Officials in Denmark have recently carried out a risk assessment around the risks posed by Google when processing personal data for schools. As a result of this investigation, schools in Denmark have effectively banned the use of Google services. The decision, which was published last week by Datatilsynet (Denmark’s data protection agency), stated that Google’s cloud based software services which includes Gmail, Google Drive, and Google Docs, does not reach the requirements set out in the European Union’s GDPR data privacy regulations.

A particular concern highlighted by Datatilsynet was that Google’s terms and conditions allow for some personal data to be sent to different countries, despite the fact that it is usually stored in Google’s EU servers.

Schools across Denmark, as they do across the world, use Google Chromebook laptops, as well as Google Workspace. The investigation carried out by Datatilsynet was only conducted in the Municipality of Helsingør, as they had reported a breach of personal data security. The ruling given out by the agency only applies currently in Helsingør, however they have stated that the reasons for their decision will probably apply across the whole of Denmark, suggesting that further bans may be coming. Datatilsynet expects other Municipalities to take a look at Google’s use of their personal data in schools and act accordingly should they find the same breaches in the terms and conditions. For Helsingør, the ban is effective immediately, however they have until August 3rd to delete user data.

In the past, there existed an EU-US Privacy Shield, which regulated the transfer of data between the US and EU. This agreement is no longer in place, and whilst there is a new agreement agreed in principle, it hasn’t taken effect yet, which has left organisations in the middle wondering what they should do with pre-existing agreements. A member from Google recently spoke on the matter, saying:

“We know that students and schools expect the technology they use to be legally compliant, responsible, and safe. That’s why for years, Google has invested in privacy best practices and diligent risk assessments, and made our documentation widely available so anyone can see how we help organisations to comply with the GDPR.”

“Schools own their own data. We only process their data in accordance with our contracts with them. In Workspace for Education, students’ data is never used for advertising or other commercial purposes. Independent organisations have audited our services, and we keep our practices under constant review to maintain the highest possible standards of safety and compliance.”

The decision by Datatilsynet comes after data Watchdogs in countries such as Italy and Austria similarly ruled that websites using Google Analytics to track visitors went against EU data privacy rules, due to the fact that data is transferred to the US for the purposes of processing. With countries wishing to take more control over their data, rather than allowing the processing to be taking place outside elsewhere, Google has made an effort to change their infrastructure and processes to allow countries to use their services by giving them controls to “limit and monitor transfers of data to and from the EU.” These controls won’t be available for use until later this year, and some won’t be here until 2023. Whilst Google hope that these changes will mean that private and public organisations across Europe will continue to use their services, it is unclear at this stage whether or not the new controls will be any more GDPR compliant than the current ones that have resulted in the banning of Google’s services in schools in Denmark’s municipality of Helsingør.