European school Luxembourg 2 set up its email service on Google.com, using Gmail for business services. This deviates from standard practice in all other European institutions, which all use their own servers for reasons of security and personal data protection.
Opening a Gmail account is standard practice at European school Luxembourg 2, and all secondary pupils get one. When opening a Gmail account, pupils have to provide mobile numbers to confirm the account. The school does that without any permission from parents. Parents are not even informed that their children have to give their personal information (like date of birth and mobile phone number). The second point is that once a child has a Google account, he/she can access all the services Google offers, like Youtube and Google Play, where they can watch and play everything without any restrictions. Since we parents are responsible for our children until they are 18 years old, this is a very serious concern, and the school should have written permission from each and every parent.
Google's Terms of Service state that opening an account for children below the age of 13 is not allowed: https://support.google.com/accounts/answer/1350409?hl=en. When they get this account, they are able to access all the services Google offers (Youtube, Google apps, Music, Hangouts etc.). This is a highly questionable practice, and the school would definitely need parents' permission before opening an account, since children are 11 years old when they enter Secondary.
Google's Terms of Service (http://www.google.com/intl/en/policies/terms/) say: "When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content." So all the information our children and other school employees are sending around is stored and monitored on servers in the United States.
Hosting an email server outside the Institution is also against the European Commission’s current internal IT rules, which require all information to be stored on servers inside the Institutions.
European school Luxembourg 2 also regularly checks children's email communication (email spying) and punishes them if it finds inappropriate words or content. Children are sending emails to each other, so anybody who reads these emails should have explicit written permission from the account owner. This is standard procedure for all European Institutions.
In my complaint to the EDPS (European Data Protection Supervisor) I asked that European school Luxembourg 2 should immediately move all the infrastructure to a locally hosted Exchange server or use one of the European Commission’s servers. They should also inform all the parents about their action and delete all the data stored on Google servers. For the second point, about checking children’s email, the school should immediately stop monitoring the accounts without the account owner’s written permission and apologise for the current spying to all the affected children.
European school Luxembourg should only hope parents won’t pursue legal action against them.
UPDATE 19.10.2017
As of 01.09.2017, all users at European school Luxembourg 2 are using Microsoft Office 365 accounts, although many pupils can’t access their accounts since “experts” in Brussels can’t prepare their accounts properly. Also, first-time passwords are not working properly.
On the other hand, it’s very reassuring that incidents like those described above no longer occur. It is very positive that the new school administration strictly follows all the required personal data protection regulations.