The Danish data protection authority (Datatilsynet) has issued an injunction regarding student data being funneled to Google through the use of Chromebooks and Google Workspace services in the country's schools.
The matter was brought to the agency's attention roughly four years ago by a concerned parent and activist, Jesper Graugaard, who protested how student data is sent to Google without any consideration about the potential for misuse or the impact it could have on those persons in the future.
The agency has now decided that the current methods of transferring personal data to Google do not have a legal basis for all disclosed purposes. Hence, 53 municipalities across Denmark must adjust their data processing practices.
Specifically, municipalities are ordered to:
- Cease the transfer of personal data to Google for specific purposes or obtain a clear legal basis for such transfers,
- Analyze and document how personal data is processed before using tools like Google Workspace, and
- Ensure that Google refrains from processing any data it receives for non-compliant purposes.
The agency clarified that permissible uses of student data include providing the educational services offered by Google Workspace, enhancing the security and reliability of these services, facilitating communication, and fulfilling legal obligations.
Non-permissible cases are purposes related to maintaining and improving Google Workspace for Education, ChromeOS, and the Chrome browser, including measuring performance or developing new features and services for these platforms.
"Today's IT services often function in such a way that the transfer of personal data is built into the product, and that the use of the information is often a prerequisite for getting the full benefit of the products' functionality," stated the agency's IT security and law specialist, Allan Frank.
"However, this does not always happen with sufficient focus on the protection of the citizens whose information is used."
"But neither the functionality of the solutions you want to use, the supplier's market position, the standardized structure, or the mere use of a standard product can justify not complying with the rules on data protection, which it has been decided from a political point of view that we must have in Europe."
The authority's decision doesn't directly translate to a ban on Chromebooks, which are widely used in Danish schools, but it imposes significant restrictions on how personal data can be shared with Google.
Also, given that restricting sensitive data processing on Google's end will be hard, if not impossible, for municipalities to assure, there may be no practical way to adhere to the new policies without blocking the use of Google Chromebooks and/or Google Workspace.
Municipalities have until March 1, 2024, to declare precisely how they intend to comply with Datatilsynet's order and until August 1, 2024, to fully align their data processing practices with the new requirements.
Although people in Denmark and elsewhere welcomed the agency's announcement, many noted the unnecessarily long time it took the authority to reach a decision, which was 4.5 years.
Additionally, observers have pointed out that the poor practices identified in the agency's report have persisted for at least a decade and should warrant fines or other corrective measures for those responsible.
Comments
NoneRain - 4 months ago
So: the gov found out that the company that profits mostly by advertising fueled by big data, is collecting (too much) data in schools, where they utilize the entire Google's environment without a thought?
Mind-blowing indeed. Four years to conclude that; must be a record!
povlhp - 4 months ago
Problem is, that we have young children who can't legally give consent to anything.
And getting a data processor agreement with google seems to be impossible. Thus schools using google would be in non-compliance with GDPR.
This should apply to all of EU - So I assume that google would have to change on this area.
The reason for the long processing time is a mix of many things. Cost for schools to get real PCs instead of chriomebooks, money already invested etc. And of course it has implications for all of EU, as the problem is GDPR.
electrolite - 4 months ago
Nowadays real PCs are no better with Windows 11 (Windows 10 is bad enough). Microsoft does not want to be out done by google.
Really folks, start teaching kids Linux at computer classes in schools at an early stage for crying out loud. Use SBCs to keep cost down. The kids will be smarter in the long run rather than using the dumbed down Android/Chrome/Windows spyware.