Denmark’s data protection agency has banned the use of Google SaaS services and Google Chromebooks by local governments amid concerns around Google Workspace GDPR compliance and data processing.
Updated 19 July 2022 15:42: Clarified ramifications for other local authorities in Denmark, added Google statement.
The Danish "Datatilsynet" watchdog has been looking into Google Workspace GDPR issues in Helsingør Municipality, specifically in primary schools, since 2020. Last week the Datatilsynet ruled the local authority cannot use the search and advertising giant’s systems, including GMail, Google Docs and lightweight Chromebooks.
Datatilsynet ordered Helsingør to suspend any processing of data by Google Cloud EMEA which is transmitted to the US, and issued a general ban on the use of the SaaS suite, starting on 3 August, until the Google Workspace GDPR issues were resolved. The regulator also issued “serious criticism” of Helsingør’s processing of personal data.
The issue started with a compliant in 2019 by a parent concerned that their child had opened a Youtube account under their own name via a school Chromebook; something not initially seen by the municipality as a breach of data protection, but a flurry of similar incidents were reported, triggering the broader investigation.
Along with Helsingør -- better known in English as Elsinore, thanks to Shakespeare’s use of the city’s imposing castle as the main setting for Hamlet -- the regulator made it clear the decision could affect other local authorities.
"The Danish Data Protection Agency draws attention to the fact that many of the conclusions in this decision will probably apply to other municipalities that use the same treatment structure. The Danish Data Protection Agency therefore expects these municipalities to take relevant steps on the basis of the decision - even though the Authority is currently finalising a number of cases concerning other municipalities," said the regulator's announcement of its decision.
(All quotes are via Google Translate.)
It is as yet unclear if the ruling will also have significance to private sector organisations, or beyond Denmark. The watchdog had found that Danish citizens' data was being transferred to US-based servers by Google without the appropriate level of anonymisation
To send, or not to send, that is the question
At the heart of the issue is the potential for Google to send data out of the EU to the US. As Helsingør stated in a letter to Datatilsynet “even though the municipality has chosen an EU cloud, Google has in the data processor agreement secured the right to potentially receive support from third countries”.
But even with this acknowledgement, Datatilsynet ruled Helsingør had not included potential Google Workspace GDPR risk scenarios in an obligatory risk assessment and had not done adequate testing of the hardware and software it was to use – and therefore could not show that data was being processed lawfully.
The agency did acknowledge the municipality’s good faith, however.
"Helsingør Municipality has done a great and skilled work to map how personal data is used in primary school, but it also sheds light on the data protection law problems that can be with the big tech companies' ways of solving the task," said Allan Frank, IT security specialist and lawyer at the Danish Data Protection Agency.
What a piece of work is FISA!
The regulator’s ruling noted: “The Danish Data Protection Agency has placed particular emphasis on the fact that there would be a significant loss of rights for the data subjects if the risk in question materialised, and that the municipality in its risk assessment has not stated any remedial technical or organizational measures to mitigate this risk.”
“The Danish Data Protection Agency is of the opinion that Helsingør Municipality's reference to the municipality having confidence that the supplier generally complies with the agreement does not constitute a necessary reduction of this risk.”
The agency also said data transmitted to the US would be subject to FISA 702 – a provision of US law which permits intelligence gathering on non-US citizens. Helsingør had argued FISA 702 did not apply to its data – which is a surprising conclusion, given the known willingness of the US FISA court to grant access to data (in 2017 the court rejected 34 requests out of 1,372, a record-high rejection rate of 2.5%).
GDPR: More honoured in the breach than the observance?
The Danish Google Workspace GDPR ruling joins a long line of cases where US companies have been found to be in breach of GDPR; in September 2021 WhatsApp was fined €225 million by EU authorities, and in July 2021 Amazon received a whopping €746 million fine in Luxembourg. Last month the Italian data protection regulator ruled Google Analytics was incompatible with EU privacy legislation.
This latest ruling could have wider potential, given the ban on Google Workspace is on the basis of the risk of a hypothetical breach and its impact. It is also notable the Datatilsynet decision appears to ban the use of Google Workspaces in general by local authorities, even though the case itself centred around the use of Google products in education.
The Stack has contacted Datatilsynet for comment.
Many bodies, including Google, the EU itself, and countless organisations which rely on SaaS packages, will be hoping any wider significance of this Google Workspace GDPR decision will be short-lived. The EU and US are currently working on a new “Trans-Atlantic Data Privacy Framework”, to replace the Privacy Shield agreement which was struck down in 2020 as a result of the Schrems II decision.
Theoretically any use of products and services which transfer data from the EU to the US are in breach of GDPR, following the Schrems II decision. But in practical terms the use continues, with EU users relying on untested "standard contractural clauses"
The EU and US announced an agreement-in-principle on the new framework in March, with negotiations ongoing to finalise the details. But privacy campaigners, including Max Schrems himself, have raised concerns about the viability of any new deal unless stronger protections against US surveillance can be put in place – with Schrems also warning about the use of executive orders, which can be revoked at any time, to enact the agreement in the US.
The rest is silence
As yet, no concrete details about the framework have been released. EU justice commissioner Didier Reynders expressed confidence a deal would be completed this year, and told the Washington Post in early June he expected the legal text to be released “in the next weeks”.
Since then, however, there has been no news of the framework, and no comment from Reynders or other commissioners on the subject. Given any agreement will have to undergo significant scrutiny within the EU, and all parties involved will want it to be robust enough to survive the inevitable legal challenges it will face, the window of opportunity for completing and enacting the framework this year is closing rapidly.
The Stack has contacted the European Commission for comment.
In a statement, a Google spokesperson told The Stack: "We know that students and schools expect the technology they use to be legally compliant, responsible, and safe. That’s why for years, Google has invested in privacy best practices and diligent risk assessments, and made our documentation widely available so anyone can see how we help organisations to comply with the GDPR.
“Schools own their own data. We only process their data in accordance with our contracts with them. In Workspace for Education, students' data is never used for advertising or other commercial purposes. Independent organisations have audited our services, and we keep our practices under constant review to maintain the highest possible standards of safety and compliance.”