Google Workspace offers a safer choice for EU public sector organizations with Dutch DPIA/DTIA approval and new capabilities

At Google, our unwavering commitment to user privacy and security is paramount. While technologies, regulatory landscapes, and user expectations may evolve, our dedication to safeguarding user data remains unchanged. As we usher in a new era of artificial intelligence with Gemini, we’re more committed than ever to ensuring our users feel safe, secure, and confident in their privacy. Our proven track record of actively collaborating with customers, privacy regulators, and policymakers worldwide while staying ahead of cybersecurity threats demonstrates that we are well-positioned to meet this commitment. Privacy and security remain central to everything we do, which is one of the key reasons why organizations choose Google Workspace and Google Workspace for Education. The recent highlights below illustrate how we are continuously working to uphold this commitment to our customers and users:

1. Dutch DTIA on Google Meet: Following a rigorous Data Transfer Impact Assessment (DTIA), the Dutch Ministry of Justice and the Dutch Ministry of Education have publicly communicated its successful completion to the Dutch Parliament. This reaffirms their confidence in Workspace by permitting the use of Meet across the Dutch public sector and educational institutions, giving our customers peace of mind that their communications are private and secure. 

2. Dutch DPIA on Workspace: The green light on the DTIA builds upon the stamp of approval granted last year after we worked extensively with Dutch authorities and representatives SLM, SURF, and SIVON through Data Protection Impact Assessments (DPIAs) of Workspace and Workspace for Education, underscoring our dedication to customer privacy and GDPR compliance. With the conclusion of the DTIA, which was the final part of the DPIA, customers can use Workspace with great confidence: 

• “We are proud of the result we achieved together with SIVON. Google has shown it has an eye for protecting the privacy of students and pupils in Dutch education,” said Jet de Ranitz, CEO and chair of SURF's board of directors. 
• The Dutch Ministry of Justice, in its letter to Parliament, concludes that “[t]his means that GDPR-compliant use of Google Workspace is possible.”¹

We appreciate the partnership with the Dutch government and education sector, and we continue to support organizations across the Netherlands, the EU, and globally in their compliance journeys.

How we’re supporting customers on their compliance journeys

1. DPIA support for all customers: We know first-hand that conducting DPIAs can be a complex task and we remain firmly committed to helping all customers navigate their DPIAs by enhancing resources like our comprehensive DPIA Cloud Resource Center. Additionally, we’ve met with many customers at in-person workshops in the Nordic countries to enhance their ability to conduct their Workspace DPIAs.

2. Investing in our data processor role: To meet the highest standards of data protection for our customers, Google continues to invest heavily in our secure by design infrastructure. We have expanded four ISO certifications (27001, 27017, 27018, 27701) and are rolling out new data processor commitments to cover our handling of service data as a processor in Workspace (including Gemini for Workspace). We also developed a data processor mode for managed ChromeOS devices, and Chrome browser running on managed ChromeOS devices, which is currently available in several European countries and will be expanded to additional markets later this year.

3. Enhanced privacy and security controls: For organizations that want even greater control over where their data is stored and who has access to their data, Google also offers advanced data residency and protection controls.

• With Data Regions and Access Management, customers have the ability to not only choose the region where their data is stored and processed, but also to choose the physical location of Google support teams that can be allowed to access data to provide support. This helps mitigate the risk of data transfers under legacy “follow the sun” support models.
• Moreover, customers can enable client side-encryption (CSE) to help prevent vendor or foreign government access to their “special categories of personal data” in Workspace, including Gmail.

These enhanced features underscore Google's commitment to giving our customers the confidence that they remain in control over their most sensitive data when using Workspace.

Workspace as a secure foundation

We believe that user privacy is built on a foundation of trust, and that trust is only as strong as the security measures in place to protect user data. Recent cybersecurity trends highlight an alarming evolution of the threat landscape, including ongoing breaches by state-sponsored threat actors as documented in the recent Cyber Safety Review Board (CSRB) report.

Sixty-five percent of successful intrusions in 2023 began with a software exploit, phishing, or stolen credentials. Once an attacker gains access to a network, they typically steal confidential data, deploy crippling ransomware, and can even take control of the entire system rendering the privacy of that system moot. These threats can put customers’ data at risk and carry far reaching implications for businesses, governments, and societies. To help organizations address these challenges, we would also like to highlight a few recent enhancements in Workspace: 

1. The Secure Alternative Program: In light of major cybersecurity incidents with legacy providers, Google can provide a safer alternative for business and government organizations. In fact, the recent report from the Cyber Safety Review Board (CSRB) recognized² Google's efforts in securing its systems and products against various these types of attacks:

• “Google re-worked its identity system to rely as much as possible on stateful tokens, in which every credential is assigned a unique identifier at issuance and recorded in a database as irreversible proof that the credential Google receives is one that it had issued. Google also implemented fully automatic key rotation where possible and tightened the validation period for stateless tokens, reducing the window of time for threat actors to locate and obtain active keys. Google also undertook a comprehensive overhaul of its infrastructure security including implementing Zero Trust networks and hardware-backed, Fast IDentity Online (FIDO)-compliant two-factor authentication (2FA) to protect these identity systems."
• Additionally, Google’s implementation of zero trust networks (known as BeyondCorp and BeyondProd) and hardware-backed, FIDO-compliant two-factor authentication (2FA) were acknowledged as strengthening our infrastructure security. Organizations that use Workspace experience 40% fewer security incidents on average and can save up to 50% on insurance premiums³. We are now offering organizations that want to move to a safer email and collaboration platform special pricing and migration assistance via the Secure Alternative Program. 

2. Security innovations with AI: Gmail's advanced AI defenses automatically block more than 99.9% of spam, phishing attempts, and malware from reaching users' inboxes. With the implementation of large language models, spam in Gmail has been further reduced by 20% for all users. These AI advancements also enable the evaluation of 1,000 times more user-reported spam daily. This is like having 1,000 times more people fighting spam on your behalf.

• Additionally, customers can leverage the power of large language models to classify documents through AI classification, allowing customers to use tailored, privacy-preserving models to automatically identify, classify, and safeguard sensitive data. 

As the generative AI era continues to evolve, our commitment to privacy and security remains steadfast. The foundational work we've done, and continue to do, helps us build AI tools that not only transform how work gets done but also uphold the highest standards of data protection and privacy.

¹ Source: Letter to Dutch Parliament with the title ‘Stand van zaken Google Workspace’ as published on behalf of Dutch Minister of Justice and Security on Tweedekamer.nl (quote translated into English from original Dutch language).

²Source: CSRB, Review of the Summer 2023 Microsoft Exchange Online Intrusion, page 20, (CSRB, 2024).

³ Source: At-Bay - “Ranking Email Security Solutions: A Data Analysis of Cyber Insurance Claims,” 2/2023