Thursday, March 28

Denmark vetoes Google products in municipalities and schools for sending data to the US


The Danish data protection authority has prohibited the use of Google products (Google Workspace and Chromebook computers) in schools and municipalities because they transfer personal data to the US. The agency points out that these transfers are incompatible with the European General Data Protection Regulation (GDPR).


The treaty regulating such transfers of personal information to the US was struck down by the EU Court of Justice in 2020, but US digital multinationals have continued to carry them out under a mechanism called Standard Contractual Clauses. In their view, these annexes to the contracts signed with their European clients give legal support to the transfers. However, data protection authorities are investigating them and several have ruled that they do not comply with the law.

Austria, France and Italy have blocked the use of another Google tool, Google Analytics, due to these transfers to the US, while Ireland is preparing to ban international data transfers from Meta, the parent company of Facebook, Instagram and WhatsApp. The social media corporation has warned that the transfer ban could lead to the withdrawal of Facebook and Instagram from Europe.

In a further decision along these lines, the Danish authority (Datatilsynet) now bans Google products in schools and town halls. The resolution concerns the specific case of the Helsingør city council, which is ordered to stop using Google Workspace and its Chromebook computers before August 3. However, it is applicable to all municipalities in the country that are in a similar situation.

“Datatilsynet draws attention to the fact that many of the conclusions of this decision are probably applicable to other municipalities that use the same data processing design. Therefore, Datatilsynet expects these municipalities to take appropriate action themselves in light of the decision, although Datatilsynet is currently finalizing a number of cases relating to other municipalities,” reads the resolution.

Chromebooks are personal computers that run a Google operating system and are widely used in schools around the world. Google Workspace is a suite that offers several of the multinational's services, such as email, cloud storage or office tools, under a domain bearing the client's name. It is also widely used both in schools and by organizations of all kinds.

In a statement sent to this outlet, Google affirms that its tools are safe. “We know that students and schools expect the technology they use to be compliant, responsible and secure. That’s why, for years, Google has invested in privacy best practices and diligent risk assessments, and has made our documentation widely available so anyone can see how we help organizations comply with GDPR,” said a spokesman.

“Schools own their own data. We only process your data in accordance with our contracts with them. At Workspace for Education, student data is never used for advertising or other commercial purposes. Independent organizations have audited our services, and we keep our practices under constant review to maintain the highest possible security and compliance standards.”

The European digital sector, in suspense

The accumulation of decisions against the use of digital tools from US multinationals has put the European digital sector, highly dependent on these tools, on the edge of the precipice.

The origin of this whole situation is the power that US law grants to the National Security Agency (NSA) or the FBI to search the databases of US multinationals without a principle of proportionality. That was the main argument of the CJEU to invalidate in 2020 the bilateral agreement between Washington and Brussels that until then had regulated data transfers. The protocol, known as the “Privacy Shield”, did not adequately protect Europeans from indiscriminate surveillance by US agencies, the judges ruled.

The complainant in that case was the Austrian Max Schrems, president of the NGO Noyb. The young man took Facebook to court for not preventing US intelligence services from accessing European data. The CJEU agreed with him in a ruling known as Schrems II, since five years earlier there had been a Schrems I: in 2015 the activist had already managed to get the CJEU to annul the data transfer agreement prior to the “Privacy Shield”, known as “Safe Harbour”.

However, after the Schrems II ruling, the US multinationals decided to continue making the transfers based on the Standard Contractual Clauses. Noyb sent 101 complaints to European regulators against companies using their tools.

“Instead of adapting their services to comply with European standards, US companies have simply tried to add some addendum to their privacy policies and ignore the CJEU. Many companies in the EU have followed that example instead of implementing legal options,” Schrems denounced.

Washington and Brussels have reached an agreement to draft a new treaty that provides a legal basis for sending personal data to the US, but this is not expected to arrive before the end of 2022. Meanwhile, decisions invalidating the use of US multinationals' services in Europe continue to follow one another. One of the next could come in Spain, since, as this outlet reported, the Spanish Agency for Data Protection is investigating whether Google Analytics complies with the GDPR.



www.eldiario.es