Privacy regulator in Denmark makes local schools stop sending data to Google

Danish government is concerned about the data that Google collects

Schools in Denmark are required by law to stop sending student data to Google, according to a directive from Datatilsynet,[1] the Danish Data Protection Authority. Concerns about the safety and legality of using Google Workspace services and Chromebooks in educational settings prompted this directive.

Four years ago, parent and activist Jesper Graugaard objected to the indiscriminate sharing of student data with Google, which brought the matter to light. Following the conclusion of Datatilsynet's inquiry, 53 municipalities were ordered to update their data handling procedures because the existing practices of transmitting personal data to Google lacked a legal basis for all the purposes mentioned.[2]

Municipalities are now required to cease the transfer of personal data to Google for certain activities unless a clear legal basis is established, conduct assessments on data processing before employing Google Workspace, and ensure Google does not use the data for non-compliant purposes.

This decision emphasizes the permissible use of student data for educational services, security enhancements, communication facilitation, and legal obligation fulfillment while prohibiting its use for service maintenance, performance measurement, and feature development. The decision underscores the critical need for educational institutions to prioritize the protection of personal data in their digital tool selections.

The directive will be implemented next summer – is it enough time?

The directive from Datatilsynet does not outright ban the use of Google's Chromebooks and Workspace in schools but imposes strict limitations on data-sharing practices. Municipalities face the challenge of ensuring compliance with these restrictions, potentially leading to significant operational changes.

Schools may find it difficult to continue using Google's services without breaching the new data protection requirements. By March 1, 2024, municipalities must outline their compliance strategies, with a complete adjustment to data processing practices required by August 1, 2024.

The lengthy decision-making process by Datatilsynet, taking over four years to finalize, has been met with criticism for its delay. Observers have noted that the identified data handling issues have persisted for a decade, suggesting that further actions, such as fines or corrective measures, may be warranted to address these longstanding concerns.

The practice could spread to educational institutions in other countries

The Datatilsynet decision emphasizes the mounting concern over how big internet corporations manage personal data in educational settings, particularly that of students. The necessity for municipalities to reconsider and modify their use of Google services shows how crucial data privacy is in the modern digital world. The goal of the order is to strike a compromise between the need to protect students' privacy and the educational benefits of using technology.[3]

As Danish municipalities work towards compliance, the situation may prompt broader conversations about data privacy in education and the obligations of digital companies to comply with privacy regulations. The Danish decision may also influence data protection laws and procedures in educational institutions outside the country, highlighting how important it is to protect students' privacy in online learning environments worldwide.

About the author
Gabriel E. Hall
Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.