No personal data on Google Apps, Norway tells its councils as it clears cloud use


Summary: Norway's Data Protection Authority has given the all clear for councils to use Google Apps, so long as they do not use it to communicate private data about the public.


Local municipalities in Norway have been cleared to use cloud email services such as Google Apps - but only for communication between staff and not dealings with the public.

Narvik's council can continue using Google Apps, with caveats, the country's data protection agency has decided. Image: TimoOK/Flickr

After a lengthy standoff over the Narvik municipality's adoption in 2011 of Google Apps email, Norway's Data Protection Authority (DPA) this week gave qualified approval to all local municipalities to use Google Apps and Microsoft's rival productivity suite, Office 365.

"This does not constitute an open-ended permit for unlimited use of cloud computing services, but conditional upon certain prerequisites and a thorough and good risk analysis of the enterprise, cloud computing may be an acceptable solution," said Bjørn Erik Thon, Norway's data protection commissioner.

The clearance frees up Narvik to use Google Apps to process communications between staff and other authorities but forbids it from using Apps to handle information about the public, the DPA's senior legal advisor, Jørgen Skorstad, told Norse Code. 

"The municipality will not be using Google Apps when handling cases vis-à-vis the citizens of the municipality. Personal information normally included in these cases could be information related to taxation issues, public school, and other public services such as health care. These will not be processed with Apps," said Skorstad. 

A win for Google

Still, it's a win for Google after the DPA in January argued it should be outright banned from offering its cloud services to municipalities because users could not know where in the world personal information was stored. Back then, it said "in practise, Google dictates the solutions they supply to customers", noting that customers were unable to sufficiently audit Google's technology or create an adequate "processor agreement".

"As long as the data is processed in the US under the Safe Harbor principles and in the EU/EEA, we have said that we are satisfied" — Jørgen Skorstad, DPA

The DPA's qualified support for Google Apps and Microsoft Office 365 came in spite of previous reservations (PDF) that the US Patriot Act would undermine protections under the 2000 US-EU Safe Harbor Agreement. Google has committed to transfer Narvik's data only to the US and to none of its other datacentres.

"Originally we needed to know whether these data were being stored outside the EU or EEA [European Economic Area], and we expressed some concerns about the Safe Harbor principles. But in the latest documents, as long as the data is processed in the US under the Safe Harbor principles and in the EU/EEA, we have said that we are satisfied, and that this would be in compliance with Norwegian legislation," said Skorstad.

The Google Apps question arose in mid-2011 after Narvik signed a deal to replace its Lotus Notes email system with Google Apps. Another municipality, Moss, came forward after the DPA raised its concerns and said it had adopted Microsoft Office 365. 

The watchdog wanted municipalities to have a detailed account of Google's security practices, "a description of the information system's design and physical location", how Google does back-up, who has access to the data and an explanation of how local authorities would audit Google’s security.


Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.


Talkback

4 comments
  • So they don't trust Google

    not surprised.
    William Farrel
    • Reading/comprehension challenged?

      I know. You are one of the local MS shills. Trouble is, the Norwegians do not trust MS either. The issue was the cloud.

      Nice spin attempt though.
      D.T.Long
    • bla?

      bla bla!
      Watchmen247
    • They don't trust the US Government...

      Under EU Law, data on EU citizens cannot be handed over to entities outside the EU without the written permission of the affected person (i.e. the Norwegian authority cannot hand over information about one of their citizens to the US Government, without first obtaining written permission from that citizen to do so).

      Under the US Patriot Act, Google have a responsibility to hand over data to the US Government, without informing the affected parties (Norwegian authority and Norwegian Citizen in this case). That leaves the Norwegian authority open to prosecution by the data protection agency in Norway and a civil suit from the Norwegian Citizen, if it comes out that Google handed over the data to the US Government.

      The problem is, Google have complied with the Patriot Act, so they are in the clear. The Norwegian authority (or any Google user in Europe) is however still liable for ensuring the personal data is not handed out to third parties vis-à-vis the US Government.

      By handing their data over to Google (i.e. using Google's cloud services - or Microsoft's or any other Cloud Provider that has a presence in the USA), they are essentially opening themselves up to prosecution, because they cannot guarantee that the Cloud Provider won't hand their data over to the US Government.

      That is why they can use Google's services for inter-department communications, as long as no personally identifiable information is stored or transmitted (PII = name + phone number or e-mail address, postal address, social security number etc.).
      wright_is