Denmark’s data protection authority (Datatilsynet) has issued an injunction against the transmission of student data to Google through the use of Chromebooks and Google Workspace services in the country’s schools.
The issue was brought to the attention of authorities about four years ago by concerned parent and activist Jesper Graugaard. He protested the way student data was sent to his Google without any consideration for potential misuse or the impact on school officials. future.
The agency has now determined that the current method of transferring personal data to Google has no legal basis for all disclosed purposes. The 53 municipalities across Denmark will therefore have to adjust their data processing practices.
Specifically, local governments are mandated to:
- Stop the transfer of your personal data to Google for a specific purpose or obtain a clear legal basis for such transfer.
- Before using tools like Google Workspace, analyze and document how personal data is processed.
- Make sure Google doesn’t process the data it receives for non-compliant purposes.
The agency clarifies that permissible uses of student data include providing educational services provided by Google Workspace, enhancing the security and reliability of those services, facilitating communication, and fulfilling legal obligations. Did.
Disallowed purposes include purposes related to maintaining and improving Google Workspace for Education, ChromeOS, and the Chrome browser, including measuring the performance of these platforms and developing new features and services.
“Today’s IT services often have the transfer of personal data built into the product, and the use of the information is often a prerequisite for making full use of the product’s functionality,” the agency said. says an IT security professional. and legal expert Alan Frank.
“However, this is not always done with sufficient focus on protecting the public for whom the information will be used.”
“However, the functionality of the solution you want to use, the market position of the supplier, the standardized structure or the mere use of standard products justify not complying with the rules on data protection determined from a political point of view. This is not the perspective we should have in Europe. ”
The authorities’ decision does not directly mean a ban on Chromebooks, which are widely used in Danish schools, but it does impose significant restrictions on how personal data can be shared with Google.
Also, given that it is difficult, if not impossible, for local governments to restrict the processing of sensitive data on Google’s side, the reality of complying with the new policy without blocking the use of Google Chromebooks or Google Workspace may be a challenge. There may not be a correct method.
Local governments have until March 1, 2024 to declare exactly how they intend to comply with the Datatilsynet order, and have until August 1, 2024 to fully align their data processing practices with the new requirements .
The public in Denmark and elsewhere welcomed the authorities’ announcement, but many pointed out that the authorities took an unnecessarily long time (four and a half years) to make a decision.
Additionally, observers note that the inappropriate practices identified in the agency’s report have been going on for at least a decade, requiring fines or other corrective action for those responsible.