Denmark effectively bans Google’s services in schools after officials in Helsingør municipality were arrested last year ordered to carry out a risk assessment around the processing of personal data by Google.
In particular, the authority found that the data processing agreement – or Google’s terms and conditions – apparently allows data to be transferred to other countries for the purpose of providing support, even though the data is usually stored in one of Google’s EU data centers .
Google’s Chromebook laptops, and by extension Google Workspace, are used in schools across Denmark. But Datatilsynet specifically targeted Helsingør for the risk assessment after the municipality reported a “personal data security breach” in 2020. While this latest ruling only applies to schools in Helsingør for now, Datatilsynet notes that many of the conclusions it has drawn will “probably apply to other municipalities” that use Google Chromebooks and Workspace. It added that it expects these other municipalities to “take relevant steps” based on the decision it made in Helsingør.
The ban takes effect immediately, but Helsingør has until August 3 to delete user data.
At the heart of the problem is the now-defunct EU-US Privacy Shield that regulated how data can be shared between the EU and the United States. While a new data flow agreement has been agreed in principle, it is not yet in effect, leaving many organizations in uncertainty. Consequently, large technology companies rely on standard contractual clauses for their data processing practices.
A Google spokesperson told londonbusinessblog.com:
We know that students and schools expect the technology they use to be legal, responsible and safe. That’s why Google has invested years in privacy best practices and careful risk assessments, and made our documentation widely available so everyone can see how we’re helping organizations comply with the GDPR.
Schools own their own data. We only process their data in accordance with our contracts with them. In Workspace for Education, student data is never used for advertising or other commercial purposes. Independent organizations have audited our services and we continuously monitor our practices to maintain the highest possible safety and compliance standards.
This latest announcement comes after local data watchdogs in France, Italy and Austria ruled that websites that use Google Analytics to track visitors violate European data privacy rules as personal data is transferred to the US for processing. And the Irish Data Protection Commission (DPC) is currently considering how Facebook’s parent company Meta transfers data between Europe and the US, which could affect how Europeans access services like WhatsApp and Instagram.
With European lawmakers eager to establish a greater degree of digital sovereignty, Google has strengthened its platform and infrastructure to ensure public and private organizations stay with the company. A few months ago, Google announced it would roll out new “sovereign controls” for Workspace users in Europe, allowing them to “monitor, restrict and control the transfer of data to and from the EU”.
However, these controls will not be made available until later this year, with additional data control tools arriving in the course of 2023. And it’s still not clear at this early stage whether these new tools will be foolproof in terms of GDPR compliance.