🇩🇰 Danish Google Workspace for Education Chromebook case (Helsingørgate)

The Danish DPA's landmark decision of 2022, to ban certain use of Google products and US transfers, is still ongoing, with the latest update Feb 2024.

10 months ago   •   8 min read

By Rie Aleksandra Walle
Table of contents

TL;DR: The Danish data protection authority banned a municipality's use of Google Workspace for Education and suspended all US transfers in a landmark decision of July 2022. As of Feb 2024, the case is still ongoing.

🎙️
We now have four (!) Grumpy GDPR episodes on this case (by popular demand), see all links below and make sure you listen to the last one Piece of Cake! with Allan Frank from the 🇩🇰 DPA.

In what’s perhaps the most significant event since the Schrems II ruling, and almost exactly two years later, the Danish data protection authority (DPA) Datatilsynet published a decision relating to the municipality Helsingor and their processing of personal data in the primary and lower secondary school (“folkeskole”).

Initially, their decision was for this one municipality only, although the DPA wrote that many of their conclusions "likely will apply to other municipalities using the same processing setup" and expected them to "take necessary actions".

Their latest decision of 30 January 2024, however, applies to all (53) municipalities using the same tech stack and processing setup.

In this article I outline all five (!) decisions in this case. If you want to read the latest one, click here to jump straight to it.


💡
The whole discussion around using Google products in Danish schools actually dates back to 2010, when the DPA concluded that the intended processing of special category personal data in Google Apps couldn’t fulfil the security requirements of the (then) Danish Personal Data Act. However, in 2017, the DPA gave Hedensted municipality persmission to use Google Apps for Education with 2010 SCCs (case file 2014-323-0221, case referenced on Dataethics.eu).

The decision of 14 July 2022 is a result of a prior decision issued in September 2021. As both decisions are part of the same case and closely connected, let’s start by summarizing the latter.

The first decision – September 2021

The case against Helsingor municipality dates back to a complaint lodged by a parent in 2019, after his son became very anxious after reading a negative comment on his YouTube account – an account the parent was completely unaware of.

And neither was the municipality; at some point Google updated their terms to include several additional services such as YouTube and Gmail, but the municipality evidently hadn’t read these (!).

And even though the municipality hadn’t even conducted an initial risk assessment for the use of Google products in their schools, they managed to conclude, after the complaints from parents, that it was “unlikely” that the incident could represent any risk for the childrens’ rights and freedoms – so they decided not to notify the DPA.

💡
But Helsingor isn’t the only one underperforming in privacy and data protection classes – a survey done by the Danish news outlet Version2 in 2021 shows that an astonishing 24 municipalities had never conducted a risk assessment at all, nor a DPIA, despite using Google products in schools for years. Another one admitted that they chose to continue using Google after the Schrems II ruling, despite identifying high risks. Perhaps worse is that they decided that a DPIA was “unnecessary”, although this is a clear requirement for high-risk processing activities.

The use of Google products in Danish schools has created a lot of debate over the past years, shown by numerous news articles and comment fields on 🔥. Although we won’t be able to cover it all in this article, you can read more in the various links.

Violations

To sum up the September 2021 decision, the DPA held that the municipality:

  • Failed to assess risks for the pupils’ rights and freedoms, consequently failing to demonstrate compliance with the GDPR Article 5(1)(c) as they didn’t minimize the personal data processed when creating users (the municipality admitted that it was indeed possible to minimize data).
  • Failed to demonstrate compliance with Article 5(1)(f), especially as they couldn’t demonstrate how they had configured new users account and, thus, could ensure sufficient security for the processing activities.
  • Lacked a legal basis in (and thus violated) Article 6(1) for processing personal data in Google’s “Additional Services” (such as YouTube and Gmail).
  • Failed to assess possible risks of using Additional Services after Google changed their terms of service. Since the DPA considers that the use of novel and complex technology, including software, and especially in the education space where the data subject are children and youth, generally represents a high risk, they held that the municipality had breached Article 35(1).
  • Failed, in several instances, to protect children whose names should be changed to an alias, resulting in a personal data breach as per Article 4(12).
  • Breached Article 32(1) by i) not conducting a risk assessment to identify risks connected with using Googles Additional Services, ii) not analyzing the consequences of pupils accessing these Additional Services, iii) not testing the functionality and scope of these services before starting to use them, iv) not ensuring that pupils with protected names and addresses were anonymized and, finally, v) not sufficiently securing the computers against unauthorized access.
  • Failed to notify the DPA for several violations with a clear risk for the data subjects, in breach of Article 33(1).

Based on the above, the DPA ordered the municipality to bring their processing activities in line with the GDPR, by i) assessing risks following from the use of Chromebooks and G-Suite (now Workspace) for Education, which shows the personal data streams the processing activities entail, and, ii) if the risk is deemed high, conduct a DPIA.

💡 Finally, the DPA instructed the municipality to contact all parents to ensure necessary corrections, anonymizations or erasure is done where their kids’ personal data has been unintentionally published or shared.

The second decision – July 2022

Many were slightly shocked to see that the DPA on 14 July ordered Helsingor municipality to suspend all US transfers and imposed a general ban on all processing in Google Workspace, giving them a deadline until 3 August. ⏰

However, as the prior decision clearly shows, this has been ongoing for several years, so the municipality has had ample time to rectify the violations. What’s particularly interesting in this case, though, is the focus on transfers to the US and the DPA’s findings.

