Denmark is proficiently banning Google’s solutions in schools, immediately after officials in the municipality of Helsingør had been final year ordered to carry out a threat assessment about the processing of individual information by Google.
In a verdict published last week, Denmark’s information protection agency, Datatilsynet, revealed that information processing involving students making use of Google’s cloud-based Workspace software suite — which consists of Gmail, Google Docs, Calendar and Google Drive — “does not meet the requirements” of the European Union’s GDPR data privacy regulations.
Particularly, the authority identified that the information processor agreement — or Google’s terms and situations — seemingly let for information to be transferred to other nations for the objective of supplying help, even even though the information is ordinarily stored in one particular of Google’s EU information centers.
Google’s Chromebook laptops, and by extension Google Workspace, are employed in schools across Denmark. But Datatilsynet focused particularly on Helsingør for the threat assessment immediately after the municipality reported a “breach of individual information security” back in 2020. Whilst this newest ruling technically only applies to schools in Helsingør for now, Datatilsynet notes that lots of of the conclusions it has reached will “probably apply to other municipalities” that use Google Chromebooks and Workspace. It added that it expects these other municipalities “to take relevant steps” off the back of the choice it reached in Helsingør.
The ban is productive right away, but Helsingør has till August three to delete user information.
At the heart of the situation is the now defunct EU-US Privacy Shield that regulated how information can be shared in between the EU and United States. Whilst a new information flow deal has been agreed to in principle, it is not but in impact, which has left lots of organizations in limbo. Consequently, Major Tech providers are relying on regular contractual clauses for their information processing practices.
A Google spokesperson told TechCrunch:
We know that students and schools anticipate the technologies they use to be legally compliant, accountable, and protected. That is why for years, Google has invested in privacy most effective practices and diligent threat assessments, and produced our documentation broadly readily available so anybody can see how we support organisations to comply with the GDPR.
Schools personal their personal information. We only procedure their information in accordance with our contracts with them. In Workspace for Education, students’ information is in no way employed for marketing or other industrial purposes. Independent organisations have audited our solutions, and we preserve our practices beneath continual overview to preserve the highest feasible requirements of security and compliance.
This newest announcement comes immediately after regional information watchdogs in France, Italy and Austria ruled that sites making use of Google Analytics to track guests contravened European information privacy guidelines, provided that individual information is transferred to the U.S. for processing. And Ireland’s Information Protection Commission (DPC), meanwhile, is currently mulling how Facebook’s parent company Meta is transferring information in between Europe and the U.S., which could effect how Europeans are capable to access solutions such as WhatsApp and Instagram.
With European lawmakers keen to establish a higher degree of digital sovereignty, Google has been bolstering its platform and infrastructure to support assure public and private organizations keep with the enterprise. A couple of months back, Google announced that it would be rolling out new “sovereign controls” for Workspace customers in Europe, permitting them to “control, limit, and monitor transfers of information to and from the EU.”
Having said that, these controls will not be produced readily available till later this year, with further information handle tools arriving all through 2023. And it is nevertheless not clear at this early stage irrespective of whether these new tools will be watertight in terms of GDPR compliance.