February 7, 2024 at 03:18PM
Danish data protection authority orders 53 municipalities to stop sending student data to Google without a legal basis. They must document data processing, ensure Google complies with regulations, and limit data use to authorized purposes. The authority allows use of Google Workspace for educational services but restricts other purposes. Municipalities have until 2024 to comply.
Key Takeaways from the meeting notes:
1. The Danish data protection authority (Datatilsynet) has issued an injunction regarding the transfer of student data to Google through the use of Chromebooks and Google Workspace services in the country’s schools.
2. The matter was originally raised by a concerned parent and activist, Jesper Graugaard, approximately four years ago, leading to the agency’s decision.
3. 53 municipalities across Denmark are required to adjust their data processing practices, with specific directives including ceasing the transfer of personal data to Google for certain purposes or obtaining a clear legal basis for such transfers.
4. The agency has outlined permissible and non-permissible uses of student data, as well as the requirement for municipalities to analyze and document how personal data is processed before using tools like Google Workspace.
5. The authority’s decision does not directly translate to a ban on Chromebooks, but it imposes significant restrictions on how personal data can be shared with Google.
6. Municipalities have a deadline until March 1, 2024, to declare how they intend to comply with the order, and until August 1, 2024, to fully align their data processing practices with the new requirements.
7. The time it took for the authority to reach a decision (4.5 years) and the persistence of poor practices for at least a decade have raised concerns among observers, who believe there should be fines or other corrective measures for those responsible.
Overall, the meeting notes highlight the Datatilsynet’s decision to control the transfer of student data to Google, along with the directives for municipalities to adjust their data processing practices. It also underscores the need for timely enforcement and accountability for poor data protection practices.