Denmark: 6 months in jail for using Google’s services

On 14th July, six months after we published a post about how Google Analytics was made illegal in the EU, we woke up to our privacy officer, Rie, telling the world that Google products are banned from processing personal data of any kind.

This ban is no joke, as there is potential jail time for lack of compliance.

In 2019, a parent in Helsingør Municipality complained to the municipality that his child - without his knowledge - had set up an account for YouTube, whereby the child's name could be published on YouTube. This was done using a Chromebook issued by the school.

Not a surprise

Honestly, is anyone actually surprised? We’ve read through the decision and the justifications for the DPA’s decision (“Hey, stop using Google services. Seriously, or you’re going to jail”) can be summarised as follows:

1. The municipality is responsible for ensuring that personal data is processed legally, fairly and in a transparent manner. And we all know how great Google is for being fair & transparent with how they process data…
2. Google Chromebooks are used to provide other Google products and these other products are used for information collection, targeted marketing and sales of this information. Is this really a surprise at this point? Google is an advertising company.
3. The DPA considers Google to be a data controller, and there is no legal mechanism for the municipality to be passing on personal data for Google to control.
4. Despite what they say, Google could still be violating their contractual obligations and using personal data for marketing or other unintentional purposes, and the municipality has not given instructions via data processing agreement. This is a completely reasonable stance to take by anybody. Heck, just search for “Google tracking children lawsuit” on a search engine and you’ll be flooded with results (even if you use Google itself to search for it!)
5. The municipality may process special category data using Google’s services.
6. Data is transferred to the United States. The DPA brought up Schrems II, which invalidated the EU-US privacy shield meaning there’s no legal mechanism to transfer EU personal data to the US without supplementary measures (as per the EDPB recommendations). You can read more about that here.

Now what?

The Danish DPA has found that using Google’s services does not meet the requirements of the GDPR. Now what? Well, they’ve asserted that Helsingør Municipality must stop sending personal data to the United States immediately (hey, this feels like deja vu). Google workspaces has been banned. The decision impacts other municipalities, and the DPA expects those municipalities to have to comply with their decision as well.

Any transfer of personal data to the United States that Helsingør Municipality has instructed Google Cloud EMEA Limited to carry out as a data processor for the municipality is suspended until Helsingør Municipality can demonstrate that the rules in Chapter V of the Data Protection Regulation have been complied with. For those of you who have read our article on how Google Analytics is illegal, you’ll know that this just isn’t realistic, so the municipalities should just stop using Google products all together.

What happens if the ban is violated?

Violation of a ban issued by the Danish Data Protection Agency is punishable pursuant to the Data Protection Act, section 41, subsection. 2, no. 4, with a fine or imprisonment for up to 6 months, cf. section 41, subsection 1.

Stop using Google’s services in schools

When I was in school, we had e-learning systems. The software used was Moodle, and it was hosted in the UK. Why are governments & schools gravitating towards using services provided by advertising companies like Google? It doesn’t make any sense. And seems to put the needs of corporate greed above the needs of the children they are teaching.

Regardless of what we think of the GDPR and the EU, we should be actively involved in holding schools accountable for what they expose our children to. It doesn’t matter if your in the US or the EU, why should an advertising company (with a disturbing history of privacy violations) have any insight into what our children are doing?

Privacy can’t be a “nice to have”, it needs to be a basic human right, especially when it relates to a group (children in this case) who don’t have a choice in what tools they use when they are getting an education in public schools.

Decision (in Danish):

https://www.datatilsynet.dk/afgoerelser/afgoerelser/2022/jul/datatilsynet-nedlaegger-behandlingsforbud-i-chromebook-sag-