Even before the pandemic forced schools around the world to move classes online, learning management systems (LMS) like Google Classroom, offered as part of Google’s Workspace for Education suite, were already popular with educational institutions and formed a key component of the modern educational toolkit.
But as schools and colleges were shuttered in 2020, those that hadn’t already made the switch rushed to set up online portals, while teachers who had previously underused LMS functionality suddenly found themselves running their entire curriculum through the digital system.
According to a Bloomberg report, as the COVID-19 pandemic spread throughout the world in 2020, Google Classroom doubled its active users to more than 100 million between March and April of that year, with much of that growth coming from outside of the U.S.
In the European Union, for example, the accelerated adoption of Google products in educational environments has caught the eye of European regulators. And with back-to-school season in full gear, this puts privacy concerns over the way the search giant processes data through its cloud platforms back in the spotlight.
Related: EU Opens Silicon Valley Office to Streamline Communication With Big Tech
In July, Denmark’s data protection agency, Datatilsynet, revealed that data processing involving students using Google’s cloud-based software suite does not meet the requirements of the EU’s General Data Protection Regulation (GDPR). The agency joins its peers in the Netherlands and Germany that have previously raised similar concerns.
Ultimately, the issue boils down to the way GDPR distinguishes between “data processors” and “data controllers.” While Google’s user agreement states that the company is a processor while the educational institution remains the controller, authorities are finding that in practice, Google often steps into the controller position, yet fails to meet the legal obligations that the position stipulates.
In a Data Protection Impact Assessment (DPIA) commissioned by the University of Groningen and the Amsterdam University of Applied Sciences, the authors found that Google “cannot successfully claim any legal ground for the processing, as required in Article 6 of the GDPR.”
As such, they state that “until Google becomes a data processor […] universities are advised not to use G Suite (Enterprise) for Education.”
Data Controller or Processor?
Highlights of the DPIA’s objections can be summarized as follows: Google does not offer an exhaustive list of purposes for which it processes user data, only excluding specific ones such as processing personal data for advertising. The DPIA pointed to dragnet processing practices such as scanning the contents of communications to proactively detect unlawful content as not providing adequate data security according to GDPR standards.
As such, “Google steps outside of its role as data processor. In the absence of any explicit and specific purpose in the documented instructions, Google factually acts as a data controller,” for which it does not meet the necessary criteria.
See also: Back to School for the Connected Economy, Too
As a result of the DPIA, in May, the Dutch Data Protection Authority (DPA) warned schools and universities to stop using Google Workspace for Education before the start of the new school year.
Last month, Google agreed to “major privacy improvements” to appease the DPA. As a result, schools have been allowed to continue using Google services for the time being.
However, the author of the DPIA, the Privacy Company, has cautioned that “the full adaptation of the data processor role requires significant technical and organizational changes to Google’s systems and processes and can therefore not be implemented overnight.” But for now, “the high risks will be mitigated before the start of the new school year.”
Returning to Datatilsynet’s verdict on the use of G Suite for Education, the controller/processor distinction is critical to one of the authority’s main concerns: The Danish watchdog found that Google’s terms and conditions allow for data to be transferred to the U.S.
As a data processor, Google is required to act under the conditions set by the controller, which means that it should be able to guarantee that data is not exported to servers outside of the EU, as required under GDPR by all educational institutions in the regional bloc. In the end, however, Datatilsynet found that Google cloud services cannot offer such a guarantee, even though the data is ordinarily stored in one of Google’s EU data centers.
Away from education, the data export issue has been causing Google and other Big Tech firms headaches on multiple fronts.
Read more: French Privacy Regulator Rules Against Use of Google Analytics
Data watchdogs in France, Italy and Austria have recently ruled that websites using Google Analytics to track visitors are in breach of the law for failing to uphold GDPR’s strong data sovereignty provisions.
Likewise, Ireland’s Data Protection Commission has found Meta’s data processing practices illegal for the same reason, with Meta even stating that the ongoing threat of legal action may force it to shut down Facebook and Instagram within the EU.
For all PYMNTS EMEA coverage, subscribe to the daily EMEA Newsletter.