Why Norway’s rigorous stance on Cloud computing highlights the primacy of strong privacy policies

By Simon Davies

A spate of press articles is appearing at the moment on the topic of regulation of Cloud services, one of the more interesting of which has just been published on ZDNet. This story is noteworthy because it highlights a regulatory trend that will doubtless have a huge impact on Cloud, and because it illustrates why strong privacy policies and safeguards are so crucial to the viability of the technology.

The ZDNet piece discusses a Norwegian regulatory decision that affects public sector use of Cloud services. The ruling this month by the country’s Data Protection Authority, Datatilsynet, follows a 2011 complaint about the use by a local authority of Google Apps.

In response, Datatilsynet earlier this year decided to issue an Order against the municipality of Narvik, Norway’s third largest municipal region, requiring it to cease using Google Apps. A number of grounds were set out, including concerns over loss of control over sensitive personal information. The Order would inevitably have established a prohibition across the Norwegian public sector.

On reflection, Datatilsynet then decided to review its decision and subsequently held off the Order, choosing instead to issue strict guidance on the use of Cloud services. This includes a restriction on the use of those services when dealing with the public. No detailed reasoning was provided to explain the change of direction, but the shift from an outright prohibition probably reflects a view within Datatilsynet that Cloud has significant potential and that emerging data protection issues must be dealt with head-on.

However, both the documentation and the judgment that emerged focused almost exclusively on security issues, and intentionally sidestepped the more complex and unresolved privacy aspects. I’ll explain the circumstances later in this blog, but for the moment I will offer the teaser that this issue is far from resolved.

ZDNet perhaps instinctively describes the Norwegian decision as a “win” for Google Apps and for Cloud. On closer inspection I’m not so sure the outcome is so clear-cut.

It’s tempting to view this case from an adversarial standpoint, crystallising in a clear “win” or “lose”. In reality, the Norwegian decision is a harbinger of tighter and more restrictive regulation of Cloud services. The decision also reflects and reinforces long held privacy and security concerns, many of which relate to the inadequacy of current privacy policies.

Any interpretation that the Datatilsynet decision is a “green light” for Cloud would be simplistic and misjudged. A closer look at the conditions imposed by the regulator reveals a much more complex picture. What Datatilsynet has in fact done is to set out a wide spectrum of procedures and limitations that vary only slightly from the original proposed prohibition. In short, Cloud may only be used in the narrowest of circumstances and with the tightest possible controls. This is a far cry from the view that Google Apps has been given the all-clear.

For a regulator to rule that a Cloud service cannot be used in dealings with the general public is a matter of no small significance. Restricting the use of a service to internal public sector communications is the equivalent of confining the use of a car to the owner’s back garden. It is hardly a ringing endorsement of trust, nor is it a sign of an easy road ahead for the service.

The Norwegian decision is in effect a restrictive licence that is contingent upon a number of prerequisites being satisfied. A risk analysis must first be conducted, followed by the establishment of a specific data processor agreement. Regular third-party audits are also required. Such conditions impose a financial and management overhead significant enough to compromise the economic viability of the service. Any hope that Google Apps could convincingly argue a one-stop solution that contained embedded, trusted internal checks and safeguards has been dented.

I’m struggling to see how under those circumstances this outcome could ever be interpreted as a “win” for Google Apps. It is, in my view, more a call to action for the company to think carefully about its privacy policies.

However, as I mentioned earlier, the ruling by Datatilsynet is based principally on security parameters, not privacy. A determination based on privacy considerations is yet to emerge, and will hinge on the French privacy authority’s (CNIL) current investigation into Google’s new privacy policy, which allows the firm to assemble everything it knows about individual users into detailed profiles that can be used for ad targeting. Thus the fate of Google Apps in Norway and elsewhere is far from clear.

Once Datatilsynet does sink its teeth into the privacy issue it will open a Pandora’s Box of complexity. The key problem here – which the Datatilsynet mentions but does not dwell on – is whether Google’s privacy policy allows the company to process customer data for purposes other than those expressly agreed to by the customer. As written, the policy appears to allow this. The question is, does the customer’s specific agreement with Google unambiguously override the generic privacy policy?

The regulator admits that it has not assessed the new Google policy and defers judgment to the findings of the French CNIL. However, the Datatilsynet implicitly acknowledges that the Google policy may not comply with Norwegian law and may conflict with local authority privacy standards, noting in elliptical fashion that: “If there is a conflict between the Google Privacy Policy and the individual agreements being covered by assessment in this case, we presuppose that the latter agreements take priority. We assume that the municipality makes sure that this is the case.”

My reading of this wording and its implication is that Datatilsynet has not determined that the Google policy is acceptable and it has left the door open for reconsideration of this issue once the Article 29 Group has published the CNIL’s findings. After that report has been published (probably later this year) some core privacy issues must be determined relating to Google Apps and related privacy safeguards.

One such issue goes to the heart of Google’s business model. By way of practical example, my understanding is that although Google Apps for Business turns off advertising by default, it provides an Admin console that allows an IT administrator in the customer organization to turn it back on at any time. If ad serving is enabled, then presumably the data mining algorithms that read user emails and documents to decide which ads to serve will also be enabled. This will be of some concern to Norway, and the regulator is likely to demand additional safeguards against such a contingency.

The big picture here relates to the nature of the privacy policies that establish how Cloud data is used. Part of the solution to such concerns may – at the very least – be to require all cloud service providers which serve customers in sensitive areas (government, education, etc.) to publish and adhere to dedicated privacy policies that expressly ban any exploitation of customer content for purposes such as advertising that are not clearly enumerated in the customer’s contract. It is only through specific protections such as those that the privacy of users can be better assured. This is only a partial solution, but it’s a starting point.

Such a requirement would not destroy the online advertising industry, but it would help build trust in emerging services by drawing a clear line between areas where ad-related processing is permitted and those where it is not.