Danish DPA bans Google Workspace use and US transfers

🧨 Danish DPA with most significant (?) decision since the Schrems II ruling - banning certain use of Google products and US transfers.


By Rie Aleksandra Walle

TL;DR: The Danish data protection authority banned a municipality's use of Google Workspace for Education and suspended all US transfers in a landmark decision of July 2022.

🎙️
Listen to the Grumpy GDPR podcast where Miloš and I discussed this decision and, not least, our follow-up episode where Allan Frank from the Danish DPA visited to elaborate on the case, and his revisit after their third decision, upholding the second one.

In what’s perhaps the most significant event since the Schrems II ruling, and almost exactly two years later, the Danish data protection authority (DPA) Datatilsynet published a decision relating to the municipality Helsingor and their processing of personal data in the primary and lower secondary school (“folkeskole”).

Note that their decision is for this specific municipality. However, the DPA also writes that many of their conclusions "likely will apply to other municipalities using the same processing setup" and expects them to "take necessary actions".

💡
The whole discussion around using Google products in Danish schools actually dates back to 2010, when the DPA concluded that the intended processing of special category personal data in Google Apps couldn’t fulfil the security requirements of the (then) Danish Personal Data Act. However, in 2017, the DPA gave Hedensted municipality permission to use Google Apps for Education with 2010 SCCs (case file 2014-323-0221, case referenced on Dataethics.eu).

The decision of 14 July 2022, however, is a result of a prior decision issued in September 2021. As both decisions are part of the same case and closely connected, let’s start by summarizing the latter.

🔥️ Update 18 August 2022: The Danish DPA issued a third decision upholding the second one. Read the summary below.

The first decision – September 2021

The case against Helsingor municipality dates back to a complaint lodged by a parent in 2019, when his son became very anxious after reading a negative comment on his YouTube account – an account the parent was completely unaware of.

And neither was the municipality; at some point Google updated their terms to include several additional services such as YouTube and Gmail, but the municipality evidently hadn’t read these (!).

And even though the municipality hadn’t even conducted an initial risk assessment for the use of Google products in their schools, they managed to conclude, after the complaints from parents, that it was “unlikely” that the incident could represent any risk for the children’s rights and freedoms – so they decided not to notify the DPA.

💡
But Helsingor isn’t the only one underperforming in privacy and data protection classes – a survey done by the Danish news outlet Version2 in 2021 shows that an astonishing 24 municipalities had never conducted a risk assessment at all, nor a DPIA, despite using Google products in schools for years. Another one admitted that they chose to continue using Google after the Schrems II ruling, despite identifying high risks. Perhaps worse is that they decided that a DPIA was “unnecessary”, although this is a clear requirement for high-risk processing activities.

The use of Google products in Danish schools has created a lot of debate over the past years, shown by numerous news articles and comment fields on 🔥. Although we won’t be able to cover it all in this article, you can read more in the various links.

Violations

To sum up the September 2021 decision, the DPA held that the municipality:

  • Failed to assess risks for the pupils’ rights and freedoms, consequently failing to demonstrate compliance with the GDPR Article 5(1)(c) as they didn’t minimize the personal data processed when creating users (the municipality admitted that it was indeed possible to minimize data).
  • Failed to demonstrate compliance with Article 5(1)(f), especially as they couldn’t demonstrate how they had configured new user accounts and, thus, couldn’t show that they ensured sufficient security for the processing activities.
  • Lacked a legal basis in (and thus violated) Article 6(1) for processing personal data in Google’s “Additional Services” (such as YouTube and Gmail).
  • Failed to assess possible risks of using Additional Services after Google changed their terms of service. Since the DPA considers that the use of novel and complex technology, including software, and especially in the education space where the data subjects are children and youth, generally represents a high risk, they held that the municipality had breached Article 35(1).
  • Failed, in several instances, to protect children whose names should be changed to an alias, resulting in a personal data breach as per Article 4(12).
  • Breached Article 32(1) by i) not conducting a risk assessment to identify risks connected with using Google’s Additional Services, ii) not analyzing the consequences of pupils accessing these Additional Services, iii) not testing the functionality and scope of these services before starting to use them, iv) not ensuring that pupils with protected names and addresses were anonymized and, finally, v) not sufficiently securing the computers against unauthorized access.
  • Failed to notify the DPA for several violations with a clear risk for the data subjects, in breach of Article 33(1).

Based on the above, the DPA ordered the municipality to bring their processing activities in line with the GDPR, by i) assessing risks following from the use of Chromebooks and G-Suite (now Workspace) for Education, which shows the personal data streams the processing activities entail, and, ii) if the risk is deemed high, conduct a DPIA.

