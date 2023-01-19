



In 2021, privacy consultants working at two Dutch universities will share important information about Google’s educational apps, a set of classroom tools such as Google Docs used by over 170 million students and educators worldwide. issued a report card.

The audit warned that Google’s tools for schools lack many privacy protections, including narrow restrictions on how students’ and teachers’ personal data is used, as required by European law. The company addressed some concerns but refused to comply with Dutch requests to reduce many of the high risks identified in the audit, the report said.

Threats from the Dutch data protection authority, the country’s privacy regulator, helped break the impasse. Dutch schools will soon have to stop using Google’s educational tools, the agency said.

Two years later, Google has developed new privacy measures and transparency tools to address Dutch concerns. The tech giant now plans to roll out these changes to its educational customers in the Netherlands and around the world later this year.

The Dutch government and educational institutions have had remarkable success in forcing big tech companies to make major privacy changes. Their carrot-and-stick approach has involved Silicon Valley officials in months of highly technical debates before allowing companies to sell vetted tools to various government departments and schools across the country. increase their value by negotiating collective agreements that And the Dutch effort to drive change could provide an example for other smaller nations competing with the tech superpowers.

For some US tech companies, the Dutch imprimatur has become a status symbol. This is like a seal of approval that can be shown to regulators elsewhere to show that he has passed one of Europe’s most stringent data protection compliance processes.

How the Netherlands, a tiny country of about 17.8 million people, came to dominate America’s tech giants is the result of a landmark 2018 implementation by the European Union called the General Data Protection Regulation. The story of David and Goliath, including the law. Member States.

That EU law requires businesses and other organizations to minimize the collection and use of personal information. It also requires businesses, schools, and others to conduct audits, known as data protection impact assessments, for certain practices that may pose high privacy risks, such as the processing of sensitive personal information.

However, the Dutch central government and educational institutions have taken the initiative by commissioning a thorough technical and legal evaluation of complex software platforms such as Microsoft Office and Google Workspace, and ensuring high-level corporate participation in the process. , going further.

Microsoft’s chief privacy officer, Julie Brill, said that they are taking a centralized approach that leads to the ability to have a scalable solution. Holland punches above its weight.

Last year, Zoom changed its data protection practices and policies significantly after months of intensive discussions with SURF, a Dutch cooperative that negotiates contracts with technology vendors on behalf of Dutch universities and research institutions. announced a change.

Zoom’s chief privacy officer, Lynn Haaland, said the talks helped the video operator understand how to improve its product to meet European data protection standards and be more transparent to its users. said.

In particular, Zoom has released an 11-page document detailing how it collects and uses personal information about individuals participating in meetings and chats on its platform.

Dutch technical expertise has given our privacy auditors a very detailed insight into how some of the big software companies collect the personal data of hundreds of millions of people. . Dutch experts were also able to accuse companies of practices they believed violated European rules.

Some big US tech companies are hesitant at first, said Sjoera Nas, a senior adviser at The Hague-based consulting firm Privacy Company.

We are so small that at first many cloud providers look at us and frown and say, you are holland “You don’t care,” said Nas, who led Dutch negotiations with Microsoft, Zoom and Google. But then companies began to understand that the Dutch team was negotiating Dutch compliance with data protection rules that also apply across the European Union, she said.

After that, technology providers will find themselves unable to serve 450 million people, Nas said.

The Dutch effort started gaining momentum in 2018 after the country’s Ministry of Justice and Security commissioned an audit of the enterprise version of Microsoft Office. According to the report, Microsoft systematically collected up to 25,000 types of user activity, including spelling changes and software performance details, from programs such as PowerPoint, Word, and Outlook, but did not provide documentation or limit data collection. It never gave administrators the option to In a blog post at the time, Nas, whose company conducted the audit, said the results were astonishing.

Consumer software typically collects a set of usage and performance data from a user’s device and diagnostic data for cloud services. These data are often freely used by US technology companies for business purposes such as developing new services. However, under EU law, diagnostic data associated with an identifiable user is considered personal information, along with emails you send or photos you post.

This means that companies should limit their use of diagnostic personal data and provide copies of it to people upon request. A Dutch audit found that Microsoft did not.

Microsoft has agreed to address these issues. In 2019, the company introduced new privacy and transparency policies for its cloud customers around the world. This included changes requested by the Dutch Ministry of Justice. Brill wrote in a company blog post. Microsoft has also released a data viewer tool that allows customers to see the raw diagnostic data that Office has sent to the company.

Brill said discussions with the Dutch helped Microsoft embrace European views on data protection. A change in business culture is more important than a change in software, she said.

It starts with culture and then allows the cultural pivot to manifest in our products and software and, most importantly, the way we explain what we do to our customers, Brill said.

The pandemic has accelerated Dutch influence on US tech companies.

In 2021, a Dutch audit of Google’s tool for schools, now known as Google Workspace for Education, found that the product lacked certain privacy controls, transparency and contractual restrictions on the use of personal data. Reported. Educational tools included apps like Gmail and Google Classroom, an online learning hub.

Google eventually agreed to Dutch demands to significantly narrow how it uses personal data collected by its educational tools, something U.S. regulators have failed to achieve.

Among other things, Google has agreed to limit how it uses diagnostic data from its core educational apps to three fixed purposes out of ten or more. Three uses included providing services to customers and handling issues such as security threats.

Google also agreed not to use diagnostic data for purposes such as market research, user profiling, and data analysis. We also agreed to develop a tool that would allow educational customers to review their diagnostic data.

School boards had a duty of care and had to explain to Google that they had to control students’ personal data, said Job Vos, SIVON’s data protection officer. increase. A Dutch school that participated in long-standing discussions with Google. You may not use it for commercial purposes.

In a recent interview, Phil Venables, Chief Information Security Officer at Google Cloud, said that Google works regularly with regulators around the world and has made changes as a result of discussions with the Netherlands and Google’s data practices. said he did not consider it particularly noteworthy. He added that the company welcomes the technical sophistication of the Dutch effort.

According to Venables, they have been very strict about this and we were happy to work with Holland and respond.

Google has agreed to deliver new privacy controls and transparency tools by the end of 2022. Nas and Vos said they are currently testing Google’s proposed solution. This process can take months.

The Dutch effort could improve privacy for schools in the US and elsewhere. Many lack the in-house technical expertise to independently investigate how complex platforms like Google collect and use student data.

But Dutch privacy experts believe their audit and negotiation process is part of a larger effort by countries seeking to assert digital sovereignty in the face of the American superpower.

According to Nas, they were basically captured by the tech giants. I was beginning to realize that the only way to deal with it was to negotiate to comply with European standards.

