Denmark bans Chromebooks and Google Workspace in schools over data transfer risks

Denmark is effectively banning Google’s services in schools, after officials in the municipality of Helsingør were last year ordered to carry out a risk assessment around the processing of personal data by Google.

In a verdict published last week, Denmark’s data protection agency, Datatilsynet, revealed that data processing involving students using Google’s cloud-based Workspace software suite — which includes Gmail, Google Docs, Calendar and Google Drive — “does not meet the requirements” of the European Union’s GDPR data privacy regulations.

Specifically, the authority found that the data processor agreement — or Google’s terms and conditions —  seemingly allow for data to be transferred to other countries for the purpose of providing support, even though the data is ordinarily stored in one of Google’s EU data centers.

Google’s Chromebook laptops, and by extension Google Workspace, are used in schools across Denmark. But Datatilsynet focused specifically on Helsingør for the risk assessment after the municipality reported a “breach of personal data security” back in 2020. While this latest ruling technically only applies to schools in Helsingør for now, Datatilsynet notes that many of the conclusions it has reached will “probably apply to other municipalities” that use Google Chromebooks and Workspace. It added that it expects these other municipalities “to take relevant steps” off the back of the decision it reached in Helsingør.

The ban is effective immediately, but Helsingør has until August 3 to delete user data.

Data flows

At the heart of the issue is the now defunct EU-US Privacy Shield that regulated how data can be shared between the EU and United States. While a new data flow deal has been agreed to in principle, it is not yet in effect, which has left many organizations in limbo. Consequently, Big Tech companies are relying on standard contractual clauses for their data processing practices.

A Google spokesperson told TechCrunch:

We know that students and schools expect the technology they use to be legally compliant, responsible, and safe. That’s why for years, Google has invested in privacy best practices and diligent risk assessments, and made our documentation widely available so anyone can see how we help organisations to comply with the GDPR.

Schools own their own data. We only process their data in accordance with our contracts with them. In Workspace for Education, students’ data is never used for advertising or other commercial purposes. Independent organisations have audited our services, and we keep our practices under constant review to maintain the highest possible standards of safety and compliance.

This latest announcement comes after local data watchdogs in France, Italy and Austria ruled that websites using Google Analytics to track visitors contravened European data privacy rules, given that personal data is transferred to the U.S. for processing. And Ireland’s Data Protection Commission (DPC), meanwhile, is currently mulling how Facebook’s parent company Meta is transferring data between Europe and the U.S., which could impact how Europeans are able to access services such as WhatsApp and Instagram.

With European lawmakers keen to establish a greater degree of digital sovereignty, Google has been bolstering its platform and infrastructure to help ensure public and private organizations stay with the company. A few months back, Google announced that it would be rolling out new “sovereign controls” for Workspace users in Europe, allowing them to “control, limit, and monitor transfers of data to and from the EU.”

However, these controls won’t be made available until later this year, with additional data control tools arriving throughout 2023. And it’s still not clear at this early stage whether these new tools will be watertight in terms of GDPR compliance.