The fight for privacy in Danish schools

I learned about Jesper Graugaard’s activism against Chromebooks in Danish schools through my work on The Privacy Dad blog. Our shared interest in privacy and data protection in schools led to a collaboration in the form of an interview which was published in two parts.

Below is an abridged version of that interview. Some questions refer to a 2022 Wired article about Jesper’s case, which can be found here. It provides an excellent overview of the Elsinor Chromebook case.

As a parent, teacher, and privacy advocate, I greatly admire what Jesper is doing and hope his case against Google will garner more attention. A win for privacy in schools in Denmark could set a positive precedent for Europe and the rest of the world.

You can find Jesper on LinkedIn.

When did you first begin to have concerns about your children’s privacy in school?

I never imagined that privacy would be a problem in schools until the Chromebook came into my home. I honestly thought the school administration had everything in place and would ensure a digital safe space in school for my children, with protected data and privacy.

The day my kids came home with their first Chromebook, they were proud. I was even positive, as I expected they were about to learn coding, and tech history and culture. I put aside the knowledge that the Chromebook was a Google product, a company that makes most of its revenue by harvesting data and selling it.

But my hopes soon turned into disappointment and it became a digital nightmare. They were not learning anything. They were using the Chromebook as a substitute for books, pen and paper. And Google were doing what they do best: getting the data. I saw that getting data from a person age six is a best-case-scenario for a company like Google. And to achieve this nation-wide is better than ever imagined. They got it for free, and we even paid them for collecting data.

When the school implemented YouTube profiles for the students, giving away my child's full name, age, school name and class, that was the tipping point for me. I had not given consent to share everything about my child in public school.

It was then I really understood the importance of protecting my children's digital copy - the digital twin - and their data. As long as they are not of legal age, it is my duty as a parent to protect and care for my children. But in this situation, I couldn't. Or at least, it felt very difficult to achieve this within the public school framework in Denmark. As a parent you are not informed about what data is being collected and shared. In some schools there are more than 400 apps in use. Who can keep track on any of these?

The Wired article states you made an official complaint to Denmark's data protection regulator in 2019. Tell us more.

Denmark's data protection regulator is the Danish Data Protection Authority (DPA). The Danish Data Protection Authority is the central, independent authority that supervises that the rules on data protection are complied with.

I did not know much about them or their role before this case. I found out about them as I called friends within the tech industry and explained my problem. I approached the DPA, explained my issue to them, and they explained how to file the case, and what documentation was needed in order to begin.

Their role is to investigate the documentation and the solution to create closure on the case. Their decisions will set the standard for what Google and the municipalities shall do in order to make Chromebooks GDPR compliant.

If I do not agree on the final decision, which will hopefully be made this autumn, I will have to re-think my case and go the EU.

Your complaint initially led to a ban on Chromebooks in schools in the Elsinore Municipality in 2021. What is the situation today?

The ban was disabled after three months, because there was no “plan B” for continuing education in public schools. Without Chromebooks, schooling could not continue. The ban was not extended to other municipalities.

The ban could be reinstated if the DPA decides to do so. But if that happens, I expect that the ban will be final, and Google will be out for good, and schools will have to come up with a plan B. We are currently waiting for the final closure of the case from the DPA. It was expected to come end June, then in August and now in October. Not sure how long it will take, but it could be any day now. I am very excited.

We have at least 53 municipalities using Chromebooks in public schools who are waiting to know whether its legal to continue doing so or not. Then we have the rest of the 50 municipalities that are using Microsoft. They are holding their collective breath along with Microsoft.

On the 4th October, the Danish tech media site Version 2 published an article with access to documents that reveal that these Chromebook municipalities are tied to illegal transfers of school children's personal data to countries such as Mexico, Colombia and India. This is shown in the latest memo from the National Association of Municipalities to the Danish Data Protection Authority, which has announced a decision will be made very soon. It also documents that:

“Before the children's information - such as names, email addresses, direct communication, school assignments and much more - ends up in countries outside the EU, it is sent to Ireland, where Google, like other tech giants, has its European headquarters. Google's American department can also be sent the information, but after the recent data agreement between the EU and the US, it is no longer illegal to send personal data across the Atlantic.” link

What is it like being an activist? Have you or your family experienced negative consequences as a result of your activism? Has it changed your views about work?

I pursue the case in my spare time. I am not getting paid to do it, and that makes me free of any political and financial conflicts of interest. I keep focusing on the simple principle that my children have a right to digital privacy while in public school.

