In a landmark ruling, Danish data protection authority Datatilsynet has directed schools in 53 municipalities to stop sending student data to Google via Chromebooks and Google Workspace services. The measure, which stems from concerns about potential data misuse, does not ban Chromebooks outright, but it does impose significant limits on the sharing of personal data with Google.
Parental protests create change
The issue first came to light four years ago when parent and activist Jesper Graugaard raised concerns about student data management. The Datatilsynet decision concludes that the current practice of data transfer to Google lacks a legal basis for all the stated purposes. Local governments must submit compliance plans by March 1st and must be fully compliant by August 1st, 2024.
Google hasn’t responded yet
To date, Google has not responded to the order. The move represents a significant disruption to the tech giant’s influence over Danish schools and could lead to similar measures being taken in other jurisdictions.
Complexity of GDPR compliance
Allan Frank, IT security and legal expert at Datatilsynet, highlighted the complexity of the contracts underpinning standard IT products. He noted that these contracts often change and cover multiple variations of data processing, making the task of complying with the General Data Protection Regulation (GDPR) extremely difficult. Local authorities are now required to stop the transfer of data to Google for certain purposes unless they can establish a clear legal basis. They are also required to thoroughly analyze and document their data processing practices to ensure that Google does not process the data for non-compliant purposes.