Data protection versus functionality: the dilemma of German schools

Is data protection an obstacle to innovation? And is its easing in favor of digital educational opportunities inevitable? On the contrary! Nikolai Horn and Philipp Otto (iRights.Lab) describe why data protection is indispensable for schools and what personnel, infrastructural and cooperative prerequisites are needed to educate our children to become digitally literate citizens.

This article is part of our dossier "Digital classrooms - Transatlantic perspectives on lessons from the pandemic".

A key in a door lock, with a black door handle below it

The education sector is an area of life ever more permeated by digitalization. More and more companies are involved in the development of learning hardware and of programs and software for use in education – so-called edtech. After the sluggish implementation of digital applications in the classroom in Germany, the coronavirus pandemic clearly revealed the need for a broad expansion of digital education offerings across the country. At the same time, as schools tried to remedy the digital deficit by employing ad-hoc measures, the broad public in Germany sounded a warning of possible violations of data privacy protections.

The data protection debate in Germany is often peculiar: at times, data protection seems like an end in itself to which all other areas must be subordinated, but it is also often the scapegoat for a host of past failures. With the digitalization of educational offerings since the coronavirus pandemic, a growing chorus of voices has cited the European Union’s strict data protection regime as an "obstacle to innovation" and has called for its relaxation in favor of digital education opportunities. The successful implementation and use of digital tools in education requires a differentiated, objective approach.

German and European concepts of data protection

First, it is necessary to understand that data protection does not "protect" data, but rather individual self-determination. As a fundamental right, it is enshrined in Article 8 of the European Convention on Human Rights and Articles 7 and 8 of the European Union’s Charter of Fundamental Rights. Its aim is not only to protect individuals and their private sphere, but also to empower people with control over their personal data and information and protect them against its misuse by third parties. In Germany – the birthplace of the world's first data protection law in the state of Hesse in 1970 – data protection is expressed in the "right to informational self-determination." Individuals should have control over their own digital images and data traces – not the other way around.

The practical implementation of data protection in the European Union is governed by the General Data Protection Regulation (GDPR), in force since May 2018. This involves in particular the implementation of the following basic principles:

  • The principle of "data minimization" limits data processing to the minimum necessary.
  • "Purpose limitation" allows data processing only for a specific and not for just any purpose.
  • "Confidentiality", "integrity" and "accountability" are aimed at ensuring IT security and the error-free functioning of IT systems.
  • The principle of "accuracy" corresponds to individuals' rights to information, rectification and objection with regard to their data.
  • "Transparency" includes the ability of individuals to confirm what happens to their data, by whom, for what purpose and how it is processed.


Each of these seven principles serves data protection, without being limited to one singular aspect. For example, a learning program is not compliant merely because it processes only the necessary data and does not share it for unrelated services; the program should also have an appropriate level of IT security. A secure IT environment itself is also no guarantee of compliance if users do not agree with the purpose of the data processing. The practical implementation of data processing therefore involves several interrelated aspects, which are dependent on each other and only make sense when they interact. Data protection is therefore a process that can never be limited to a single aspect.

Education providers have special responsibilities for student data

These principles take on particular importance in regard to digital education offerings. In addition to the personal data of parents and teachers, the providers of such tools have a special responsibility to protect the data of children and young people. According to the GDPR, minors' data deserves special protection, as minors may be less aware of the risks, consequences and safeguards involved and also of their rights when their personal data is processed (Recital 38 GDPR). For this reason, implementing safeguards for data protection requires special attention in the education sector. This means specifically that all data collected should only be processed for educational purposes, the IT environment must be secure, subjects must be able to assert their data rights in an uncomplicated manner, and the use of data on learning platforms must be as understandable for parents as for the underage students themselves.