Violations

In the July 2022 decision, the DPA held that the municipality:

  • Breached Article 5(2), cf. 5(1)(a) by i) not including all risk scenarios, ii) not testing the functionality and scope of selected hardware and software, and, iii) not documenting how the municipality controls Google’s access to the personal data, especially in Chrome OS and Workspace’s interaction with Google’s backend.
  • Failed to document that the appointed processor could provide suffient guarantees to satisfy the requirements of Article 28(1). Because they couldn’t exclude the possibility of the processor breaching their agreement, the DPA also held that this is a high risk in itself and the municipality should have conducted a DPIA as per Article 35(1).
  • Failed to ensure that transfers of personal data to the US is sufficiently protected from possible surveillance by the US government, thus breaching Article 44, cf. Article 46(1)(c). The municipality had localized storage to Europe, but their agreement with Google was contingent on allowing for support from outside of the EEA. For this, they had the 2021 SCCs in place. The DPA, however, found that Google is an “electronic communications service provider” as defined in 50 U.S.C. § 1881(b)(4) and, thus, subject to FISA 702 as we all know is highly problematic (read more here). Thus, the DPA held that contractual and organizational measures were insufficient and the municipality has to put technical measures in place.

In sum, the DPA expresses serious criticism of the municipality’s processing of personal data, which is in violation of Articles 5(2), cf. 5(1)(a), 24, cf. 28(1), 35(1) and 44, cf. 46(1).

The third decision – August 2022

The second decision sent shock waves not only through Helsingor and every municipality, organization and business in Denmark - but across the EEA. The local debate has been hefty, to say the least, with numerous news articles, interviews and opinions.

We all waited impatiently for the next steps, one of which was the municipality's DPIA. But when it was published, most GDPR practicioners were not only surprised, but slightly shocked over its deficiencies. ❌ Not least because it lacked the DPO's comments (!).

Violations

In the August 2022 decision, the DPA held that:

  • The municipality still fails to demonstrate that their use of Google Chromebooks and Workspace for Education is in line with the GDPR.
  • Notably, the documentation submitted to the DPA on 1 August, is not in line with Article 35(1) and (7), as well as Article 36(1).

On this basis, the DPA upholds their decision of 14 July 2022, however changes it to a ban against processing personal data by using Google Chromebooks and Workspace for Education.

⏰ The ban is effective immediately and lasts until the municipality has brought their processing in line with the GDPR, as stated in the prior decision, and when they have conducted a DPIA in line with the content and requirements as per Articles 35 and 36.

The fourth decision – September 2022

Following the third decision, the DPA met with the municipality and other actors (including the Local Government Denmark (KL), the association and interest organisation of the 98 Danish municipalities).

Helsingor municipality subsequently submitted more documentation and also requested a consultation with the DPA as per Article 36.

Shortly after (and somewhat surprisingly), the DPA temporarily suspended their processing ban against the municipality until 5 November 2022.

They also ordered the municipality to:

  • Change the data processing agreement with Google so that the DPA's remarks in their 14 July and 18 August decisions, are implemented. This includes, at a minimum, a clarification of where and if Google acts as a sole controller and any uncertainties that may entail that Google acts beyond their role as a processor, cf. Article 28(3)(a).
  • Document that all transfers of personal data to insecure third countries, are in line with the GDPR.
  • Describe all data flows and identify the personal data that are shared with the vendor, and clarify when the vendor acts as a sole or joint controller. This documentation must include the whole technology stack used by the municipality (for this processing activity).
  • Update their data protection impact assessment based on all identified risks.
  • Consult the DPA if the DPIA shows any high risks the municipality is not able to mitigate.
  • If any processing activities are still not in line with the GDPR on 3 November 2022, present a final plan for bringing them in line with the GDPR.

The fifth (!) decision - January 2024

After November 2022, it got quiet for a long time. Then, on 30 Jan 2024, the DPA published a new decision. Notably, this time the decision applied to all (53) municipalities using the same Google tech stack and processing setup.

Moreover, KL (Local Government Denmark) has been representing the municipalities. And since the last decision, they've submitted a substantial amount of documentation to the DPA, and asked (and gotten) several extensions.

In their documentation, the municipalities clarified that they share personal data with Google—data that Google uses for their own purposes.

Based on this, the DPA concluded that the municipalities:

✅ have a legal basis for sharing pupils' personal data for purposes related to deliver services, improve security and reliability of those services, communicate with the municipalities and uphold legal obligations,

❌ but not to maintain and improve Google Workspace for Education, ChromeOS and Chrome browser, or measure performance and develop new functions and services in ChromeOS and Chrome browser.

Consequently, the DPA has ordered all municipalities to bring their processing in line with the GDPR, by ensuring they have a legal basis for all processing activities. They even suggest some ways of achieving this (just as examples, it's up to the municipalities to determine and decide their options):

  • Stop sharing personal data with Google for purposes where you lack a legal basis. This will likely require Google to develop a technical solution for stopping the data streams.
  • Google stops processing the personal data for these purposes.
  • The Danish Parliament creates a legal basis for the processing.

The municipalities have until 1 March to report their solution to the DPA, and must then ensure that their processing is compliant before 1 August.

What happens next

We'll have to wait until August (2024) to see!

How will the municipalities solve their conundrum? Will Google help out? Should we go back to pencil and paper? Will the kids get their fundamental privacy rights back?

One thing’s for sure – we’ll continue to watch this case closely. 🧐

Spread the word

Keep reading