Denmark bans Gmail and Co from schools due to privacy concerns

Danish schools must stop using Google’s email and cloud services due to concerns or violating the high European
privacy standards defined by the GDPR. According to
Denmark’s data protection authority, Google’s cloud-based Workspace software suite “does not meet the requirements”
of the European Union’s GDPR data privacy regulations.

Google’s email and cloud “does not meet requirements”

Pupil’s privacy must be protected

In a statement
published mid July, the Danish data protection agency expresses
“serious criticism and bans … the use of Google Workspace”.

Based on a risk assessment for the Helsingør Municipality, the data protection authority concluded that the
processing of personal data of pupils does not meet the requirements of the GDPR and must, therefor, stop.

The ban is effective immediately. Helsingør has until August 3 to delete pupil’s data and start using an alternative
cloud solution.

“Helsingør Municipality has done a great and skilled job to map how personal data is used in the primary school, but it
also highlights the data protection legal problems that can be with the big tech companies’ ways of solving the task,” says
Allan Frank, who is an IT security specialist and lawyer at the Danish Data Protection Authority.

Privacy Shield invalidated

This decision follows similar decisions by Dutch and German authorities.

The issues that governmental institutions see themselves faced with has started with the
invalidation of Privacy Shield back in 2020.

Privacy Shield has been a data transferring agreement between the USA and the European Union and was supposed to
make data transfers between the two legally possible. However, the agreement has been declared invalid by the
European Court of Justice (ECJ) in 2020 due to privacy concerns.

One major problem that the EU court pointed out is that data of foreigners is not protected in the USA. The protections that are there – even
if limited – only apply to US citizens. The NSA can get full access to any and all data of non-US citizens from US companies at any time.
In addition, non-US data subjects have no actionable rights
before the courts against the US authorities, which violates the “essence” of certain EU fundamental rights, the ECJ found.

Data processing agreement not sufficient

In the after-match of Privacy Shield being invalidated, American cloud services shifted to relying on data
processing agreements with their European customers.

However, this practice is highly questioned among data privacy experts, particularly in regards to its legality.

The now issued statement by Denmark’s data protection authority proves this once again. It complains – among other
issues – that

“the data processing agreement states that information can be transferred to third countries in support situations
without the required level of security.”

The decision summarizes four main issues:

  1. Suspension of Helsingør Municipality carrying out processing of information where this information is transferred to third countries without
    the necessary level of protection.

  2. A general ban on processing with Google Workspace until adequate documentation and impact analysis has been made and until
    the processing is brought into compliance with the GDPR.

  3. Serious criticism of the municipality’s processing of personal data.

  4. Many of the conclusions in this decision will probably apply to other municipalities that use the same processing structure. These
    municipalities are expected to take relevant steps themselves
    based on the decision.

Google Analytics also illegal in Europe

This latest decision comes after data privacy watchdogs in France and Austria ruled that it is
illegal for European websites to use Google Analytics to
track visitors because of a violation of European data privacy rules.

Also here the issue is that personal data is transferred to the United States for processing without consent from the
website visitors.

Consequences for Danish, Dutch & German schools

Based on the statements by the Danish, Dutch and German privacy watchdogs, schools in Denmark, in the Netherlands and in
Germany may not use Google’s email or cloud services.

While the statements by the Danish, Dutch and German privacy watchdogs are mostly about pressuring American tech companies
to finally adhere to strict European privacy regulations, it would be much preferred to have a true alternative to Microsoft, Google and Apple.
That’s what Tutanota is building right now. Started with secure emails, Tutanota today also offers an encrypted address
book, an encrypted calendar, and the encrypted contact form Secure Connect. Many
more features such as an encrypted Drive are planned, and we estimate that in a few more years, we can offer an encrypted Groupware with
maximum respect of user privacy.

European alternative

European schools can now either wait until Big Tech fixes their privacy issues. Or they can start looking for European
alternatives. The latter will have a great positive impact on Europe and European people as a whole:

  1. European tech business is strengthened and can establish an alternative to Big Tech.

  2. Data of European citizens is being protected according to the GDRP.

  3. Data is stored in Europe and no data transfer is happening.

Tutanota, for example, ticks all the boxes a European school would want to protect the sensitive data of pupils,
teachers, and parents. Many schools, particularly in Germany, are already using Tutanota.

“In a very sensitive business environment, we have chosen Tutanota among various encryption programs. Tutanota impresses with
its extremely simple application. Even non-technical colleagues can encrypt sensitive attachments and texts in accordance with data
protection regulations. The simple administration, immediately accessible & always friendly experts and a fair pricing also stand out”,
says Dietmar Kopp, Maria-Montessori-School.

On top of complying with strict data protection regulations, in Tutanota all data is stored encrypted on German servers.
Thus, Tutanota is in full compliance with the GDPR.