Denmark’s data watchdog has banned Google’s Workspace productivity suite amid growing fears that the tech giant’s products are not compatible with GDPR. It is the latest European regulator to rule that Google’s international data transfers are in breach of the bloc’s data protection laws in recent months.
The ruling from the Danish Data Protection Agency, Datalisynet, follows a risk assessment of personal data processing by primary schools in the Helsingør municipality, in North Eastern Denmark.
From 3 August, public sector organisations in the region will be banned from using Google Workspace, which includes GMail and the Google Docs suite of apps, as well as its Chromebook laptops. Those who do not comply with the ban could face jail time as a result.
Though the ruling initially applies only in Helsingør, it is likely to be extended across the country to every Danish municipality using Google systems as more investigations are carried out.
Why is Denmark banning Google from its public sector?
Datalisynet’s investigation concluded that personal data on Danish citizens using Workspace and Chromebooks was being transferred to US-based servers without the appropriate level of anonymisation, and is thus incompatible with GDPR.
Data transfers between Europe and US have technically been illegal since the ruling in the so-called Schrems II case in 2020, which found an existing agreement between the US and Europe, the Privacy Shield, was not compatible with GDPR. This is because US law allows its government to requisition client data from companies on national security grounds, something which is prohibited under GDPR.
Since then companies have been relying on a different legal instrument, standard contractual clauses (SCCs), for transatlantic data transfers, which offer increased protection. But the legitimacy of these remains largely untested in court, and a new agreement, the Trans-Atlantic Data Privacy Framework, was brokered earlier this year. At present, it only exists at a political, rather than legal, level, and is likely to be challenged by privacy campaigners if and when it comes into force.