Following a data protection impact assessment (DPIA), the Dutch government has approved Google Cloud for use in the central public sector. SLM Rijk concludes that no known high privacy risks remain if the recommended measures are implemented. This provides a formally assessed alternative to Microsoft. The question, however, is whether the EU-US Data Privacy Framework (DPF), on which the approval depends, will remain in place.
According to Google, all key concerns have been addressed. In other words, there are no high data protection risks if the proposed settings are used. It is primarily the responsibility of system administrators at government organizations to implement these settings. Google provides the necessary tools, but the DPIA-approved steps are often not the default.
Google Workspace also passed this same DPIA assessment in mid-2024. Now that GCP has followed suit, it is therefore possible to choose another public cloud in addition to Azure. However, much depends on the recently destabilized legislation regarding data transfers between the U.S. and the European Union. On the U.S. side, the EU-U.S. Data Privacy Framework is overseen by the Federal Trade Commission (FTC) as an independent authority, but according to the U.S. Supreme Court, this is not a correct assessment. According to those justices, the FTC cannot be independent.
Read also: EU-US Data Privacy Framework shaken to its core
Building on Workspace
The future is therefore somewhat uncertain for Google due to a legal ruling in the U.S. On the European side as well, regulators have not always been particularly flexible regarding Google’s offerings. The initial assessment of G Suite initially identified ten high privacy risks, later reduced to eight. These included a lack of transparency regarding metadata and diagnostic data, as well as the division of roles between the controller and the processor. Resolving these shortcomings led to a positive assessment of Workspace, but this time an external factor is the potential deal-breaker.
Following negotiations, Google agreed to assume the role of data processor and to grant the government enhanced audit rights. This approach illustrates how SLM conducts such assessments: even with Microsoft Copilot, a few medium- and low-level risks remained after a DPIA.
The government in the cloud
The Netherlands Court of Audit had previously been critical of the government’s cloud adoption, noting that it has limited visibility into its cloud services and risk assessments. Since 2022, ministries have been permitted, under certain conditions, to use platforms such as Azure, AWS, and Google Cloud.
At the same time, the broader debate over sovereignty is ongoing, in which European cloud providers have an edge despite the fact that their competitive position is highly questionable; those requiring a broad range of services typically end up using an American cloud service anyway.