Is Google Workspace illegal in Denmark?

Data protection authority drops processing ban in Chromebook case

Published on July 14, 2022 by Allan Frank. Translated by deepl.com.

In a case concerning the use of Chromebooks in the municipality of Helsingør, the Danish Data Protection Authority (DPA) severely criticises and prohibits the transfer to third countries and the use of Google Workspace.

File number: 2020-431-0061

Summary

For some time, the Data Protection Authority has focused on the use of Chromebooks and Google Workspace (formerly G Suite for Education) in municipalities. The use is widespread nationwide, but specifically, the Data Protection Authority has had a pending case in the municipality of Helsingør.

In September 2021, the Danish Data Protection Authority issued a decision ordering the municipality of Helsingør to carry out a risk assessment of the municipality's processing of personal data in primary schools using Chromebooks and Workspace. Based on the documentation and assessment of the risk to data subjects prepared by the Municipality of Helsingør, the Data Protection Authority has now found that the processing does not comply with the requirements of the GDPR on several points.

"The Municipality of Helsingør has done a great and skilful job of mapping how personal data is used in primary schools, but it also highlights the data protection issues that can arise with the ways in which large tech companies go about the task," says Allan Frank, an IT security specialist and legal officer at the Danish Data Protection Authority.

The Data Protection Agency finds that the municipality has not assessed any concrete risks in relation to the data processor design. In addition, the data processor agreement states that data may be transferred to third countries in support situations without the required level of security.

In light of the September 2021 decision, the Data Protection Authority has now issued a decision. Among other things, it contains:

• Suspension of the Municipality of Helsingør carrying out processing operations in which data is transferred to third countries without the required level of protection
• A general ban on processing with Google Workspace until adequate documentation and impact assessment has been made and until the processing operations have been brought into compliance with the Regulation
• Serious criticism of the processing of personal data by the municipality

The EDPS draws attention to the fact that many of the conclusions in this decision are likely to apply to other municipalities using the same processing design. The EDPS therefore expects these municipalities to take appropriate action themselves in the light of the decision - even if the EDPS is currently finalising a number of cases concerning other municipalities.

Decision

The Danish Data Protection Authority hereby returns to the case in which the municipality of Helsingør reported a personal data breach to the Danish Data Protection Authority on 29 January 2020. The notification has the following reference number:

ce0e5422ddfb3fefaa9f621cfa0f129127058500

On 10 September 2021, the data protection supervisor issued a decision on the personal data breach. In particular, the Data Protection Supervisor found grounds for serious criticism that the processing of personal data by the Municipality of Helsingør using Google Chromebooks had not been carried out in accordance with Article 5(2) of the Data Protection Regulation, cf. Article 5(1)(c) and (f), and Article 5(1)(a), cf. Article 6(1), as well as Articles 32(1), 33(1) and 35(1).

Furthermore, the EDPS considered that there were grounds to issue an injunction to Helsingør Kommune to bring its processing of personal data using Google Chromebooks into compliance with the GDPR. This should be done by the Municipality of Helsingør carrying out a risk assessment of the processing activity, reflecting the flows of personal data that the processing involves. The risk assessment should partly address the necessary options for configuring the product and address the questions about the scope of the homes in the Public Schools Act for the use of Chromebooks that the municipality requires of pupils. If the risk to data subjects' rights and freedoms was assessed as high, the municipality was also required to carry out an impact assessment as part of the injunction.

The injunction was issued pursuant to Article 58(2)(d) of the Data Protection Regulation.

In addition, the EDPS considered that there were grounds to issue a warning to the Municipality of Helsingør that the use of Google G-Suite add-on applications without carrying out a data protection impact assessment, as required by Article 35(1) of the Regulation, was likely to be in breach of the GDPR.

Finally, the EDPS considered that there were grounds for imposing a temporary restriction on the processing activities of the municipality of Helsingør if the risk assessments that the municipality was required to carry out showed a high risk to the rights and freedoms of data subjects and the municipality had not reduced these risks to a less than high level before the expiry of the injunction period. The restriction implies that processing of personal data presenting a high risk to the rights and freedoms of data subjects could not take place as long as the risks had not been reduced to a level below high.

Following the decision of the Data Protection Authority of 10 September 2021, the Municipality of Helsingør submitted its risk assessment regarding the use of Google Chromebooks and G-Suite for Education by letter of 10 November 2021, as well as additional documentation to demonstrate the lawfulness of the processing activity. In addition, on 9 December 2021, the municipality submitted further information on the case in response to the EDPS's request of 2 December 2021.

Toggle the rest of the statement (long)

Decision

After reviewing the risk assessment of the Municipality of Helsingør and the documentation of the Municipality in general, the Data Protection Agency considers that there are grounds to issue a prohibition order to the Municipality of Helsingør for the processing of personal data using Google Chromebooks and Workspace for Education. The prohibition applies until the Municipality of Helsingør has brought the processing activity into compliance with the GDPR, as set out in this Decision, and has produced adequate documentation to this effect.

In addition, any transfer of personal data to the United States that the Municipality of Helsingør has instructed Google Cloud EMEA Limited to carry out as a data processor for the Municipality is suspended until the Municipality of Helsingør can demonstrate compliance with Chapter V of the GDPR.

The prohibition and suspension shall take effect immediately, but the Municipality of Helsingør shall be granted a period until 3 August 2022 to withdraw and deactivate users and rights, and to delete data already transferred.

The prohibitions are issued pursuant to Article 58(2)(f) and (j) of the Data Protection Regulation.

Infringement of a prohibition issued by the Data Protection Authority shall be punishable under Article 41(2)(4) of the Data Protection Act by a fine or by imprisonment for a term not exceeding six months, cf. Article 41(1).

Finally, the Data Protection Supervisor finds grounds for serious criticism of the fact that the processing of personal data by the Municipality of Helsingør has not been carried out in accordance with Article 5(2) of the Data Protection Regulation, cf. Article 5(1)(a), Article 24, cf. Article 28(1), Article 35(1) and Article 44, cf. Article 46(1).

Executive summary

On 11 December 2019, a citizen complained to the Data Protection Authority about the processing of personal data by the Municipality of Helsingør.

By letter dated 6 January 2020, the Municipality of Helsingør confirmed that a parent had complained to the municipality in 2019 that his child had - without his knowledge - been given a YouTube account, allowing the child's name to be published on YouTube.

The Municipality of Helsingør further stated that it considered that the incident was unlikely to have led to a risk to the rights and freedoms of data subjects and therefore had not given rise to a notification of a personal data breach to the DPA, in accordance with Article 33(1) of the GDPR.

On 29 January 2020, the Municipality of Helsingør notified the incident to the DPA as a personal data breach. At the same time, a number of other municipalities made similar notifications, which is why the Data Protection Authority dealt with the cases jointly, and by letter dated 11 March 2020, the Authority asked the municipalities concerned for their opinion.

On 10 September 2021, the data protection supervisory authority took a decision on the personal data breach in question notified to the supervisory authority by the municipality of Helsingør. The decision of the Data Protection Authority of 10 September 2021 is reproduced above in section 1 and is attached in its entirety.

In response to the decision of 10 September 2021, the Municipality of Helsingør submitted its risk assessment regarding the use of Google Chromebooks and G-Suite for Education by letter dated 10 November 2021, as well as additional documentation to demonstrate the lawfulness of the processing activity. In addition, on 9 December 2021, the municipality submitted further information on the case in response to the EDPS's request of 2 December 2021.

Opinion of the municipality of Helsingør

Conduct of risk assessment, including data protection impact assessment where appropriate

On 10 November 2021, the Municipality of Helsingør submitted the Municipality's risk assessment for the use of Google Chromebooks and G-Suite for Education (Google Workspace for Education).

At the same time, the Municipality of Helsingør has informed the Data Protection Authority that the Municipality does not use Google Workspace's additional services and has therefore assessed that the Municipality is not obliged to prepare a data protection impact assessment.

Processing of personal data for other purposes

Among the risks identified by the Municipality of Helsingør in using Google Chromebooks, the risk of "use of data for unintended purposes" appears in the risk assessment. The risk is described as follows:

"There is a risk that Google or other third parties may use personal data of teachers and students for marketing or other purposes for which the Municipality of Helsingør, as data controller, does not want personal data to be processed. In particular, contact information, IP address and digital tracks (general information) are relevant in this context. It should be noted that personal data related to pupils are subject to special protection under data protection rules and therefore the access to and processing of personal data related to pupils constitutes an additional element in relation to the risk assessment."

On the likelihood of this risk materialising, the following is stated:

"The municipality uses the Google Workspace for Education Standard product, where the municipality is guaranteed by the data processor agreement that data will not be used for other purposes, including marketing, provided that the municipality only uses Core Services.

Reference is made to the data processing agreement and the correspondence of the Municipality of Helsingør with Google, where Google has stated that 'Information as part of the use of Chromebooks and Google Workspace for Education Standard cannot be used by Google for marketing purposes towards a student or students in a class'. "There are no ads shown in Google Workspace for Education core services. Also, none of the personal information collected in the core services is used for advertising purposes (ii) Students' username, also in connection with the created Google Workspace for Education account, is only accessible to Google as a data processor, and usage of Chromebooks and Google Workspace for Education - for example viewing YouTube videos - does not lead to the publication of the username". "The school's admin may allow students to access Google services, such as YouTube, that have features that allow users to share information with others or publicly. For example, if you leave a review in Google Play, your name and photo appear next to your activity. And if you share a photo with a friend who then makes a copy of it, or shares it again, then that photo may continue to appear in your friend's Google Account even after you remove it from your Google Account. Remember, when you share information publicly, your content may become accessible through search engines, including Google Search. For additional information on how Workspace for Education data is shared, please see the Workspace for Education Privacy Notice."

Core Services (14 services: Classroom, Drive/Docs, G-mail, Chat, Chrome Sync, Groups, Meet, Vault, Playlist, Jamboard, Calendar, Keep (stickynotes), Tasks, Sites)

Additional services provided by Google, are subject to different terms in the data processor agreement, which means that the municipality cannot instruct Google on how personal data may be used. Therefore, the Municipality has disabled the use of Ancillary Services.

Conclusion

Based on the measures implemented above, the Municipality of Elsinore assesses that the likelihood of the risk becoming a reality is low. However, it cannot be completely excluded that Google breaches the contractual obligations and nevertheless uses personal data for marketing or other unintended purposes for which the Municipality of Helsingør has not given instructions in accordance with the data processing agreement."

Transfer of personal data to third countries

An additional risk identified by the Municipality of Helsingør in the use of Google Chromebooks and Workspace for Education in the risk assessment is the risk of transfers to third countries.

The risk is described as follows:

"There is a risk that personal data of pupils and teachers (in principle general personal data, but it cannot be excluded that sensitive personal data will also be included) will be transferred to insecure third countries without an adequate basis for the transfer and without ensuring that the third country in question guarantees equivalent data protection rights as in other EU countries."

On the likelihood of this risk materialising, the following is stated:

"The Municipality of Helsingør, as data controller for the processing of personal data of pupils, has implemented the following relevant mitigating measures in order to reduce the likelihood of the described risk becoming a reality:

The EU Commission's standard terms and conditions have been concluded (transfer basis), as there is a risk of access from the US via support. A separate Transfer Impact Assessment (TIA) has been prepared as an additional basis (complementary measures) in accordance with the requirements of the Data Protection Authority and the EDPB. Reference is made to the TIA prepared.

It should also be noted that the Municipality of Helsingør has opted for a solution whereby, as a clear starting point, data are located exclusively within the EU in the data centres concerned. It is thus only the risk of support access from an insecure third country that may lead to access from an insecure third country:

"Settings in Data Regions in Google Workspace for Education Standard ensures that the data center is located within the EU - and additionally: will there be online access from countries outside of the EU, for example in connection with support."

