Google Workspace and data privacy
Shaheen Qureshi (CIPP/E)
Legal Counsel at Coda | Certified Information Privacy Professional/Europe (CIPP/E) | Law and Data Privacy
The Danish DPA (Datatilsynet) banned the use of Google Workspace across municipalities in a recent case pertaining to processing of personal data by the municipality of Helsing?r in primary schools. After Italy (Garante), France (CNIL) and Austria (DSB) on Google Analytics, Denmark now becomes the fourth country to sanction Google for data privacy.
As more and more EU countries are ruling that Google products violate EU law, let us look at the hows and whys of the data privacy concerns surrounding Google below:
Why did the Danish DPA ban Google Workspace?
In September 2021, Datatilsynet ordered a risk assessment of the municipality of Helsing?r's processing of personal data in primary schools. The assessment concluded that personal data might be transferred to third countries, including the USA, without adequate privacy mechanisms in place. Therefore, it was ruled that the processing of personal data by municipality of Helsing?r did not comply with the EU GDPR requirements.
What followed?
The municipality of Helsing?r has been suspended from processing operations involving personal data transfer to the US. Additonally, a general ban was imposed on the municipality for processing with Google Workspace. Datatilsynet stated that the decision would also apply to other municipalities using the same processing design.
Although the suspension was to take effect immediately, the municipality of Helsing?r was given a deadline till 3rd August 2022 to delete data already transferred.
Is this Google's first tryst with a data protection authority?
As stated at the outset of this article, this is definitely not Google's first data privacy rendezvous. Google has often been on the radar of data protection authorities across the globes. Post August 2020 when Schrems II invalidated the Privacy Shield, Google's history with data privacy breaches looks something like this:
领英推荐
Why was Google Analytics banned in several geographies?
Flashback to July 2020, when NOYB (an NGO for digital rights) filed a complaint that argued data transfer to the US violates GDPR. This became known as?Schrems II judgement, which successfully invalidated the Privacy Shield.
The primary purpose of GDPR is to safeguard the privacy of EU citizens. When personal data is transferred to the US, the same is at risk and privacy of EU citizens cannot be guaranteed. Google qualifies as an “electronic communication service provider,” within the meaning of 50 US Code § 1881 and accordingly, is subject to surveillance by US intelligence services in accordance with Section 702 of the Foreign Intelligence Surveillance Act (FISA). This means that Google is obliged to provide the US authorities with personal data. Therefore, personal data transferred by Google to US has been declared unlawful.
Apart from Google's failure to adopt supplementary measures to avoid personal data from being accessed by the US authorities, the French DPA (CNIL) brought to fore the following issues:
Practical implications:
Shortly after CNIL banned Google Analytics, the EU & US reached an agreement, which was, however, only a political one with no legal merits. Until a legal agreement is drafted and an adequacy decision is made on it, Google products continue to be a threat to the privacy of EU citizens and cannot be used in jurisdictions where it has been banned.
It is yet not clear how companies which use Google products, including Google Analytics, should proceed. The most consistent solution with the data protection authorities' latest interpretations is to stop using the tool, which, however, is not being opted for by most companies. What is crucial at this point, as DPAs are thoroughly investigating transfers outside the EEA, is having all the appropriate agreements, policies, procedures and proper transfer impact assessments in place.