See above. In a country where GDPR applies (Italy in my case), do I have the right to refuse giving consent to Google and Microsoft to store my personal data, if this account is for work use? Or, in other words, can my employer force me to make a Google account (or provide one for me) and forfeit my personal data, browsing habits, image while videoconferencing etc. to Google?
Didn't your contract include that you will use whatever tools the employer wants you to? – Greendrake Jan 10 '21 at 09:11
@Greendrake In my specific case, it's complicated, because I work as a university professor and there is no written contract; it has a special legal status. Anyhow, I am not objecting to using a spreadsheet or a word processor here, just to the data collection and transfer that happens behind the scenes and is arguably a non-necessary part of it (the employer could use a self-contained app instead). – Federico Poloni Jan 10 '21 at 09:15
Surely if it's for work use, on a work gsuite/Office365 account, the data you are providing is your work data, not your personal data? There's no obligation to do personal browsing etc. on your work computer. I believe the only usage both products make of your image when videoconferencing is to send it to other people on the call (presumably intended - or switch your camera off) but YMMV. – abligh Jan 11 '21 at 07:22
@abligh My name and face when videoconferencing are personal data. Usually there is a provision that they can use my data also for other purposes, for instance "to improve our product". In addition, if the data reach an American server, they are subject to American law and could be subpoenaed by US agencies. – Federico Poloni Jan 11 '21 at 07:27
@Greendrake The background: Here in Europe, there is a discussion about whether it is legal to store or transfer personal data (such as names, pictures of persons, the spoken voice of a person) using cloud-based services at all. Currently, this question does not seem to have been decided yet. If it should be illegal, any contract saying the opposite would be void. – Martin Rosenau Jan 11 '21 at 09:25
@MartinRosenau Why would it be illegal if consent is given? A contract would effectively be such consent. – Greendrake Jan 11 '21 at 09:28
@abligh GDPR compliance is not so much about “private data” but about “personal data” – any information that relates to an identifiable person. That can include names, habits, preferences. This requires a much broader, more holistic view on data protection. Thinking about “work data” is misleading in this context because it can overlap with personal data. Employees are protected as well, but an employer might have a legitimate interest in using some personal data. – amon Jan 11 '21 at 09:42
@Greendrake That's not 100% correct. The GDPR rules that the person must be able to revoke the "consent" at any time. And the question is asking if the employee can refuse to use such services. And in this case the user will of course revoke the consent first. – Martin Rosenau Jan 11 '21 at 12:07
3 Answers
You probably can't refuse to use such services.
The relationship between you and these services is very different when you interact with them as a consumer, versus when these services are provided on behalf of your employer. In the latter case, the service is (or at least should be) bound as a data processor who can only* use your personal data as instructed by the data controller, your employer. Thus, it is your employer who determines for what purposes your data will be used, not the cloud service.
Your employer has a legitimate interest in providing a modern and secure productivity suite to its employees, and in requiring you to use such services for efficient communication and collaboration. Of course it would be possible to provide some such services on-premises, but the GDPR doesn't really discriminate between self-hosted and third party services, as long as the third party service is contractually bound as a data processor.
To a large degree, this is of course a legal fiction.
The cloud services deploy new features all the time, and all that your employer can really do is agree to those changes, including agreeing to new ways for how to process your data.
Also, the service provider may act both as a data processor on behalf of your employer for some purposes, but as their own data controller for others.
E.g. in Google Workspace (formerly GSuite, formerly Google Apps for Business) Google collects analytics data about how you use their Docs product, and they use it for their own purposes. However, they would only process the document itself as a data processor.
This is quite different in the consumer version where Google can use personal data for their own purposes, although within the limits of their privacy policy.
Within your work account, you do have some privacy controls, similar to a consumer account. While your employer can set defaults and restrict features, you are not forced to share all data. E.g. in a Google Account, you can “pause” web and app activity (i.e. browsing history) that would otherwise be collected from Chrome browsers while logged in with your work account, or from Android devices that are managed by your employer. This data would potentially be used by Google for Ads, even with a Workspace account (I'm not sure). However, Google Workspace services generally do not feature ads themselves, e.g. the paid Gmail version does not feature ads.
The largest real issue with the use of such services by a European employer is the international transfer of data to a non-EU jurisdiction, especially into the U.S. The GDPR offers many alternatives for how such transfers can be protected. In the past, the EU and US had used the Privacy Shield mechanism. However, it was found to be invalid in the 2020 Schrems II ruling, due to concerns about US mass surveillance. Subsequent guidance from supervisory authorities explained that it's not sufficient to use “standard contractual clauses” as an alternative protection, but that additional safeguards have to be implemented, which would effectively deny the personal data to actors in the US. Both Google and Microsoft offer some “data sovereignty” choices that prevent international transfers into the US. However, those have to be configured appropriately by your employer.
Thus, instead of asking “can these services be used?” to which the answer is yes, it might be better to ask “is my employer using these services in a compliant manner?”. If you have concerns about such issues, you can contact your employer's data protection officer.
The "contractually bound as a data processor" part is in fact one of the major differences between enterprise and consumer plans, even for the exact same product. E.g. in my workplace, we are required to use Teams (with our company account) and forbidden to use Skype despite the fact that technically speaking, it makes no difference to me as a user which one I use. But MS does not offer data processing contracts nor data sovereignty for Skype, only for Teams. (In our case, it's even more complicated because we have a US office that is part of the same IT infrastructure.) – Jörg W Mittag Jan 10 '21 at 19:29
Your employer should have a Data Protection Officer. The first step when you have data privacy concerns at the workplace should be to talk to the DPO.
