data to provide Technical Support, when an admin asks for this help
• keep the service functioning and up-to-date (providing automatic product updates); and
• determine the account status and ads personalisation preferences [cookies].

Universities may also rely on this legal ground for the (limited) use of some Diagnostic Data for (security) analytics, as long as the rights and freedoms of the end-users and other data subjects do not prevail over this interest. However, universities may not allow further processing of the Diagnostic Data obtained from devices and browsers for any purpose that involves tracking and profiling of end-users and end-user behaviour. Such a purpose would require consent based on the ePrivacy Directive, and employees are not free to give such consent.

As mentioned above for the ground of ‘public interest’, reliance on the legal ground of ‘legitimate interest’ requires adequate purpose limitation. Without a specific purpose or specific purposes, it is impossible to identify any appropriate legal ground, including ‘legitimate interest’.

In sum, as joint controllers for the processing of the personal data in the Additional Services, the Technical Support Services, the Other related services and all Diagnostic Data, neither Google nor the universities have a legal basis for the processing under the current circumstances.
