Denmark's data protection watchdog, Datatilsynet, revealed that data processing involving students using Google's cloud-based Workspace software suite -- which includes Gmail, Google Docs, Calendar and Google Drive -- "does not meet the requirements" of the European Union's GDPR data privacy regulations.
The authority found that the data processor agreement -- or Google's terms and conditions -- seemingly allow for data to be transferred to other countries for the purpose of providing support, even though the data is ordinarily stored in one of Google's EU data centers.
Google's Chromebook laptops, and by extension Google Workspace, are used in schools across Denmark. But Datatilsynet focused on Helsingor for the risk assessment after the municipality reported a "breach of personal data security" in 2020.
While this latest ruling technically only applies to schools in Helsingor for now, Datatilsynet notes that many of the conclusions it has reached will "probably apply to other municipalities" that use Google Chromebooks and Workspace.
It added that it expects these other municipalities "to take relevant steps" off the back of the decision it reached in Helsingor. The ban is effective immediately, but Helsingor has until August 3 to delete user data.
A Google spokesperson told TechCrunch: "We know that students and schools expect the technology they use to be legally compliant, responsible, and safe. That's why for years, Google has invested in privacy best practices and diligent risk assessments and made our documentation widely available so anyone can see how we help organizations to comply with the GDPR.
Schools own their own data. We only process their data in accordance with our contracts with them. In Workspace for Education, students' data is never used for advertising or other commercial purposes. Independent organizations have audited our services, and we keep our practices under constant review to maintain the highest possible standards of safety and compliance."