That is currently not the case. Data is being collected, a 'digital twin' or profile is being created, and when my children are of legal age they do not own the rights to their profile. They cannot change it, nor can they take it back. This must change. They should have the right to own and control their personal data when going to school.

One negative effect for me personally is that I quickly realized that I had to go public. Show my face in the media. That was a big step for me, as I am a private person.

I have also been targeted in local media and social media groups by local politicians for bringing Elsinore to the attention of the world with the data privacy issue.

What are your main frustrations with the case?

So far, lobbyists, lawyers, and NGO organisations, all with the power to affect change and help stop the commercialization and violation of children's privacy in schools, have not been able to make any significant impact, with the exception of the Danish Data Protection Authority. Most children's rights organisations and NGOs are spending their time and energy debating the negative side effects of screen time, mobile phones in schools and social media. Hardly anyone is addressing the principles of data harvesting and privacy.

The mistakes and lack of understanding of digital safety were brought to light with the Chromebook case in 2019, just one year after GDPR law was introduced. In 2022 the civil servants of Elsinore made excuses about their lack of following the law, stating GDPR was so new. But how long do we have to wait? It has taken more than four years now! How can the use of Chromebooks in schools continue if we do not know if it's legal?

How can it be that schools are still using Chromebooks while their use is being investigated for security and privacy issues? Public schools are using Chromebooks because there currently is no plan B. Today the Danish public school system is deeply dependent on two Big Tech companies, and there seems to be no way out.

I am not afraid of tech in schools. I just want to secure my children's rights to privacy, and I want schools to have relevant technology training and a safer digital culture. The current digital strategies that schools are following are more than ten years old and were designed in an era where digital safety and awareness were far from where we are today. I have weekly talks with parents who tell me about incidents in their schools, where basic mistakes are happening which put children's personal data and digital safety at risk. Photos are shared on social media, and passwords and logins for Chromebooks placed with stickers on the device or displayed on the wall in the classrooms.

Recently, we had a major hack on five educational institutions in Southern Denmark, because one laptop with infectious ransomware was connected to the school network, thereby giving hackers access to more than 10.000 students' private data, that now are being published on the dark web. This hacker attack led to schools having to contact 40.000 people potentially affected by the attack.

On the 11th of October, the Danish government presented a new plan for the public school sector to try to make schools and education better and more relevant. However, they did this without mentioning safety just once and without introducing specified subjects for technology. This is strange, when put in the context that Denmark proudly claims to be the best digitalized society in the world.

You were invited to speak in September 2023 at the Legal Design Summit in Finland. Can you tell us about that? What have been other, perhaps unexpected, positive outcomes of your activism?

The Chromebook case has pushed the debate of digitalization significantly into the mainstream, and there is a growing awareness of the detrimental consequences of hardcore digitalization of modern society.

The Finnish branch of the Save The Children organisation contacted me to let me know they had decided to base their Legal Design Summit on my case. I was invited to explain and give the context to my case, and help build an understanding of the privacy and data issues that children and parents are facing today in Scandinavian public schools. I hope they can develop a toolkit to make parents and children more aware of their rights and how to file a case.

Other unexpected positive personal outcomes have been that I was honoured by the Georgbruunske Foundation in 2022 for my digital fight. I can now officially call myself a 'Sympathetic Complainer'.

In 2023 I was nominated for the Danish digital freedom fighter 'Libre Prize'. I was nominated along with high profile individuals such as Max Schrems and David Heinemeir Hansson. Of course its hard to beat the large-scale impact that someone like Schrems has had, but being a “dad” without a technical background sitting together with prestigious lawyers and tech people was not only a big honour – it drove home the importance of my case and the impact it has had so far.

The Chromebook case has become a PhD fellowship programme at Aarhus University. Students across universities and schools are now doing Bachelor theses on the case. The Chromebook case is becoming part of the education, part of the history of tech.

I have spoken to Data Protection Officers across the country, and they confirm that my case has pushed Google to change, so I am sure that both Larry Page and Sergey Brin (Founders of Google) are familiar with my name. Politicians in the US Congress are also familiar with my case.

But what has touched me most has been everyone who has reached out to me from all over the world. Parents, professors, data scientists, privacy experts and journalists have contacted me and helped me build a fantastic network. They have inspired me, and, more importantly, pushed me in the right direction, keeping me focused and eager to learn more. That kind of support and acknowledgement has been essential, as I was very much alone in this fight, and still am today.

