Danish DPA temporarily bans use of Google Chromebooks and Workspace in Helsingør schools.
Over the last few months we have seen rulings from the French, Austrian and Italian Data Protection Authorities against companies unlawfully transferring data to the US through their improper use of Google’s Google Analytics services.
The Danish Data Protection Authority, Datatilsynet, has now opened a new front of criticism against the use of the tech giant Google’s Chromebooks and Workspace, claiming they are operating without a thorough assessment of the risks associated with potential international data transfers.
Background
The municipality of Helsingør had elected to roll out Google Chromebooks and, by extension, Google Workspace (formerly known as G-Suite) in its primary schools. However, it became clear over time that the municipality had not properly configured the platform’s settings to protect the privacy of the students in accordance with the requirements of the GDPR.
This case came to the attention of Datatilsynet through a data breach notification in 2020 and through complaints from parents stating that the municipality created Google accounts for the students without their knowledge or consent. These factors highlighted that the municipality had failed to conduct sufficient risk assessments prior to rolling out the technology and led to the investigation by Datatilsynet.
Datatilsynet’s Investigation
In their investigation of the municipality’s use of Google’s services, Datatilsynet found that the municipality failed to configure the Chromebooks and G-Suite original core programs for strictly educational purposes, and in a manner that would protect the privacy of the pupils. For example, the municipality could have configured the programs to keep personal data within the EU/EEA area, created aliases for the students and ensured that only the registered student and authorised administrators could access personal data.
In response to this investigation, the municipality were ordered in September 2021 to conduct a risk assessment of their use of Chromebooks and Workspace. Though Datatilsynet acknowledged that the municipality had skilfully mapped out how personal data is used in their primary schools and that their risk assessment addressed the most important scenarios and threats, there were remaining issues centred on transfers of data outside the EU.
Upon Datatilsynet’s review of the Data Processor Agreement with Google, they found that Google Cloud EMEA Limited in Ireland can transfer personal data to their sub-processor, Google LLC in the US, for technical support. This is despite the fact that Google otherwise used data centres within the EU to store personal data relating to Google accounts. This transfer for technical support would not have been done with the level of security and protection required under Chapter V of the GDPR.
In light of this, the municipality of Helsingør have been banned from using Google Workspace until an impact assessment has been carried out and the processing operations have been brought into line with the GDPR.
What this means for you
This decision has serious implications for all companies using Google Workspace in their business operations. While Google have announced upcoming Sovereign Controls for Google Workspace to provide organisations with more control over the transfers of data to and from the EU, these will not be in place until the end of 2022 and into 2023.
In the meantime, any organisations who use, or plan to use, Google Workspace should consider the following:
- Review your agreements with Google to identify where your data is being stored. If any personal data is being transferred outside the EU, such as for technical support, a Transfer Impact Assessment and appropriate transfer safeguards are required.
- Minimise the personal data. Datatilsynet recommended that the municipality should have used aliases rather than the child’s real name. Consider whether this would be possible for your school or organisation.
- Review your assessments. If you have previously conducted risk assessments regarding the configuration of your Google Workspace, your findings should be reconsidered against the backdrop of this decision.