In a statement published in mid-July, the Danish data protection agency expresses "serious criticism and bans ... the use of Google Workspace".
Based on a risk assessment for the Helsingør Municipality, the data protection authority concluded that the processing of pupils' personal data does not meet the requirements of the GDPR and must, therefore, stop.
The ban is effective immediately. Helsingør has until August 3 to delete pupils' data and start using an alternative cloud solution.
"Helsingør Municipality has done a great and skilled job to map how personal data is used in the primary school, but it also highlights the data protection legal problems that can be with the big tech companies' ways of solving the task," says Allan Frank, who is an IT security specialist and lawyer at the Danish Data Protection Authority.
This decision follows similar decisions by Dutch and German authorities.
The issues that governmental institutions now face started with the invalidation of Privacy Shield back in 2020.
Privacy Shield was a data transfer agreement between the USA and the European Union and was supposed to make data transfers between the two legally possible. However, the agreement was declared invalid by the European Court of Justice (ECJ) in 2020 due to privacy concerns.
One major problem that the EU court pointed out is that data of foreigners is not protected in the USA. The protections that are there - even if limited - only apply to US citizens. The NSA can get full access to any and all data of non-US citizens from US companies at any time. In addition, non-US data subjects have no actionable rights before the courts against the US authorities, which violates the "essence" of certain EU fundamental rights, the ECJ found.
In the aftermath of Privacy Shield being invalidated, American cloud services shifted to relying on data processing agreements with their European customers.
However, this practice is highly questioned among data privacy experts, particularly with regard to its legality.
The statement now issued by Denmark's data protection authority proves this once again. It complains - among other issues - that
"the data processing agreement states that information can be transferred to third countries in support situations without the required level of security."
The decision summarizes four main issues:
Suspension of Helsingør Municipality carrying out processing of information where this information is transferred to third countries without the necessary level of protection.
A general ban on processing with Google Workspace until adequate documentation and impact analysis has been made and until the processing is brought into compliance with the GDPR.
Serious criticism of the municipality's processing of personal data.
Many of the conclusions in this decision will probably apply to other municipalities that use the same processing structure. These municipalities are expected to take relevant steps themselves based on the decision.
This latest decision comes after data privacy watchdogs in France and Austria ruled that it is illegal for European websites to use Google Analytics to track visitors because of a violation of European data privacy rules.
Here, too, the issue is that personal data is transferred to the United States for processing without consent from the website visitors.
Based on the statements by the Danish, Dutch and German privacy watchdogs, schools in Denmark, in the Netherlands and in Germany may not use Google's email or cloud services.
While the statements by the Danish, Dutch and German privacy watchdogs are mostly about pressuring American tech companies to finally adhere to strict European privacy regulations, it would be much preferable to have a true alternative to Microsoft, Google and Apple. That's what Tutanota is building right now. Having started with secure email, Tutanota today also offers an encrypted address book, an encrypted calendar, and the encrypted contact form Secure Connect. Many more features such as an encrypted Drive are planned, and we estimate that in a few more years, we can offer an encrypted Groupware with maximum respect for user privacy.
European schools can now either wait until Big Tech fixes its privacy issues or start looking for European alternatives. The latter will have a great positive impact on Europe and European people as a whole:
European tech business is strengthened and can establish an alternative to Big Tech.
Data of European citizens is being protected according to the GDPR.
Data is stored in Europe and no data transfer is happening.
Tutanota, for example, ticks all the boxes a European school would want to protect the sensitive data of pupils, teachers, and parents. Many schools, particularly in Germany, are already using Tutanota.
"In a very sensitive business environment, we have chosen Tutanota among various encryption programs. Tutanota impresses with its extremely simple application. Even non-technical colleagues can encrypt sensitive attachments and texts in accordance with data protection regulations. The simple administration, immediately accessible & always friendly experts and fair pricing also stand out," says Dietmar Kopp, Maria-Montessori-School.
On top of complying with strict data protection regulations, in Tutanota all data is stored encrypted on German servers. Thus, Tutanota is in full compliance with the GDPR.