What further positive outcomes do you hope for?

For me the best outcome of the case would be that Chromebooks and Microsoft are left out of the classroom, at least until the children are around ages of 10 to 12. To date, I have not seen sound educational arguments for using Chromebooks before that.

Another positive outcome would be if Scandinavian countries got together to design custom educational platforms and hardware as an alternative to Google's and Microsoft's solutions. One of the main arguments for a combined Scandinavian strategy is our shared values and culture. Scandinavian countries share similar priorities, which are sometimes different to American ones.

Finally, this case is focused on public schools. But what about the private school sector? In Denmark, private schools don't work within a local authorities framework. In some of these schools, it is the parents who supply the digital device, which makes them the legal data controller instead of the school or local municipality. It is the responsibility of the data controller to make sure the device is GDPR compliant, but can we expect the parents really understand GDPR and can have that responsibility on their shoulders? Also, if private schools have their own device policies, they have to ensure that both risk and consequence analyses are in place.

Some argue that providing students with affordable hardware is more important than protecting their data, given how important IT skills are today. What are your thoughts?

Getting a Chromebook in school is not providing any IT skills. Before giving a child a computer, they need to be given the opportunity to study IT as a subject. This is currently not the case in Denmark.

There has been a debate in Denmark over the past few years about implementing a subject called “technology understanding,” but so far nothing has happened. In order to be a successful human being living in the digital age, we will need a far better understanding of technology, and it needs to be taught in the classroom, and not left to parents.

Imagine if we had a subject in schools where children learned not only how to use digital technology, including coding, but were also taught the history and culture of information technology. Just like we teach the history of the 20th Century, we should also teach the history of the Internet, the first social media company, what data and data harvesting are, the history of Microsoft, the impact of the iPhone, when streaming began, what social impact YouTube has had, and so on.

When it comes to being ready for the digital age, do we really need to compromise young people's data?

What advice would you give to concerned parents reading this?

Check the device given to your children by the school.
Check the school's digital policies. Discuss the subject with school board; it's a discussion that is constantly developing.
Ask for informative guidelines from the local school authorities when receiving a digital device from school.
Never use a school device for anything other than school-related work.
Approach NGOs such as Save The Children or other national organisations that are focused on the subject of data privacy for advice and help.
Exercise your right to be private on a daily basis. It is not about being a nerd or an extremist. Instead, it's about developing awareness.
When sharing content such as a photo of your children online, remember this is not just photo. It is data, and everybody can use it as soon its public, and it can be used for anything.
Make children's digital lives and rights a topic for discussion in school among other parents and teachers by bringing it up at school meetings.
Talk often with your children about being a human in the digital world. Teach them to use digital devices responsibly.
Educate yourself and stay updated on the subject of digital privacy.
Spend less time online and more time offline with your children.

Any final thoughts?

First, let me state that I have nothing against the companies that sell digital services. This is not a fight against corporations. For me, it's a fight for privacy and digital rights.

As a modern digital society, we need to understand the basic needs for privacy and the legal rights we have. The digital age makes these rights more complex and more delicate because the line between what is private and public is blurring; digital services today have such extensive ways to collect data. This can make it difficult to see when our private sphere is breached. But when this does happen, highly personal data is often collected, which we subsequently cannot withdraw, don't own, and which we no longer have rights over.

What is decisive for me is that we as a society become better at understanding both the immaterial and material value of data. Data is part of us, our identity, our personality, and we have a right to have these protected on an equal footing with other fundamental human rights. Especially when it comes to children in a school system. This is to ensure their future rights are not violated until they are old enough to give consent.

Unfortunately, at it stands today, it is the parents who have the right to consent until the child is 18 years old, but parents often do not have the knowledge to make these types of decisions. Parents send their children to primary school, uninformed about their children's rights, and uninformed about the data collection that takes place. This is because, unfortunately, they often do not understand or have not familiarized themselves with these concepts. It has become too complex.

We have to change that, that's what the Chromebook case is about.

Join the Conversation

If this post has sparked an idea or motivated you to get involved, there is no better next step then to join the conversation here at freedom.tech! Subscribers can jump straight into the comments below, or you can join our community SimpleX group:

If you have feedback for this post, have something you'd like to write about on freedom.tech, or simply want to get in touch, you can find all of our contact info here: