“What a data controller needs to do BEFORE processing personal information.” That is what the Danish Chromebook-case is all about, according to the caseworker from the Danish DPA, Allan Frank. He’s seen progress, however, on January 30th he told 53 Danish municipalities to make sure that their use of Google Workspace is legal on August 1st at the latest.
The Danish Chromebook-case is already a bit of a Scandinavian saga. The father of a school child in Elsinore initiated the case in the summer of 2019 - more than 4,5 years ago.
The schools in Elsinore had bought Chromebook for the pupils, making them use Google Workspace. Google collects various personal information about the pupils and uses it for everything from improving security to developing their products.
The question is: Does the Public School Act authorise the schools to send that information to Google?
If not, the schools must seize to transfer the data to Google.
Now, 4,5 years later, the Danish DPA says that the data cannot be legally passed on to Google for the purpose of improving and developing their products.
No overview of data flows
In theory, figuring out if you can use Google Workspace in schools is pretty straightforward. You get an overview of the data flows and then apply the law to them.
However, the schools and municipality did not have an overview of the data flows, risks and consequences of the processing activities within Google Workspace. They had not done a DPIA, data protection impact assessment.
As a matter of fact, it took 4,5 years before the complex data flows were sufficiently described.
"We gutted the animal, and now we can see down into the entrails. Then we’ll see if there is anything that needs to be operated on or done differently,” Allan Frank from the Danish DPA says and continues:
“We now have a responsible description of the data flows in the system. We are now able to assess the risks and see which processing activities actually go on.”
Allan Frank is the employee with the Danish DPA in charge of the Chromebook-decision. II asked him why it had taken so long to get an overview of the data flows:
“I think the organisations in question - both the municipalities and the supplier - have known parts of the processes. However, it seems that not all of the processes have been present in one place. They are now,“ Allan Frank says.
The decision
With the data flows described, it is now possible for Allan Frank and the Danish DPA to assess whether the Public School Act authorises the schools to pass on the data to Google.
The assessment is “that the Public School Act does not sufficiently clearly authorise the municipalities to pass on the students' information for the maintenance and improvement of the Google Workspace for Education service, ChromeOS and the Chrome browser, or for measuring the performance and development of new functions and services in ChromeOS and the Chrome browser,” as the decision states.
You should know that in Denmark we have, generally, been restrictive in transferring data in the public sector - even between entities within the public sector it is often not possible to pass on information.
“There are things that are necessary for the delivery of IT as such. And, the closer the association, the more likely it is that the DPA finds that the transfer is in accordance with the law,” Allan Frank says and continues. “As an example, we do not get a lot of IT without an IP address. The further away the association is, the more difficult it is to find authority.”
Now, Elsinore and another 52 municipalities using Google Workspace have until August 1st to correct the solution.
Asked about why it has taken so long, Allan Frank says: “I think we need to respect that they are actually trying to solve the problem on behalf of 53 different data controllers. I think there should be room for that. But, yes, it has taken a long time.”