Insufficient legal basis to use Google Workspace as an educational tool in schools

28.05.2024

The Danish Data Protection Agency has in the widely discussed Chromebook case assessed the legal basis for disclosure of personal data relative to the use of digital tools such as Google Workspace on school computers, revealing its insufficiency. As a consequence, schools are now ordered to address this issue.

The Chromebook case: background

Contrary to its name, the Chromebook case is more about the use of Google Workspace than the use of Chromebooks. Google Workspace is a suite of web applications that can be accessed on school computers.

The issue of legal basis for the use of digital tools in education started back in 2019, when a parent of a child in Helsingør Municipality complained that the school had not taken sufficient measures to protect the child's personal data whilst using digital tools in the classroom.

This led to criticism from the Danish Data Protection Agency about 53 municipalities’ failure to prepare a risk assessment for the use of digital tools such as Google Workspace on e.g. school computers and their failure to contact parents regarding the processing of their children's personal data.

 

Prerequisite for using digital tools

The criticism stemmed from the fact that, in order to use digital tools, it is a prerequisite for organizations to establish how personal data is collected, disclosed and processed through use of the given tool.

This especially applies to public schools, which in their position as a public authority and in the interest of protection of citizens’ personal data have a special incentive to fulfill this duty of investigation. Thus, the 53 municipalities’ non-compliance with this prerequisite entailed sanctions in 2021 and 2022.

Based on material collected from the 53 municipalities in question, light has since then been shed upon the disclosure to Google of personal data collected through the use of Google Workspace on school computers. The legality of this disclosure has now been assessed by the Danish Data Protection Agency.

 

The Danish Data Protection Agency's decision

The conclusion in the Chromebook case can be divided into two coherent legal assessments on respectively the disclosure of personal data and on its processing.

Regarding the disclosure of personal data, the legal basis has been assessed as sufficient for the purpose of:

  1. provision of services such as Google Workspace
  2. improvement/reliability of the service in question
  3. communication with e.g. municipalities
  4. compliance with legal obligations.

Regarding the processing of the disclosed personal data, however, the Danish Data Protection Agency assesses that there is insufficient legal basis in the Danish Public School Act for following purposes:

  1. maintaining and improving the Google Workspace for Education service, ChromeOS and the Chrome browser
  2. measuring performance and developing new features and services in ChromeOS and the Chrome browser.

 

Injunction to the municipalities

As a result of this decision, the municipalities have been injuncted to ensure the sufficiency of the legal basis for the processing of the disclosed personal data. To achieve this, several options can be considered:

  1. Municipalities can cease the disclosure of personal data to Google for these purposes.
  2. Google itself can refrain from processing the data for these purposes.
  3. The Danish Parliament can provide a sufficiently clear legal basis for disclosure for these purposes.

In addition, the Danish Data Protection Agency calls for the contractual basis of digital tools to be made transparent in order to make it easier to understand and navigate.

The municipalities have until August 1, 2024, to comply with the injunction of the Danish Data Protection Agency.

 

Focus on protecting citizens’ data

Despite the fact that the disclosure of personal data is usually built into the digital tools and that the processing of personal data is often a condition for the use of these tools, the Danish Data Protection Agency's decision in the Chromebook case and the injunction to the municipalities reflect the ambition to reconcile the use of digital tools with the requirements for personal data protection. As such, the Chromebook case thus testifies to a continued strong focus on protecting citizens’ data.

 

Article provided by INPLP member: Claas Thöle (advores Advokater & Rechtsanwälte, Denmark)

 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.