Can Chromebooks (or anything else) be used in schools for teaching?

On January 30, 2024, the Danish supervisory authority, Datatilsynet, issued a decision ordering 53 municipalities to bring their personal data processing related to Chromebooks into compliance with the obligations of the GDPR. Municipalities must comply with the order from 1 August 2024, and they must inform the supervisory authority by 1 March 2024 how they intend to comply with the decision.

Already in 2022, Datatilsynet notified the municipality of Helsingør of the ban on processing personal data related to Google Chromebooks and Workspace for Education. Now the investigation of the matter has progressed and the latest decision affects 53 municipalities in Denmark. It is about whether personal data can be handed over for Google's own use in connection with basic education, or whether Google itself could offer similar services without processing personal data for its own commercial purposes.

In its decision, Datatilsynet accepts that as part of the selection of teaching and learning resources for municipal primary schools, it is necessary to process and transmit personal data to Google as part of the use of Google Chromebooks and Workspace for Education (i) to provide the services in question and (ii) to ensure safety and reliability. Danish national legislation related to basic education contains regulations on the processing of personal data to provide services, to improve the security and reliability of services, and to communicate with municipalities.

However, Datatilsynet considers that this legislation does not oblige municipalities to hand over personal data to Google for its own purposes, such as improving its services, measuring them, developing new features or developing its services.

Because of this, Datatilsynet considers that it is justified to issue an order to municipalities to bring their personal data processing activities into compliance with GDPR obligations. In this regard, Datatilsynet provides three possible solutions:

1. Municipalities will no longer disclose personal data to Google for these purposes. This would likely require Google to develop a technical feature to block these data flows.

2. Google itself refrains from processing personal data for these purposes.

3. The Danish Parliament shall enact a sufficiently clear legal basis for the above-mentioned purposes in the national legislation.

It's not just Google

Although the case concerns the processing of personal data related to Google Chromebooks, certain conclusions can be drawn from it regarding other cloud services as well. However, it is still worth remembering that the decision is not legally binding and an appeal regarding the decision is expected.

Today, hundreds of different applications are used in schools, and it is not uncommon for many service providers to reserve the right to process personal data for their own purposes in their contractual terms. The mere existence of a data processing agreement (DPA) is not enough, but organisations should be very careful when looking at the entirety of the agreement. The best way to start is to first determine what data is sent to the service provider and what personal data is being generated or otherwise collected during the use of the service. After that, one must verify all of this personal data is covered by the data processing agreement, or whether the agreement only covers part of the data.

If the service provider processes personal data for its own purposes, there must also be a lawful basis for this processing. Although in this case it is about the organization of basic education in itself, there is no such national obligation that would clearly require, for example, the disclosure of personal data to Google for its own purposes. Asking the students' guardians for consent would probably not fix the problem either. This decision illustrates well that all services, without technical changes, are not suitable for all types of use, especially when it comes to students.

What next?

It is very likely that there will be an appeal. From the point of view of the municipalities, it is about the acquisition of tens of thousands of devices, and they certainly want to use these paid devices in the future. On the other hand, it is also about how the skills needed in working life today for different devices and software can be taught. Can the solutions of all commercial operators be accepted as they are, or can technical changes be required to minimize the processing of students' personal data to only what is really necessary to implement the curriculum?

Also in Finland, the Office of the Data Protection Ombudsman considered in its decision regarding the Google Workspace for Education that the lawful basis for processing of personal data can't be a statutory obligation to organize basic education in accordance with the Basic Education Act.

The Helsinki Administrative Court agreed with the interpretation of the Office of the Data Protection Ombudsman in its decision in summer 2023. An appeal permit has been applied for in the matter from the Supreme Administrative Court, so we will eagerly wait to see how things progress in Finland and Denmark.

Remember to conduct a data protection impact assessment

In it's decision, Datatilsynet refers to the mapping of data flows and the division of roles between the municipalities and Google. The authority justifies its decision with the requirement of Article 35 of the Data Protection Regulation that the data protection impact assessment must be done in such a way that it includes a systematic description of the planned processing activities and the purposes of the processing.

Our team helps with impact assessments. With the help of the PrivacyDesigner Software, we create precise data flow charts to illustrate the flow of personal data in a way that is easy to understand. Our DPIA's always contain a detailed systematic description of the scope of the assessment as required by the GDPR, the roles of the different 3rd parties and the risk assessment. The documentation we create can also be used as part of the necessary documentation required by the accountability obligation of GDPR.