Final Decision on Chromebook Case in Denmark
This week saw a conclusion on the Danish Chromebook case. The result, long-awaited by father and privacy activist Jesper Graugaard, shows that the Danish Data Protection Authority has issued an injunction regarding the tracking of children's personal data via Chromebook and Google platforms in schools.
From 1 August 2024 onwards, Danish schools will no longer be allowed to enable Chromebooks and Google platforms to collect students' personal data for processing. Each municipality will need to give an indication of how they will comply to this injunction by 1 March 2024.
For activist Graugaard, the decision comes as a relief. He began his crusade against Chromebooks in school in his home town Elsinor over four years ago. While this week's report makes no reference to Jesper's initiatives, it is clear that this injunction could not have been issued without his tireless and sometimes solitary activism.
Hopefully the Danish Chromebook case's conclusion will draw attention to the unchecked intrusion of data mining companies into schools in other countries within Europe, and worldwide. It would be good to see checks on Google's dominance in schools, currently achieved via attractively priced hardware and free proprietary platforms built for this purpose.
And on a personal note: Congratulations, Jesper!
I interviewed Jesper Graugaard in October of 2023, when results of his case were pending. Those interviews can be read here and here.
These interviews were reworked and published as an article titled 'The fight for privacy in Danish schools' on the Freedom Tech blog, managed by Seth for Privacy, shortly after that.
In my communication with Jesper I learned how it all started when he, a parent with an open-minded stance towards IT in schools, discovered his child's data was being made public via a Google account set up by the school.
Over the years, Jesper has been determined to explore avenues for protest against Google, for drawing attention to the misuse of students' personal data, and for taking action against it. His story shows that one person's critical questions and actions can impact what feels like a mammoth and immovable industry.
The English translation of the full report on the injunction by the Danish Data Protection can be read here.
Here are a few key points:
In the case of the use of Google Workspace in the primary schools, the Danish Data Protection Authority assesses that there is no authority to pass on personal data to Google for all the purposes that are passed on today. Therefore, the Danish Data Protection Authority is now giving an order to the municipalities to bring the processing in line with the rules and indicates various ways in which this can be done.
Therefore, the Danish Data Protection Authority gives an order to the municipalities to bring the processing in line with the rules by ensuring that there is authorization for all the processing that takes place. This can happen, for example, by:
• That the municipalities no longer pass on personal data to Google for these purposes. This will likely require Google to develop a technical option for the data streams in question to be intercepted.
• That Google itself refrains from processing the information for these purposes.
• That the Danish Parliament provides a sufficiently clear legal basis for disclosure for these purposes.
The municipalities must comply with the order from 1 August 2024, but must indicate how they intend to comply by 1 March at the latest.
The original Danish text is here.
This is, at first sight, a positive outcome for the protection of children's data in Denmark, and at least a warning signal to companies hoping to introduce their products to each new generation of children via schools. With the 1st of March date not far off, the order should enforce a quick response from educational boards in each municipality.
Response so far
After the final decision was made, Jesper's case—he refers to it as the 'Chromebook saga'—suddenly received a lot of attention. On his LinkedIn profile, he wrote earlier this week:
Suddenly LinkedIn exploded, the phone rang almost non-stop and the rest of my day disappeared in an ocean of documents, conversations with journalists, tech people, LinkedIn connection requests, congratulations, articles, analyses and a tide of opinion and thoughts. 4 ½ years of hard work to keep a case current, which I am personally passionate about and have carried forward - often alone -, was about to culminate. (edited)
Reading through his comments, one also senses a dose of realism and caution. The day after publication of the decision, Jesper posted a translation of an article by journalist Peter Christian Bech-Nielsen from Techmediet Radar, which asks critical questions about the unnecessary four-year length of the case, and explores the possibility large data companies might try to avoid taking real steps to change the way data is currently transferred.
Meanwhile, Camilla Ley Valentin, the Director of DI Digital, the lobby organisation representing IT businesses in Denmark, posted this response from the side of the tech companies:
But I cannot help but wonder about the decision that has landed. Because in this case, we are not talking about sensitive data relating to the individual child, which is used, for example, for marketing.
The case concerns pseudonymized and aggregated usage data, such as data to measure a browser's performance or data to assess whether a button in a digital solution works better if it is green rather than blue.
A regular listener to The Surveillance Report and the Firewalls Don't Stop Dragons podcasts, I am skeptical about such dismissive statements from the world's wealthiest companies. It is often discovered after the fact that data companies were furtively collecting more data than promised. Listening to the news items on these podcasts, it also seems difficult to truly anonymise data and remove the potential for cross referencing with other data sets.
We will have to see where all of this leads.
Are there solutions?
Having worked in schools for many years, I can imagine the education departments in the municipalities affected by the decision will be scrambling to find ways to avoid halting the use of Chromebooks in schools.
One might be inclined to sympathise. What is wrong, after all, with making computers widely available in schools? But as Jesper has often pointed out to me, Danish schools and educational boards have known about his case and the potential illegality of the practice for years now, yet have made no effort to think of a 'plan B', should the verdict land on the side of protecting the rights of children.
