Dutch Government Approves Google Cloud for Public Sector
The Dutch government has approved the use of Google Cloud within the central public sector following a thorough Data Protection Impact Assessment (DPIA). The assessment conducted by SLM Rijk concluded that no significant privacy risks remain, provided the recommended security measures are properly implemented. This decision introduces Google Cloud as a formally assessed alternative to Microsoft’s cloud services for government use. However, the continued approval heavily depends on the stability of the EU-U.S. Data Privacy Framework (DPF), which governs data transfers between the European Union and the United States.
Google states that it has addressed all key privacy concerns, ensuring that no major data protection risks exist when the system is configured according to the DPIA’s guidelines. Responsibility for applying these settings lies primarily with system administrators in government organizations. While Google supplies the necessary tools, many of the recommended configurations are not enabled by default, making proper implementation crucial for compliance and data security.
Earlier in 2024, Google Workspace passed a similar DPIA, and now with Google Cloud Platform (GCP) also approved, public sector organizations have a viable alternative to Microsoft Azure. Despite this, the future of these approvals remains uncertain due to recent legal challenges in the United States. The U.S. Supreme Court questioned the independence of the Federal Trade Commission (FTC), which oversees the EU-U.S. Data Privacy Framework, potentially threatening the framework’s validity and, by extension, the legal basis for data transfers.
On the European side, regulators have scrutinized Google’s cloud services closely. Initial assessments of Google’s G Suite identified several high privacy risks, including issues with metadata transparency and the roles of data controllers and processors. Google’s agreement to act as a data processor and provide enhanced audit rights to government clients helped alleviate these concerns. Meanwhile, the Dutch Court of Audit has highlighted the government’s limited oversight of cloud services and associated risks. Although European cloud providers are often favored in sovereignty debates, many organizations still rely on American cloud services for their broad range of offerings.