An institution using software as a service by Microsoft, Google etc. will usually have a contract with the provider. This contract differs from the contract you have e.g. with Stackexchange, where you sign away partial rights to your data and intellectual property in exchange for free use of expensive servers.
There are some doubts if Microsoft Windows can be used in a GDPR-compliant way, considering how much "telemetry" it sends home, but I'm not aware of any decision to ban it outright. Similarly, the use of SaaS will depend on the specific terms.
I think this is the answer which best answers the original question to its intent. Note that other services such as Zoom, even if "certified" to be GDPR-compliant, had issues such as the macOS client saving audio records of all meetings. In the face of these recent events, DPOs are (or should be, IMHO) quite touchy when it comes to US cloud services. – ljrk Jan 11 '21 at 20:27
"There are some doubts if Microsoft Windows can be used in a GDPR-compliant way" Can you provide any evidence for this? – deep64blue Jan 12 '21 at 15:30
@AlanDev, can you read German texts? A notable problem is the update mechanism, one would have to re-test again and again. https://www.heise.de/newsticker/meldung/Datenschutzkonferenz-Hohe-Huerden-fuer-den-Einsatz-von-Windows-10-4584678.html – o.m. Jan 12 '21 at 16:00
No. In or outside Europe, you can't refuse to use Gsuite / Office365 or any other tool your employer reasonably requires.
You might think refusing to use the given cheap-crap, flat-pack desk when you prefer a custom-built mahogany work of art "reasonable" and how much credence d'you think a court would give that, even if you yourself paid for the swank?
Which personal data is your employer requiring you to disclose?
What browsing habits could you mind about, when using your employer's account purely for professional purposes?
What other issues d'you think videoconferencing, etc, could raise?
Which personal data: my name and the image of my face, for instance. What browsing habits: for instance, my typing speed, which can be inferred from auto-completion, and used to identify me on other sites I frequent. Other issues by videoconferencing: for instance, they get an image of my face and sufficient data to insert it in deepfake-style videos. – Federico Poloni Jan 11 '21 at 07:23
Your premise is just wrong. There are a lot of laws and regulations employers have to follow, and violation of some of them can be a valid cause to refuse to work. - Unless you exclude those circumstances from being reasonable in the first place... You have a valid point about not using company accounts for anything private - but we don't protect personal data because it contains something private, but because it is not separable from the person it is about - and thus is inherently something private. – I'm with Monica Jan 11 '21 at 08:50
@FedericoPoloni If those are your worries, how will you feel safe anywhere? @I'mwithMonica Your idea of "reasonable refusal" seems wholly backwards and you seem to be restricting "personal data" to something like biometrics, while ruling out the financial info most people actually worry about. – Robbie Goodwin Jan 11 '21 at 10:40
@RobbieGoodwin I don't feel particularly safe online, but blocking trackers and avoiding the bigger companies helps. – Federico Poloni Jan 11 '21 at 11:31
@FedericoPoloni Yes and the OQ Asked specifically about refusing to comply with workplace policies, not general internet safety. – Robbie Goodwin Jan 11 '21 at 12:33
Are you able to edit this answer so that it better engages with the law? – Pat W. Jan 11 '21 at 15:17
You may have misunderstood my previous comment: Personal data is anything that has a connection to me that cannot be severed without the data becoming useless (for most purposes). If it is disconnected, it becomes anonymous data - which isn't personal anymore. - And this inseparability is reason enough to protect it, because any and all data can and will be used against the data subject, when they get into the wrong hands. – I'm with Monica Jan 12 '21 at 13:34
@I'mwithMonica Now you're going off-topic into a huge debate about what constitutes personal data, while Federico seemed to be asking quite differently about how particular tools or platforms store it. – Robbie Goodwin Jan 13 '21 at 08:19
I think you're sidetracking, yourself. I maintain that there are strict regulations - for a very good reason - and it is illegal to break them. The responsible entity for this is the employer, not the supplier of the tool. Illegal behaviour is not necessarily, but can possibly be, a valid reason to refuse to use a tool. Recourse to the proper authorities should be the first step, though. - For all of this the exact definition of personal data is irrelevant, but you tried to use it as a straw man argument in https://law.stackexchange.com/questions/60016/60036?noredirect=1#comment124326_60036 – I'm with Monica Jan 15 '21 at 08:59
@I'mwithMonica We all know strict regulations constrain employer, worker and SW provider. That has nothing to do with the original Question.
Illegal behaviour anyone is a valid reason to reject a tool.
For clarity: what constitutes personal data has almost nothing to do with whether an employer can insist on workers using specific software… only what's being done with the data.
If you can't accept that, why not raise a separate Question seeking clarification, or go to Chat? – Robbie Goodwin Jan 15 '21 at 19:08
Thanks and could any one of those 7 downvoters break cover at least to explain the idea? I don't mind about anyone's identity and I do feel sure neither I nor anyone else should ever be allowed to make an unsubstantiated Comment, let alone a Downvote. Please note that "neither I…"! – Robbie Goodwin Dec 15 '21 at 03:12
Your name appears to be the most basic kind of personal data yet astonishingly, I've found not only my daily-used Robert Goodwin but also my full Robert Andrew Goodwin in use by other data subjects.
(Can we all acknowledge that however logical, "data subject" could never be preferable to "person"?)
If you really mind your employer using the image of your face, that suggests this is to do with politics, not technicalities.
Does that not make all else irrelevant? – Robbie Goodwin Dec 20 '21 at 22:55