On 18 August 2022, the Danish Data Protection Agency (DDPA) maintained its previous decision to ban the Municipality of Helsingør’s use of Google Chromebooks in its education activities at the elementary schools. The essence of the case is that Google, as both a hardware and software provider, is unclear in its explanation of how it uses personal information for its own purposes.
The Municipality of Helsingør (the School(s)) and Google have a data processor agreement (DPA), which regulates the software provided by Google called Workspace. All regulatory requirements are fulfilled in the DPA between the Schools and Google. The personal information about the school children which is processed in Workspace is defined as “Customer Personal Data”. The instruction, which is a core element of a DPA, is accurate and narrowed down to what is strictly necessary to deliver Workspace.
The issue is that, besides Customer Personal Data, Google also operates with a term called Service Data for its cloud services in general.
From Google’s Cloud Privacy Notice it appears that Google uses technical information such as device identifiers, identifiers from cookies or tokens, and IP addresses to improve the performance and functionality of Cloud Services.
Google further explains the following:
As the legal basis for the processing activities, Google refers to the legitimate interest rule in the GDPR (Article 6(1)(f)).
There are many detailed analyses and specific requirements which have been assessed by the School and the DDPA. However, the following facts are in my view the ones that have been decisive for the ban:
1. The DPA between the Schools and Google does not regulate Service Data.
2. When asked directly in the case by the DDPA, Google has not been very firm or persuasive when explaining its own purposes and the reach of the processing of Service Data.
3. The history and knowledge of Google’s commercial strategy as a data-driven profit machine.
4. The lack of knowledge of how Google administers settings and data collection between being a hardware provider and a software provider at the same time.
5. School children are to a high degree below the age of 13, which is the age threshold for children in Denmark (in a GDPR perspective).
6. Children merit specific protection with regard to their personal data (GDPR preamble, para. 38).
7. The School’s risk assessment and DPIA do not include a deeper assessment of Google’s possibility to learn about the school children’s behavior. On the contrary, the risk assessment is trust-based on this subject, meaning that the School relies fully on the contractual measures made. As stated above, such contractual measures only cover Customer Personal Data and not Service Data.
8. It is not part of the public school system in Denmark to enable private undertakings such as Google to build their business and operations based on the behavior of the children in elementary schools.
The case holds many different aspects and an endless level of detail the closer you look. However, the bottom line is quite straightforward:
For all private companies, it would be wise to investigate the privacy notices belonging to any cloud services they use. If all collected facts go into a risk assessment, it is easier to defend the choices made. The DDPA does not like post-rationalizations.