Iceland Data Protection Authority Reviews Child Data Protection Practices
On December 6, 2023, Persónuvernd, Iceland's data protection authority, announced several decisions following an audit of the largest local governments' use of cloud services in elementary schools. The audit focused on how Google's education platform (Google Workspace for Education) handled the personal data of elementary school students. The authority issued five fines; the penalties are summarized below.
City of Hafnarfjörður
Persónuvernd issued decision number 2022020415, fining Hafnarfjörður Municipality 2.8 million Icelandic Króna (about $20,430) for violating the privacy and personal data processing legislation (hereinafter referred to as the Act) and the General Data Protection Regulation (GDPR). The investigation found that Google's processing of elementary students' personal data went beyond the instructions given by Hafnarfjörður Municipality, and that the processing was not limited to the purposes defined by the local government. The municipality was therefore found in violation for:
- Failing to fulfill its obligations in selecting Google as a data processor, violating Articles 9, 23, and 25(1) of the Act and Articles 5, 24(1), and 28(1) of the GDPR;
- Not ensuring that the data processing agreement met the requirements of Article 23(3)(a) of the GDPR and Article 25(3) of the Act;
- Not clearly specifying the purpose of individual processing operations and ensuring that students' personal data were not used for incompatible purposes, violating Article 8(1) of the Act and Articles 5(1)(c) and 6(4) of the GDPR;
- Failing to fulfill obligations regarding storage limitation and default data protection, violating Articles 8(1) and 24(2) of the Act and Articles 5(1)(e) and 25(2) of the GDPR;
- Failing to fulfill obligations regarding data minimization and built-in and default data protection, violating Articles 8(1), 24(1), and 24(2) of the Act and Articles 5(1)(c), 25(1), and 25(2) of the GDPR;
- Not conducting a Data Protection Impact Assessment (DPIA), violating Articles 35(1) and 35(11) of the GDPR and Article 29 of the Act, and therefore failing to fulfill its obligations under Article 24(1) of the GDPR and Article 23 of the Act. Additionally, the municipality's existing assessments did not meet the requirements of Articles 35(7)(a) and 35(7)(c) of the GDPR and Article 29(1) of the Act; and
- Failing to ensure the secure transfer of personal information to the United States, violating Article 46 of the GDPR.
Considering the above, Persónuvernd fined Hafnarfjörður Municipality 2.8 million Icelandic Króna and ordered it to rectify its practices so that the municipality's processing of children's personal information complies with privacy legislation.
City of Reykjavík
Persónuvernd, in case number 2022020363, fined the City of Reykjavík 2 million Icelandic Króna (about $14,560) for violating the privacy and personal data processing legislation and the GDPR. The authority reviewed the use of Google's cloud solutions in elementary school activities, focusing on the protection of children's personal information. It found that the City of Reykjavík's use of Google's education platform to process children's personal data in its elementary schools likewise did not comply with privacy regulations, as reflected in the following:
- Failing to fulfill its obligations when assessing and deciding to use Google for data processing (Articles 8, 23, 25(1) of the Act, and Articles 5, 24(1), 28(1) of the GDPR);
- Data processing agreements with Google not complying with privacy law (Article 28(3)(a) of the GDPR and Article 25(3) of the Act);
- Not clearly specifying the purpose of individual processing operations and ensuring that students' personal data were not used for incompatible purposes, violating Article 8(1) of the Act and Articles 5(1)(c) and 6(4) of the GDPR;
- Failing to adhere to the principle of minimization and built-in and default data protection systems (Articles 8(1), 8(3), 24(1), 24(2) of the Act, and Articles 5(1), 25(1), 25(2) of the GDPR);
- Failing to meet the minimum requirements for processing impact assessments (Article 29(1) of the Act and Article 35(7) of the GDPR);
- Failing to ensure the secure transfer of personal data to the United States (Article 46 of the GDPR).
Consequently, Persónuvernd fined the City of Reykjavík 2 million Icelandic Króna and demanded that it rectify the processing of children's personal information in all elementary schools across the city to comply with regulations.
City of Kópavogur
In decision number 2022020414, Persónuvernd fined Kópavogur Municipality 3 million Icelandic Króna (about $21,860) for violating the privacy and personal data processing legislation (the Act) and the General Data Protection Regulation (GDPR). The authority found that Kópavogur Municipality's use of Google's education platform in elementary schools to process children's personal data did not comply with privacy regulations, specifically:
- Failing to fulfill its obligations when assessing and deciding to use Google for data processing (Articles 8, 23, 25(1) of the Act, and Articles 5, 24(1), 28(1) of the GDPR);
- Not complying with processing agreements with Google (Article 28(3)(a) of the GDPR and Article 25(3) of the Act);
- Not clearly specifying the purpose of individual processing operations and ensuring that students' personal data were not used for incompatible purposes, violating Article 8(1) of the Act and Articles 5(1)(c) and 6(4) of the GDPR;
- Failing to adhere to the principle of minimization and built-in and default data protection systems (Articles 8(1), 24(1), and 24(2) of the Act, and Articles 5(1)(c), 25(1), and 25(2) of the GDPR);
- Failing to fulfill storage limitation and default data protection obligations (Articles 8(1), 8(5), and 24(2) of the Act, and Articles 5(1)(e) and 25(2) of the GDPR);
- Not conducting timely impact assessments and complying with existing assessment requirements (Articles 29(1) and 23 of the Act, and Articles 24(1), 35(1), 35(7), and 35(11) of the GDPR);
- Failing to ensure the secure transfer of personal data to the United States (Article 46 of the GDPR).
