Understanding the Danish Chromebook-case

Written by Niels-Peter Kjølbye from Donatzky & Partnere - September 6, 2022

Introduction

On 18 August 2022, the Danish Data Protection Agency (DDPA) maintained its previous decision to ban the Municipality of Helsingør’s use of Google Chromebooks in its education activities at the elementary schools. The essence of the case is that Google, as both a hardware and software provider, is unclear in its explanation of how it uses personal information for its own purposes.

Facts

The Municipality of Helsingør (the School(s)) and Google have a data processor agreement (DPA) which regulates the software provided by Google called Workspace. All regulatory requirements are fulfilled in the DPA between the Schools and Google. The personal information about the school children which is processed in Workspace is defined as “Customer Personal Data”. The instruction, which is a core element of a DPA, is accurate and narrowed down to what is strictly necessary to deliver Workspace.

The issue is that Google, besides Customer Personal Data, also operates with a term called Service Data for its cloud services in general.

From Google’s Cloud Privacy Notice it appears that Google uses technical information such as device identifiers, identifiers from cookies or tokens, and IP addresses to improve the performance and functionality of Cloud Services.

Google further explains the following:

    “To achieve these purposes [e.g. improving Google’s services], we may use Service Data together with information we collect from other Google products and services. We may use algorithms to recognize patterns in Service Data. Manual collection and review of Service Data may also occur, such as when you interact directly with our billing or support teams. We may aggregate and anonymize Service Data to eliminate personal details, and we may use Service Data for internal reporting and analysis of applicable product and business operations.”

As the legal basis for the processing activities, Google refers to the legitimate interest rule in the GDPR (article 6(1)(f)).

Decisive factors for the ban

There are many detailed analyses and specific requirements which have been assessed by the School and the DDPA. However, the following facts are in my view the ones that have been decisive for the ban:

1. The DPA between the Schools and Google does not regulate Service Data.

2. When asked directly in the case by the DDPA, Google has not been very firm or persuasive when explaining its own purposes and the reach of the processing of Service Data.

3. The history and knowledge of Google’s commercial strategy as a data-driven profit machine.

4. The lack of knowledge of how Google administers settings and data collection between being a hardware provider and a software provider at the same time.

5. School children are to a high degree below the age of 13, which is the age threshold for children in Denmark (in a GDPR perspective).

6. Children merit specific protection with regard to their personal data (GDPR preamble, para. 38).

7. The School’s risk assessment and DPIA do not include a deeper assessment of Google’s possibility to learn about the school children’s behavior. On the contrary, the risk assessment is trust-based on this subject, meaning that the School relies fully on the contractual measures made. As stated above, such contractual measures only cover Customer Personal Data and not Service Data.

8. It is not part of the public school system in Denmark to enable private undertakings such as Google to build their business and operations based on the behavior of the children in elementary schools.

My reflections

The case holds many different aspects and an endless level of detail the closer you look. However, the bottom line is quite straightforward:

  • The DDPA finally got the chance to put (indirect) pressure on Google. It is a high-profile public case due to the aspect of children’s data and since public schools have purchased Google equipment with taxpayers’ money.
  • This is just the right case for the DDPA to take something out of the hands of the Irish data protection agency, which would usually be the one-stop-shop authority for Google’s European headquarters. This one-stop-shop principle has frustrated the effective enforcement of the GDPR for 4 years.

For all private companies, it would be wise to investigate the privacy notices belonging to any cloud services used. If all collected facts go into a risk assessment, it is easier to defend the choices made. The DDPA does not like post-rationalizations.