But even if a digital product meets all of the above principles, data protection compliance is far from fulfilled. From the perspective of an individual student, it is of little use if the learning platform is transparent and secure, but the equipment they use is not. A secure learning platform and secure hardware are no guarantee of secure data protection if students and teachers have no contact person to help when problems arise. Data protection must be understood holistically. Platforms, equipment, network access, IT support, and users’ digital skills all belong together. If you focus on just one of these aspects and ignore the others, a digitalization approach will not work. Digitalization in general and data protection in particular are a holistic iterative process in which all of these aspects interact with each other. So that students can exercise informational self-determination and handle their data with confidence, we need to address many issues at the same time.

One feature of digitalization particular to German schools, and thus also of implementing minimum standards for data protection, is German federalism. Education policy in Germany is a matter for Germany’s 16 states (Länder), i.e., it falls under the jurisdiction of the states, whose cooperation is governed by the German Standing Conference of the Ministers of Education and Cultural Affairs. Each state decides on its own curricula, personnel or – as during the pandemic – on the move to so-called distance learning. In turn, individual (mostly public) school authorities – usually the municipalities – are responsible for school equipment. Whether setting up internet access at school or procuring smartboards or tablets, each city, municipality and district acts according to its own capacities and financial resources. With around 11,000 municipalities in Germany, the school authority landscape is fairly heterogeneous. Usually a school itself ultimately decides on a particular education platform – this decision is made by school principals, working groups, and individual teachers. Many schools also have digitalization officers – often teachers who take on this task in addition to other duties.

How can data protection be implemented effectively in digital education?

If we think of digitalization and ensuring minimum data protection standards as a holistic process, then all of these players need to work together. Schools do not become "digital" simply because their administrators decide to use a certain learning platform or a municipality orders new tablets. If teachers and students do not get the support they need in using hardware and software, if there is insufficient internet access, if teachers are left to implement data protection requirements on their own, it will hardly be possible to handle digital education offerings competently.

To ensure that digitalization in education complies with data protection laws and is thus successful, curricula must take into account the requirements of digital instruction and the capacities of teaching staff. Hardware requirements must be coordinated with specific software and learning platforms. Internet bandwidth must be aligned with the number and availability of terminals. The choice of tools must be coordinated with the curricula and the hardware available to teachers and students. Compliance with data protection laws must be clarified, and schools need professional IT administrators rather than relying on teachers to supervise their implementation. School administrators, school authorities, state IT service providers, data protection officers and education ministries must therefore also take into account requirements and circumstances outside their own direct areas of responsibility.

Conversely, this means that networks, terminals, servers, IT support, and organizational measures in schools are necessary conditions for data protection compliance and digitalization in the education sector that must be met before decisions are made about specific digital learning tools. The ability to meet basic technical and organizational requirements for digital instruction that complies with data protection laws varies greatly between and within German states, cities and rural areas. A school that already has a well-developed IT infrastructure, suitable terminals, staff trained in IT and data protection, and positions for full-time IT administrators can address data protection compliance at a completely different level than a school that only manages to provide students with 300 used laptops and a 50-megabit-per-second Wi-Fi network.

Since digitalization in general and data protection in particular are a holistic, multi-level process, those responsible for digital education must consider the basic requirements at every level. As described above, a differentiated approach also means the federal education system must pay special attention to local communities whose limited resources make it especially difficult to meet the basic needs for data protection compliance in digital instruction.

When considering how prepared a school is to meet these needs, it is useful to distinguish between organizational requirements, the use of digital learning resources, and the use of digital tools.

"Digital caretakers," data protection officers and training for teachers and students

One organizational prerequisite is a clear definition of competencies and responsibilities for hardware and software in a school, and the availability of professional expertise. Teachers, students and parents need professional support for digital products and IT security – both for IT infrastructure in school (network administration, use of terminals) and for implementing technical and organizational data protection measures.

The role of a "digital caretaker" requires a high level of IT expertise. This person must be a specialist in database structures, networks and in common hardware issues. In an average school with 1,000 students and 100 teachers, this means supporting over a thousand users who are confronted daily with major and minor IT problems. There are many dedicated teachers who take on this task in addition to their primary teaching responsibilities. However, they must be professionally qualified. They must also have enough time to support a large number of people in IT matters in addition to teaching, educating, advising and administering. A company of this size would require at least one full-time IT specialist position. Otherwise, it is very difficult to provide smooth and secure usage of the IT infrastructure.

