School students in Denmark regularly use Chromebooks and Google Workspace in class. But from now on, their data will not be sent to the tech giant.
The Danish data protection authority (Datatilsynet) has now issued an injunction regarding the data and the fact that it’s being sent to Google through the use of the company’s products.
The agency began analyzing the problem around four years ago when it was contacted by Jesper Graugaard, a concerned parent and activist. He was worried that student data was being sent to Google despite the potential for its misuse or the impact that it could have in the future when these kids grow up.
His protestations were justified, it seems. The agency has now decided that the current methods of transferring personal data to Google do not have a legal basis, and 53 municipalities across Denmark must adjust their data processing practices.
Using tools like Google Workspace will also have to stop for now, as schools will have to analyze and document how personal data is processed. The country’s educational institutions must ensure that Google refrains from processing any data it receives for non-compliant purposes.
Municipalities have until March 1st to declare precisely how they intend to comply with Datatilsynet's order and until August 1st to fully align their data processing practices with the new requirements.
"Today's IT services often function in such a way that the transfer of personal data is built into the product, and that the use of the information is often a prerequisite for getting the full benefit of the products' functionality,” said the agency’s IT security and law specialist, Allan Frank.
“However, this does not always happen with sufficient focus on the protection of the citizens whose information is used.”
“Neither the functionality of the solutions you want to use, nor the supplier's market position, the standardized structure or the mere use of a standard product can justify not complying with the rules on data protection which we must have in Europe.”
However, Frank called these rules political and said it was today extremely difficult for data-responsible companies and authorities to live up to the GDPR (General Data Protection Regulation), the European Union’s regulation on information privacy.
“It is easy to lose track of what is happening with data. We at the Danish Data Protection Authority therefore call for contracts to be made more transparent – not just in relation to the processing structure, but also in relation to the consequences when conditions surrounding the delivery change.”
More from Cybernews:
Subscribe to our newsletter