Google will want to keep this case low profile, as Chromebooks are used in schools all over the world. The Danish Data Protection Authority suggests that a possible solution would be for Google to create a new tool that intercepts children's data before it is sent to their servers. It is unlikely Google will want to develop such a tool, given they make money on personal data. However, seen from Google's perspective, they have already made big gains by establishing their products and platforms as the standard in schools worldwide.
Journalist Peter Christian Bech-Nielsen, mentioned earlier, also suggests looking into local IT companies—Magenta and Semaphore—that might already be ready to provide open source alternatives to the Google educational platforms.
Why not Linux?
I don't see why educational ministers and boards world-wide haven't embraced user-controlled Linux for schools. If the argument for the use of Chromebooks in schools is the low cost, well, then there is no argument, because open source desktop Linux software is free. If the concern is getting the hardware, then I say: Look to hardware refurbishing companies and organisations. Laptops deemed outdated for corporate use can easily be adapted for an additional five years of school use1 by installing a Linux distro on them and running free, open source software like LibreOffice. Chrome can be replaced with Firefox and DuckDuckGo, and school platforms can run on an open source platform like Nextcloud.2
Using refurbished hardware in schools is cheap, good for the environment, creates new IT jobs and introduces new generations of young people to recycling and to open source software. If managed well, open source is secure, and light on hardware resources. As a teacher, I have had to use educational IT services and devices for many years, and I do not see a downside to using Linux for these purposes.3
I want to conclude with Jesper's own thoughts on the future of his case. I appreciate he was able to find the time during his hectic week to respond to my emails and questions.
Here's Jesper today:
I will attend a professional course in GDPR, normally intended for Data Privacy Officers, as I feel it's important to me to get deeper into the way DPOs think and work. Also, I am trying to understand where my legal rights are in this mess. Not that I plan to sue the state or municipality for immaterial damage; but I want to understand why the rights of the citizen are sidelined in this case. There seems to be place where I, as a citizen, can hand over responsibility.
It's now official that the children have been using illegal technology for years, but the only result thus far is that those responsible are getting more time to fix the problem. Via journalists who have access to documents we know that the Municipalities' Land Association (KL) has sent some of the documents twice, thereby prolonging the proceedings. They have made children continue to use Chromebooks for nearly ten years now, with four-and-a-half of those ignoring the newly introduced GDPR regulations affecting children aged six and up. The case concerns hundreds of thousands of children nationwide using only one specific main provider: Google. We still have nearly 50% of the rest who use products from different providers, such as Microsoft and Apple.
So what's next?
The question is:
How can it be politically acceptable that:
Children have been illegally using a specific technology close to 50% of the time for nearly a decade?
This concerns a minimum 50% of all children in Denmark's public schools aged 6-18?
They all shared their personal data with at least one Big Tech company for ten years without the consent from themselves or from their parents?
Possible outcomes that I foresee are:
Municipalities will finally find a technical solution and then proceed legally (But why haven't they done this already?)
Google and other global data companies will adapt to follow Danish law
The government changes the law so what's illegal today will be legal tomorrow
No matter what happens, Danish children seem to have no legal rights; all they can do is sit and wait.
Someone posted my article on HN, where it gained some traction. The discussion can be read here.
Someone has posted about the issue on r/Denmark. The discussion is in Danish and can be read here.
I found this comment (translated) interesting:
There are alternatives to Google Workspace that municipalities could use: https://oscampus.dk/. Compared to their Chromebooks, it's not even because they need to be scrapped. You could re-install them with the Danish OS2BorgerPC: https://www.os2.eu/os2borgerpc
Some of these links lead to the LinkedIn platform.
DPA decision in Danish and related article
English translation of the full report on the injunction by the Danish Data Protection
"The day after the Danish DPA decision In the Chromebook saga" (LinkedIn post by Jesper Graugaard with link to English translation of Peter Christian Bech-Nielsen article)
Jesper Graugaard on LinkedIn
Peter Christian Bech-Nielsen on LinkedIn
Camilla Ley Valentin's statement on LinkedIn
Magenta and Semaphore (open source platforms)
The fight for privacy in Danish schools (freedom.tech)
My interviews: "Jesper Graugaard's Fight Against Chromebooks in Danish Schools
2022 Wired article
Nextcloud for schools
-----Discuss on Reddit-----
Subscribe to my blog via email or RSS feed.
Find me on Mastodon and Twitter.
Back to Blog
An added advantage here is that such refurbished laptops would likely have more hard disk space than Chromebooks (which rely entirely on cloud-based storage), hence removing the reliance on WiFi throughout the day. Any student, teacher or parent reading this will know that WiFi connectivity in schools can be woeful at times.↩
The Nextcloud site has a section about using their software in schools.↩
Some IT personnel in school's I have worked in told me they would prefer a switch to desktop Linux, but that it is often the school's management who are hesitant about ending contracts with Microsoft, Google and other commercial platforms and otherwise rocking the boat in any way.↩