The Danish Data Protection Authority, Datatilsynet, has issued a directive to 53 municipalities to overhaul their data processing operations involving student information. This action comes after a concerned parent highlighted the risks associated with the transfer of student data to Google through Chromebooks and Google Workspace services used in schools. The authority has determined that the current data transfer methods to Google for various purposes lack a proper legal basis, prompting the need for immediate change.
The injunction mandates that municipalities must either cease transferring personal data to Google for specific purposes or establish a clear legal basis for these transfers. Additionally, a thorough analysis and documentation of data processing must be conducted when employing tools like Google Workspace. It is also required that Google is prevented from using any received data for purposes that are not compliant with the regulations.
The Datatilsynet has specified that acceptable uses of student data include providing educational services through Google Workspace, enhancing service security and reliability, facilitating communication, and fulfilling legal obligations. However, uses such as improving and maintaining Google Workspace, ChromeOS, and the Chrome browser, including performance measurement and new feature development, are not allowed. Allan Frank, an IT security and law specialist at the agency, emphasized the importance of focusing on citizen data protection and stated that standard product use does not excuse non-compliance with European data protection rules.
Municipalities are faced with a tight deadline, having until March 1, 2024, to outline their compliance strategies, and until August 1, 2024, to fully align their data processing with the new requirements. While the decision stops short of banning Chromebooks, which are prevalent in Danish schools, it significantly restricts how personal data can be shared with Google. Observers have both praised the announcement and criticized the lengthy 4.5-year duration it took to reach this resolution, suggesting that the longstanding data handling issues should also result in fines or corrective actions.