Danish DPA restricts schools from sending student data to Google amid privacy concerns

The Danish data protection authority (DPA), Datatilsynet, has issued an injunction against the transfer of student data to Google via Chromebooks and Google Workspace in 53 municipalities.

The decision follows a four-year complaint by activist Jesper Graugaard, highlighting privacy concerns and potential data misuse. Datatilsynet ruled the current data transfer lacks a legal basis for all disclosed purposes. Municipalities are ordered to cease specific data transfers or establish legal bases, document data processing, and ensure Google refrains from non-compliant purposes. Datatilsynet clarified that permissible student data uses include educational services, security enhancement, communication facilitation, and legal obligations. Non-permissible cases involve improving Google products. Datatilsynet’s IT specialist, Allan Frank, emphasized compliance despite product functionality.

The decision doesn’t ban Chromebooks but imposes restrictions on data sharing. With challenges restricting Google’s data processing, practical adherence may require blocking Chromebook and Workspace use. Municipalities must declare compliance plans by 1 March 2024 and align practices by 1 August 2024.

While this decision was welcomed, criticism arose for the Danish data protection authority’s 4.5-year delay in addressing poor data practices. Critics claim this has violated privacy for over ten years, and those accountable have not faced fines or other measures to ensure compliance.