Tristan Terlouw – Digital Marketing Strategy Nixon
28 July 2022
Denmark is going to ban Google services in schools after last year the municipality of Helsingør was ordered to look at the processing of personal data by Google.
In the week of July 11, the Danish data protection agency, Datalisynet, revealed that the data processing in Google’s Cloud-based workspace, including Gmail, Google Docs, Google Drive and Calendar involving students, does not meet the requirements of the European Union’s GDPR data privacy regulations.
It appeared that the data processing agreement – or Google’s terms and conditions allows the data to be transferred to countries outside Europe to provide support, while the data is also already stored in one of Google’s EU data centers.
Throughout Denmark, Chromebook laptops and Google Workspace are used. Datatisynet focused this investigation on Helsingør for the risk assessment after the municipality reported a breach of the security of personal data of the schools in Helsingør in 2020. The municipality has until August 3, 2022, to delete user data.
The problem lies in the EU-US Privacy Shield, which regulates how data can be shared between Europe and the United States. Although a new data flow agreement has been reached, it does not yet apply, which leaves organizations in limbo. As a result, companies rely on standard contractual clauses for their data processing practices.
Data protection agencies in France, Italy and Austria have ruled that Google Analytics also violates European data privacy rules, as personal data is also processed there. Even the Irish Data Protection Commission (DPC) is investigating how Facebook’s parent company Meta transfers data between Europe and the United States so that Europeans can access Meta’s services such as WhatsApp and Instagram.
Google has announced that they are working on a new security update. Google will strengthen its platform and infrastructure to ensure that public and private organizations do not go to Google’s competitors. There will be new sovereign controls for Google Workspace users in Europe, which will allow the user to limit and control the transfer of data to and from Europe.
However, these updates with additional data control tools will be made available later this year. It is also not entirely clear yet whether this update from Google matches the terms of GDPR compliance.
Google has announced that its plan to remove third-party tracking cookies is delayed until at least 2024.