The Danish Data Protection Authority has banned the use of Google products (Google Workspace and Chromebook computers) in schools and municipalities due to their sending of personal data to the United States. The agency recalls that these shipments are incompatible with the general European regulation on data protection (RGPD).
Data protection checks whether Google Analytics complies with EU rules
The treaty regulating these transfers of personal information to the US was struck down by the EU Court of Justice in 2020, but US digital multinationals have continued to make them under a mechanism called standard contractual clauses. . According to him, these annexes in the contracts signed with their European customers give legal support to shipments. However, data protection authorities are investigating them and several have found them not to be in compliance with the law.
Austria, France and Italy have blocked the use of another Google tool, Google Analyticsdue to these shipments to the United States, while Ireland prepares to veto international data transfers from Meta, matrix of Facebook, Instagram and WhatsApp. The social media company warned that the shipping ban could cause Facebook and Instagram to be pulled from Europe.
In another decision along these lines, the Danish authority (Datatilsynet) now bans Google products in schools and town halls. The resolution was drafted regarding the specific case of Helsingør City Council, which was ordered to stop using Google Workspace and its Chromebook computers by August 3. However, it is applicable to all the municipalities of the country which are in a similar case.
“Datatilsynet draws attention to the fact that many of the conclusions of this decision are probably applicable to other municipalities that use the same data processing design. Therefore, Datatilsynet expects these municipalities to take appropriate action themselves in light of the ruling, although Datatilsynet is currently finalizing a number of cases involving other municipalities.” pray the resolution.
Chromebooks are personal computers that run a Google operating system, widely used in schools around the world. Google Workspace is a service that provides various services of the multinational, such as e-mail, cloud storage or office tools, in a domain bearing the name of the client. It is also widely used both in schools and by organizations of all kinds.
In a statement sent to this media, Google says its tools are safe. “We know that students and schools expect the technology they use to be compliant, accountable and secure. That’s why, for years, Google has invested in privacy best practices and diligent risk assessments, and made our documentation widely available so everyone can see how we’re helping organizations comply. GDPR.” spokesperson.
“Schools have their own data. We only process your data in accordance with our contracts with them. At Workspace for Education, student data is never used for advertising or other commercial purposes. Independent organizations have audited our services and we constantly monitor our practices to maintain the highest possible security and compliance standards.
European digital, on hold
The accumulation of decisions against the use of digital tools by American multinationals has put the European digital sector, which is very dependent on these tools, on the edge of a precipice.
The origin of this whole situation is the ability that American law grants to the National Security Agency (NSA) or to the FBI to investigate the databases of its multinationals without the principle of proportionality. This was the main argument of the CJEU to invalidate in 2020 the bilateral agreement between Washington and Brussels which until then regulated data transfers. The protocol, known as the “Privacy Shield”, did not sufficiently protect Europeans from indiscriminate surveillance by US agencies, the magistrates ruled.
The plaintiff in this case was the Austrian Max Schrems, president of the NGO Noyb. The young man took Facebook to court for not having prevented American intelligence services from accessing European data. The CJEU agreed with him in a judgment known as Schrem IIsince five years earlier there was a Schrems I: In 2015, the activist had already succeeded in having the CJEU cancel the data transfer agreement prior to the “Privacy Shield”, known as “Safe Harbour”.
However, after the Schrems II ruling, US multinationals decided to continue making transfers based on standard contractual clauses. Noyb has sent 101 complaints to European regulators against companies using its tools.
“Instead of adapting their services to comply with European standards, US companies have simply tried to add an addendum to their privacy policies and ignore the CJEU. Many EU companies have followed this lead in instead of implementing legal options,” Schrems said.
Washington and Brussels have reached an agreement to draft a new treaty to provide a legal basis for sending personal data to the United States, but that’s not expected to happen until late 2022. Meanwhile, decisions to invalidate the use of U.S. multinational services in Europe continue to be taken. One of the following cases could occur in Spain, because as this support progressed, the Spanish Data Protection Agency is investigating Google Analytics’ compliance with the GDPR.