On December 6, 2023, the Icelandic data protection authority (Persónuvernd) published its decision in Case No. 2022020416, as issued on November 28, 2023, in which it imposed a fine of ISK 2.5 million (approx. $18,210) on Reykjanesbær Municipality, for violations of the Act on Privacy and Processing of Personal Data (the Act) and the General Data Protection Regulation (GDPR), following an audit by the Persónuvernd into the use of Google cloud services in elementary school work in five major municipalities.

Background to the case

The Persónuvernd explained that it conducted an assessment into Reykjanesbær Municipality's use of Google's cloud solution, Google Workspace for Education, in elementary school activities, focusing on the protection of children's personal information. The case was part of a broader initiative by the European Data Protection Board (EDPB) emphasizing the protection of children's personal information in smart solutions. This audit was one of five targeting larger local authorities in Iceland.

Findings of the Persónuvernd

The Persónuvernd found that the processing of children's personal data using the Google student system in primary schools in the Reykjanesbær Municipality was not in accordance with the provisions of the privacy legislation. In particular, Reykjanesbær Municipality was found to be in breach of the following:

• its liability obligations in its decision to use Google as a processor (Articles 8, 23(1), and 25 of the Act and Articles 5(1), 5(2), and 25 of the GDPR);
• its processing agreement with Google is not in accordance with privacy laws (Article 28(3)(a) of the GDPR and Article 25(3) of the Act);
• its failure to specify the purpose for processing and processing with incompatible purposes (Article 8(1) and 8(2) of the Act and Articles 5(1)(b) and 6(4) of the GDPR);
• its failure to uphold the minimization principle and built-in and default personal protection system (Articles 8(1), 8(3), 24(1), and 24(2) of the Act and Articles 5(1), 25(1), and 25(2) of the GDPR);
• its failure to fulfill storage limitation and default personal protection obligations (Articles 8(1), 8(5), and 24(2) of the Act and Articles 5(1)(e), and 25(2) of the GDPR);
• its failure to make a timely impact assessment and failure to comply with minimum requirements for the existing assessment  (Articles 29(1) and 23 and Articles 35(1), 35(11), 24(1), and 35(7) of the GDPR); and
• its failure to ensure safe personal data transfer to the United States (Article 46 of the GDPR).

Outcomes

In light of the above, the Persónuvernd issued an administrative fine of ISK 2.5 million to the Reykjanesbær Municipality and ordered it to bring the processing of children's personal information into compliance in all the elementary schools within the Municipality, by correcting the abovementioned failings.

You can read the press release here and the decision here, both only available in Icelandic.