Three Norwegian municipalities are breaking the law in their use of Google Suit for Education (GSFE) and thus get a warning from the Data Protection Authority (DPA). It is very hard – if possible at all – to actually use Google in schools and at the same time comply with GDPR according to guidelines issued by the Norwegian DPA.
Though Norway is not a member of the EU, it is enforcing the EU’s General Data Protection Regulation, GDPR.
“If you decide to use Google you must understand what it means to the pupils’ privacy,” says Bjørn Erik Thon, managing director of the Norwegian Data Authority according to their press release. “They must have a an overview over which data is collected, and what they are used to. When you have that overview, you can then analyse what is at stake for the pupils, but the municipalities did do have that.“
The ruling towards the three municipalitets Sandnes, Strand and Bergen from the Norwegian DPA is indeed very interesting, because as with other data-driving services like Google it is very hard – if possible – to get the full picture of Google’s use of personal data. They are known for being ‘black boxes’. The DPA says that the use of Google in schools are considered ‘high risk,’ when it comes to the pupils’ rights and freedom, and thus municipalities must carry out a personal data risk assessment before using GSFE.
The Norwegian DPA has developed Guidelines for use of Google Chromebook and G Suit for Education, and it explains that the use of the ‘core services’ i GSFE are Gmail, Hangouts, Chat, Meet, Docs, Sheets, Slides, Drive. For this Google promises not to use the data for advertising (thus not ruling out other uses such as training its artifical intelligence).
However, for all other use of Google services – called ‘additional services’ – such as use of the Chrome Browser, Google Maps, Google Search and Youtube, the pupils can be profiled by Google.
“It is worth noticing that the Google Chrome is not part of GSFE but of Chrome OS. This means that the pupils can be profiled and served advertising when they surf the web,” according to the guidance.
Google is a Challenge
Google is considered data processor, when municipalities decide to use GSFE, and that is challenging according to the Norwegian DPA, who seems to not really be able to get the full overview itself.
“It is very hard to get a full overview of all elements in an agreement with Google. They refer to websites inside the agreement, who then refer to other agreements, and Google is also changing name to Workspace and thus sometimes uses ‘G Suite’, other times ‘Workspace’,” it states – and lists all the links Google is refering to in its agreements:
- G Suite for Education – hovedside (edu.google.com)
- Senter for personvern og sikkerhet (edu.google.com)
- Avtale for Google Workspace for utdanning på nettet (workspace.google.com)
- Data Processing Amendment to Google Workspace and/or Complementary Product Agreement (workspace.google.com)
- Google Workspace Service Specific Terms (workspace.google.com)
- Additional Product Terms (workspace.google.com)
- Google Cloud and Workspace Privacy Polic (cloud.google.com)
- G Suite for Education Privacy Notic (workspace.google.no)
- Services Summary (workspace.google.com)
- Google Cloud Terms (cloud.google.com)
- Google Cloud Platform Subprocessors (cloud.google.com)
- Retningslinjer for akseptabel bruk av Google Workspace (workspace.google.com)
- Google Meet Providers (workspace.google.com)
Yet, the DPA demands that the municipalies must get a full overview of the agreements, when using GSFE, including all the referrals before they sign on to GSFE.
Our conclusion: If you want to be GDPR compliant and use GSFE, you are in for a challenge that might be hard to overcome.