After the city of Helsingor was ordered to conduct a risk assessment of personal data processed by Google last year, Denmark has effectively banned Google’s services in schools. In a ruling published last week, Danish data protection agency, Datatilsynet revealed that the processing of student data involving the use of Google’s cloud-based Workspace software suite, which includes Gmail, Google Docs, Calendar and Google Drive, is “not compliant” with EU GDPR data privacy regulations. To this end, Denmark bans Google Chromebooks and Workspaces in schools.
Specifically, the authorities found that the data processor agreement — or Google’s terms and conditions — appears to allow the transfer of data to other countries for support. Even when the storage of the data is in one of Google’s EU data centres, the company can still transfer it.
Google’s Chromebook laptops and Google Workspace are common in schools across Denmark. Following the 2020 report “Breach of Personal Data Security”, Datatilsynet conducted a risk assessment specifically for Helsingor. While this latest ruling technically only applies to schools in Helsingor for now, Datatilsynet noted that many of the conclusions already reached will “probably apply to other cities using Google Chromebooks and Workspace”. Datatilsynet hopes that other cities will “take relevant measures” following the decision in Helsingør.
Google responds to the ban in Denmark
Denmark ban on Google ban takes effect immediately, and Helsingoer has until August 3 to delete user data.
A Google spokesperson responded:
“We understand that students and schools want the technology they use to be legal, responsible, and secure. That’s why over the years, Google has invested in privacy best practices and careful risk assessment. Our documentation is widely available so anyone can read it to how we help organizations comply with GDPR.
Schools have their own data. We process data only in accordance with our contract with them. In Workspace for Education, student data is never for advertising or other commercial purposes. Our services go through auditing by independent organisations. Our practices also pass internal reviews to maintain the highest possible standards of security and compliance.”
The latest announcement is coming after a ruling from local data regulators in France, Italy and Austria. The ruling claims that websites using Google Analytics to track visitors violate European data privacy rules. This is because personal data was transferred to the United States for processing. Meanwhile, the Irish Data Protection Commission (DPC) is currently examining how Meta transfers data between Europe and the US. This could affect how Europeans access services such as WhatsApp and Instagram.