A Data Protection Impact Assessment (DPIA) into Google Workspace was launched by the Central Dutch government in 2020. The report noted there were eight high-risk issues
principally around data collection. It also noted that Google did not provide all the personal data it held when asked to do so under the GDPR provisions for the right to request access.
Google said today: “As a result of this process, the Central Dutch government, the Dutch education sector organisations/institutions, and Google Cloud found agreement and will continue working together on the DPIA recommendations.”
According to Google: “DPIAs help organizations better understand how companies process and protect personal data and define parameters for GDPR compliance.”
Google Cloud’s managing director for Benelux, Joris Schoonis, said: “This is a milestone for Google Cloud’s relationship with the Central Dutch Government, as we see the results of the DPIAs come to fruition.
“We’ve designed Google Workspace products and solutions, including Google Workspace for Education, to secure and protect the privacy of our customers’ data.”
Rousing stuff, particularly since Google’s ad business is all about collecting as much data as legally possible about customers in the hope of better targeting ads. In recent years the company has recognized that EU lawmakers are worried about privacy, and this month Google trumpeted the arrival of Sovereign Controls for Google Workspace Microsoft intends to implement its own EU Data Boundary by the end of 2022.
Google said the agreement between Google and the privacy regulator would help facilitate multicloud adoption in the Dutch central government.
The EU is in Google’s crosshairs. It opened a new Google Cloud region in Madrid last week, “allowing both Spanish businesses and government entities to meet their availability, data residency, and sustainability needs in Spain while also accelerating their digital transformation.”
A spokesperson for Google told The Register: “Users will be able to choose the region depending on their needs, based on services available, residency of data, latency and so on,” before directing us back to the Sovereign Controls blog post.
We’ve yet to hear back from the search giant on the specifics of what had to be done to satisfy the Dutch DPIA.
The agreement follows another regarding data protection in Google Workspace for Education which was signed off last year The education ministry said at the time that a “timeline” had been agreed for Google to implement the GDPR requirements.
Productivity suite rival Microsoft has had its own run-ins with the Dutch Government over the years. Most recently it was the subject of another DPIA (focusing on Teams, OneDrive, Sharepoint, and Azure Active Directory), the results of which could be summarized as “must try harder.” Mitigations were suggested by the DPIA to deal with worries over encryption and data moving out of the EU