Why the Spanish Data Protection Agency does not like Google Workspace for Education

google workspace for education

The use of technological tools in education is already common in primary and secondary schools, but over the past few months it has also become part of the debate about the possible negative effects of the use of technology among minors. Digitalisation in education, as in so many other areas, creates many benefits and opportunities. But at the same time, unfortunately, it opens the door to possible abuses by the big Internet giants, who base their business on the use of data, in this case data from a vulnerable population, that is, minors.

Certain parental groups are being especially active in reporting possible abuses, such as the group Adolescencia Libre de Móviles (Mobile-free Adolescence). But it is not simply a matter of social activism. The Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD in its Spanish acronym), the official organisation responsible for ensuring the privacy and protection of citizens’ data, has issued very clear recommendations on, specifically, Google Workspace for Education, one of the most widespread technology platforms for education.

In February 2024, the AEPD’s legal department responded to a consultation raised by the National Institute of Innovative Technologies and Teacher Training (Instituto Nacional de Tecnológicas Innovativas y Formación al Profesorado, INTEF in its Spanish acronym) on the implementation of Google Workspace for Education in classrooms.

The conclusion reached by the AEPD was definitive. The use of this platform is not recommended for these reasons, among others:

The contractual terms are not clear. Google Workspace for Education defines some of its services as central and others as additional, such as Google searches, the use of Google Maps or YouTube. But an educational tool based on the Google ecosystem where you could not use Google searches, for example, would not make much sense.

Data that is too highly shared. The AEPD highlights that, according to the privacy policy, Google could share user names, email addresses and passwords; secondary email addresses; phone numbers, profile photos and any information that the user adds to their account; and information about cookies, where settings such as language used are stored. It should be noted that this data would be shared with the service administrator and also with Google affiliates and other third-party providers, as well as in any country where Google or its sub-processors have facilities.

Opacity in the processing of data. The AEPD emphasises the lack of clarity with which the purpose of the processing of personal data is treated in the contractual conditions, and that there are aims that do not serve the purpose of the “administrator” of the processing (the educational centre) but rather only the “supplier” (Google). In addition, these aims are defined in ambiguous and non-specific terms (improving services, providing support, etc.).

Consent and responsibility. When implementing Google Workspace for Education, the platform places the obligation on the user to ensure that consent has been granted by both the client (which would be the educational centre) and the users (which would be any member of the educational community who is the recipient of the technological solution, such as the administrator, as well as the faculty and the students).

And, as the AEPD points out, such consent would not be “free and informed”. If a student did not accept these terms, they would be in unequal conditions as they could not use the service, so it is not possible to speak about freedom of consent.

Similarly, families may not have enough information to assess the implication of such consent. Sometimes even data of other family members using devices and the same connection as the minor who is using a Google Workspace account would be compromised.

Unilateral and unjustified modifications. The AEPD reports that, according to the Terms of Service, Google could make “commercially reasonable changes when it deems them appropriate”. Thus it follows that, unilaterally, it could modify elements that have an impact on the processing of personal data.

Moreover, Google states that, in the case of hiring a new sub-processor for the data during the term of the contract, it would notify users within 30 days before this processor begins to provide services. The users, for their part, would have 90 days to terminate the contract in the face of this new circumstance. This means that the termination could occur when this sub-processor already has the users’ personal information.

It is noteworthy that termination of the contract by the educational centre does not imply a real possibility for refusal, but rather is an alternative forced on them by Google.

Non-European legislation. In the addendum on data processing, Google states that a non-European Data Protection Regulation may also apply to the processing of clients’ personal data, and that this addendum would prevail regardless of whether the European Data Protection Regulation […] applies to the processing of clients’ personal data.

The AEPD notes that this should not be possible, given that the EU Data Protection Regulation is mandatory.

Communication of incidents. The AEPD stresses that, in its terms, there is no commitment on the part of Google to notify the processing administrator of the incident in less than 72 hours, as established by EU regulations for security breaches.

The conclusion of the AEPD opinion is that learning digital skills is part of the fundamental right to education contained in the Constitution, but the need to hire services that are presented as additional to reach this goal threatens the privacy of minors. The AEPD points out that the invasive collection of personal information, the possibility of using it to create profiles, and the fact that this information may be transferred to third parties are all unnecessary risks. It would be a massive collection of data, involving a large number of people, many of them minors.