email and google cloud “not eligible”
student privacy must be protected
In a statement published in mid-July, the Danish data protection agency expresses “serious criticism and prohibitions… the use of google workspace”.
based on a risk assessment for the municipality of helsingør, the data protection authority concluded that the processing of pupils’ personal data does not comply with the requirements of the gdpr and must therefore be stopped.
The ban is effective immediately. Helsingør has until August 3 to delete the student’s data and start using an alternative cloud solution.
“the municipality of helsingør has done an excellent and skilled job of mapping how personal data is used in primary school, but also highlights the data protection legal issues that can arise with the way big tech companies They solve the task.” says allan frank, IT security specialist and lawyer at the danish data protection authority.
privacy protection invalidated
This decision follows similar decisions by the Dutch and German authorities.
The problems that government institutions are facing began with the invalidation of the privacy shield in 2020.
privacy shield has been a data transfer agreement between the us. uu. and the European Union and was supposed to make data transfers between the two legally possible. however, the agreement has been declared invalid by the european court of justice (ecjt) in 2020 due to privacy issues.
a major problem pointed out by the eu court is that the data of foreigners is not protected in the us. uu. the protections that exist, however limited, only apply to us, the citizens. The NSA can gain complete access to any and all data on non-US citizens of US companies at any time. In addition, non-U.S. data subjects uu. They have no actionable rights in court against US authorities. uu., which violates the “essence” of certain fundamental rights of the eu, concluded the tjce.
the data processing agreement is not enough
After the invalidation of the privacy shield, US cloud services became dependent on data processing agreements with their European customers.
however, this practice is highly questioned among data privacy experts, particularly with regard to its legality.
The statement now issued by the Danish Data Protection Authority proves this once again. complains, among other things, that
“the data processing agreement establishes that the information can be transferred to third countries in situations of support without the required level of security”.
The decision summarizes four main issues:
-
suspension of the municipality of helsingør that carries out the information processing when this information is transferred to third countries without the necessary level of protection.
a blanket ban on processing with google workspace until proper documentation and impact analysis has been carried out and processing is GDPR compliant.
serious criticism of the processing of personal data by the municipality.
Many of the conclusions of this decision will likely apply to other municipalities that use the same processing structure. these municipalities are expected to take appropriate action themselves based on the decision.
google analytics is also illegal in europe
This latest decision comes after data privacy watchdogs in France and Austria ruled it illegal for European websites to use Google Analytics to track visitors due to a breach of regulations. European data privacy regulations.
also here the problem is that personal data is transferred to the united states for processing without the consent of website visitors.
consequences for the Danes, Dutch & german schools
according to statements from the danish, dutch and german privacy watchdogs, schools in denmark, the netherlands and germany cannot use google email or cloud services.
While statements by Danish, Dutch and German privacy watchdogs are mostly about pressuring US tech companies to finally adhere to strict European privacy standards, it would be preferable to have a true alternative to microsoft, google and apple. . that’s what tutanota is building right now. Started with secure emails, tutanota today also offers an encrypted address book, encrypted calendar, and secure connection encrypted contact form. Many more features are planned, such as an encrypted drive, and we estimate that in a few more years, we can offer encrypted groupware with the utmost respect for user privacy.
European alternative
European schools can now wait until Big Tech fixes their privacy issues. or they can start looking for European alternatives. the latter will have a great positive impact on europe and on europeans as a whole:
-
The European technology business is getting stronger and can establish an alternative to the big technology companies.
the data of European citizens is being protected in accordance with the gdpr.
The data is stored in Europe and no data transfer takes place.
tutanota, for example, meets all the requirements that a European school would want to protect the confidential data of students, teachers and parents. many schools, particularly in germany, are already using tutanota.
“In a very sensitive business environment, we have chosen tutanota among several encryption programs. tutanota impresses with its extremely simple application. even non-technical colleagues can encrypt sensitive text and attachments in accordance with data protection regulations. simple administration, immediately accessible and always friendly experts and a fair price also stand out,” says dietmar kopp, maria-montessori-school.
In addition to complying with strict data protection regulations, all data at tutanota is stored encrypted on German servers. Therefore, Tutanota is fully GDPR compliant.
-