GDPR is responsible for ensuring that personal data is processed legally, fairly and in a transparent manner. We all know how great Google is for being fair & transparent with how they process data…
At the end of the day, Google is an advertising company at its core. All its products from Google Chromebooks to their phones and other Google products collect information for targeted marketing and sales.
The DPA states that Google is a data controller, and there is no legal mechanism for the municipality to be passing on personal data for Google to control.
Despite what they say, Google could still be violating their contractual obligations and using personal data for marketing purposes, and they have not given instructions via a data processing agreement.
The Danish DPA has found that using Google’s services does not meet the requirements of the GDPR. Now what? Well, they’ve asserted that Helsingør Municipality must stop sending personal data to the United States immediately (hey, this feels like deja vu). Google workspaces have been banned. The decision impacts other municipalities, and the DPA expects those municipalities to have to comply with their decision as well.
Any transfer of personal data to the United States that Helsingør Municipality has instructed Google Cloud EMEA Limited to carry out as a data processor for the municipality is suspended until Helsingør Municipality can show that the rules in Chapter V of the Data Protection Regulation have been complied with.
If the ban is violated it is punishable under the Data Protection Act, section 41, subsection. 2, no. 4, and you will likely receive a fine or be sentenced to up to 6 months in prison, under cf. section 41, subsection 1.
Many governments & schools are using Google-based products as learning aids for children where advertising and personal data will be required. Some have said that this is very wrong and appears to state that corporate gain is more important than the needs of the children that they are teaching.
Regardless of what we think of GDPR, schools should be held accountable and be made to be careful in what they expose the children under their care to, as using Google-based products gives Google the power and insight into what our children are doing.
Privacy needs to be seen as a human right, not just something that would be “nice to have”, especially when it relates to children and the schools where we send our children to learn.