Conclusion

Based on the measures implemented above, the Municipality of Elsinore considers that the likelihood of the risk becoming a reality is low."

Furthermore, the Municipality of Helsingør has submitted its evidence of compliance with Chapter V of the Data Protection Regulation when using Google Workspace for Education in the form of the Municipality's "Transfer Impact Assessment" (hereinafter "TIA").

This shows that the Municipality of Helsingør uses Google Cloud EMEA Limited as data processor with regard to its use of Google Chromebooks and Workspace for Education. In particular, the municipality has ensured through settings in Google Workspace for Education that personal data is stored only in data centres located within the EU/EEA.

However, it appears that - notwithstanding the above setting - personal data may be transferred to Google LLC in the United States as part of remote access for support purposes. The transfer is made on the basis of the EU Commission's standard contract.

Finally, point 1.8 on the context and purpose of the transfer of personal data states the following:

"As part of Google's cloud solution, Helsingør Kommune is using:

Google Chromebooks and G Suite for Education (now named Workspace), which is used by Helsingør Kommune for the purpose of educating students as part of Helsingør Kommune's public law obligation as a local, public authority to provide education. It is Helsingør Kommune's assessment that this obligation is best managed with Google as supplier of the above services and Datatilsynet has accepted this premise pursuant to the governing law in the Folkeskoleloven.

In order for Helsingør Kommune to use the mentioned services and products offered by Google, it is a requirement that Helsingør Kommune transfers the personal data related to the data subjects stated in sections 1.9-1.10 below to Google's cloud. The purpose of the transfer is thus to store the personal in the data centres (cloud), ensure a high security of the personal data as well as management/support from Google."

In the TIA, the Municipality of Helsingør has - as far as the EDPS understands - assessed whether the basis for the transfer to the US in the form of the standard contract is effective in the light of the circumstances of the transfer, including assessing whether there are laws and/or practices in the US that affect the effectiveness of the standard contract concluded.

Accordingly, paragraph 2.4 of the TIA states:

"Based on statistics and other arguments from the data importer/data recipient, how many years in addition to the assessment period will it take before the probability of access by a public authority (that is lawful in the third country) is still only 50:50?

Based on the following statistics and arguments, it is Helsingør Kommunes assessment that even if additional 50 years were added to the assessment period of 5 years, the probability of an access by a US public authority (that is lawful in the US) that violates EU law as stated in the Schrems II judgement is still only 50 % chance of occurring within this period of 55 years and thus the risk of a lawful access occurring in the assessment period of 5 years is of a more theoretical than practical nature:

• A) Google will carefully review each request to make sure it satisfies applicable laws. If a request asks for too much information, Google will try to narrow it, and in some cases Google object to producing any information at all. Google will share the number and types of requests received in the Transparency Report.
• B) When Google receive a request from a government agency, Google will send an email to the user account before disclosing information. If the account is managed by an organisation, Google will give notice to the account administrator. If Google is legally prohibited from giving notice, it will not do so. If this is the case, Google will provide notice after the legal prohibition is lifted, such as when a statutory or court-ordered gag period has expired.
• C) When a Google entity within the EU, as it the case in this matter, receives data disclosure requests from US government authorities, Google will only provide personal data if doing so is consistent with all of the following: (i) National law in the Member State of establishment, including any applicable EU laws such as the GDPR. Google will therefore the US require the authority to follow the same due process and legal requirements that would apply if the request were made to a local provider of a similar service. (ii) International norms, which means that Google will only provide personal data in response to requests that satisfy the Global Network Initiative's Principles on Freedom of Expression and Privacy and its associated implementation guidelines in Google's policies. This includes any applicable terms of service and privacy policies, as well as policies related to the protection of freedom of expression.
• D) With regard to requests for information in emergencies, such as if Google reasonably believe that disclosure can prevent someone from dying or from suffering serious physical harm, Google may provide information to a government agency. This includes bomb threats, school shootings, kidnappings, suicide prevention, and missing persons cases. Google will still consider such requests in light of applicable laws and our policies.
• F) Statistics

Google GCP/G-Suite Access requests / disclosed Denmark 2019-2020: 0 / 0

Google Workspace Access requests / disclosed Denmark 2019-2020: 1 / 0

Google Global Diplomatic Legal requests: 1

Google Global User data requests / percentage disclosed Denmark 2019-2020:

30 June 2019 Emergency 2 / 50%. Other legal 29 / 52%. Preservation 8 / 45%. 31 December 2019 Emergency 3 / 0%. Other legal 48 / 38%. Preservation 12 / 41%.

30 June 2020 Emergency 5 / 100%

Other legal 80 / 58%. Preservation 34 / 63%. 31 December 2020 Emergency 1 / 100%. Other legal 87 / 75%. Preservation 32 / 41%

Google National Security Letter requests (NSL) and released 2019/2020 total number all countries: 21

Conclusion

Based on this legal approach and these statistics, it is clear that:

• It is statistically improbable that Helsingør Kommune will be the target of a request regarding the use of GCP and G-Suite (now named Workspace).
• For other services the risk is minimal given the number of requests / disclosures and the total number of users of using services provided by Google in Denmark.
• The number of NSL requests is so low than it is statistically without importance.
• If personal data are targeted for a request, Google will carry out an honest assessment of the legality based on EU law. This is supported by the statistics of actual disclosures."

The TIA further states in para. 3.4 that the personal data transferred to Google LLC in the US will be available to Google LLC in clear text:

"Is the personal data at issue accessible in the target jurisdiction in clear text by the data importer/recipient or a third party (i.e. the data is either not appropriately encrypted or access to the keys to decrypt is possible)?

Helsingør Kommune's personal data is always encrypted when at rest as Google uses several layers of encryption to protect customer data at rest in Google Cloud products, using one or more encryption mechanisms. Data for storage is split into chunks, and each chunk is encrypted with a unique data encryption key. These data encryption keys are stored with the data, encrypted with ("wrapped" by) key encryption keys that are exclusively stored and used inside Google's central Key Management Service. Google's Key Management Service is redundant and globally distributed.

All data stored in Google Cloud is encrypted at the storage level using AES256. In this connection, Google uses a common cryptographic library, Tink, which incorporates the FIPS 140-2 validated module, BoringCrypto, to implement encryption consistently across almost all Google Cloud products. Consistent use of a common library means that only a small team of cryptographers needs to implement and maintain this tightly controlled and reviewed code.

However, this encryption does not prevent Google personnel from accessing Helsingør Kommune's personal data because Google has the key to decrypt data. Google LLC in the U.S. is on the contrary not in possession of the decryption key. This implies that Google in the US or other Google entities outside the EU/EEA or third parties cannot access Helsingør Kommune's personal data without approval by the applicable Google entity established in the EU (Google Ireland).

Although encryption - and pseudonymisation, which is also used by Google - does not ensure that Helsingør Kommune has complete control of access to personal data in the EU data center, it serves as a mitigating factor to meet regulatory or compliance obligations, i.e. in accordance with the guidelines from the EDPB."

In addition, the TIA states in para. 3.5 regarding the established transfer basis:

"As stated above in section 1.7 above, it follows from Google's Data Processing Amendment to Google Workspace and/or Complementary Product Agreement modified on 24 September 2021 that the 2021 SCC will be the legal basis for transfers (including online access as part of online support) to countries outside the EU/EEA without an adequacy decision. In this connection Google is contractually obligated as processor to comply with comply with the obligations applicable to it under European Data Protection Law with respect to the processing of Helsingør Kommune's personal data.

Helsingør Kommune has no reason to believe that any Google entity will not comply with the SCC.

furthermore, Helsingør Kommune will evaluate, and continuously monitor, that Google complies with the 2021 SCC by reviewing, for example, audit reports and standard certifications made available. Helsingør Kommune also has the right to carry out a special 3rd party audit if assessed necessary, cf. the DPA."

Finally, the TIA states in para. 4.1.1 as regards legislation and/or practice in the United States affecting the effectiveness of the standard contract concluded:

"The data importer/recipient is not subject to a higher interest from a public foreign authority in requesting access to the personal data (i.e., the data importer or potential recipient is not subject to national law facilitating mass surveillance)

Section 702 FISA

The US entity Google LLC may in practice be seen as the parent company for the EU entities providing the services to Helsingør Kommune. Google LLC. may qualify as an Electronic Communications Service Provider pursuant to Section 702 FISA for its US customers as the term is broadly understood: "any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored."

However, there is a high likelihood that the data accessible to the Google LLC, is per se excluded from access under Section 702 FISA because it is data that are not transmitted by it but to it for the purpose of providing a support service. Thus, it is a communication targeted to a "U.S. person" for which the intelligence searches are prohibited (see Alan Charles Raul, "Why Schrems II Might Not Be a Problem for EU-U.S. Data Transfers", December 21, 2020, available at https://bit.ly/3qHNMy7 and a full paper from the same author at https://bit.ly/2V9veez with the follow-up post "Transferring EU Data To US After New Contractual Safeguards" of May 17, 2021, available at https://bit.ly/3l12oHZ). In addition, Helsingør Kommune's personal data does not comprise personal data about "U.S. Persons" and US authorities are thus barred from accessing data under Section 702 FISA for this reason as well.

Hence, it likely that Helsingør Kommune's personal data in EU data centres will not be subject to Section 702 FISA.

We understand that this argument may not be shared by everyone and that requests nevertheless may take place in relation to Google, which is why we rate the probability of this argument to be valid very conservatively to be on the safe side.

EO 12.333

Executive Order 12.333 (EO 12.333) authorizes US intelligence agencies to collect foreign "signals intelligence" information, which is information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means (i.e. all data from telecom and IT infrastructure). EO 12.333 thus permits "surveillance in transit", such as the accessing of data that are not properly encrypted while it is passing over transatlantic cables. As described under section 3.3. above, all personal data will be transmitted with required and strong encryption in transit. It is thus our assessment that the required technical measurement through encryption means that EO 12.333 will not entail a higher risk for mass surveillance US authorities."

It appears below that the Municipality of Helsingør has assessed the probability that the above assessment is accurate at 40%.

On the basis of the letter of the Municipality of Helsingør dated 10 November 2021 with annexes, the Data Protection Authority requested further information from the Municipality on 2 December 2021. The Data Protection Authority stated that any transfers of personal data to the United States as part of support were - in the opinion of the Data Protection Authority - intentional, although the municipality has assessed this as a risk of support flowing from the United States.

The Data Protection Authority requested, among other things, a copy of the municipality's transfer basis, any changes in the instruction and data processing agreement with Google, and a review of any additional measures that the municipality may have deemed necessary.

By letter dated 9 December 2021, the Municipality of Helsingør stated - in clarification of the above risk - the following:

"The possible transfer to Google - and the associated risk - is related to Google's setup. I.e. even if the municipality has chosen an EU cloud, Google has secured in the data processing agreement the right to potentially get support from third countries. This is also the reason why Google has established a transfer basis under the new SCC (from June 2021), which the municipality uses in its risk assessment.

In general, regarding the risk of support in particular, the following facts can generally be taken into account: in very specific support situations from an insecure third country, there will be a very limited window in which the supporter can potentially access personal data in clear text. It is very unlikely that in that limited window the supporter would be obliged by the government [of the insecure third country] to provide the personal data.

The Municipality further notes that the TIA prepared states that the Municipality has assessed that the use of Google Workspace for Education is necessary for the performance of the Municipality's duties under the Education Act, that the option of third country support cannot be opted out when Google is the data processor, and that the Municipality has therefore assessed the risk of using Google.

The transfer basis is, as stated, the new SCC (from June 2021)."

Regarding the data sources used, the Municipality of Helsingør has provided the following information:

"There are different "data sources" in relation to the risk assessment and the TIA. The risk assessment is based on the fact that the data processor agreement describes the relationship between the parties in more detail, i.e. that Google is the data processor for the municipality and that Google reserves the right to provide support from third countries, and that the municipality has ensured that the service is provided from an EU cloud.

The TIA is based on the documents and links provided in the subtab of the TIA."

In addition, the Municipality of Helsingør has provided the following information regarding its assessments as set out in the TIA:

"The assessments in the TIA of the likelihood of each legal argument holding are estimates. In this respect, the Municipality considers that the probabilities set are conservative, i.e. the Municipality has allowed for doubts in the interest of the rights and freedoms of the data subjects. If the EDPS has a different, reasoned assessment of the probability that the individual arguments hold, the municipality will be pleased to hear about it. It is also noted, for the sake of good order, that the calculated overall risk - based inter alia on these arguments, the circumstances of the possible transfer, published statistics from Google, practices and mitigating measures - is quite low. The municipality also undertakes to monitor and evaluate the likelihood of the validity of these arguments on an ongoing basis.

The legality of the use of Google Workspace for Education in these circumstances is thus not dependent on the assessment of the likelihood of the validity of a single argument not being moved by reasoned arguments."

Finally, the Municipality of Elsinore has submitted a large amount of documentation regarding the data processor arrangement with Google Cloud EMEA Limited, including the data processor agreement "Data Processing Amendment to Google Workspace and/or Complementary Product Agreement" dated 24 September 2021.

Justification of the decision of the Data Protection Supervisor

In general, the EDPS is of the opinion that a controller using a data processor - for all processing operations - must comply with and be able to demonstrate compliance with the GDPR and the Data Protection Act, regardless of where in the data processing chain processing takes place.

This follows from Article 5(2) of the GDPR, which states that the controller is responsible for and must be able to demonstrate compliance with paragraph 1. This means, inter alia, that the controller is responsible for and must be able to demonstrate that the personal data are processed lawfully, fairly and transparently, in accordance with Article 5(1)(a).

Furthermore, Article 24(1) of the Regulation requires the controller to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing complies with this Regulation. This must be done taking into account the nature, scope, context and purposes of the processing concerned, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, and the measures must be reviewed and updated as necessary.

With this decision, the Data Protection Authority has only taken a position on whether - and to what extent - the Municipality of Helsingør, as the controller, processes personal data in accordance with the data protection rules. The competence of the Data Protection Authority follows from Section 27 of the Data Protection Act and Chapters VI and VII of the Data Protection Regulation, including Article 55(2) thereof.

Use of Google Chromebooks and Google Workspace for Education

It follows from Section 2(1) of the Education Act that the local authority is responsible for the education of children.

For primary schools, it follows from § 18(1) and § 19 of the Act that the organisation of teaching, including the choice of teaching and working methods, teaching materials and the selection of subjects, as well as the payment for this, in all subjects must comply with the aims, objectives and subjects of the primary school and be varied so that it corresponds to the needs and prerequisites of the individual pupil.

The EDPS is of the opinion that both the choice of using IT in teaching, including the brand and software to be used, fall within this margin.

The EDPS notes in this respect that the data protection rules are technology neutral and the EDPS can only assess the circumstances in which personal data are processed, in accordance with Article 2(1) of the GDPR.

While the Public School Act - in the view of the EDPS - confers competence on the municipal council to decide whether - and if so - which IT equipment should be used in education, this use must continue to be made within the framework of the GDPR and the Data Protection Act.

The rights of children and young people enjoy special protection under data protection rules. The EDPS is of the opinion that this consideration is included in the assessment of which processing operations can be carried out on the basis of the legal basis provided by the Public Schools Act to each municipality.

As also stated in the decision of 10 September 2021 of the Data Protection Inspectorate, it is the opinion of the Inspectorate that the Municipality of Helsingør can determine which tools are used in the municipality's primary schools, in accordance with Article 6(1)(e) of the Data Protection Regulation.

However, it remains an essential condition that the Regulation and the Data Protection Act are otherwise complied with in the processing of personal data that takes place.

Risk and consequences

In general, the EDPS finds that the risk assessment of the Municipality of Helsingør regarding the use of Google Chromebooks and Workspace for Education addresses the main scenarios and threats.

However, it is the opinion of the EDPS that the use of new, complex technology, including software - especially in the field of education, where the data subjects are children and young people - usually entails a high risk to the rights and freedoms of these pupils.

In the specific case, where it is common knowledge that the technologies used for the delivery and system support of the chosen service - Google Chromebooks and Workspace for Education - are also used to deliver other parts of Google's products, and these are used for information collection, targeted marketing and sale of this information. Such matters must therefore be taken into account when assessing the risks to the rights and freedoms of data subjects when using Google Workspace for Education.

The EDPS considers that the risk assessment of the Municipality of Helsingør does not fully document the risk scenarios that may arise as a result of the data processor design and the system choices made. This applies in particular to (i) how the devices and applications used actually handle the personal data collected, as well as (ii) how the Municipality of Helsingør controls Google's access to the personal data, including in particular the ordinary use of Google Chromebooks' operating system and Google Workspace's interaction with Google's backend in relation to the possibilities for separation of personal data that must take place under the data processor law.

The EDPS is of the opinion that conducting a concrete risk assessment and impact assessment - before providing IT equipment to pupils and processing pupils' data - is a prerequisite for establishing and maintaining an adequate level of security. This is because an adequate level of security must be seen in the light of the risks, including consequences, that the processing of pupils' personal data may have for them. The EDPS notes that several of the above-mentioned failures to comply with data protection rules could have been avoided if the Municipality of Helsingør had assessed the risks of the processing and taken appropriate measures in the light of those risks.

