Danish Authority Halts School Data Transfer to Google Over Misuse

By Consultants Review Team Thursday, 08 February 2024

Denmark's data protection authority has directed schools to halt the transfer of student data to Google, citing concerns over potential data misuse. The regulator, Datatilsynet, issued an injunction to 53 municipalities, instructing them to cease transmitting students' personal data to Google through Chromebooks and Google Workspace services.

The directive comes after Jesper Graugaard, a parent and activist, raised concerns about the indiscriminate transfer of student data to Google without adequate consideration for potential misuse, prompting an investigation by the Danish agency about four years ago.

Following their investigation, the Danish authority concluded that the current methods of data transfer to Google lack a legal basis for all disclosed purposes. As a result, municipalities have been given until March 1 to outline their plans for compliance with the regulator's order and must fully align their data processing practices with the new requirements by August 1.

Google has yet to respond to the directive issued by the Danish agency.

Allan Frank, an IT security and law specialist at the agency, highlighted the complexity of the contractual agreements governing standard IT products, which makes it challenging for data controllers to ensure compliance with the GDPR. He emphasized the importance of municipalities analyzing and documenting how personal data is processed before using tools like Google Workspace, in order to mitigate the risks associated with data processing.

Municipalities are instructed to cease transferring personal data to Google for specific purposes unless a clear legal basis for such transfers exists. They are also mandated to conduct thorough analyses and documentation of personal data processing procedures and ensure that Google refrains from processing any data received for non-compliant purposes.
