What just happened? After deliberating for around four years, Denmark's data protection agency, Datatilsynet, has finally ruled that Google cannot easily access students' personal data. The US corporation is prohibited from exploiting children's data for commercial purposes.

Four years ago, Jesper Graugaard alerted Datatilsynet that his children's data was being sent to Google through Chromebook devices and other internet services. The Danish data protection authority has now decided that personal data must be treated with due respect for Denmark and the EU's privacy laws (GDPR), and that the current transfer process must stop.

According to Datatilsynet's decision, municipalities have confirmed that personal data belonging to primary school students has been collected by Google, and Google has used such data for its own (commercial) purposes. The authority has now ordered 53 municipalities across Denmark to change the data processing practices, potentially hindering Google's ability to offer its services in the first place.

In particular, schools are ordered to stop the transfer of their students' personal data to Google if there isn't a clear legal basis for the transfer. They also have to check (and document) how personal data is processed before using digital tools like Google Workspace and ensure that Google won't process data for non-compliant purposes.

Local municipalities will have until August 1 to comply with Datatilsynet's order, but they must explain how they intend to comply by March 1. Google can still use students' data to provide its services, enhance security and reliability, and fulfill other legal obligations.

What Google cannot do anymore, the data protection agency explains, is process data for improving Google Workspace, ChromeOS, and the Chrome browser. The corporation will not be able to legally use personal data for performance measurement or feature development.

Datatilsynet notes how modern IT services are essentially built to facilitate personal data transfer and processing, and personal data transfer is often the prerequisite for getting the "full benefits" of productivity and educational products, and that the products aren't always focused on protecting the privacy of citizens the data belongs to.

However, nothing can justify Google's inability to comply with data protection rules enforced in Europe, Datatilsynet says. The authority is not banning the use of Chromebooks and Google services from Denmark's schools right away, but Mountain View could be forced to stop providing its educational products in the country anyway.