The Danish data protection authority has issued an injunction regarding student data being funneled to Google through the use of Chromebooks and Google Workspace services in the country's schools.
The matter was brought to the agency's attention roughly four years ago by a concerned parent and activist, Jesper Graugaard, who protested how student data is sent to Google without any consideration about the potential for misuse or the impact it could have on those persons in the future.
The agency has now decided that the current methods of transferring personal data to Google do not have a legal basis for all disclosed purposes.
53 municipalities across Denmark must adjust their data processing practices.
Cease the transfer of personal data to Google for specific purposes or obtain a clear legal basis for such transfers, Analyze and document how personal data is processed before using tools like Google Workspace, and.
Ensure that Google refrains from processing any data it receives for non-compliant purposes.
The agency clarified that permissible uses of student data include providing the educational services offered by Google Workspace, enhancing the security and reliability of these services, facilitating communication, and fulfilling legal obligations.
Non-permissible cases are purposes related to maintaining and improving Google Workspace for Education, ChromeOS, and the Chrome browser, including measuring performance or developing new features and services for these platforms.
The authority's decision doesn't directly translate to a ban on Chromebooks, which are widely used in Danish schools, but it imposes significant restrictions on how personal data can be shared with Google.
Given that restricting sensitive data processing on Google's end will be hard, if not impossible, for municipalities to assure, there may be no practical way to adhere to the new policies without blocking the use of Google Chromebooks and/or Google Workspace.
Municipalities have until March 1, 2024, to declare precisely how they intend to comply with Datatilsynet's order and until August 1, 2024, to fully align their data processing practices with the new requirements.
Although people in Denmark and elsewhere welcomed the agency's announcement, many noted the unnecessarily long time it took the authority to reach a decision, which was 4.5 years.
Observers have pointed out that the poor practices identified in the agency's report have persisted for at least a decade and should warrant fines or other corrective measures for those responsible.
Check if you're in Google Chrome's third-party cookie phaseout test.
Google tests blocking side-loaded Android apps with risky permissions.
Google says spyware vendors behind most zero-days it discovers.
BTC-e server admin indicted for laundering ransom payments, stolen crypto.
Interpol operation Synergia takes down 1,300 servers used for cybercrime.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 07 Feb 2024 20:20:13 +0000