Against the above background, the EDPS finds that the Municipality of Helsingør - (i) by not including the risk scenarios that may arise from the data processor design and the system choices made in its risk assessment, (ii) by not having sufficiently tested the scope and functioning of the hardware and software used, and (iii) by not being able to document, how the municipality controls Google's access to the personal data, including in particular by ordinary use of Google Chromebooks operating system and Google Workspace's interaction with Google's backend in relation to the possibilities for separation of personal data that may occur under the Data Processors Directive, - has not demonstrated that personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject pursuant to the Data Processors Directive. Article 5(2) of the Data Protection Act, see Article 5(1)(a).

Use of data for other purposes

It is the opinion of the Data Protection Authority that the processing of personal data by the Municipality of Helsingør under the Elementary School Act, cf. Article 6(1)(e) of the Regulation, does not include situations where personal data are processed for purposes other than those provided for in the Elementary School Act. The data cannot therefore be lawfully disclosed to other controllers for their purposes either, where the purposes are not provided for in the Education Act. This also includes the processing of personal data that may occur through the use of the equipment and software by pupils, including metadata data used for marketing and profiling purposes, whether the data are used for direct marketing to the individual pupil or indirectly as part of a group (class, year, school, etc.).

The EDPS considers that the Municipality of Helsingør does not use Google Workspace for Education's additional products.

It appears from the risk assessment of the Municipality of Helsingør that personal data collected in core services - according to the data processor agreement - is not used for marketing purposes.

The Data Protection Authority considers that the Municipality of Helsingør, as data controller, has assessed that "it cannot be completely excluded that Google breaches the contractual obligations and nevertheless uses personal data for marketing or other unintended purposes for which the Municipality of Helsingør has not given instructions in accordance with the data processing agreement."

The EDPS also considers that the Municipality of Helsingør also processes special categories of personal data, as referred to in Article 9 of the Regulation, when using Google Workspace for Education.

In this context, the EDPS would like to point out in general terms that, pursuant to Article 28(1) of the Regulation, a controller may only use processors which can provide the necessary guarantees that they will comply with the data protection rules when processing the data on behalf of the controller.

This implies that an expectation on the part of the controller that the chosen processor will act in breach of the concluded processor agreement - in itself - implies that the controller may not use that processor, in accordance with Article 28(1) of the Regulation.

However, the EDPS has taken as a basis that, in assessing this risk, the Municipality of Helsingør only considers the risk of the processor acting in breach of the data processing agreement as hypothetical rather than outright foreseeable.

The EDPS considers that the Municipality of Helsingør - in its assessment of this risk - has not demonstrated that in this situation the Municipality of Helsingør uses a data processor that can provide the necessary guarantees that it will comply with the requirements of the GDPR, as set out in Article 24 of the Regulation, cf. Article 28(1).

The EDPS has paid particular attention to the fact that there would be an intrusive loss of rights for data subjects if the risk in question materialised and that the municipality has not indicated in its risk assessment any real remedial technical or organisational measures to mitigate this risk. In particular, the EDPS is of the opinion that the reference made by the Municipality of Helsingør to the fact that the municipality has confidence in the supplier's general compliance with the contract does not constitute a sufficient mitigation of this risk.

Moreover, the EDPS notes that any risk entailing a high impact on the rights and freedoms of data subjects - even with relatively low probabilities of the risk materialising - is likely to entail a high risk to the rights of data subjects, triggering the obligation to carry out a data protection impact assessment under Article 35(1) of the Regulation.

In view of this - and of the Municipality of Helsingør's own assessment that it cannot be excluded that the data processor will act in breach of the data processor agreement - the EDPS is of the opinion that the relationship triggers the obligation to carry out a data protection impact assessment, Article 35(1) of the Regulation.

Against this background - and given that the Municipality of Helsingør has stated that it has not carried out a data protection impact assessment - the EDPS considers that the processing of personal data by the Municipality of Helsingør has not been carried out in accordance with Article 35(1) of the Regulation.

Transfers of personal data to third countries

Transfer of personal data by the cloud infrastructure

The EDPS has firstly noted that it is the opinion of the Municipality of Elsinore that the Municipality has configured its use of Google Workspace for Education in such a way that "data are, as a clear starting point, only located within the EU in the data centres concerned. It is thus only the risk of support access from an insecure third country that may lead to access from an insecure third country."

The Municipality of Helsingør's contractual framework with Google, which regulates the processing activity, includes the "Data Processing Amendment to Google Workspace and/or Complementary Product Agreement" (Agreement Addendum), dated 24 September 2021.

The Addendum states, inter alia:

"10.1 Data Storage and Processing Facilities. Subject to Google's data location commitments under the Service Specific Terms and to the remainder of this Section 10 (Data Transfers), Customer Data may be processed in any country in which Google or its Subprocessors maintain facilities. [...]

11. Subprocessors

11.1 Consent to Subprocessor Engagement. Customer specifically authorizes the engagement as Subprocessors of those entities listed as of the Amendment Effective Date at the URL specified in Section 11.2 (Information about Subprocessors). In addition, without prejudice to Section 11.4 (Opportunity to Object to Subprocessor Changes), Customer generally authorizes the engagement as Subprocessors of any other third parties ("New Subprocessors").

11.2 Information about Subprocessors. Information about Subprocessors, including their functions and locations, is available at: https://workspace.google.com/intl/en/terms/subprocessors.html (as may be updated by Google from time to time in accordance with this Data Processing Amendment)."

Section 11.2 of the Agreement refers to a list of Subprocessors used for the purpose of providing Google Workspace for Education. The list includes a wide range of sub-processors used to provide technical support, located both in the EU and in third countries, including third countries where the EU Commission has not taken a decision on the level of protection of the countries in accordance with Article 45.

The list also includes a large number of Google subsidiaries used for limited activities such as Google Workspace, which are also located both inside and outside the EU/EEA.

In this decision, the DPA has not taken a position on the extent to which the Municipality of Helsingør, by using Google Workspace for Education - in addition to the United States, see further below in Section 4.6 - transfers personal data to other third countries, even though the data are "stored" within the EU/EEA.

