Can Public Schools Use Google Under the GDPR? Finland’s Top Court Says “Yes, But…”

26.06.2025

The Finnish Supreme Administrative Court recently addressed whether Finnish municipalities can rely on GDPR Article 6(1)(c), a statory obligation to process personal data, when using cloud tools like Google Workspace for Education. It confirmed that that statutory obligations may serve as a legal basis, however provided each service is shown to be necessary and proportionate.

The Finnish Supreme Administrative Court recently issued a ruling concerning the public education institutions’ right to use commercially developed cloud-based tools in public schooling.

The context of the case goes back to the late 2010s, when the City of Espoo, one of Finland’s largest municipalities, chose to implement Google Workspace for Education in its public schools. The purpose and aim of the implementation was to enable the pupils to learn the basics of cloud-based software tools. But as the case waited for the Finnish data protection authority, the Data Protection Ombudsman, to initiate the investigation, which did not happen until early 2020s, the need for software-based platforms had also become crucial for education as COVID put everyone in a full remote mode.

The case originated from a concerned citizen raising questions with the Data Protection Ombudsman and finally landed at the Finnish Supreme Administrative Court of Finland (KHO), which issued a landmark ruling (KHO:2025:29) in April 2025.

 

A Brief Chronology and Background

Following the request for an investigation by an individual citizen, the Ombudsman issued its own decision in December 2021, concluding that the city had relied on an incorrect legal basis for processing student data.

Espoo argued that it could rely on the GDPR Article 6(1)(c) as its right to implement and use Google’s services. In other words, Espoo said that it had a legal obligation to process, among others, the pupils’ personal data in the context of running Google Workspace for Education.

The Ombudsman did not agree. According to her, Espoo could not use GDPR Article 6(1)(c), as the Finnish Basic Education Act did not mandate the use of a specific digital platform like Google Workspace.

The Ombudsman also raised concerns about the scale and sensitivity of the data involved, as well as Espoo’s limited visibility into how Google processed that data. Espoo, the Ombudsman argued, had not demonstrated that using Google’s services was strictly necessary or proportionate to fulfilling its legal obligations. The city was ordered to reassess its practices and seek an alternative legal basis. Yet, the Ombudsman remain considerably vague on what the correct legal basis might be while raising doubts on the validity of consent or the applicability of the legitimate interest.

Espoo appealed the decision to the Helsinki Administrative Court, which in June 2023 upheld the Ombudsman’s ruling. The court reaffirmed that while organizing education is indeed a legal obligation, it does not necessitate the use of any particular platform. Like the Ombudsman, the court was unconvinced by Espoo’s argument that its use of Google Workspace was necessary or adequately controlled.

Seeking clarity and vindication, Espoo applied for leave to appeal to the Supreme Administrative Court. In April 2025, KHO not only accepted the case but also overturned the DPAs and the lower court’s decisions. And quite expectedly so, some might argue…

 

KHO’s Take on Statutory Obligation Under GDPR Article 6(1)(c)

The central question for the Supreme Administrative Court was whether Finland’s education laws imposed a legal obligation sufficient to justify the processing of personal data through a service like Google Workspace. GDPR Article 6(1)(c) permits such processing, but only when it is “necessary for compliance with a legal obligation to which the controller is subject.”

KHO’s answer was yes, though with certain caveats.

The Court held that the statutory framework governing basic education in Finland, including obligations imposed by the Basic Education Act, the law which regulates the main, yet high-level, obligations for public education institutions to fulfil their duty of schooling Finnish citizens, and the national core curriculum, does indeed create legal duties for municipalities. These duties include equipping students with digital literacy, ICT skills, and the ability to navigate and collaborate in digital environments. While the law does not mention Google Workspace by name, KHO emphasized that a specific tool does not need to be codified to be justified under Article 6(1)(c).

Crucially, KHO clarified that the determining factor is whether the use of a particular tool is necessary and proportionate to fulfilling those legal educational duties, not whether the law lists a specific brand or service provider. Digital tools can be lawful under Article 6(1)(c), but municipalities must be able to demonstrate that their use is genuinely necessary and that the associated processing is not excessive.

 

Errors in the Reasoning of the Data Protection Ombudsman and the Administrative Court

KHO identified several key flaws in how the Ombudsman and the Helsinki Administrative Court had evaluated Espoo’s case.

First, both authorities relied on an overly rigid interpretation of Article 6(1)(c), assuming that unless a law specifically names a digital tool or a type of technology, its use cannot be based on a statutory obligation. KHO firmly rejected this approach. Education law may not prescribe particular technologies, but it clearly mandates outcomes, such as digital competence, that require the use of such tools.

Second, the earlier decisions employed an “all-or-nothing” logic, treating the Google Workspace platform as a monolithic entity. Either the entire platform was necessary and lawful, or none of it was. KHO found this approach legally flawed. Instead, each function or application within the platform, such as Docs, Calendar, Meet, and so on, must be assessed individually to determine whether the processing of personal data in that context is necessary and proportionate.

Third, the Ombudsman and the lower court conflated the question of whether a legal basis exists with broader compliance questions under the GDPR. For example, concerns about international data transfers, access by third parties, or the amount of data processed are relevant under the GDPR's general principles (such as minimization and transparency) but do not themselves disqualify the use of Article 6(1)(c). KHO stressed that these considerations belong in the necessity and proportionality analysis, not in the determination of whether a legal basis exists at all.

Fourth, both the Ombudsman and the court failed to examine the factual context in sufficient detail. Google Workspace is a suite of distinct applications with varying data profiles and purposes. KHO noted that Espoo had only activated certain core tools, yet the Ombudsman had lumped the entire suite together as unjustified. This blanket approach ignored important distinctions and failed to tailor the assessment to the actual processing taking place.

Finally, KHO took issue with how the Ombudsman applied the accountability principle. While the Court agreed that public authorities must be transparent and able to demonstrate GDPR compliance, it found that the Ombudsman had not actually determined that Espoo had breached this duty. If the Ombudsman believed Espoo lacked adequate documentation or understanding of Google’s processing practices, the appropriate response would have been to ask for clarification, not to reject the legal basis entirely.

 

Digital Learning Environments as Lawful and Necessary Tools

KHO’s decision reflects an understanding of how digital tools have become embedded in modern education. The Finnish national curriculum emphasizes the development of ICT competencies as part of core learning outcomes. In practice, fulfilling these objectives requires access to tools that support digital communication, collaboration, content creation, and information retrieval.

For GDPR in general, the decision underlines the basic importance of not only choosing the right legal basis for a data controller’s intended processing operations, but also analyzing the actual processing activities that take place within a context of an IT system or an IT service, rather than treating the system or service as a monolithic entity from the perspective of the lawfulness of processing of personal data.

The same goes for the Finnish supervisory authority. The KHO decision seems rather clear in saying that lumping an entire service provider under one legal basis is not a proper conduct and exercise of public authority, which the data protection authorities are granted under law. Rather, it is the obligation of the authorities to build their cases and collect their evidence before substantive and enforceable decisions can be issued.

Ultimately, the case was thrown back to the Finnish Data Protection Ombudsman for a revised decision. Thus, it still remains to be seen what the final outcome will be on the City of Espoo’s right to use Google’s tools in an educational context.

 

 

Article provided by INPLP member: Otto Lindholm and Daniel Stranius (Dottir Attorneys Ltd, Finland)

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.