23

See above. In a country where GDPR applies (Italy in my case), do I have the right to refuse to give consent to Google and Microsoft to store my personal data, if this account is for work use? Or, in other words, can my employer force me to make a Google account (or provide one for me) and forfeit my personal data, browsing habits, image while videoconferencing etc. to Google?

Federico Poloni

3 Answers

36

You probably can't refuse to use such services.

The relationship between you and these services is very different when you interact with them as a consumer, versus when these services are provided on behalf of your employer. In the latter case, the service is (or at least should be) bound as a data processor who can only* use your personal data as instructed by the data controller, your employer. Thus, it is your employer who determines for what purposes your data will be used, not the cloud service.

Your employer has a legitimate interest in providing a modern and secure productivity suite to its employees, and in requiring you to use such services for efficient communication and collaboration. Of course it would be possible to provide some such services on-premises, but the GDPR doesn't really discriminate between self-hosted and third party services, as long as the third party service is contractually bound as a data processor.

To a large degree, this is of course a legal fiction.

  • The cloud services deploy new features all the time, and all that your employer can really do is agree to those changes, including agreeing to new ways for how to process your data.

  • Also, the service provider may act both as a data processor on behalf of your employer for some purposes, but as their own data controller for others.

    E.g. in Google Workspace (formerly GSuite, formerly Google Apps for Business) Google collects analytics data about how you use their Docs product, and they use it for their own purposes. However, they would only process the document itself as a data processor.

    This is quite different in the consumer version where Google can use personal data for their own purposes, although within the limits of their privacy policy.

Within your work account, you do have some privacy controls, similar to a consumer account. While your employer can set defaults and restrict features, you are not forced to share all data. E.g. in a Google Account, you can “pause” web and app activity (i.e. browsing history) that would otherwise be collected from Chrome browsers while logged in with your work account, or from Android devices that are managed by your employer. This data would potentially be used by Google for Ads, even with a Workspace account (I'm not sure). However, Google Workspace services generally do not feature ads themselves, e.g. the paid Gmail version does not feature ads.

The largest real issue with the use of such services by a European employer is the international transfer of data to a non-EU jurisdiction, especially into the U.S. The GDPR offers many alternatives for how such transfers can be protected. In the past, the EU and US used the Privacy Shield mechanism. However, it was found to be invalid in the 2020 Schrems II ruling, due to concerns about US mass surveillance. Subsequent guidance from supervisory authorities explained that it's not sufficient to use “standard contractual clauses” as an alternative protection, but that additional safeguards have to be implemented, which would effectively deny the personal data to actors in the US. Both Google and Microsoft offer some “data sovereignty” choices that prevent international transfers into the US. However, those have to be configured appropriately by your employer.

Thus, instead of asking “can these services be used?”, to which the answer is yes, it might be better to ask “is my employer using these services in a compliant manner?”. If you have concerns about such issues, you can contact your employer's data protection officer.

amon

21

Your employer should have a Data Protection Officer. The first step when you have data privacy concerns at the workplace should be to talk to the DPO.

An institution using software as a service by Microsoft, Google etc. will usually have a contract with the provider. This contract differs from the contract you have e.g. with Stackexchange, where you sign away partial rights to your data and intellectual property in exchange for free use of expensive servers.

There are some doubts whether Microsoft Windows can be used in a GDPR-compliant way, considering how much "telemetry" it sends home, but I'm not aware of any decision to ban it outright. Similarly, the use of SaaS will depend on the specific terms.

o.m.

-7

No. In or outside Europe, you can't refuse to use Gsuite / Office365 or any other tool your employer reasonably requires.

You might think refusing to use the supplied cheap-crap flat-pack desk because you prefer a custom-built mahogany work of art is "reasonable", but how much credence do you think a court would give that, even if you yourself paid for the swank?

Which personal data is your employer requiring you to disclose?

What browsing habits could you mind about, when using your employer's account purely for professional purposes?

What other issues d'you think videoconferencing, etc, could raise?

Robbie Goodwin