Google for Education and data protection
A little over a week ago, the news on TV3 broadcast an extensive report on the use of Google for Education in schools. Subsequently, Popap, the programme on Catalunya Ràdio for which I am a regular contributor, discussed it at length
The use of Google Education has become increasingly common in schools in Catalonia over the past 2 or 3 years. The fact that the tool and the Google environment we all know is free of charge means that its use is spreading with almost no competition (Microsoft offers similar services but is used much less frequently). The debate on the security and privacy of personal data saved or shared via Gmail, Drive, or Classroom of such a sensitive group as that of children is logical, and I believe it shows the degree of maturity of our society. We should, however, also consider the following:
Regarding the Google for Education service:
- Google has access to the data as a service provider, in legal speak known as the “Processor”, and this point is crucial. This is the complete opposite to when you open a gmail account, where Google is what is known as the controller of the data it collects and of the purposes for which it is used. In Google for Education, the controller of this data is the School, and Google a “mere service provider” compelled to comply with its contractual obligations with the School.
- There is a clear difference between two types of service:
a) Core services of Google for Education: Gmail, Calendar and Classroom. The conditions make it very clear that this data is accessed within the context of the provision of a service and that Google will never use the data for any purpose (e.g. advertising) other than the service provision.
b) Additional services: You Tube, Gmaps, Blogger. This is where the trick lies, as Google also makes it clear that it can use the data to “provide, maintain, protect and improve these services, and to develop new ones”. What is important here is that Google indicates (1) that Schools must ask for express consent from parents to use these additional services, and (2) it will never use the data of students to target ads.
That said, in terms of the core services, School administrators must review and sign the data processing amendment that Google provides. These clauses are available at Administration / Legal information and compliance / Additional security and privacy conditions. Check that the GSuite Terms of Service have been expressly accepted.
On 20th September 2017, Google was given approval by the Spanish Data Protection Agency (AEPD) to transfer data from the EU to the company’s servers in the US.
Therefore, although I agree that we should keep an eye on whether or not Google actually complies with the agreements it makes its customers sign, if we focus on the core services then I think the controversy is slightly disproportionate for the reasons indicated. Essentially, and to give a simple comparison, it would be like worrying about how an employment agency uses the data on the employees of its clients. The agency (and Google) is bound by a service agreement, and cannot use the data to which it has access for its own purposes.
Having said this we mustn’t be naive and think that Google needs the data identifying students (their name) in order to make the most of it, as tools such as Big Data enable it to use this information anonymously. This is where the additional services come in, and Google has the tools to analyse user activity, despite not knowing the name, for such a wide-ranging activity as providing, maintaining, protecting and improving these services, and developing new ones. I believe, therefore, that the controversy should focus on this.