Denmark's data protection agency has issued a ban on the use of Google Workplace in schools, marking the fourth European country to prohibit Google services this year.

The Danish Data Protection Authority, Datatilsynet, released a verdict on 14 July, declaring a "ban on processing personal data using Google Chromebooks and Workspace for Education" in Helsingør Municipality.

The ban applies to educational institutions within the municipality, and prohibits use of services such as Gmail, Google Docs and Google Drive.

While this ban only applies to Helsingør Municipality for now, the verdict also stated "many of the conclusions in this decision will probably apply to other municipalities that use the same processing structure".

In explaining the reasoning behind its prohibitive verdict, Datatilsynet cited the tech giant's enormous data collection practices, as well as Google's habit of transferring the personal data of Danish citizens abroad to US servers (thus violating European Union (EU) and Danish legislation).

The roots of this ban can be traced back to December 2019, when a citizen issued a complaint regarding Helsingor Municipality's handling of his child's personal data - namely, their child had created a YouTube account without his knowledge.

Their complaint centered around the concern that their child's name could be published online via the Youtube account, and in 2020, Helsingor Municipality was consequently ordered to carry out a risk assessment regarding its processing of personal data.

Datatilsynet then reviewed the municipalities' risk assessment, reaching a verdict in 2021 which led to the now unfolding ban of Chromebooks and Google Workspace.

Datatilsynet further expressed "serious criticism" towards Helsingor Municipality, citing multiple violations of data protection regulation, and concluded Helsingor Municipality must "contact the parents of the registered children with a view to carrying out the corrections, anonymisation or deletion of the registered personal data."

GDPR Crackdown

Since the EU's General Data Protection Regulation (GDPR) commenced in 2018, countless companies have faced increased regulatory pressure in regards to how they handle data.

This year has been especially tumultuous for Google, having seen France, Austria, Italy and now Denmark issuing bans on multiple Google services.

The EU has been particularly scrutinous of GDPR violations from Google Analytics, which performs mass collection of data, including unobscured IP addresses, and transmits said data via cookies to the United States.

Since GDPR requires a certain level of anonymisation over personal data – and US law grants the government the ability to requisition data from private companies in specific circumstances – many companies which collect and transmit data to the US, including Google, wind up in direct conflict with GDPR requirements.

Previously, data sharing from Europe to the US was allowed and protected under the now defunct EU-US Privacy Shield agreement.

New negotiations are currently underway to establish a similar agreement, but for the time being, large companies such as Google and even Meta are indiscriminately subject to major bans.

Google's next steps

Denmark is often lauded as the most cyber safe country, and its ruling over Google's data practices carries significant weight.

Given the growing enforcement of GDPR against US tech giants in the EU, Google and other vendors are under increased pressure to reevaluate their approach to handling data.

A few months back, Google announced it would be rolling out new “sovereign controls” for Workspace users in Europe, allowing them to “control, limit, and monitor transfers of data to and from the EU.”

These changes may be enough to address the requirements of Datatilsynet's verdict, however, they do not roll out until the end of 2022.

Denmark's ban of Google Workspace services is effective immediately, and the municipality has until 3 August to delete specified data.