In the Netherlands, data regulators are leading the way in continent-wide efforts to curb excessive data collection by U.S. tech giants, landing major concessions from Microsoft and Google. Private privacy consultants and government watchdogs have leveraged the General Data Protection Regulation (GDPR) to make major privacy changes.
The context
In late 2019, the University of Groningen and Amsterdam University of Applied Sciences commissioned a private company to assess the data privacy implications of Google services in education. The full report, which was completed in 2021, said that Google’s Workspace for Education lacked several privacy protections that were required by European and Dutch law. While Google addressed some of the concerns, a number of “high risks” identified in the report were left unresolved.
Soon after the report was released, Autoriteit Persoonsgegevens, the data protection authority for the Netherlands, warned that Google’s education tools would be banned in Dutch schools if the tech giant failed to resolve the privacy and compliance risks.
How the Dutch leveraged GDPR
The GDPR, which became E.U. law in 2018, introduced stricter consent requirements for data collection by businesses and organizations. The law also requires schools and other large bodies to conduct audits, called Data Protection Impact Assessments, for data collection and processing practices with high privacy risks.
The Dutch government and educational sector went beyond the directive’s minimum standards and commissioned in-depth audits of major services like Zoom, Google Workspace, and Microsoft 365. They also negotiated directly with the parent companies to secure commitments and concessions.
Enhanced data privacy for all
In March 2022, Zoom unveiled major privacy changes in response to a DPIA. Zoom agreed to “improved transparency and documentation,” enhanced data protection practices, and new privacy features.
Microsoft amended its global privacy and transparency policy for commercial cloud contracts to accommodate changes requested by the Dutch Ministry of Justice and Security. Julie Brill, Microsoft’s Chief Privacy Officer, said that the company “remain[s] committed to listening closely to our customers’ needs and concerns regarding privacy.”
Google also announced that it has introduced “new contractual privacy commitments” to address the Dutch concerns surrounding Google Workspace. These privacy updates, limited to education customers, will roll out in the Netherlands beginning in 2023 and worldwide in 2024.