However, the EDPS recommends that the Municipality of Elsinore ensures - inter alia, by reviewing the Google Workspace "Service Specific Terms" referred to in paragraph 10.1 of the addendum to the agreement - that the data, as part of processing other than "storage", e.g. as part of general service and support of the underlying cloud infrastructure, etc., is not transferred to third countries, unless the Municipality of Elsinore instructs the data processor to do so and provides a valid basis for the transfer.

It is the view of the Data Protection Authority that the controller must provide a valid basis for transfer to all third countries to which personal data may be transferred as part of the provision of a service under the contractual basis, including service and support.

Transfer of personal data to the United States

Initially, the EDPS notes that - in the EDPS' view - there is an intentional and instructed transfer to the United States for the Municipality of Helsingør as a result of the agreed possibility to provide support - in or from the United States - with access to personal data.

The rules on transfers to third countries, including the possible grounds for transfer, are laid down in Chapter V of the Data Protection Regulation.

The main rule for transfers of personal data to third countries is set out in the general principle of Article 44 of the GDPR. This states that:

"Any transfer of personal data undergoing processing or intended for processing following a transfer to a third country or an international organisation may take place only if the conditions laid down in [Chapter V] are fulfilled, without prejudice to the other provisions of this Regulation, by the controller and the processor, including by onward transfer of personal data from that third country or international organisation to another third country or international organisation. All the provisions of this Chapter shall apply in order to ensure that the level of protection guaranteed to individuals by this Regulation is not undermined."

Any transfer of personal data can thus only take place if the conditions of Chapter V of the Regulation are met.

The EDPS understands Article 44 of the Regulation as an obligation for both the controller and the processor. Both parties are therefore obliged to ensure that an effective basis for the transfer is provided in the light of all the circumstances of the transfer. This also applies in cases where it is in practice the processor who has concluded a standard contract under Article 46(2)(c) of the Regulation with any sub-processors in third countries. In this case, the obligation for the controller is in practice to ensure - and be able to demonstrate to the EDPS - that the processor has established the necessary transfer basis and that this transfer basis is effective in the light of all the circumstances of the transfer, including the implementation of additional measures where necessary.

Furthermore, the EDPS is of the opinion that, without prejudice to the exceptions provided for in Article 49 of the Regulation, the wording of Article 44 stating that any transfer of personal data may only take place if the conditions laid down in Chapter V are met, in conjunction with the principle that the level of protection ensured by the Regulation must not be undermined, must be understood as meaning that any transfer must be subject to appropriate safeguards. Thus, it is not sufficient that almost all transfers or a percentage of transfers enjoy the protection provided by the Regulation, unless this is provided for in the Regulation.

One of the ways to provide a valid basis for transfers under Chapter V is by concluding a standard contract adopted by the European Commission with the organisation in the third country to which the data are transferred, as provided for in Article 46(1)(c) of the Regulation.

In particular, the case shows that the Municipality of Helsingør has instructed its data processor - Google Cloud EMEA Limited in Ireland - to transfer personal data to a sub-processor - Google LLC - in the United States. The transfer takes place on the basis of an EU Commission standard contract between Google Cloud EMEA Limited and Google LLC in the USA. This standard contract has been used as the basis for transfers to the US since the end of September 2021.

In case C-311/18, Schrems II, the European Court of Justice has clarified that the use of the EU Commission's standard contracts presupposes that a level of protection for personal data in the third country concerned can be ensured which is essentially equivalent to the level of protection within the EU/EEA[1].

The CJEU further noted that there may be situations in which the EU Commission's standard contract does not constitute "an adequate means of ensuring in practice the effective protection of the personal data transferred to the third country in question. That is the case, in particular, where the legislation of that third country allows its public authorities to interfere with the rights of data subjects in respect of those data."[2]

In such cases, where the standard contract, by its nature, cannot provide guarantees going beyond the contractual obligation to ensure that the necessary level of protection is provided, additional measures may be needed, depending on the circumstances in the third country, to ensure that the necessary level of protection is provided[3] Such additional measures may be technical, organisational or contractual[4].

It is thus necessary to examine - on a case-by-case basis - whether the legislation of the third country ensures the adequate level of protection of the personal data transferred on the basis of the standard contract and, if necessary, to take additional measures in addition to the standard contract[5].

The CJEU has also assessed whether selected US legislation - Foreign Intelligence Surveillance Act (FISA) section 702 and Executive Order 12 333 (E.O. 12 333) - allows US public authorities to interfere with data subjects' rights to an extent that does not meet the minimum requirements of EU law.

FISA Section 702 (FISA 702) authorizes the U.S. government to obtain information about persons who are not U.S. citizens, etc. ("non-U.S. persons"), and who may reasonably be expected to be outside the United States, for the purpose of collecting foreign intelligence information ("foreign intelligence information"). This is done by issuing directives to "electronic communications service providers" to provide or cause to be provided personal information sent to or received from a "selector," with a portion of these communications also being disclosed to law enforcement authorities[6].

With respect to E.O. 12333, this statutory basis allows law enforcement to access information "in transit" to the United States by accessing undersea cables, and to collect and retain that information before it reaches the United States and there becomes subject to the FISA provisions.[7]

The CJEU then held that neither FISA Section 702 nor E.O. 12 333, read in conjunction with Presidential Policy Directive-28 (PPD-28), satisfy EU law's proportionality requirement, with the result that surveillance programs based on these provisions cannot be considered limited to what is strictly necessary. The Court further held that FISA 702 or E.O. 12 333, read in conjunction with PDD-28, do not provide data subjects with rights that are enforceable against the U.S. authorities before the courts[8].

In assessing whether there are circumstances in the United States that prevent the standard contract used as a basis for transfer from being a sufficient means of ensuring a level of protection substantially equivalent to that within the EU/EEA, the Municipality of Elsinore has stated that it is likely that Google LLC should be considered an "electronic communications service provider" as that term is defined in 50 U.S.C. § 1881(b)(4).

Similarly, it is DPA's assessment that Google LLC - in providing the service (support, etc.) that gives rise to the transfer of personal data thereto - should be considered an "eletronic communications service provider" and thus may be subject to law enforcement directives under FISA 702.