Furthermore, under current law, schools – as public entities that process personal data in an automated manner – are required to appoint a data protection officer. Data protection officers have a number of responsibilities: they advise the school, monitor data protection and are contact persons for parents, students and teachers. Today, this task is also often performed by dedicated teachers. However, it is anything but trivial. It includes comprehensive documentation duties, keeping a register of processing activities, commissioned data processing, deciding on and implementing suitable technical and organizational measures, providing data protection impact assessments, fulfilling the rights of data subjects, and much more. This therefore also requires specialist expertise and considerable time resources. Many state data protection authorities offer good support in the form of templates and advice, but the teacher responsible must also have the capacity and knowledge to implement these requirements and to undergo continuous training.

Organizational requirements ultimately also include data protection training for teachers and students. In order to conceive of data protection and informational self-determination as fundamental rights, user competency must be expanded, because many IT security and data protection mishaps have their roots in users’ careless handling of data. There are a number of initiatives in Germany, such as, that have taken up this challenge on behalf of the European Commission. However, this must happen across the board in schools in order to turn young people into digitally literate citizens. Well-trained users are an important part of implementing digitalization and data protection measures.

Integrity versus functionality: the dilemma of choosing tools and platforms

Implementing organizational requirements for digital instruction that complies with data protection laws must go hand in hand with appropriate digital learning tools. This is true for end devices as well as certain tools. Unfortunately, teachers and students still frequently use (often private) devices for digital instruction with an inadequate level of IT security for processing sometimes sensitive data. Ad hoc digitalization has also meant recourse to digital tools for communication and teaching whose data protection standards are, to say the least, controversial. The data protection aspects described at the beginning – data minimization; purpose limitation; transparency; accuracy, and the three IT security principles of confidentiality, integrity, and accountability – must be taken into account when selecting suitable digital learning tools.

One of the major challenges in the use of digital devices is that teachers and students are de facto solely responsible for IT security when using their own devices. Whether their antivirus programs are adequate and regularly updated is often left to chance. Even when digital end devices are procured by the school authorities, hardware features are often the only consideration, without ensuring sufficient cybersecurity through suitable security programs. But whether parents and teachers buy and install security software at their own expense cannot be left to chance. The principle of "data protection by design and by default" (Art. 25 GDPR) must already be taken into account in the procurement process.

Data protection principles must also be considered in the selection of digital tools and learning platforms. Many IT service providers of German state governments are developing their own platforms, such as Mebis in Bavaria, LOGINEO in North Rhine-Westphalia, NiBiS in Lower Saxony or Lernraum Berlin. The advantage of these is that they take data protection requirements, such as European Union data storage requirements, very seriously. In addition, state data protection officers and civil society are helping to identify and close data protection and security gaps in the development phase. The disadvantage, however, is that these platforms are often unsophisticated and lack functionality. They lag behind those of commercial providers, which is why many schools use tools (including fee-based ones) that are highly controversial from an EU and German data protection perspective. Schools should not be left alone to select digital teaching and learning tools, which is a legally and technically complex task. Here too, digitalization must be seen as a complex, cross-institutional task.

Schools and places of learning need a digital sea change. They are a valuable repository of a knowledge society. Data protection is Janus-faced: On the one hand, it involves complex technical and organizational requirements for legal conformity in data processing, for which non-compliance can be severely sanctioned. On the other hand, the implementation of these requirements is necessary for well-functioning IT systems in schools and to enable digital learning. Finally, understanding the technological and constitutional background of data protection is a prerequisite for confidence in digital learning spaces.

Data protection and online use are not opposed to each other, but go hand in hand. The problem lies neither with the students nor with the teachers, but rather in the lack of digital literacy and prioritization by those in positions of political responsibility. The challenge of data protection compliance should be seen as a driver for establishing digitalization measures that are long overdue. The future is only as good as those who can shape it through the power of their office.


Translated from German by Ellen Thalmann.