January 28, 2023

In 2021, privacy consultants working for two Dutch universities published a critical report card of Google Apps for Education, a suite of classroom tools such as Google Docs used by more than 170 million students and educators worldwide.

The audit warned that Google’s school tools lacked some of the privacy protections required by European law, such as strict restrictions on how the company can use the personal data of students and teachers. Although the company addressed some of the concerns, according to the report, Google refused to comply with the Dutch request to reduce many of the “high risks” listed in the audit.

To help break the deadlock, the Dutch Data Protection Authority, the national privacy watchdog, issued a threat: Dutch schools would soon have to stop using Google’s educational tools, the government agency said, if the products continued to pose these risks.

Two years later, Google developed new privacy measures and transparency tools to address Dutch concerns. The tech giant now plans to roll out the changes to its education customers later this year in the Netherlands and elsewhere around the world.

The Dutch government and educational organizations have had notable success in forcing big tech companies to make major privacy changes. Their carrot-and-stick approach involves months of highly technical discussions with top Silicon Valley executives, and then makes it worth their while by negotiating collective agreements that allow the companies to sell their vetted tools to various government ministries and the nation’s schools. The Netherlands’ push for change could provide a playbook for other smaller nations wrangling tech superpowers.

For some U.S. tech companies, Dutch accreditation has now become a status symbol, a stamp of approval they can show regulators elsewhere to demonstrate that they have passed one of Europe’s most stringent data protection compliance processes.

How the Netherlands, a small country of about 17.8 million people, is influencing US tech giants is a David and Goliath story involving a landmark law called the General Data Protection Regulation, implemented by EU member states in 2018.

This EU law requires companies and other organizations to minimize the collection and use of personal information. It also requires companies, schools and others to conduct audits, known as Data Protection Impact Assessments, for certain practices that may pose a high privacy risk, such as handling sensitive personal information.

But the Dutch central government and educational institutions have gone further, commissioning exhaustive technical and legal assessments of complex software platforms such as Microsoft Office and Google Workspace, and making sure top companies are involved in the process.

“They take a centralized approach, which allows them to have a scalable solution,” says Julie Brill, Microsoft’s Chief Privacy Officer. “The Netherlands punches above its weight.”

Last year, Zoom announced major changes to its data protection practices and policies after months of in-depth discussions with SURF, a cooperative in the Netherlands that negotiates contracts with technology suppliers on behalf of Dutch universities and research institutions.

Lynn Haaland, Zoom’s chief privacy officer, said the talks helped the video communications company understand how it could improve its products to meet European data protection standards and “be more transparent with our users.”

Additionally, Zoom released an 11-page document detailing how the company collects and uses personal information about individuals who participate in meetings and chats on its platform.

Dutch technical expertise has helped privacy auditors gain exceptionally granular insight into how some of the biggest software companies collect personal data on hundreds of millions of people. It also allows Dutch experts to call out companies over practices that appear to violate European rules.

Some big U.S. tech companies were hesitant at first, said Seranas, senior advisor to Privacy Corporation, a consulting firm based in The Hague that conducts data risk assessments for the Dutch government and other agencies.

“We were so small that initially, a lot of cloud providers just looked at us, raised their eyebrows and said, ‘So what? You’re the Netherlands. You don’t matter,’” said Ms. Nass, who helped lead the Dutch negotiations with Microsoft, Zoom and Google. But then, she said, the companies came to understand that the Dutch teams were negotiating compliance with data protection rules that also apply across the European Union.

“Then technology providers realize they’re not going to be able to serve 450 million people,” Ms Nass said.

The Dutch effort began to gather strength in 2018 after the Dutch Ministry of Justice and Security commissioned an audit of the enterprise version of Microsoft Office. That report said Microsoft systematically collected as many as 25,000 user activities, such as spelling changes and software performance details, from programs like PowerPoint, Word, and Outlook without providing documentation or giving administrators the option to limit data collection. In a blog post at the time, Ms. Nass’ company, which conducted the audit, said the results were “shocking”.

Consumer software often collects vast amounts of usage and performance data from users’ devices and cloud services, diagnostic data that U.S. tech companies often use freely for commercial purposes, such as developing new services. But under EU law, diagnostic data linked to an identifiable user is considered personal information, like emails a person sends or photos they post.

That means companies must limit their use of diagnostic personal data and provide people with copies of it upon request. The Dutch audit found Microsoft had failed to do so.

Microsoft agreed to address these issues. In 2019, the company rolled out a new privacy and transparency policy for global cloud customers that included “changes requested by the Dutch Ministry of Justice,” Ms. Brill wrote in a company blog post. Microsoft also released a data viewer tool that lets customers see the “raw diagnostic data” that Office sends to the company.

Ms. Brill said discussions with the Dutch helped Microsoft adopt a European view of data protection, which she sees as a more important shift in business culture than software changes.

“It starts with culture, and then making sure that the cultural pivot is reflected in our products and software, and most importantly, in the way we describe what we do to our customers,” Ms. Brill said.

The pandemic accelerated the Dutch impact on U.S. tech companies.

In 2021, a Dutch audit of Google’s school tools (now called Google Workspace for Education) reported that the products lacked certain privacy controls, transparency and contractual restrictions on the use of personal data. Educational tools include applications such as Gmail and Google Classroom, an online learning center.

Google finally agreed to the Netherlands’ request to dramatically narrow the scope of personal data the company collects using its educational tools — something U.S. regulators have yet to do.

Among other things, Google agreed to limit the way it uses diagnostic data for the Core Education app to only three fixed uses, down from a dozen uses. These three uses include providing services to customers and dealing with issues such as security threats.

Google also agreed not to use the diagnostic data for purposes such as market research, user profiling or data analysis. It also agreed to develop a tool for education customers to view their diagnostic data.

“We had to explain to Google that it was the responsibility of school boards to be mindful that they had to control the personal data of their students,” said Job Vos, data protection officer at SIVON, a Dutch cooperative that negotiates contracts with technology suppliers on behalf of Dutch schools, who has been involved in the dialogue with Google for years. “It cannot be used for commercial purposes.”

In a recent interview, Google Cloud’s chief information security officer, Phil Venables, said that Google regularly works with global regulators and didn’t think the discussions with the Dutch, or the resulting changes to Google’s data practices, were particularly noteworthy. He added that the company welcomed the technological maturity of the Dutch effort.

“We’re delighted to be working with the Dutch because they’re very demanding of this,” Mr Venables said, “and we’ve responded to that.”

Google agreed to provide new privacy controls and transparency tools by the end of 2022. Ms Nass and Mr Wirth said they were now testing Google’s proposed solution, a process that could take several months.

The Dutch effort could provide privacy improvements for schools in the U.S. and elsewhere, many of which lack the in-house technical expertise to independently investigate how complex platforms like Google collect and use student data.

But Dutch privacy experts see their audit and negotiation process as part of a larger effort by countries to try to assert their digital sovereignty in the face of the US tech superpower.

“We’ve basically been captured by the tech giants,” Ms. Nass said. “We’re starting to realize that the only way to fix this is to negotiate them to comply with European standards.”
