Concerned at the potential misuse of students’ data, Denmark’s data protection authority has ordered schools to stop sending students’ data to Google, via the use of Chromebooks and Google Workspace services.
The regulator Datatilsynet issued an injunction to 53 municipalities, ordering them to no longer pass on students’ personal data to Google.
The matter was brought to the agency’s attention around four years ago by a concerned parent and activist, Jesper Graugaard.
Graugaard protested how student data is sent to Google without any consideration about the potential for misuse.
The Danish agency has now decided that the current methods of transferring personal data to Google do not have a legal basis for all disclosed purposes.
Municipalities have time until March 1 to declare precisely how they intend to comply with the regulator’s order and to fully align their data processing practices with the new requirements by August 1.
Google was yet to comment on the Danish agency’s order.
Most IT standard products today have a very complex contractual basis, which not only contains many options for variations in the processing of personal data, but also has a relatively high frequency of changes, said Allan Frank, IT security and law specialist at the agency.
This makes it more difficult than necessary for data-responsible companies and authorities to live up to GDPR, because it is easy to lose track of what is happening with data, he said in a statement.
Municipalities have been ordered to cease the transfer of personal data to Google for specific purposes or obtain a clear legal basis for such transfers.
They are told to analyze and document how personal data is processed before using tools like Google Workspace, and ensure that Google refrains from processing any data it receives for non-compliant purposes.
This recent move by Denmark’s data protection authority highlights growing concerns about the privacy and security of students’ data in the digital age. As education increasingly relies on technology, the collection and use of student data have become commonplace. However, the unrestricted flow of this sensitive information raises significant risks for both individuals and society as a whole.
Jesper Graugaard, the parent who initially raised the issue, expressed his concerns about the lack of consideration given to the potential misuse of student data. His activism has now compelled the Danish agency to take action and reassess the legality of transferring personal information to Google.
The regulator’s injunction demands that 53 municipalities cease sending students’ personal data to Google through the use of products like Chromebooks and Google Workspace services. The Danish agency has determined that the current methods of transferring student data lack a legal basis for all disclosed purposes. Municipalities have been granted a deadline until March 1 to declare their compliance plans and must fully align their data processing practices with the new requirements by August 1.
Allan Frank, an IT security and law specialist at the agency, highlighted the complexity of IT standard products and their contractual basis. The multitude of options for personal data processing and the frequent changes involved make it challenging for companies and authorities to meet the requirements of the General Data Protection Regulation (GDPR) and maintain control over data usage.
With this order, Danish municipalities are now obligated to analyze and document how personal data is processed before utilizing tools like Google Workspace. They must also ensure that any data received by Google is not processed for non-compliant purposes.
Google, the recipient of this directive, has yet to issue a response. The tech giant’s compliance and commitment to protecting personal data will be under scrutiny as it faces the task of aligning its practices with the Danish agency’s order.
In the broader context, this decision reflects the growing concerns and challenges surrounding data privacy in the digital era. Educational institutions must carefully navigate their use of technology to strike a balance between leveraging its benefits and safeguarding the privacy of students. As data protection regulations continue to evolve, it becomes increasingly important for schools and technology providers to reevaluate data transfer practices and prioritize the security of students’ information.
