In 2021, privacy advisors from two Dutch universities issued a critical report on Google’s education apps, a suite of classroom tools such as Google Docs used by more than 170 million students and teachers worldwide.
The audit warned that Google’s tools for schools lacked some privacy protections – such as tight limits on how the company can use students’ and teachers’ personal data – required by European law. While the company addressed some of the concerns, the report said, Google refused to comply with Dutch requests to reduce some of the “high risks” cited in the audit.
It took a threat from the Dutch Data Protection Authority, the country’s privacy regulator, to break the deadlock: Dutch schools would soon have to stop using Google’s education tools, the government agency said, if the products continued to pose risks.
Two years later, Google has developed new privacy measures and transparency tools to address Dutch concerns. The tech giant now plans to roll out these changes to its education customers in the Netherlands and elsewhere in the world later this year.
The Dutch government and educational organizations have been remarkably successful in forcing Big Tech companies to make major privacy changes. Their carrot-and-stick approach engages high-level Silicon Valley executives in months of highly technical discussions, then makes it worthwhile by creating collective agreements that allow companies to sell their vetted tools to various government departments and national schools. And the Dutch efforts to bring about change could provide a playbook for other small nations grappling with tech powerhouses.
For some American tech companies, the Dutch imprimatur has now become a status symbol, a sort of seal of approval they can show to regulators elsewhere to demonstrate that they have passed one of Europe’s strictest data protection procedures.
How the Netherlands, a small country with a population of about 17.8 million people, came to influence American tech giants is a David and Goliath story about a groundbreaking law called the General Data Protection Regulation, which took effect in European Union member states in 2018.
That EU law requires companies and other organizations to minimize their collection and use of personal information. It also requires companies, schools and others to conduct audits called Data Protection Impact Assessments for certain practices, such as handling sensitive personal information, that can pose significant privacy risks.
But the Dutch government and educational institutions have gone much further, commissioning extensive technical and legal reviews of complex software platforms such as Microsoft Office and Google Workspace and ensuring that companies participate at a high level in the process.
“They have a centralized approach leading to the ability to have scalable solutions,” said Julie Brill, the chief privacy officer at Microsoft. “The Netherlands is in over its head.”
Last year, Zoom announced major changes to its data protection practices and policies after months of intense discussions with SURF, a cooperative in the Netherlands that negotiates contracts with technology suppliers on behalf of Dutch universities and research institutions.
Lynn Haaland, chief privacy officer at Zoom, said the talks helped the video communications company understand how it can improve its products to meet European data protection standards and to be “more transparent with our users”.
Among other things, Zoom has published an 11-page document detailing how the company collects and uses personal information about individuals who participate in meetings and chats on its platform.
Dutch technical expertise has helped privacy auditors gain an unusually detailed understanding of how some of the largest software companies collect personal data about hundreds of millions of people. Dutch experts may also hold companies accountable for practices that appear to be in conflict with European rules.
Some large American tech companies are hesitant at first, says Sjoera Nas, senior advisor at Privacy Company, a consultancy in The Hague that performs data risk assessments for the Dutch government and other institutions.
“We’re so small that many cloud providers initially just look at us, raise an eyebrow and say, ‘So what? You are the Netherlands. You don’t matter,’” said Ms. Nas, who helped lead the Dutch negotiations with Microsoft, Zoom and Google. But then, she said, the companies begin to understand that the Dutch teams are negotiating for the Netherlands to comply with data protection rules that also apply throughout the European Union.
“Then the technology providers realize they can’t provide their services to 450 million people,” Ms. Nas said.
The Dutch effort started to gain momentum in 2018, after the Dutch Ministry of Justice and Security commissioned an audit of a corporate version of Microsoft Office. According to the report, Microsoft systematically collected up to 25,000 types of user activity, such as spelling changes and software performance details of programs such as PowerPoint, Word, and Outlook without providing documentation or giving administrators an option to limit that data collection. In a blog post at the time, Ms. Nas, whose company conducted the audit, described the results as “alarming”.
Consumer software typically collects a lot of usage and performance data from users’ devices and cloud services — diagnostic data that U.S. tech companies often use freely for business purposes, such as developing new services. But under EU law, diagnostic data linked to an identifiable user is considered personal information, just like the emails people send or the photos they post.
That means companies must limit their use of diagnostic personal data and provide people with a copy of it upon request. The Dutch audit showed that Microsoft had not done this.
Microsoft agreed to address these issues. In 2019, the company introduced a new privacy and transparency policy for cloud customers around the world, which included “changes requested by the Dutch Ministry of Justice,” Ms. Brill wrote in a blog post from the company. Microsoft has also released a data viewer tool that allows customers to see the “raw diagnostic data” that Office has sent to the company.
Ms. Brill said the talks with the Dutch helped Microsoft embrace European views on data protection, a shift in corporate culture that she said was more important than the software changes.
“It starts with culture and then making sure that the cultural linchpin is reflected in our products and our software and, more importantly, in the way we describe to our customers what we do,” said Ms. Brill.
The pandemic accelerated the Dutch effect on US technology companies.
In 2021, the Dutch audit of Google’s tools for schools, now known as Google Workspace for Education, reported that the products lacked certain privacy controls, transparency, and contractual limits regarding the use of personal data. The education tools include apps such as Gmail and Google Classroom, an online learning center.
Google eventually agreed to Dutch requests to significantly restrict how the company could use the personal data collected by its education tools — something that U.S. regulators failed to achieve.
Among other things, Google agreed to limit the use of diagnostic data from its main education apps to just three set purposes, instead of more than a dozen purposes. The three uses include providing services to customers and handling issues such as security threats.
Google also agreed not to use the diagnostic data for purposes such as market research, user profiling or data analysis. And it agreed to develop a tool for education customers to view their diagnostic data.
“We had to explain to Google that school boards have a duty of care and control over students’ personal data,” said Job Vos, a data protection officer at SIVON, a Dutch cooperative that negotiates contracts with technology suppliers on behalf of Dutch schools, who participated in the years of conversations with Google. “It should not be used for commercial purposes.”
In a recent interview, Phil Venables, the chief information security officer at Google Cloud, said Google regularly works with regulators around the world and doesn’t see the discussions with the Dutch — or the resulting changes in Google’s data practices — as particularly noteworthy. He added that the company welcomed the technical sophistication of the Dutch effort.
“We liked working with the Dutch because they had a lot of requirements,” said Mr. Venables, “and we responded to that.”
Google agreed to provide new privacy controls and transparency tools by the end of 2022. Ms. Nas and Mr. Vos said they were now testing Google’s suggested solutions, a process that could take months.
The Dutch efforts could bring privacy improvements to schools in the United States and elsewhere, many of which lack the in-house technical expertise to independently investigate how complex platforms like Google collect and use student data.
But Dutch privacy experts see their scrutiny and negotiation process as part of a much larger effort by countries trying to assert their digital sovereignty against US tech superpowers.
“We’ve basically been captured by the tech giants,” Ms. Nas said. “We are starting to realize that the only way to deal with it is to negotiate their compliance with European standards.”