In 2021, privacy consultants working for two Dutch universities issued a critical report on Google Education Apps, a suite of classroom tools like Google Docs used by more than 170 million students and educators around the world.
The audit warned that Google’s tools for schools lacked a number of privacy protections, including tight limits on how the company could use students’ and teachers’ personal data, which were required by European law. Although the company addressed some of the concerns, according to the report, Google refused to comply with Dutch requests to reduce a number of “high risks” cited in the audit.
It took a threat from the Dutch Data Protection Authority, the nation’s privacy regulator, to help break the deadlock: Dutch schools would soon have to stop using Google’s educational tools, the government agency said, if the products continued to pose those risks.
Two years later, Google has developed new privacy measures and transparency tools to address Dutch concerns. The tech giant now plans to roll out those changes for its education clients later this year in the Netherlands and in other parts of the world.
The Dutch government and educational organizations have had remarkable success forcing big tech companies to make major privacy changes. Their carrot-and-stick approach engages high-level Silicon Valley executives in months of highly technical discussions and then makes it pay off by negotiating collective agreements that allow companies to sell their vetted tools to different government ministries and schools across the nation. And Dutch efforts to drive change could provide a playbook for other small nations battling with tech superpowers.
For some US tech companies, the Dutch nod has now become a status symbol, a kind of stamp of approval that they can show to regulators elsewhere to show that they have passed one of Europe’s most stringent data protection compliance processes.
How the Netherlands, a small country with a population of around 17.8 million people, came to influence American tech giants is a David and Goliath story involving a landmark law, called the General Data Protection Regulation, which entered into force in 2018 for the member states of the European Union.
That EU law requires companies and other organizations to minimize their collection and use of personal information. It also requires companies, schools and others to conduct audits, called Data Protection Impact Assessments, for certain practices, such as the processing of sensitive personal information, that could present high privacy risks.
But the Dutch central government and educational institutions have gone much further by commissioning comprehensive technical and legal assessments of complex software platforms such as Microsoft Office and Google Workspace — and ensuring high-level company involvement in the process.
“They have a centralized approach that leads to the ability to have scalable solutions,” said Julie Brill, Microsoft’s chief privacy officer. “Holland punches above their weight.”
Zoom last year announced major changes to its data protection practices and policies after months of intensive discussions with SURF, a cooperative in the Netherlands that negotiates contracts with technology providers on behalf of Dutch universities and research institutions.
Lynn Haaland, Zoom’s chief privacy officer, said the talks helped the video communications company understand how to improve its products to meet European data protection standards and “be more transparent with our users.”
Among other things, Zoom published an 11-page document detailing how the company collects and uses personal information about people who participate in meetings and chats on its platform.
Dutch technical expertise has helped privacy auditors obtain unusually granular insights into how some of the biggest software companies amass the personal data of hundreds of millions of people. It has also allowed Dutch experts to sue companies for practices that appear to violate European standards.
Some big US tech companies are resistant at first, said Sjoera Nas, senior advisor at Privacy Company, a consulting firm in The Hague that performs data risk assessments for the Dutch government and other institutions.
“We’re so small that initially a lot of cloud providers look at us, raise an eyebrow and say, ‘So what? You are Holland. It doesn’t matter,’” said Ms. Nas, who helped lead the Dutch negotiations with Microsoft, Zoom and Google. But then, she said, companies are beginning to understand that the Dutch teams are negotiating compliance with Dutch data protection rules that also apply throughout the European Union.
“Then the technology providers realize they won’t be able to serve 450 million people,” Nas said.
The Dutch effort began to gather steam in 2018, after the country’s Justice and Security Ministry commissioned an audit of an enterprise version of Microsoft Office. The report said Microsoft systematically collected up to 25,000 types of user activity, such as spelling changes and software performance details of programs such as PowerPoint, Word, and Outlook without providing documentation or giving administrators the option to limit that data collection. In a blog post at the time, Ms Nas, whose company conducted the audit, described the results as “alarming.”
Consumer software typically collects a large amount of usage and performance data from user devices and cloud services, diagnostic data that is often freely used by US tech companies for business purposes, such as development of new services. But under EU law, diagnostic data linked to an identifiable user is considered personal information, just like emails a person sends or photos they post.
That means companies must limit the use of personal diagnostic data and provide people with copies of it upon request. The Dutch audit found that Microsoft had not done so.
Microsoft agreed to address those issues. In 2019, the company introduced a new privacy and transparency policy for cloud customers worldwide that included “changes requested by the Dutch Ministry of Justice,” Ms. Brill wrote in a company blog post. Microsoft also released a data viewer tool to allow customers to view the “raw diagnostic data” that Office sent to the company.
Ms Brill said the discussions with the Dutch helped Microsoft embrace European views on data protection, a change in company culture that she said was more significant than the software changes.
“It starts with the culture and then we make sure that the cultural pivot shows up in our products and our software and, more importantly, in the way we describe what we do to our customers,” said Ms. Brill.
The pandemic accelerated the Dutch effect on American tech companies.
In 2021, the Dutch audit of Google’s tools for schools, now known as Google Workspace for Education, reported that the products lacked certain privacy controls, transparency, and contractual limits around the use of personal data. Educational tools included apps like Gmail and Google Classroom, an online learning center.
Google eventually agreed to Dutch requests to significantly reduce how the company could use personal data collected by its educational tools, something US regulators had failed to do.
Among other things, Google agreed to limit how it used diagnostic data from its core educational apps to only three fixed purposes, down from more than a dozen purposes. The three uses included providing services to customers and handling issues such as security threats.
Google also agreed not to use the diagnostic data for purposes such as market research, user profiling, or data analysis. And it agreed to develop a tool for education clients to view their diagnostic data.
“We had to explain to Google that school boards have a duty of care and must be in control of students’ personal data,” said Job Vos, a data protection officer at SIVON, a Dutch cooperative that negotiates contracts with technology providers on behalf of the Dutch schools, which participated in the year-long talks with Google. “Cannot be used for commercial purposes.”
In a recent interview, Phil Venables, Google Cloud’s chief information security officer, said that Google regularly worked with regulators around the world and did not see the discussions with the Dutch, or the resulting changes in Google’s data practices, as particularly notable. He added that the company welcomed the technical sophistication of the Dutch efforts.
“We have been pleased to work with the Dutch because they have been picky about this,” Venables said, “and we have responded to that.”
Google has agreed to offer new privacy controls and transparency tools by the end of 2022. Ms Nas and Mr Vos said they were now testing Google’s proposed solutions, a process that could take months.
The Dutch efforts could provide privacy improvements for schools in the United States and elsewhere, many of which lack the in-house technical expertise to independently investigate how complex platforms like Google collect and use student data.
But Dutch privacy experts see their audit and negotiation process as part of a much larger effort by countries trying to assert their digital sovereignty against American tech superpowers.
“We are basically captured by the tech giants,” Nas said. “We are starting to realize that the only way to deal with this is to negotiate our way towards compliance with European standards.”