Dutch education IT crisis averted as Google agrees to 'major privacy improvements' Google has agreed to "major privacy improvements" following a threat to ban the use of Google Workspace in education by the Dutch Data Protection Authority (DPA). In March, Privacy Company concluded that eight out of 10 high privacy risks in Google's productivity suite, Workspace, remained. The Dutch educational institutions …
The thought occurs to me that Google probably prefers to have complaints raised by the regulators of small countries. They don't have as much leverage than the EU or the US, but the solutions achieved become reasonable blueprints for everybody else.
If it had been the EU, I'm betting that Google would be forced to protect the accounts even on YouTube, and they'd have paid a stonking big fine as well.
Except that regulators in small countries can issue the same fines as regulators in large countries under the EU's GDPR: Up to 10 million euros or 2 percent of the corporation's global revenue (note: revenue, not profit, not pretax, plain revenue), whichever is the HIGHER. And this is *per violation*.
I have been talking about this for years - as have others. I have always been shouted down with "Google keeps Education users separate and private and doesn't share details" etc., but right from the very first time my children were required to use Google Classroom for homework it was obvious that this is not true, with their Classroom identities following them at the very least to other Google offerings such as YouTube. They don't have personal Google identities* so we've taken to insisting they use Classroom in private windows when at home, which does seem to help a little.
This is such an obvious breach of EU-wide GDPR regulations and nothing has been done about it that I was beginning to wonder if perhaps I'd misunderstood something. Turns out not.
M.
*One of my children has recently received their first smartphone - a Moto g10. Now the Nokia 5.3 I bought recently was "vanilla" Android, and works just fine without a Google account, but the g10 - also claimed to be "near vanilla" Android - has a persistent popup reminding me that I haven't completed setup because I haven't logged in to my Google account. I can see no way to get rid of this. It doesn't stop the phone working at all, but it is annoying on the homescreen. Any suggestions?
You should install Blokada first.
Then I would consider using one of the ten minute email sites to create a dummy account. (Enjoy the irony and Google it.) Write down the dummy email address and password just in case. When Google asks for personal information, like birthday, fill it in with bogus information and make sure you write that down too. It will be a lot harder to track a person by email when Google doesn't have a valid email. Have another phone? Use the same trick with a different dummy email address.
I also keep my location off except when I need directions.
@Martin an gof
Pardon the intrusion - the mention of one of your sprogs jogged my memory - regarding the subject of railways that you mentioned not long ago - if you were to contact the editor here (PK), I think he may well have some information on that regard that may be worth following up
"This is such an obvious breach of EU-wide GDPR regulations and nothing has been done about it that I was beginning to wonder if perhaps I'd misunderstood something. Turns out not."
Basically the same issue was identified with Office365 use by government agencies two years ago in Holland (also involving Privacy Company):
https://www.theregister.com/2019/07/30/dutch_office_online_mobile/
It wasn't clear in that case whether the changes Microsoft made for Holland would also be automatically rolled out across all the EU (I can't see how Microsoft could avoid doing so).
You'd have thought that back at that time the same checks would have been made by the Dutch Data Protection agency (or indeed by the central EU one) regarding Google Workspace's compliance right after the O365 problems were highlighted - but that would have been too sensible...
1 - somewhere, Microsoft seems to have gotten itself a pass by bribing and paying off a LOT of officials lobbying hard to the point that local Privacy Commissioners have been explicitly instructed from upon high NOT to investigage any breaches associated with Microsoft. Thanks for the heads up, because I have some fun details that would warrant an EU-wide investigation - the problem is that I picked up rumours that this "essential" malarky may even play at EU level so maybe it needs to be made public via Pro Publica first.
2 - from the article: "The Dutch experience does show though that regulation can be effective in moderating the behaviour of big tech"
Well, no. It only shows they will have to adopt EUROPEAN approaches to bribing and paying off a LOT of officials lobbying. Look at Facebook - it just found the weakest link and pounced on it: the Irish DPA officers who see their position merely as an audtion for a fat cushy job with Big Tech. Remember, these boys know more about you than even you do and will happily use it against you, augmented by the fact that as far as I can see, European politicians are as corrupt as the rest, they just hide it better.
There is a simple rule: ask two questions:
- how they make their money?
- how do they act when under threat?
As soon as especially a US based outfit has enough money to bend or ignore the law for profit, you can be sure it will. Every. single. time.
"... This means that Google may only process this data about the individual use of the services for the purposes approved by the schools."
Under the GDPR a processor is more restricted than merely to specific "purposes". It's subject to a contract with the controller that specifies "the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller".[GDPR Article 28.3]
That means the data controller has (not surprisingly) total control over all aspects of the processing. Unfortunately, being defined as a data processor makes almost all behemoth data slurpers' business model entirely inoperable as different data controllers will have differing expectations and requirements, necessitating individually negotiated contracts with each data controller.
It's strictly not lawful under the legislation for a data processor to specify the processing - they can negotiate it with the data controller, but the data controller must be the approving party to the contract.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
