Should Europe's schools adopt a code banning cloud companies from data mining?

A US lobby group is proposing a new code of conduct that outlaws user profiling and data mining by cloud services used by European schools.
Written by Liam Tung, Contributing Writer

Google's free Google Apps for Education suite can save millions of dollars for Europe's schools, but its terms of service have put the product under a cloud of doubt for some — uncertainty which a US group whose members include Microsoft is using to promote a code of conduct that would ban cloud providers from data mining and ad-serving in schools.

A number of cost-conscious educational institutions across the world have begun using Google's free alternative to Microsoft's paid-for Office suite. Malaysia, for example, earlier this year began moving 10 million students, teachers and parents to Google Apps in a deal that also included using Google's Chromebooks for secondary and primary schools, joining the 20 million students, faculty and staff across the world that were on Google Apps for Education by late 2012.

But for schools in the Sollentuna municipality of Stockholm, Google Apps could soon be off the menu after the country's Data Inspection Board ruled last week that the terms of service governing the use of the cloud service at Rudbecks school in the municipality didn’t comply with Sweden's Data Protection Act.

While the decision directly impacts Rudbecks school, Andreas Cassne, who manages the use of ICT for education in the Sollentuna municipality, told ZDNet that around 9,000 students and 2,500 staff across 16 schools in the area have been using Google Apps since 2010.

Its switch from Microsoft Office to Google Apps was prompted by government pressure to cut budgets and the first item it tackled was software licensing, said Cassne, who estimates the move has saved the schools SEK 5m (€580,000) over three years in desktop Office licensing costs.

"Before we had the Microsoft Office suite for all the students and all the staff. We saved all our documents on a local server that was stored in a basement. There was no integration, no collaboration or anything," said Cassne.

The Data Inspection Board's decision also casts doubt over several Chromebook pilot programs at schools in Sollentuna, which could lead to schools eventually replacing Windows-based PCs with the Google laptops.

"That would help us even more and it's looking really good but it’s the same issue there — we have to have everything in place with Google," said Cassne.

According to Cassne, Sollentuna will now opt in to the set of model contract clauses that Google published late last year that was meant to offer Google Apps customers "additional compliance" with Europe's 1995 Data Protection Directive.

But, he admits, opting in probably won't address the regulator's problem with its use of Google Apps. The Data Inspection Board earlier this year banned the Salem Municipality from using Google Apps in government. It too opted in to Google's additional contract, but a final decision on whether it can continue to use the service depends on the outcome of an appeal in a Swedish district court.

It's not clear yet whether Sollentuna will appeal the Data Inspection Board's decision, which requires that it either sign a contract with Google that complies with the Data Protection Act, or stop using the service altogether. Sollentuna is working with Google to resolve the issue, said Cassne, but it's unlikely Google will amend its contracts to comply with Swedish law.

Ingela Alverfors, a lawyer for Sweden's data protection authority, confirmed to ZDNet that opting in to the model clauses definitely will not enable compliance with Sweden's Data Protection Act. And if the school persists in using Google Apps, she said the watchdog does have the right to issue fines.

Can a code of conduct end uncertainty over the cloud in the EU?

Uncertainty over cloud services in schools in Sweden comes as Europe considers overhauling its data protection directive and addressing heightened concerns in Europe over the controversial US FISA Amendments Act 2008.

Consumer privacy rights in the cloud, in particular around Google's new consolidated privacy policy, have come under scrutiny from Europe's data protection authorities. However, schools' privacy has been somewhat overlooked, according to SafeGov, a US-based group that advises governments on how to mitigate data protection risks around cloud services.

SafeGov on Monday released a report focusing on data protection in the cloud at schools based on discussions with over a dozen European data protection authorities. The organisation is urging Europe to consider adopting a code of conduct — tailored to certain sectors — that would contain a promise from cloud providers not to mine student data and not to serve ads to children at schools.

"We found strong agreement within the DPAs [data protection authorities] that in addition to consumer rights, you need to look at people inside these institutions, such as this school in Sollentuna," SafeGov's president, Jeff Gould told ZDNet.

"We don't want advertising to get a foot in the door in schools and we want to have a kind of 'permanent sanctuary' that is completely protected from advertising, even if it's a free service." 

Notably, one of SafeGov's partners is Microsoft, but Gould said the company does not influence its research or ambitions.

"For the record Microsoft is one of our members, but we are not representing the point of view of Microsoft," Gould told ZDNet. "We think this is an industry-wide problem that both Microsoft and Google and all the other players in this space can and should abide by a simple set of rules regarding the privacy protection and data protection rights of students who use cloud services in schools."

"We think Microsoft and Google should be absolutely on an equal footing."

The code might apply to all cloud providers equally, but the issues the report raises and SafeGov's recommendations for the content of such a code do focus more heavily on Google's business in schools. It also comes shortly after Microsoft's US launch of ad-free Bing for schools aimed at K-12 students, while its Office products haven't ever had an ad-supported business model.

SafeGov may draft a code of conduct for schools in Europe, according to Gould, which would ask cloud providers never to data mine the content of students' emails; to remove — not just turn off — all advertising-related functionality from cloud services; and to pledge not to make accepting ads a condition of renewing a school's contract in the future.

"In the case of Google and schools, they've come in with this consumer product that's designed for online behavioural advertising and they said 'OK, we know that you don't want advertising in schools, and we'll voluntarily turn off the ad-serving — but by the way, we’ll leave the option to turn ad-serving back on at any time'," said Gould.

The problem, according to Gould, is that ads are only disabled for core services like Gmail, Docs and collaboration.

"They don’t say if this student goes out and uses Google search or videos on YouTube that you won’t get ads then. On the contrary, they do serve ads when that same student is logged into their same school account using a Google consumer service like YouTube."

But why would a code of conduct address Sweden's issue with Google Apps any better than Google's own model contract clauses?

According to Gould, Google's model clauses, designed for the whole of Europe, are "too vague", whereas a code of conduct could address data protection issues specific to each nation and serve as a form of due diligence.

"So in the case of Sollentuna, they could go to the DPA and say look, 'we adopted a code of conduct which applies to the standards we use when we choose a cloud service'."

The code of conduct, which would likely be drafted country by country, might not be as efficient for the cloud provider as Google's model contract clauses for the whole of Europe, but it would be better than addressing issues on a school-by-school basis.  

"Google, Microsoft and Amazon are probably not eager to have individual contract negotiations with schools in Sweden. It's not cost-effective and they probably have local sales teams which are not set up to have that kind of negotiation and probably are not even authorised to do so. So you need a broad general solution," said Gould. 

"Google and Microsoft should put a standard set of clauses in all of their standard off the shelf contract for every school in Europe that addresses — because the EU data protection laws are by and large the same."

Google did not respond to a request for comment.