In addition, the Municipality of Helsingør has argued that there is a high probability that information available to Google LLC per se cannot be accessed under FISA 702, as the personal data is not transferred by Google LLC, but to Google LLC for the purpose of providing support. In particular, the Municipality of Elsinore has argued that this is an electronic communication to a "U.S. person" and that law enforcement authorities are therefore precluded from obtaining this information in light of the restrictions in FISA 702. In addition, the Municipality argues that the personal information transferred to Google LLC does not constitute personal information of "U.S. persons" and that law enforcement authorities are also barred from collecting the information under FISA 702 for this reason.

After reviewing the legal restrictions on the collection of information under FISA 702[9], the EDPS is of the opinion that the restrictions are aimed at preventing the collection - both direct and indirect - of information about U.S. persons, including companies, when such persons are the target of the collection.

Thus, in the view of the FSA, the restrictions do not apply if and to the extent that Danish citizens or the Municipality of Helsingør as a whole become the subject of the collection of information under FISA 702.

Furthermore, it is the opinion of the DPA that FISA 702, by its purpose, provides a legal basis for U.S. law enforcement authorities to obtain information about foreign persons who may reasonably be expected to be outside the United States for the purpose of collecting foreign intelligence information.

Against this background, the EDPS considers that the personal data transferred to Google LLC could be obtained by US law enforcement authorities. In doing so, the EDPS has placed emphasis on the fact that Google LLC is to be considered as an "electronic communications service provider" and that the personal data transferred to Google LLC relate to the municipality's school pupils and employees, i.e. Danish citizens.

It is thus the assessment of the Data Protection Authority that the transfer of the data in question is subject to conditions in the United States which prevent the standard contract used as a basis for the transfer from being a sufficient means of ensuring a level of protection substantially equivalent to that within the EU/EEA. The Municipality of Helsingør is thus obliged to ensure that additional measures are put in place to bring the level of protection up to the required level.

In particular, the EDPS notes that contractual and organisational supplementary measures will generally not counter access to or collection of personal data by US law enforcement authorities for surveillance purposes. Therefore, additional technical measures will be necessary.

The Municipality of Helsingør has stated that personal data is encrypted both in transit and at rest when the data is transferred and processed by Google LLC. However, the Municipality has also indicated that Google LLC can access the data in clear text.

It is the EDPS' assessment that encryption can be an effective supplementary measure, suitable to complement the EU Commission's standard contract and overall bring the level of protection in a third country up to the required European level.

However, the EDPS considers that, in the present case, encryption is not suitable to address the conditions in the US which prevent the standard contract from being a sufficient means to ensure the effective protection of the personal data transferred.

In this respect, the EDPS has taken into account that the collection of personal data by US law enforcement authorities under FISA 702 is carried out by issuing directives to electronic communication service providers and thus requires their assistance, and that in these circumstances the personal data transferred may be obtained under FISA 702, as Google LLC has access to the data in clear text.

Accordingly, the EDPS considers that the personal data which the Municipality of Helsingør has instructed Google Cloud EMEA Limited to transfer to the United States are not afforded a level of protection substantially equivalent to that in the EU/EEA and that the Municipality of Helsingør has not taken the necessary additional measures to bring the level of protection up to that required.

The EDPS therefore considers that the transfer of personal data which the Municipality of Helsingør has instructed Google Cloud EMEA Limited to carry out is not in accordance with Article 44 of the Data Protection Regulation, cf. Article 46(1)(c).

Summary

In view of the injunction issued on 10 September 2021, and the processing restriction issued on the same date, and following a review of the risk assessment carried out by the Municipality of Helsingør and the Municipality's documentation in general, the Data Protection Supervisor considers that there are grounds for issuing a prohibition to the Municipality of Helsingør to process personal data using Google Chromebooks and Workspace for Education. The prohibition applies until the Municipality of Helsingør has brought the processing activity into compliance with the GDPR, as set out in this Decision, and has produced adequate documentation to this effect.

In addition, any transfer of personal data to the United States that the Municipality of Helsingør has instructed Google Cloud EMEA Limited to carry out as a data processor for the Municipality is suspended until the Municipality of Helsingør can demonstrate compliance with Chapter V of the GDPR.

The prohibition and suspension shall take effect immediately, but the Municipality of Helsingør shall be granted a period until 3 August 2022 to withdraw and terminate users and rights, as well as to delete data already transferred.

The prohibitions are issued pursuant to Article 58(2)(f) and (j) of the Data Protection Regulation.

Infringement of a prohibition issued by the Data Protection Authority shall be punishable under Article 41(2)(4) of the Data Protection Act by a fine or by imprisonment for a term not exceeding six months, cf. Article 41(1).

Finally, the Data Protection Supervisor finds grounds for serious criticism of the fact that the processing of personal data by the Municipality of Helsingør has not been carried out in accordance with Article 5(2) of the Data Protection Regulation, cf. Article 5(1)(a), Article 24, cf. Article 28(1), Article 35(1) and Article 44, cf. Article 46(1).

Choice of corrective measures

In choosing the remedy, the EDPS has put emphasis on bringing the unlawful situation to an end quickly. In addition, the EDPS has given mitigating weight to the fact that the Municipality of Helsingør has - at all stages of the processing of the case - contributed positively and responsibly to providing the necessary documentation and clarity about the processing operations, and has given particular weight to the fact that the transfers of personal data in question to the United States were previously subject to an adequacy finding pursuant to Article 45 of the Regulation, which expired.

Concluding remarks

The EDPS notes that it is the responsibility of the Municipality of Helsingør to rectify and erase data in accordance with the Decision. The municipality must therefore contact the parents of the children concerned in order to carry out the rectifications, anonymisations or erasures of the personal data recorded which the parents themselves cannot carry out in the systems in which the pupils' personal data have been inadvertently published or transmitted.

View source at datatilsynet.dk (Danish).