Editor’s Note: To clarify, the ban on Chromebooks and Google Workspace applies exclusively to the municipality of Helsingør. The initial report from Datatilsynet only suggested that other municipalities may follow if similar data processing agreements were found to be in force.
Google has found itself in a pickle once again in the EU and this time, there’s more than just a fine on the table. This week, Denmark’s governing data protection agency Datatilsynet has ruled that the municipality of Helsingør is to immediately cease the use of Chromebooks and Google Workspace in educational institutions. The decision came as a result of a risk assessment ordered by Datatilsynet in September of 2021. The focus of the assessment was the processing of personal data on Chromebooks and in Google Workspace. According to the results of the assessment:
the Danish Data Protection Agency has now found that the processing does not meet the requirements of the GDPR on several points.
The 9,000+ word report details the various specifics of the decision but the major contributing factor for the ban stems from the terms of service for Workspace that allows for the transmission of data to Google data centers in other countries. While Google operates data centers in Europe, the data processor agreement allows for data to be sent to other Google centers for the purpose of support when needed.
To clarify what has happened here, neither Denmark nor Datatilsynet is claiming that Google has intentionally violated any law as it pertains to the European Union’s GDPR data privacy regulations. This was not the result of a data breach or any sort of misuse of data. Simply that the current terms of service for Google Workspace and the managed Chromebooks used for schools in Denmark do not meet the GPDR requirements. As a matter of fact, the Helsingør Municipality is the entity that will have to make changes in light of the risk assessment. Effective immediately, Helsingør has been ordered to ban processing personal data using Google Chromebooks and Workspace for Education. Helsingør has until August 3 to delete user data. Here are some key details of the decision:
- Suspension that Helsingør Municipality conducts processing where information is transferred to third countries without the necessary level of protection
- A general ban on treatment with Google Workspace until adequate documentation and impact assessment has been carried out and until the treatments have been brought into line with the Regulation
- Serious criticism of the municipality’s processing of personal data
For the time being, the ban only applies to Helsingør but the Data protection agency stated that “many of the conclusions in this decision will probably apply to other municipalities that use the same treatment structure.” TechCrunch spoke with Google about the decision and this was the company’s official statement on the matter.
We know that students and schools expect the technology they use to be legally compliant, responsible, and safe. That’s why for years, Google has invested in privacy best practices and diligent risk assessments, and made our documentation widely available so anyone can see how we help organisations to comply with the GDPR.
Schools own their own data. We only process their data in accordance with our contracts with them. In Workspace for Education, students’ data is never used for advertising or other commercial purposes. Independent organisations have audited our services, and we keep our practices under constant review to maintain the highest possible standards of safety and compliance.Google via TechCrunch
Again, this is a matter of how and where data is transferred. Google is very stringent about how the personal, identifying information of students is collected and used. As such, it is likely that Google will work with Denmark and other EU countries to reach a mutually beneficial manner in which Chromebooks and Google Workspace can be used in compliance with the European Union’s GDPR data privacy regulations. Stay tuned for more coverage on this as it arrives. You can find the official decision and report from the Data Protection Authority of Denmark here.