Given the above, Persónuvernd imposed an administrative fine of 3 million Icelandic Króna on Kópavogur Municipality. Persónuvernd also stated that if Kópavogur Municipality wishes to continue using Google's cloud services, it must rectify its existing violations to make the processing of children's personal information comply with privacy regulations.
City of Reykjanesbær
In case number 2022020416, Persónuvernd fined Reykjanesbær Municipality 2.5 million Icelandic Króna (approximately $18,210) for violating the privacy and personal data processing legislation, as well as GDPR provisions. Persónuvernd found that Reykjanesbær Municipality's use of Google's education platform in elementary schools to process children's personal data did not comply with privacy regulations, citing the following violations:
- Failure to fulfill its duty when deciding to use Google as a data processor (Articles 8, 23(1), and 25 of the Act and Articles 5(1), 5(2), and 25 of the GDPR);
- Non-compliance of the processing agreement with Google with privacy regulations (Article 28(3)(a) of the GDPR and Article 25(3) of the Act);
- Lack of clarity in processing purposes and incompatible processing (Articles 8(1) and 8(2) of the Act and Articles 5(1)(b) and 6(4) of the GDPR);
- Failure to adhere to the principle of data minimization and built-in and default data protection systems (Articles 8(1), 8(3), 24(1), and 24(2) of the Act and Articles 5(1), 25(1), and 25(2) of the GDPR);
- Failure to comply with storage limitation and default data protection obligations (Articles 8(1), 8(5), and 24(2) of the Act and Articles 5(1)(e) and 25(2) of the GDPR);
- Not conducting timely impact assessments and not meeting minimum requirements of existing assessments (GDPR Articles 29(1), 23, 35(1), 35(11), 24(1), 35(7));
- Failure to ensure secure transfer of personal data to the USA (GDPR Article 46).
Consequently, Persónuvernd imposed a 2.5 million Icelandic Króna fine on Reykjanesbær Municipality and ordered it to rectify these issues so that the processing of children's personal information in all of its elementary schools complies with regulations.
City of Garðabær
In case number 2022020418, Persónuvernd fined Garðabær Municipality 2.5 million Icelandic Króna (approximately $18,210) for violating the Act and the GDPR. Persónuvernd found that Google's processing of the personal data of elementary school students went beyond the scope directed by Garðabær Municipality, nor was the processing limited to the purposes defined by the municipality. Persónuvernd identified the following violations by Garðabær Municipality:
- Failure to fulfill its duty in choosing Google as a data processor, violating GDPR Articles 26, 29 and the Act Article 23;
- Not ensuring that data processing with Google remained within the scope of personal data processing directed by Garðabær Municipality, violating GDPR Article 28 and the Act Article 25;
- Not ensuring that personal data processing complied with the principles of legality, fairness, and transparency, violating GDPR Article 5 and the Act Article 8;
- Failure to fulfill processing obligations related to purpose limitation, storage limitation, data minimization, and privacy protection, violating GDPR Articles 5, 32;
- Not conducting an impact assessment that meets the minimum requirements of GDPR Article 35;
- Google's transfer of personal data to the USA lacked sufficient protective measures.
In light of these findings, Persónuvernd imposed a fine of 2.5 million Icelandic Króna on Garðabær Municipality and ordered it to rectify these violations.
These rulings by the Icelandic data protection authority, Persónuvernd, against local governments for privacy and personal data processing violations in their use of Google Workspace for Education send a significant compliance message. The cases underline the privacy and data protection standards that organizations must meet when selecting and using third-party cloud service providers, as well as the strict enforcement stance of regulators. They also serve as a reminder to businesses going global that compliance is not only a legal obligation but also key to building consumer trust and maintaining competitiveness. Companies entering international markets must thoroughly understand and adhere to local privacy laws and data protection standards – this includes not only understanding and complying with the European General Data Protection Regulation (GDPR) but also similar laws in other regions and countries, as these Icelandic cases demonstrate, to avoid unnecessary financial and reputational risks.
Other resources:
1. https://www.personuvernd.is/personuvernd/frettir/uttektir-a-skyjathjonustu-google-i-grunnskolastarfi
2. https://www.personuvernd.is/urlausnir/uttekt-a-notkun-gardabaejar-a-skyjalausn-google-i-grunnskolastarfi