2. P ERSONAL DATA AND DATA SUBJECTS
2.4 R ESULTS ACCESS REQUESTS
Google explains in its G Suite DPA that it is the customer’s responsibility to answer data subject access requests.
“..if Google’s Cloud Data Protection Team receives a request from a data subject in relation to Customer Personal Data, and the request identifies Customer, Google will advise the data subject to submit their request to Customer. Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.”140
Where Google is a data processor, it should provide the data controller (i.e. the universities) with information necessary to comply with data subject access requests. As explained in Section 2.2.1 the access Google provides to the personal data it processes in the available audit logs does not provide a complete overview of all information about all personal data processed by Google. This means that
136 https://myactivity.google.com/ .
137 Google, View the activity on your Google Docs, Sheets & Slides, URL:
138 Google, How Google helps you manage data with My Activity, URL:
https://support.google.com/accounts/answer/9784401 Google writes: “If you delete activity, it’s no longer used to personalize your Google experience.”
140 Google G Suite DPA, Sections 9.2.1 and 9.2.2.
Google, in its role as data processor, does not provide customers with sufficient information to adequately respond to data subject access requests.
As analysed in more detail in Section 5 of this report, Google considers itself to be an independent data controller for the processing of Diagnostic Data, data relating to the Google Account (except when used in conjunction with a Core Service), data relating to the Additional Services, to Feedback, and data relating to ChromeOS and the Chrome browser. Where Google is an independent data controller, data subject access requests must be filed with Google.
To obtain access to these personal data, on 30 January 2020, two formal data subject access
requests were sent to Google for the personal data relating to the two UG test accounts that Google processes as data controller. Google did not provide any personal data in response to this access request, but referred, in a mail of 10 February 2020, to the information available in the console for administrators.
“Please contact your account administrator, who has access to tooling and functionality to respond directly to your request. Your account administrator can provide you with personal data associated with your account and detailed logs of what actions you have taken while using G Suite Core Services. This would include, for example, what files you have created, read, updated, deleted or shared in Drive, email sent and received.
Additionally, some of the information you seek is already available to you via the end-user interfaces of the products you are using and a number of secure online tools we provide to all end-users to access their data. Please see the table below which provides an overview of these tools.”141
Google provided hyperlinks to five download tools for the end-user.
As listed in Table 9 below, none of these self-service tools show all the personal data Google collects, such as unique identifiers and content data, through (1) use of the Google Account in the Core Services, Additional Services and Other related services such as Feedback and the Enhanced Spellcheck in the Chrome browser, (2) the cookies and similar technologies used, plus the information recorded in the webserver access logs with information about IP address, end-user and device to keep track of use of services through websites and apps and (3) information collected by the Chrome browser and Chrome OS, including device information from the Chromebook with Android apps that had access to the Play Store.
Table 9: Google overview of self-service tools for end-users Resource Google explanation
User data export142 A tool which enables end-users to export and download [content] data.
My Activity143 and view your Google Dashboard144
Allows end-users to see and actively manage their recent activity and to manage the data in their Google Account.
141 Google email reply to data subject access requests for the test accounts, 10 February 2020.
142 Google, Download your data, URL: https://support.google.com/accounts/answer/3024190?hl=en
143 Google, My Google Activity, URL: https://myactivity.google.com/myactivity
144 Google Dashboard, See and manage the data in your Google Account, URL:
Drive Activity Dashboard145
Administrators and end-users can access personal information related to their Drive file activity through the Drive Activity Dashboard. G Suite administrators can control whether end-users see each other's file activity on an Activity Dashboard. File activity includes the names of end-users who have viewed Docs, Sheets, and Slides files and the time they viewed them. Users can control whether their file-viewing information is displayed in the Activity dashboard. For example, if an administrator turns an end-user’s view history On, that end-user can still choose privacy settings to hide the file views from the Drive Activity dashboard.
Review how you share data with third-party apps and sites146
List of sites and apps with access to the end-user’s Google Account.
A description and list of the cookies Google uses
“We are a data processor of Customer Personal Data as defined in the G Suite DPA. Our goal is to protect the privacy and security of our end-users and we do not want to provide data to the wrong person. As discussed, we do not provide information where we do not believe there is a secure means of after-the-fact offline re-identification of a data subject in the context of a Subject Access Request, for example in situations where two or more individuals may use a device. Mobile Device Management is a solution for admins to control user/device policies and access.”148
If end-users have chosen privacy friendly settings, they cannot see any activity data in their personal dashboard. As explained above, in Section 2.3.1, this does not mean Google deletes the data.
“Activity you keep helps Google provide you with a more personalized experience, including faster searches, automatic recommendations, and a better YouTube homepage. If you delete activity, it’s no longer used to personalize your Google experience. (…) For business or legal compliance purposes Google must retain certain types of data for an extended period of time.”
Google continues with an explanation why Google does not provide certain personal data, because Google finds it impossible to reliably verify the identity of the data subject as that of the requester, or because such transparency would hurt Google’s own efforts to protect the security of its systems.
“Please note that certain personal data is not included in our responses to data subject access requests.
For example, data is not included to the extent we are unable to verify that the person making the request is the data subject to which it relates (Article 11(2) and Article 12(2) GDPR). This applies, for example, to data that is associated with unique identifiers (e.g. so-called cookie IDs) where we are unable to verify that they relate to the person making the request. Additionally, data is not included to the extent that
145 Google, View the activity on your Google Docs, Sheets & Slides, URL:
146 Google, Apps with access to your account, URL: https://myaccount.google.com/permissions
148 Google response 5 June 2020.
providing a copy of such data would adversely affect the rights and freedoms of others (Article 15 (4) GDPR). This applies, for example, to data we are processing in the context of detecting threats to the security of our system, the disclosure of which could impact the ability of others to safely use the services.”149
The researchers have offered Google multiple ways to verify their identity and properties of the (test)devices used to perform the scenarios, including providing detailed device, access and cookie identifiers, access to the intercepted data and a physical or virtual visit to a location to prove their identity, if necessary with copies of their passports. Google has refused all these options.
In sum, sections 2.2 to 2.4 show that the Diagnostic Data from the Core Services are personal data.
The review of the audit logs available for administrators shows they contain IP addresses, end-user and account identifiers, and sometimes email addresses. The telemetry logs recorded through the Chrome browser contain IP addresses, and sometimes sensitive content of files (collected through use of the Enhanced Spellcheck).
Google only provides limited access to some usage data collected (in its role as data processor) about the use of some Core Services and the Google Account. These Diagnostic Data are generally personal data, since these data are generated by (and protected by access credentials) the activities of individual end-users (data subjects).
Google fails to provide access to Diagnostic Data about the use of the Features and Additional Services, including the Chrome OS and Chrome browser. Google acknowledges in its reply to the data subject access requests that some data, such as cookie identifiers, are personal data, but Google states it cannot reliably verify that the person making the data subject access request is the data subject that these data relate to. Google was not willing to let the researchers provide additional information enabling their identification.