Google has rejected the idea that its flagship Google Workspace suite of productivity tools and services is embedded with several data protection risks to end-users after the Dutch government published data protection impact assessments (DPIAs).
Two assessments conducted by Privacy Company, in partnership with the Dutch government, have found eight highly-rated data protection risks in Google Workspace, alongside three low-risk issues.
These include a lack of purpose limitation for content and diagnostic data collection, a lack of transparency on the same data types, and a lack of privacy controls for administrators and users, among other glaring issues.
Users told to ditch OneDrive and Office 365 to avoid 'covert' data harvesting Google Workspace updates take aim at hybrid working General Data Protection Regulation (GDPR)
“Many of the identified privacy risks identified stem from Google's position that it may process the information it receives about employee behaviour for its own purposes,” said senior privacy adviser, Sjoera Nas.
“In fact, Google considers itself to be an independent controller for the personal data on the individual use of the online services, the Diagnostic Data. The same applies to the content of (and information on) support requests that employees submit to Google, and comments that users submit via the Feedback form.”
Google, however, has rejected these claims, insisting that it never uses customer data for targeted advertising, allows customers to control their data, and that it’s committed to transparency and compliance with regulations such as GDPR.
Privacy Company conducted technical and legal research into the data Google processes through the entirety of Google Workspace between December 2019 and June 2020, originally finding ten high-risk data protection issues, alongside three low-risk problems.
After entering negotiations with the Dutch government, which commissioned these DPIAs, Google implemented a series of measures to mitigate these risks. The firm published a new privacy notice on the processing of service data in November 2020, for example. Privacy Company claims these measures only addressed two high-risk flaws, however, and have published the full findings of the DIPAs.
“We adhere to regulatory and compliance requirements to protect our customers' data,” said Google Cloud vice president EMEA South, Samuel Bonamigo. “And we believe that it is deeply important for us to be transparent about our products and our practices, which helps to ensure that our customers and stakeholders understand our strong commitment to privacy, security, and compliance.
“We engage closely with European customers, regulators, policymakers, and other stakeholders to provide higher levels of transparency and to build trust. This helps us understand their security and privacy needs, so we can incorporate their feedback into how we build our products and tools. We also use this feedback to improve our public documentation so that customers and users understand how to configure our services to meet their compliance needs or privacy preferences.”
The DPIAs examined Google Workspace, formerly known as G Suite, as used on smartphones running both iOS and Android, on a Chromebook, on a MacBook and on Windows 10 laptops. These also analysed what happens when you use Workspace through a browser, or offline, as well as how microservices such as spell-check handles data.
Address multi-cloud configuration risks
Cloud security challenges and how to overcome them
Among several issues, researchers were dissatisfied with the level of information about the exact types of data Google collects through telemetry, through the use of its website and in its cloud log servers. Google has, in response, promised to publish information on the content of the telemetry data by the end of 2021.
Privacy Company previously played a role in investigating whether Microsoft’s OneDrive and Office 365 products were similarly embedded with privacy risks, on behalf of the Dutch government.
The organisation found in November 2018 that Microsoft Office and Windows 10 Enterprise used a telemetry data collection mechanism that violated GDPR. Their findings outlined eight high-risk data protection problems with ProPlus subscriptions of Office 2016 and Office 365 as well as the web-based Office 365.
Privacy Company’s findings sparked a back-and-forth between Microsoft and European regulators that led to the European Data Protection Supervisor express serious concerns that Microsoft may have violated data protection laws.
Google has suggested it will continue to engage with the Dutch government and discuss these findings with the goal of reaching an amicable agreement.
