The Danish Data Protection Agency banned Chromebooks and Google Workspace in the school district of Helsingør. Security researchers say it might spread across the entire country.
Officials in the municipality of Helsingør last year were ordered by Datatilsynet, Denmark’s data protection agency, to carry out a risk assessment around the processing of personal data by Google in primary schools. This came after Helsingør reported a “breach of personal data security” back in January 2020.
Not meeting the requirements
A verdict published last week by Datatilsynet revealed that data processing involving students using Google’s cloud-based Workspace software suite (such as Gmail, Google Docs, Calendar and Google Drive) “does not meet the requirements of the GDPR on several points”. Datatilsynet says that the data processor agreement seemingly allow for data to be transferred to other countries for the purpose of providing support, even though the data is ordinarily stored in one of Google’s EU data centers.
More municipalities to follow?
Google’s Chromebook laptops and Google Workspace are being used in schools across Denmark. Even though this ruling applies only to schools in Helsingør, Datatilsynet notes that many of the conclusions it has reached will “probably apply to other municipalities” that use Google Chromebooks and Workspace. It added that it expects these other municipalities “to take relevant steps” off the back of the decision it reached in Helsingør.
Google had already announced in May this year a package of additional controls for European users of Google Workspace, which will allow them to control, limit, and monitor transfers of data to and from the EU, but roll out is only supposed to start at the end of this year.
