How the Netherlands manages Big Tech

Two Dutch universities’ privacy consultants released a report card on Google Apps for Education in 2021. It is a suite that includes Google Docs and other classroom tools. More than 170 million teachers and students worldwide use it.

The Audit warned Google’s tools for schools lack a number of privacy protections — such as narrow restrictions on how the company uses personal data of students and teachers — that European law requires. However, the company can be addressed. Some concernsAccording to the report, Google refused to comply with Dutch requests for reducing a number “high risk” issues cited in the audit.

It took a threat by the Netherlands’ Data Protection Authority (the country’s privacy regulator) to break the deadlock. Dutch schools will soon have stop using Google’s educational tools. government agency saidIf these products continue to pose risks,

Google has evolved two years later New privacy measures Dutch concerns will be addressed by transparency tools and information. These changes will be available to education customers later in the year in the Netherlands, and elsewhere in the world.

The Dutch government has had remarkable success in requiring big tech companies to change their privacy policies. High-ranking Silicon Valley executives are engaged in months-long technical discussions. After that, they negotiate collective agreements that allow companies the ability to sell their vetted gadgets at various government departments and schools. The Dutch efforts to bring about change could serve as a template for other small nations that want to fight with the technological superpowers.

The Dutch permit has become a status symbol for US tech companies. This is a type of seal of approval that they can show to regulators in other countries to prove they have passed one of Europe’s strictest data protection compliance procedures.

A landmark law called “The Netherlands” is one of the many examples of how a small country like Netherlands, with 17.8m people, has influenced American tech giants. General Data Protection RegulationThe 2018 European Union member states made it effective.

This EU law requires companies to reduce the collection and use personal information by other organizations. Companies, schools, and other organizations are also required to conduct audits. Data protection impact assessmentsFor certain practices, such processing sensitive personal data, which can pose high privacy threats.

The Dutch central government and educational institutions went further and commissioned comprehensive technical and legal assessments for complex software platforms, such as XML. Microsoft OfficeAnd Google Workspace– To ensure high-level participation from the company.

He stated that they have a centric approach, which allows them to have scalable solutions. Julie Brill, Chief Privacy Officer at Microsoft. “The Netherlands punches above their weight”

Zoom achieved its highest level of success last year Declare a majorAfter several months, there have been changes to the data protection policies and practices. extensive discussions with SURF,A Dutch cooperative that negotiates technology vendor contracts on behalf of Dutch universities.

Len Haaland of Zoom, Zoom’s chief privacy officers, stated that the conversations helped Zoom understand how to improve its products to comply with European data protection standards, and “be more transparent” with its users.

Zoom published a number of other publications, including a 11-page documentIt describes how the Company collects, uses, and protects personal data about individuals who participate in meetings and conversations on its Platform.

Privacy auditors in the Netherlands have been able gain extraordinary insight into the practices of large software companies that harvest personal data from hundreds of millions of people. This has been possible thanks to Dutch technical expertise. It allowed Dutch experts to recall companies that were suspected of violating European regulations.

In the beginning, large US technology companies claimed they refused to accept them. Seguera NasPrivacy Company, a leading consultancy in The Hague, conducts data risk assessments for government and other institutions.

“We are so small, that many cloud service providers look at us, raise an eyebrow, and then say, “So what?” You are the Netherlands. “It doesn’t matter,” Ms. Nas, who led Dutch negotiations with Microsoft Zoom, Google, and Zoom, said. She said that companies understood that the Dutch teams were negotiating compliance for the Netherlands under data protection rules that apply across the European Union.

“Then the technology providers realize that they will not be able to provide their services to 450 million people,” Nas said.

After the Ministry of Justice and Security of the Netherlands commissioned a review of a Microsoft Office enterprise edition, the Dutch effort started to take root in 2018. the reportHe stated that Microsoft collected up to 25,000 types users activities, including spelling changes. It provides information about software performance in programs like Word, Outlook, and PowerPoint without providing documentation or giving administrators the option to limit data collection. In blog post Nas, the company that conducted the review at the time, called the findings “alarming”.

Consumer software typically collects reams of usage and performance data from users’ devices and cloud services—diagnostic data that US technology companies often use freely for commercial purposes such as developing new services. EU law makes diagnostic data associated with an identifiable user personal information. It is similar to the emails that people send or the photos they upload.

This means that companies should limit their use diagnostic personal data and give people copies upon request. The Dutch audit revealed that Microsoft had failed in this regard.

These issues were addressed by Microsoft. Ms. Brill writes that Microsoft introduced a new privacy-transparency policy for cloud customers in 2019 that included “changes required under the Dutch Ministry of Justice.” In a company blog post. Microsoft also released a Data viewer toolTo enable customers to view the “raw diagnosis data” that the office has provided to the company.

Ms. Brill explained that Microsoft was able to accept European views on data protection through discussions with the Dutch, which she claimed was more important than software updates.

“It starts with culture and then making sure that the cultural hub appears in our products and programs and, most importantly, in the way we describe what we do to our customers,” said Ms. Brill.

The Dutch influence on US tech companies has been accelerated by the pandemic.

In 2021, the Dutch Google Tools for Schools audit, now Google Workspace for Education, found that the products had no privacy controls, transparency or contractual restrictions on their use of personal data. Gmail and Google Classroom were two examples of educational tools.

Google eventually agreed to Dutch requests to drastically narrow how the company uses personal data collected by its education tools — something US regulators haven’t done.

Google has also agreed not to use diagnostic data from its core educational apps in any way other than what it needs. Three fixed purposesThis is a drop of more than a dozen goals. These three uses included customer services and security issues.

Google also agreed not to use diagnostic data for market research, user profiling, or data analytics. It agreed to develop a tool to allow education customers to view their diagnostic information.

Job Vos (data protection officer at SIVON), a Dutch cooperative that negotiates technology vendor contracts on behalf of Dutch schools, said that he was involved in the long-running talks with Google. It cannot be used commercially.

In a recent interview, Phil Venables, Google Cloud’s chief information security officer, said Google worked regularly with regulators around the world and didn’t view discussions with the Dutch — or the resulting changes in Google’s data practices — as particularly noteworthy. He said that the company was open to technical developments by the Dutch.

Mr Venables stated that he was delighted to work alongside the Dutch as they were very tough on this. He also said that he responded to that.

Google has committed to introducing new privacy and transparency controls before the end of 2022. Ms. Nas and Mr. Vos stated that they are currently testing solutions offered by Google. This could take several months.

The Dutch initiative could offer privacy improvements to schools in the United States and around the world. Many schools lack the technical expertise to investigate how Google collects and uses student data.

However, privacy experts in the Netherlands see their vetting process and negotiation as part of a larger effort by other countries to assert digital supremacy over America’s tech superpowers.

“We are basically captured by the tech giants,” Ms Nas said. “We are realizing that the only way to get rid of it is to negotiate our way toward compliance with European standards.”