Denmark bans Chromebooks and Google Workspace in schools due to data transfer risks – TechCrunch
Denmark effectively bans Google services in schools, after Helsingør municipality officials were ordered last year to carry out a risk assessment of Google’s handling of personal data.
In a verdict published last week, the Danish data protection agency, Datatilsynet, revealed that data processing involving students using Google’s cloud-based Workspace software suite – which includes Gmail, Google Docs, Calendar and Google Drive – “does not meet the requirements” of the European Union’s GDPR Data Privacy Rules.
Specifically, the authority found that the data processing agreement – or Google’s terms and conditions – apparently allows the transfer of data to other countries for the purpose of providing support, even though the data is usually stored in one of Google’s European data centers.
Google Chromebook laptops, and by extension Google Workspace, are used in schools across Denmark. But Datatilsynet focused specifically on Helsingør for the risk assessment after the municipality reported a “personal data security breach” in 2020. Although this latest ruling technically only applies to schools in Helsingør for now, Datatilsynet notes that many of the conclusions it reached “will likely apply to other municipalities” that use Google Chromebooks and Workspace. He added that he expects these other municipalities to “take relevant action” following the decision in Helsingør.
The ban is effective immediately, but Helsingør has until August 3 to delete user data.
At the heart of the problem is the now defunct EU-US Privacy Shield, which regulated how data can be shared between the EU and the US. Although a new data flow agreement has been agreed in principle, it is not yet in effect, which has left many organizations in limbo. Therefore, Big Tech companies rely on standard contractual clauses for their data processing practices.
A Google spokesperson told TechCrunch:
We know that students and schools expect the technology they use to be legal, responsible and safe. That’s why, for years, Google has invested in privacy best practices and rigorous risk assessments, and made our documentation widely available so everyone can see how we’re helping organizations comply with GDPR. .
Schools have their own data. We only process their data in accordance with our contracts with them. In Workspace for Education, student data is never used for advertising or other commercial purposes. Independent organizations have audited our services and we constantly monitor our practices to maintain the highest possible security and compliance standards.
This latest announcement comes after local data watchdogs in France, Italy and Austria ruled that websites using Google Analytics to track visitors breached European data privacy rules, as personal data is transferred to the United States for processing. And the Irish Data Protection Commission (DPC), meanwhile, is considering how Facebook’s parent company, Meta, transfers data between Europe and the United States, which could have an impact on how Europeans can access services such as WhatsApp and Instagram.
As European lawmakers seek to establish a greater degree of digital sovereignty, Google has bolstered its platform and infrastructure to help ensure public and private organizations stay with the company. A few months ago, Google announced that it would be rolling out new “sovereign controls” for Workspace users in Europe, allowing them to “control, limit and monitor data transfers to and from the EU”.
However, these controls won’t be available until later this year, with additional data control tools arriving throughout 2023. And it’s still unclear at this early stage if these new tools will be watertight in terms of GDPR compliance.