Denmark: Ban on the use of Chromebooks and Google Workspace by municipalities

In a decision dated July 14, 2022, the Danish data protection supervisory authority, Datatilsynet, commented on the use of Google products by a municipality and in particular on the transfer to the USA:

Background and prohibitions

The background was the use of Chromebooks from Google and Google Workspace by Danish municipalities, in this case the municipality of Helsingør. In September 2021, the Danish authority had instructed the municipality to conduct a risk assessment in this context, which, depending on the outcome, would lead to an actual data protection impact assessment.

The municipality had submitted a corresponding assessment in November 2021, which rated the risk of personal data being used in breach of contract, e.g. for marketing or other further purposes, as low.

The risk of transfer to the USA was also rated as low. The contractual partner of the municipality was Google Cloud EMEA Ltd. and personal data was only stored in the EEA. It is clear from the considerations of the authority that the municipality presumably relied on the TIA form by David Rosenthal. However, remote access for support purposes by Google LLC in the USA was not excluded (whereby Google uses the SCC internally within the group – see our contribution on the implementation of the SCC).

Based on this assessment, the Authority has now made the following disposition:

  • the municipality is prohibited from processing personal data with Chromebooks and Google Workspace for Education until this processing activity has been brought into compliance with the GDPR;
  • any transfer of personal data to the USA is suspended until the municipality proves that the GDPR is complied with in the process;
  • the municipality had to deactivate users and rights and delete transferred data, with an implementation period;
  • a breach of these orders may be punishable by a fine or imprisonment of up to six months (this is because Danish law does not allow fines under the GDPR but provides for individual fines or imprisonment; see Rec. 151 of the GDPR and Art. 41 f. of the Danish Data Protection Act).

Interestingly, the authority did not issue any fines, but only threatened them in case of non-compliance. As far as can be seen, the Italian, Austrian and French authorities also did not impose any fines in their post-Schrems decisions – perhaps a residual understanding that these prohibitions take only limited account of reality.

Key results

The authority’s stance can be described as extraordinarily strict in all respects. This applies not only to the issue of transfers to the U.S., where the zero-risk approach agreed throughout Europe is followed (see below), but also to other points, such as the requirements for documenting risks and conducting a data protection impact assessment.

It is striking that although the authority imposes far-reaching conditions (for example, the municipality should not simply rely on the contractual prohibition of misappropriation of data by Google, TOMs are also required – apparently the authority does not consider Google to be faithful to its contracts), it hardly justifies this in legal terms. It essentially contents itself with references to Art. 5(2) (accountability) and to the black box of Art. 24 GDPR, which circumscribes the “responsibility of the controller” in a general way that can therefore be connected to any opinion.

As with many other decisions by data protection authorities, the impression arises that an authority is pursuing a maximum approach, which it legitimizes not dogmatically, but with its sense of mission. This turns a law-applying authority into a political one. If courts do not intervene and do not place the decisions – regardless of the outcome – on a legally sustainable basis, this can ultimately only be described as a breach of the constitution, namely a breach of the separation of powers. From this perspective, the FDPIC’s restraint, which has been noted on various occasions, is beneficial.

Findings on the management of risks

  • Insufficient risk assessment: The risk assessment of the municipality of Elsinore had generally not fully considered some scenarios, especially of a technical nature.
  • No sufficient mitigation of the misappropriation risk: With regard to the risk of misappropriation of the data by Google, it should be noted that a misappropriation by Google was contractually excluded. Nevertheless, the municipality had not sufficiently documented that compliance with the GDPR was ensured by Google as a processor. It was not enough to rely only on contractual guarantees (!). Rather, the municipality should have evaluated technical or organizational measures to mitigate the risk of misappropriation.
  • No performance of a DPIA: Any risk that has a strong impact on the rights and freedoms of data subjects requires a data protection impact assessment, even in the case of a relatively low probability of occurrence.

