Can you go to jail for a GDPR violation?
Yes! You have already read numerous times about the crippling fines for GDPR violations. Under Article 83(5) these can reach €20 million or 4% of total worldwide annual turnover, whichever is higher.
But you probably did not know that a violation can also lead to jail time.
On the 3rd of August 2022, the Danish Data Protection Authority put into effect [1] a ban on the use of Google Chromebooks and Google Workspace for Education by the Danish Municipality of Helsingør.
...the Data Protection Agency considers that there are grounds to issue Helsingør Municipality with a ban on processing personal data when using Google Chromebooks and Workspace for Education. The prohibition applies until the Municipality of Helsingør has brought the processing activity into compliance with the GDPR...
Reading further, the gravity of the measure becomes clear:
Violation of a prohibition issued by the Data Protection Authority is punishable under Section 41(2)(4) of the Data Protection Act by a fine or imprisonment for up to six months, cf. Section 41(1).
Six MONTHS! Violating this ban can result in imprisonment for up to six months.
Nearly a year ago, we wrote about the impact and scale of GDPR fines on businesses, institutions, and even individuals. In this case, the consequences of a data protection violation are far more severe than a fine.
What is the basis for such a harsh decision?
The Danish DPA, the Datatilsynet, conducted a lengthy review of how Danish municipalities use Google Chromebooks and Google Workspace. Already back in September 2021, the use of Chromebooks and Workspace in schools was widespread nationwide.
After reviewing the documentation and the risk assessment submitted by the Municipality of Helsingør, the Datatilsynet concluded that the municipality's processing of pupils' personal data does not comply with the GDPR.
The Municipality of Helsingør required pupils to use Google Chromebooks and Google Workspace for Education. The DPA's decision is clear: as deployed by the municipality, neither Google Chromebooks nor Google Workspace for Education provided sufficient protection of the pupils' personal data, and the processing was unlawful.
The DPA ordered the municipality to suspend transfers of personal data to the third country (the United States) until adequate protection is in place, and banned processing with Google Chromebooks and Google Workspace for Education until the processing is brought into compliance. In practice, this stops the use of Chromebooks and Workspace in the municipality's schools.
The municipality had produced a long and detailed risk assessment of its use of Google's systems. Notably, the assessment does acknowledge the risk of pupils' data being accessed by U.S. authorities in violation of EU citizens' rights, but it rated the likelihood of such access as low. The DPA did not accept that reasoning.
Is Google stealing kids' and students' data for marketing purposes?
The decision by the Danish Data Protection Authority introduces novel reasoning into the data privacy discourse.
The authority leans on the commonly known fact that Google's core business is advertising technology. The concern it expresses is that the systems behind Chromebooks and Google Workspace for Education are, in part, shared with the services Google uses to collect information and build targeted advertising.
Relying on this general knowledge lets the authority discount the assurances Google gives in its contracts and documentation. Google, to this day, claims that its services can be used in compliance with the GDPR, despite several rulings asserting otherwise.
Schrems II strikes again
A significant part of the decision revolves around the transfer of data to the United States.
At first, you might wonder why this is the case. After all, the Danish municipality used Google's EU-based cloud regions. On closer investigation by the DPA, additional details emerged: Google clarified that, under the agreement, it may transfer data to sub-processors and affiliated entities, and a significant share of those entities are located in the U.S.
The transfers to these U.S. entities are meant to be protected by Standard Contractual Clauses (SCCs), the EU-approved mechanism under Article 46 GDPR for transferring personal data to a third country.
There is a caveat, though. SCCs alone are insufficient if the third country's legislation allows its authorities to access the data in ways that undermine the protections the clauses promise, unless the exporter adds supplementary measures that actually keep the data out of reach (for example, encryption where the keys never leave the EU). The CJEU's Schrems II judgment (C-311/18) found that U.S. law does undermine those protections, chiefly because of FISA Section 702.
FISA Section 702 (FISA 702) authorizes the U.S. Government to obtain information about persons who are not U.S. citizens, etc. ("non-U.S. persons"), and who may reasonably be expected to be outside the United States, for the purpose of collecting foreign intelligence information ("foreign intelligence information"). This is done by issuing directives to "electronic communications service providers" to disclose or cause to be disclosed personal information sent to or received from a "selector", with a portion of these communications also being disclosed to law enforcement authorities. [2]
We have described our own journey to an EU-only web analytics service. We know first-hand that, while challenging, it is possible to build a service that guarantees control over data transfers. Wide Angle Analytics provides the only fully EU-hosted SaaS web analytics, down to details such as our email system and support platform.
In yet another blow, the Danish Data Protection Authority's decision makes clear that using Google's services lawfully under the GDPR is very difficult, and that even a thorough risk assessment does not by itself legitimise transferring personal data to Google's U.S. entities.
If you fail to adhere to the GDPR, you face fines and, as this case illustrates, even jail time.