By Simon Davies
In a landmark ruling, Sweden’s data protection authority (the Swedish Data Inspection Board) this week issued a decision that prohibits the nation’s public sector bodies from using the cloud service Google Apps.
A risk assessment by the Board determined that the contract gives Google too much covert discretion over how data can be used.
The assessment gives several examples of this deficiency, including uncertainty over how data may be mined or processed by Google and lack of knowledge about which subcontractors may be involved in the processing. The assessment also concluded that there was no certainty about if or when data would be deleted after expiration of the contract.
The decision may also trigger a disintegration of trust across Europe over the use by schools of such services. A recent survey revealed that schools are adopting cloud services at speed but that there is widespread concern over loss of control over the data.
The effect of the ruling against Salem will apply immediately across all Swedish municipal authorities, but will also by default extend to national government departments.
By way of background, in 2011 the Board criticized the Salem municipality for its use of the Google cloud service. That initial view focused on deficiencies in the agreement which meant that the contract did not comply with the rules in the Personal Data Act (PuL). The arrangement gave Google too much space to process personal data for its own purposes.
The Salem municipality was requested to produce a new agreement, but following a review of the new wording the Board concluded that the previous shortcomings remained.
Earlier this year the Norwegian data protection authority also demanded amendments to contract conditions for cloud services, highlighting similar concerns.
The decision runs headlong into Google’s “one size fits all” policy and throws out a challenge to the advertising giant to provide more specific terms and protections for its services. Other EU regulators will be closely monitoring the Swedish decision.