On the transfer to the USA

Duties of the controller

The starting point here was the fact that although Google stores the municipality’s personal data only in the EEA, it can, according to Google’s list, also use subcontractors outside the EEA, including in the USA.

Here, the authority takes the position that the controller must have a legal basis for the transfer to third countries, including a transfer for support services.

In particular, both the controller and the processor are obliged to ensure such a legal basis, even if the processor has concluded the SCC with a subcontracted processor in a third country. However, it is not entirely clear here whether the controller only has a corresponding documentation obligation or an original obligation to ensure the legality of the onward transfer by the processor.

TIA: Access risk assessment

In its TIA, the municipality had considered, among other things, that FISA 702 did not permit access to data when the access targets a US person, i.e. a person (including a company) who is in the USA at that time (§1881a(b)). This excludes access at Google LLC, because the relevant data is transmitted to Google LLC and thus to a US person.

The data protection authority does not agree with this argument. In its view, this restriction applies only if the purpose of the data access is to collect information about US persons, not if information is collected at US companies:

After reviewing the legal restrictions on the collection of information under FISA 702, the Privacy Board believes that the restrictions [in §1881a(b)] are intended to prevent the collection, both directly and indirectly, of information about US persons, including companies, by preventing these persons from being the target of the collection.

According to the Danish Data Protection Authority, the restrictions therefore do not apply if and to the extent that Danish citizens or the municipality of Helsingør as a whole become the subject of data collection under FISA 702.

In addition, the EDPS believes that FISA 702, by its very purpose, provides a legal basis for U.S. law enforcement agencies to obtain information about foreign persons who may be reasonably believed to be outside the U.S. for the purpose of collecting foreign intelligence information.

Against this background, the DPA considers that the personal data transferred to Google LLC could be obtained by US law enforcement authorities. In doing so, the EDPS has taken into account the fact that Google LLC is to be considered an “electronic communications service provider” and that the personal data transferred to Google LLC concerns the students and employees of the municipality, i.e. Danish citizens.

Requirements for the level of protection in the destination country

As far as the required level of protection is concerned, it follows from the Schrems II ruling of the ECJ that

a level of protection for personal data must be ensured in the third country concerned which essentially corresponds to the level of protection within the EU/EEA.

According to the authority, this requirement apparently applies not only to the question of whether a state has an adequate level of protection, but also to transfers based on the standard contractual clauses. It justifies this – not explicitly, but in context – with Art. 44 GDPR:

Any transfer of personal data […] shall be permitted only if the controller and processor comply with the conditions set forth in this chapter […]. All provisions of this chapter shall be applied to ensure that the level of protection afforded to natural persons by this Regulation is not undermined.

This in turn means that

any transmission must be subject to adequate safeguards. Thus, it is not sufficient that almost all transfers or a certain percentage of transfers enjoy the protection of the Regulation, unless this is provided for in the Regulation.

Here the zero-risk approach has probably now reached the Danish supervisory authority as well. This is an unusual view – it can perhaps be paraphrased as follows: If a residual risk of an authority access of 2.5% is accepted, statistically 2.5% of the transmissions do not enjoy sufficient protection, which is why a sufficient level of protection is lacking in this respect. This is not what the authority says, but the statement that every transmission, and not only almost every one, is in need of protection can hardly be understood otherwise.

Lack of additional measures

The Authority therefore concluded that supplemental protective measures were required in addition to the SCCs, notwithstanding the municipality’s risk assessment:

Therefore, the EDPS considers that the transfer of the data in question in the United States is subject to conditions that prevent the standard contract used as the basis for the transfer from being an adequate means of ensuring a level of protection substantially equivalent to that in the EU/EEA. The municipality of Elsinore is therefore obliged to ensure that additional measures are taken to bring the level of protection up to the required level.

However, such measures are said to be missing here. The encryption of the data was not sufficient. Apparently it was possible for Google LLC to access data in plain text, according to the account of the municipality itself (the key was managed by Google EMEA, but decryption was apparently required in the support case).