Denmark’s data watchdog has banned schools from using Google’s Workspace productivity suite amid growing fears that the tech giant’s products are not compatible with GDPR. It is the latest European regulator to rule that Google’s international data transfers are in breach of the bloc’s data protection laws in recent months.
The ruling from the Danish Data Protection Agency, Datalisynet, follows a risk assessment of personal data processing by primary schools in the Helsingør municipality, in North Eastern Denmark.
From 3 August, public sector organisations in the region will be banned from using Google Workspace, which includes GMail and the Google Docs suite of apps, as well as its Chromebook laptops. Those who do not comply with the ban could face jail time as a result.
Though the ruling initially applies only in Helsingør, it is likely to be extended across the country to every Danish municipality using Google systems as more investigations are carried out.
Why is Denmark banning Google from its public sector?
Datalisynet’s investigation concluded that personal data on Danish citizens using Workspace and Chromebooks was being transferred to US-based servers without the appropriate level of anonymisation, and is thus incompatible with GDPR.
Data transfers between Europe and US have technically been illegal since the ruling in the so-called Schrems II case in 2020, which found an existing agreement between the US and Europe, the Privacy Shield, was not compatible with GDPR. This is because US law allows its government to requisition client data from companies on national security grounds, something which is prohibited under GDPR.
Since then companies have been relying on a different legal instrument, standard contractual clauses (SCCs), for transatlantic data transfers, which offer increased protection. But the legitimacy of these remains largely untested in court, and a new agreement, the Trans-Atlantic Data Privacy Framework, was brokered earlier this year. At present, it only exists at a political, rather than legal, level, and is likely to be challenged by privacy campaigners if and when it comes into force.
Which European countries have outlawed Google products?
Denmark is the latest in a series of European countries to endeavour to regulate against what they deem to be Google’s contravention of GDPR. In January, the Austrian data protection authority (DSB) published findings that appeared to show that companies who use Google Analytics would inadvertently transfer IP addresses and identifiers in cookie data of their customers out of the EU to the US, which they deemed to be in breach of GDPR.
France’s data regulator the CNIL introduced a similar ban in June, deeming the use of Google Analytics to be illegal across the country, while Italy’s Garante per la protezione dei dati personali (SA) regulator did similar weeks later. It noted that the methods used by Google to transfer information to the US “do not currently guarantee an adequate level of protection of users’ personal data”.
But what do these regulations mean for everyone else?
A spokesperson for Google Cloud said: “We know that students and schools expect the technology they use to be legally compliant, responsible, and safe. That’s why for years, Google has invested in privacy best practices and diligent risk assessments and made our documentation widely available so anyone can see how we help organisations to comply with the GDPR.
“Schools own their own data. We only process their data in accordance with our contracts with them. In Workspace for Education, students’ data is never used for advertising or other commercial purposes. Independent organisations have audited our services, and we keep our practices under constant review to maintain the highest possible standards of safety and compliance.”
However, Google’s position means an unfair burden of compliance is put on the end user, argues Emily Taylor, associate fellow at the international affairs think tank Chatham House.
“All of these things like IP addresses and anonymisation, they all rely on the user themselves to configure their settings,” she says. “The burden goes on the user, so it’s up to you to dig into the many thousands of words and to interpret some very friendly sounding terms of service and really think about what they’re not saying as well as what they are saying and what that means.”
Taylor says this “imposes liability on people who aren’t actually providing Google Analytics – small businesses, schools, municipalities – who have a right to believe that when they’re implementing things that are more or less general-purpose utilities”, and as such should not run the risk of GDPR violation.
She adds that the only way to solve this is to make big changes to the way the people understand their data and its value, but warns “this will take years”.