💡 Finally, the DPA instructed the municipality to contact all parents to ensure that necessary corrections, anonymizations or erasure are done where their kids’ personal data has been unintentionally published or shared.

The second decision – July 2022

Many were slightly shocked to see that the DPA on 14 July ordered Helsingor municipality to suspend all US transfers and imposed a general ban on all processing in Google Workspace, giving them a deadline until 3 August. ⏰

However, as the prior decision clearly shows, this has been ongoing for several years, so the municipality has had ample time to rectify the violations. What’s particularly interesting in this case, though, is the focus on transfers to the US and the DPA’s findings.

Violations

In the July 2022 decision, the DPA held that the municipality:

  • Breached Article 5(2), cf. 5(1)(a) by i) not including all risk scenarios, ii) not testing the functionality and scope of selected hardware and software, and, iii) not documenting how the municipality controls Google’s access to the personal data, especially in Chrome OS and Workspace’s interaction with Google’s backend.
  • Failed to document that the appointed processor could provide sufficient guarantees to satisfy the requirements of Article 28(1). Because they couldn’t exclude the possibility of the processor breaching their agreement, the DPA also held that this is a high risk in itself and the municipality should have conducted a DPIA as per Article 35(1).
  • Failed to ensure that transfers of personal data to the US are sufficiently protected from possible surveillance by the US government, thus breaching Article 44, cf. Article 46(1)(c). The municipality had localized storage to Europe, but their agreement with Google was contingent on allowing for support from outside of the EEA. For this, they had the 2021 SCCs in place. The DPA, however, found that Google is an “electronic communications service provider” as defined in 50 U.S.C. § 1881(b)(4) and, thus, subject to FISA 702, which, as we all know, is highly problematic (read more here). Thus, the DPA held that contractual and organizational measures were insufficient and the municipality has to put technical measures in place.

In sum, the DPA expresses serious criticism of the municipality’s processing of personal data, which is in violation of Articles 5(2), cf. 5(1)(a), 24, cf. 28(1), 35(1) and 44, cf. 46(1).

The third decision – August 2022

The second decision sent shock waves not only through Helsingor and every municipality, organization and business in Denmark - but across the EEA. The local debate has been hefty, to say the least, with numerous news articles, interviews and opinions.

We all waited impatiently for the next steps, one of which was the municipality's DPIA. But when it was published, most GDPR practitioners were not only surprised, but slightly shocked over its deficiencies. ❌ Not least because it lacked the DPO's comments (!).

Violations

In the August 2022 decision, the DPA held that:

  • The municipality still fails to demonstrate that their use of Google Chromebooks and Workspace for Education is in line with the GDPR.
  • Notably, the documentation submitted to the DPA on 1 August is not in line with Article 35(1) and (7), nor with Article 36(1).

On this basis, the DPA upholds their decision of 14 July 2022, but changes it to a ban against processing personal data by using Google Chromebooks and Workspace for Education.

⏰ The ban is effective immediately and lasts until the municipality has brought their processing in line with the GDPR, as stated in the prior decision, and when they have conducted a DPIA in line with the content and requirements as per Articles 35 and 36.

The fourth (!) decision – September 2022

Following the third decision, the DPA met with the municipality and other actors (including Local Government Denmark, the association and interest organisation of the 98 Danish municipalities).

Helsingor municipality subsequently submitted more documentation and also requested a consultation with the DPA as per Article 36.

Shortly after (and somewhat surprisingly), the DPA temporarily suspended their processing ban against the municipality until 5 November 2022.

They also ordered the municipality to:

  • Change the data processing agreement with Google so that the DPA's remarks in their 14 July and 18 August decisions are implemented. This includes, at a minimum, a clarification of where and if Google acts as a sole controller, and of any uncertainties that may entail that Google acts beyond their role as a processor, cf. Article 28(3)(a).
  • Document that all transfers of personal data to insecure third countries are in line with the GDPR.
  • Describe all data flows and identify the personal data that are shared with the vendor, and clarify when the vendor acts as a sole or joint controller. This documentation must include the whole technology stack used by the municipality (for this processing activity).
  • Update their data protection impact assessment based on all identified risks.
  • Consult the DPA if the DPIA shows any high risks the municipality is not able to mitigate.
  • If any processing activities are still not in line with the GDPR on 3 November 2022, present a final plan for bringing them in line with the GDPR.

What happens next

We'll have to wait until November to see!

And the debate has already taken off yet again: What will happen now that they cannot use their computers legally? Who will pay for new ones? How long will it take? What will they use instead of Google products? And will the kids get their fundamental privacy rights back?

One thing’s for sure – we’ll continue to watch this case closely. 🧐
