A case about the use of Google Chromebook and Workspace in public schools has become a saga in Denmark.
It started with a complaint from a parent about a primary school handing out Google Chromebooks to students. Since then, we’ve seen several decisions from the Danish Data Protection Agency, making this case into a hot potato.
The case should remind everyone how important it is to:
So, feel free to read on if you want to know the ins and outs of the case – and what I see as its three highlights.
We have seen a total of five decisions from the Danish DPA. Let’s go through them from one end to the other:
In September 2021, the DPA concluded that Helsingør Municipality in Denmark had not assessed the risks that the use of Google Chromebooks in schools posed to the data subjects (primary school students).
The Danish DPA issued an injunction requiring the municipality to risk assess the processing in Chromebooks and Workspace. In addition, they prohibited the municipality from using them until the risks to the data subjects had been minimized.
In July 2022, the Danish DPA banned the processing of personal data with Google Chromebooks and Workspace, both because the risks to the data subjects had not been adequately assessed and because these risks were too high.
The prohibition would be maintained until sufficient documentation was provided that Helsingør Municipality had brought the processing into accordance with the rules.
In addition, the Danish DPA suspended all related transfers of personal data to the US until Helsingør Municipality complied with the GDPR rules on third country transfers.
In August 2022, the Danish DPA published its third decision. After the municipality had submitted their data protection impact assessment regarding the use of Chromebooks and Workspace, the DPA upheld the ban and concluded that the received material did not meet the GDPR requirements for a data protection impact assessment.
However, in the fourth decision from September 2022, the DPA temporarily lifted the ban. They accepted the use of Chromebooks and Workspace while the DPA awaited changes and clarification of the data processing agreement and the technical aspects of the commercial agreements between the municipality and Google.
In the latest decision of January 30, 2024, the Danish DPA assessed whether Helsingør Municipality had the correct and necessary legal basis for sharing students’ personal data with Google, as the data processing agreement and the commercial agreements prescribed.
The Danish DPA’s focus was on the personal data that the municipality disclosed to Google, where Google was the data controller and thus did not act under the municipality’s instructions. Google used this information to improve its products and services.
The municipality used the legal basis in GDPR Article 6(1)(e), which requires that the processing is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”
This legal basis for processing requires that there is another legal basis in Danish law that – so to speak – makes the processing “necessary,” cf. GDPR, Article 6(3)(b).
As the municipality’s task of running the Danish schools is laid down in the Danish School Act, the Danish DPA believed that the legal basis had to be found in the Danish School Act if the use of the legal basis for processing was to be lawful.
The Danish DPA concluded that there was insufficient legal basis in the Danish School Act to use the stated legal basis for processing. Therefore, the authority ordered the municipality to legalize the processing of personal data or stop processing them in Google Chromebooks.
The DPA imposed a deadline of August 24, 2024, for the municipality to comply with the injunction.
It’s almost too trivial to emphasize that you should read and understand your agreements. But you should. The Chromebook case emphasizes that the devil is in the details – not only in the directly applicable agreements but also the surrounding agreements, which in this case regulate services that are not part of the data processing agreement and the purchase.
The case also highlights the need to specifically identify how the system works and what type of data flow is involved. This understanding is key to identifying how personal data is processed and where there might be potential gaps.
The case shows how important it is to examine the purposes of any disclosure and that there is a legal basis for all these purposes. This requires a thorough analysis of the existing legislation and applicable rules.
If you cannot ensure a legal basis, you can try to use the solution in another way that does not process personal data or, ultimately, you may end up not needing to use the specific service.
While the GDPR does not prohibit the use of off-the-shelf products that may have challenging and non-negotiable contractual bases, the case shows that the use of off-the-shelf products is not an excuse for not complying with the GDPR or having clear contractual terms.
In another recent decision, the Danish DPA addressed the Region of Southern Denmark’s use of a cloud-based Microsoft 365 solution. It shows that the issues from the Chromebook case are also present when implementing other IT systems.
In the statement, the Danish DPA put forward a number of specific questions that the Region of Southern Denmark should clarify in connection with the migration to the cloud-based solution. Among other things, the Danish Data Protection Agency asked the following questions:
1) “What will be the legal basis for the region’s processing of the personal data in question?” In other words, they asked: Where is your dual legal basis?
2) “What specific purposes will Microsoft process data for as part of keeping ‘products up to date and performing and improving user productivity, reliability, efficiency, effectiveness, quality and security’ and in what role?” In other words, they asked: Does Microsoft use the information to improve services to which the Region does not subscribe?
3) “How are the above-mentioned aggregated statistics generated in concrete terms, in particular, whether aggregation or anonymization takes place before data is disclosed to Microsoft?” In other words, they asked: Is the information personal data at all when Microsoft uses it for their own purposes?
The Chromebook case is an important lesson for public authorities looking to implement new IT systems that process personal data about citizens.
When we read the Chromebook case from a broader perspective and remove the Public School Act from the equation, the case provides just as much learning for private companies.
For me, the following big questions remain:
I answered these questions at a webinar on April 10, 2024. The webinar was in Danish, so for you as a non-Danish reader, I’ll share the answers and key takeaways from my webinar with you here:
You can avoid falling into the Chromebook trap if you follow these 4 guidelines:
In a poll, I asked if the audience believed that disclosure of personal data for product improvement can be supported by legitimate interest.
58% said no.
In the next poll, I asked if the audience, from a political point of view, believed it to be wrong if you can’t use IT systems where personal data is collected for product improvement.
66% said yes.
We find it highly interesting that the audience’s opinions were different depending on whether they looked at the case from a legal or political perspective. It also emphasizes why this is a complex case where GDPR may restrict the use of widely used services where it makes good commercial sense to use them.
Finally, a person from the audience asked Martin the million-dollar question:
“Can you argue that private companies have a legal basis in Article 6(1)(f) to use Google?”
My answer was:
“Yes, it can be possible if you can prove that you have a legitimate interest.”
However, you should make sure to document your legal basis. This can be done in a Legitimate Interest Assessment (LIA). At ComplyCloud, our in-house lawyers are working on a document like this to offer to our customers soon.