The Danish data protection authority (Datatilsynet) has issued an injunction regarding student data being funneled to Google through the use of Chromebooks and Google Workspace services in the country’s schools.
The matter was brought to the agency’s attention roughly four years ago by a concerned parent and activist, Jesper Graugaard, who protested how student data is sent to Google without any consideration about the potential for misuse or the impact it could have on those persons in the future.
The agency has now decided that the current methods of transferring personal data to Google do not have a legal basis for all disclosed purposes. Hence, 53 municipalities across Denmark must adjust their data processing practices.
Specifically, municipalities are ordered to:
- Cease the transfer of personal data to Google for specific purposes or obtain a clear legal basis for such transfers,
- Analyze and document how personal data is processed before using tools like Google Workspace, and
- Ensure that Google refrains from processing any data it receives for non-compliant purposes.
The agency clarified that permissible uses of student data include providing the educational services offered by Google Workspace, enhancing the security and reliability of these services, facilitating communication, and fulfilling legal obligations.
Non-permissible cases are purposes related to maintaining and improving Google Workspace for Education, ChromeOS, and the Chrome browser, including measuring performance or developing new features and services for these platforms.
“Today’s IT services often function in such a way that the transfer of personal data is built into the product, and that the use of the information is often a prerequisite for getting the full benefit of the products’ functionality,” stated the agency’s IT security and law specialist, Allan Frank.
“However, this does not always happen with sufficient focus on the protection of the citizens whose information is used.”
“But neither the functionality of the solutions you want to use, the supplier’s market position, the standardized structure, or the mere use of a standard product can justify not complying with the rules on data protection, which it has been decided from a political point of view that we must have in Europe.”
The authority’s decision doesn’t directly translate to a ban on Chromebooks, which are widely used in Danish schools, but it imposes significant restrictions on how personal data can be shared with Google.
Also, given that restricting sensitive data processing on Google’s end will be hard, if not impossible, for municipalities to assure, there may be no practical way to adhere to the new policies without blocking the use of Google Chromebooks and/or Google Workspace.
Municipalities have until March 1, 2024, to declare precisely how they intend to comply with Datatilsynet’s order and until August 1, 2024, to fully align their data processing practices with the new requirements.
Although people in Denmark and elsewhere welcomed the agency’s announcement, many noted the unnecessarily long time it took the authority to reach a decision, which was 4.5 years.
Additionally, observers have pointed out that the poor practices identified in the agency’s report have persisted for at least a decade and should warrant fines or other corrective measures for those responsible.
