A case about the use of Google Chromebook and Workspace in public schools has become a saga in Denmark.
It started with a complaint from a parent about a primary school handing out Google Chromebooks to students. Since then, we’ve seen several decisions from the Danish Data Protection Agency, making this case into a hot potato.
The case should remind everyone how important it is to:
- understand the specific processing activities and purposes
- verify the legal basis for disclosing personal data
- conduct risk assessments and data protection impact assessments
- take extra care when processing children’s personal data.
So, feel free to read on if you want to know what’s up and down in the case – and what I see as the three highlights of the case.
A long story short
We have seen a total of five decisions from the Danish DPA. Let’s go through them from one end to the other:
The initial decision
In September 2021, the DPA concluded that the Danish municipality Helsingør Municipality had not assessed the risks that the use of Google Chromebooks in schools posed to the data subjects (primary school students).
The Danish DPA issued an injunction requiring the municipality to risk assess the processing in Chromebooks and Workspace. In addition, they prohibited the municipality from using them until the risks to the data subjects had been minimized.
The second decision
In July 2022, the Danish DPA banned the processing of personal data with Google Chromebooks and Workspace. Both because the risks to the data subjects had not been adequately assessed and because these risks were too high.
The prohibition would be maintained until sufficient documentation was provided that Helsingør Municipality had brought the processing in accordance with the rules.
In addition, the Danish DPA suspended all related transfers of personal data to the US until Helsingør Municipality complied with the GDPR rules on third country transfers.
The third and fourth decision
In August 2022, the Danish DPA published its third decision. After the municipality had submitted their data protection impact assessment regarding the use of Chromebooks and Workspace, the DPA upheld the ban and concluded that the received material did not meet the GDPR requirements for a data protection impact assessment.
However, in the fourth decision from September 2022, the DPA temporarily lifted the ban. They accepted the use of Chromebooks and Workspace while the DPA awaited changes and clarification of the data processing agreement and the technical aspects of the commercial agreements between the municipality and Google.
The latest decision
In the latest decision of January 30, 2024, the Danish DPA assessed whether Helsingør Municipality had the correct and necessary legal basis for sharing students’ personal data with Google, as the data processing agreement and the commercial agreements prescribed.
The Danish DPA’s focus was on the personal data that the municipality disclosed to Google, where Google was the data controller and thus did not act under the municipality’s instructions. Google used this information to improve its products and services.
The municipality used the legal basis in GDPR Article 6(1)(e), which requires that the processing is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”
This legal basis for processing requires that there is another legal basis in Danish law that – so to speak – makes the processing “necessary,” cf. GDPR, Article 6(3)(b).
As the municipality’s task of running the Danish schools is laid down in the Danish School Act, the Danish DPA believed that the legal basis had to be found in the Danish School Act if the use of the legal basis for processing was to be lawful.
The Danish DPA concluded that there was insufficient legal basis in the Danish School Act to use the stated legal basis for processing. Therefore, the authority ordered the municipality to legalize the processing of personal data or stop processing them in Google Chromebooks.
The DPA imposed a deadline of August 24, 2024, for the municipality to comply with the injunction.
From my point of view: 3 highlights in the Chromebook case
#1: Understand the importance of the framework agreement and system identification
- It’s almost too trivial to emphasize that you should read and understand your agreements. But you should. The Chromebook case emphasizes that the devil is in the details – not only in the directly applicable agreements but also in the surrounding agreements, which in this case regulate services that are not part of the data processing agreement and the purchase.
- The case also highlights the need to specifically identify how the system works and what type of data flow is involved. This understanding is key to identifying how personal data is processed and where there might be potential gaps.
#2: Ensure the right legal basis for the disclosure and later use of personal data
- The case shows how important it is to examine the purposes of any disclosure and that there is a legal basis for all these purposes. This requires a thorough analysis of the existing legislation and applicable rules.
- If you cannot ensure a legal basis, you can try to use the solution in another way that does not process personal data or ultimately, you may end up not needing to use the specific service.
#3: Customize configuration and specific use - and don't rely on negotiation - when using standard products
- While the GDPR does not prohibit the use of off-the-shelf products that may have challenging and non-negotiable contractual bases, the case shows that the use of off-the-shelf products is not an excuse for not complying with the GDPR or having clear contractual terms.
- In another recent decision, the Danish DPA addressed the Region of Southern Denmark’s use of a cloud-based Microsoft 365 solution. It shows that the issues from the Chromebook case are also present when implementing other IT systems.
- In the statement, the Danish DPA put forward a number of specific questions that the Region of Southern Denmark should clarify in connection with the migration to the cloud-based solution. Among other things, the Danish Data Protection Agency asked the following questions:
- 1) “What will be the legal basis for the region’s processing of the personal data in question?” In other words, they asked: Where is your dual legal basis?
- 2) “What specific purposes will Microsoft process data for as part of keeping “products up to date and performing and improving user productivity, reliability, efficiency, effectiveness, quality and security” and in what role?” In other words, they asked: Does Microsoft use the information to improve services to which the Region does not subscribe?
- 3) “How are the above-mentioned aggregated statistics generated in concrete terms, in particular, whether aggregation or anonymization takes place before data is disclosed to Microsoft?” In other words, they asked: Is the information personal data at all when Microsoft uses it for their own purposes?
- The questions can be used as guidelines for other public organizations and private companies implementing similar systems.
What can we learn from the Chromebook case?
The Chromebook case is an important lesson for public authorities looking to implement new IT systems that process personal data about citizens.
When we read the Chromebook case from a broader perspective and remove the Public School Act from the equation, the case provides just as much learning for private companies.
For me, the following big questions remain:
- How does the Chromebook case affect private companies?
- What are the limits of legitimate interest as a legal basis?
- Last but not least: How can both private companies and public organizations avoid falling into the Chromebook trap?
I answered these questions at a webinar on April 10, 2024. The webinar was in Danish, so for you as a non-Danish reader, I’ll share the answers and key takeaways from my webinar with you here:
Takeaway #1: 4 tips to avoid falling into the Chromebook trap
You can avoid falling into the Chromebook trap if you follow these 4 guidelines:
- You need to understand the commercial agreement and the data flows. It’s simply common sense to understand the agreement, meaning that you know to whom you disclose personal data and for what purposes.
- Risk assess your processing carefully and make an impact assessment if necessary. We see a lot of companies skipping this part because they think it takes a lot of time. That’s not necessarily true. You can easily speed up the process. The most important thing is that you do the best you can.
- Make sure to establish and document the legal basis.
- Consider all configuration options. You can often avoid ‘bumps in the road’ if you configure the system and its data processing carefully.
Takeaway #2: Legal versus political perspective
In a poll, I asked if the audience believed that disclosure of personal data for product improvement can be supported by legitimate interest.
58% said no.
In the next poll, I asked if the audience, from a political point of view, believed it to be wrong if you can’t use IT systems where personal data is collected for product improvement.
66% said yes.
We find it highly interesting that the audience’s opinions were different depending on whether they looked at the case from a legal or political perspective. It also emphasizes why this is a complex case where GDPR may restrict the use of widely used services where it makes good commercial sense to use them.
Takeaway #3: The million-dollar question...
Finally, a person from the audience asked Martin the million-dollar question:
“Can you argue that private companies have a legal basis in Article 6(1)(f) to use Google?”
My answer was:
“Yes, it can be possible if you can prove that you have a legitimate interest.”
However, you should make sure to document your legal basis. This can be done in a Legitimate Interest Assessment (LIA). In ComplyCloud, our in-house lawyers are working on a document like this to offer to our customers soon.