Local municipalities in Norway have been cleared to use cloud email services such as Google Apps - but only for communication between staff and not dealings with the public.
After a lengthy standoff over the Narvik municipality's 2011 adoption of Google Apps email, Norway's Data Protection Authority (DPA) this week gave qualified approval to all local municipalities to use Google Apps and Microsoft's rival productivity suite, Office 365.
"This does not constitute an open-ended permit for unlimited use of cloud computing services, but conditional upon certain prerequisites and a thorough and good risk analysis of the enterprise, cloud computing may be an acceptable solution," said Bjørn Erik Thon, Norway's data protection commissioner.
The clearance frees up Narvik to use Google Apps to process communications between staff and other authorities but forbids it from using Apps to handle information about the public, the DPA's senior legal advisor, Jørgen Skorstad, told Norse Code.
"The municipality will not be using Google Apps when handling cases vis-à-vis the citizens of the municipality. Personal information normally included in these cases could be information related to taxation issues, public school, and other public services such as health care. These will not be processed with Apps," said Skorstad.
A win for Google
Still, it's a win for Google after the DPA argued in January that the company should be banned outright from offering its cloud services to municipalities because users could not know where in the world personal information was stored. Back then, it said "in practice, Google dictates the solutions they supply to customers", noting that customers were unable to sufficiently audit Google's technology or create an adequate "processor agreement".
The DPA's qualified support for Google Apps and Microsoft Office 365 came in spite of previous reservations that the US Patriot Act would undermine protections under the 2000 US-EU Safe Harbor Agreement. Google has committed to transferring Narvik's data only to the US and to none of its other datacentres.
"Originally we needed to know whether these data were being stored outside the EU or EEA [European Economic Area], and we expressed some concerns about the Safe Harbor principles. But in the latest documents, as long as the data is processed in the US under the Safe Harbor principles and in the EU/EEA, we have said that we are satisfied, and that this would be in compliance with Norwegian legislation," said Skorstad.
The Google Apps question arose in mid-2011 after Narvik signed a deal to replace its Lotus Notes email system with Google Apps. Another municipality, Moss, came forward after the DPA raised its concerns and said it had adopted Microsoft Office 365.
The watchdog wanted municipalities to have a detailed account of Google's security practices, "a description of the information system's design and physical location", how Google does back-up, who has access to the data and an explanation of how local authorities would audit Google’s security.