Tuesday 24 January 2012

Norwegian Data Inspectorate rules use of Google Apps by companies breaches Norwegian law, cites US Patriot Act

Datatilsynet, the Norwegian Data Inspectorate, has effectively outlawed many corporate uses of Google Apps within Norway on privacy grounds.

Reports are only just emerging (in Norwegian) that a "Notice of Decision" dated 16th January (pdf, Norwegian) states that Norwegian companies that make use of Google "cloud" services (known locally as nettskyløsning - essentially Google Apps) with its standard terms "violate the law".

It is unclear at this stage whether the opinion will be challenged in the courts.

The Norwegian authorities cite the US Patriot Act, which gives "U.S. authorities the ability to monitor terrorist suspects without charge or trial" amongst the reasons why a US-led data protection initiative known as US-EU Safe Harbor was insufficient in itself to guarantee compliance with strict Norwegian data protection laws.

Readers are reminded that Norway is not a full member of the EU, but, as a member of the European Economic Area, complies with all relevant EC directives.

The Norwegian ruling comes 18 months after the Danish Data Protection Agency reportedly ruled that sensitive personal information could not be stored on Google's cloud platform (Danish) when Odense Municipality planned to use the service to manage student schedules.

It also comes at a difficult juncture for Google after revelations cloud data was improperly accessed by Google employees in Kenya in order to "boost its own business".

Complaint

The intervention of the Data Inspectorate stems from a complaint "by an individual" against the municipality of Narvik, a relatively small city whose administrative body was the first government agency in Norway to move to Google Apps, according to Digi.no, an Oslo-based tech blog.

The main issues of the complaint seem to relate to:
  • Where in the world data will be stored, including backup copying, and what protection is available in these countries
  • Who at Google has access to the stored data
  • Whether it is possible for Narvik Municipality to conduct data "safety" audits for the data stored in the Google cloud - essentially what co-operation from Google was required for a satisfactory audit to be conducted

Inspectorate opinion

The ruling relates to the use of Google's email service by the municipality of Narvik, but the principles outlined extend to other Google cloud services.

To summarise, the Inspectorate found that Google does not offer terms and conditions that meet Norwegian law and has no mechanism in place to offer local or customised Ts & Cs. In addition, the Inspectorate did not have access to sufficient technical information to show that adequate data protection measures were in place to allow personal data to be exported to countries outside the European Economic Area.

Therefore the use of Google Apps by Norwegian companies (plus, presumably, any foreign-owned company with a Norwegian presence) to process personal data would put those companies in contravention of three sections (13, 15 and 29) of Norway's Personal Data Act 2000.

From my own reading of the opinion it appears as though there is some wiggle room for companies who can be sure they do not store or process sensitive personal data, as defined under Norwegian law, but please don't take my word on this.

The quoted sections of Norway's Personal Data Act deal with:
  • §13 - Data security of stored information, obliging data controllers to conduct systematic inspections of data storage facilities and document such audits
  • §15 - Data processing of personal data, essentially looping-in §13 as a prerequisite, as well as informed consent
  • §29 - Sets out basic conditions for transfer of personal data abroad

Inspectorate Assessment: is personal data being stored by Narvik Municipality?

The Inspectorate first established that personal data was being handled by Google Apps on behalf of Narvik Municipality.  Narvik responded that it only currently used Google's email services, but it was considering using more services for drafting spreadsheets, drawings and documents.

Furthermore the Municipality claimed in defence of its decision to use Google's email servers that its own rules forbid the sending of sensitive personal information via email.

The Inspectorate limited its findings to the use of email but nevertheless ruled:
  • There is still a risk of unauthorized transmission of sensitive or confidential personal information
  • Notes that this is not an issue that is limited to Google Apps, however...
  • Google Apps puts the data management outside the direct control of the data controller, meaning that data may be stored "for a long time", and in particular deleted emails may not be deleted at all replication points within Google's cloud.
It concluded that there was no evidence of "adequate measures" to prevent the transmission of "confidential information" via email:
"The municipality can not exclude that it will process sensitive personal data [via email], and must therefore take into account that the system will process both sensitive personal data and personal information in general"

Inspectorate Assessment: is Google's solution compatible with obligations on data controllers under Norwegian law?

Narvik Municipality argued a thorough risk assessment concluded the switch-over to Google's email solution offered a similar risk profile to its existing solution. I can't find concrete evidence but it appears Narvik formerly used in-house email servers.

The Inspectorate disagreed, saying the authority lacked sufficient documentation to support the risk assessment.

It was also noted that once the supplier was chosen - Google - the authority had little if any control over the way data would be processed.   It therefore follows that the authority had to ensure not only that Google Apps was compliant, but also that the solution would remain compliant. 

Of course a new supplier could be chosen in the event that a dispute arises, but the authority, as a minimum, must ensure [further] migration is practical if required.

Inspectorate Assessment: Safe Harbor and physical location

The municipality cited Google's self-certified Safe Harbor compliance as a sufficient safeguard to meet rules on exporting personal data outside the EU.

The Safe Harbor framework was developed by the U.S. Department of Commerce "in consultation with the European Commission" to streamline compliance with the EU Data Protection Directive (95/46/EC), which requires that EU data controllers only export personal data to countries that "ensure an adequate level of protection".

The Inspectorate found there was no way of auditing Google's self-certified compliance, since Google "[does] not wish for safety reasons to release details of provider data centers", noting:
"When the data handler does not want to release information about the countries in which their data centers are placed, this creates challenges with regard to the requirements of a data processing agreement under the §15 and §29 of the Personal Data Act. The city will not be in agreement to clarify security in the solution in a sufficient manner, without being able to know that states information transferred to a sufficient protection for personal data"
The Inspectorate then delved into Safe Harbor:
"The [Safe Harbor] scheme includes U.S. companies considered to provide adequate protection for personal data they receive from the EU / EEA, in that they voluntarily implement a set of rules for the treatment of the information. After Safe Harbor was established, the U.S. has adopted the law "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act", abbreviated USA Patriot Act, as a result of the terrorist attack 11 September 2001. The law is very complicated and extensive. This law gives the U.S. authorities ability to monitor terrorist suspects without charge or trial. 
The Authority wishes in this context to point out that the U.S. Patriot Act must be considered to be a challenge with regard to protection of privacy, even within the Safe Harbor scheme."
Concluding:

"In light of the above the Inspectorate does not see that Google's 'standard agreement' is adequate in relation to what is expected of a data processing agreement, see Personal Data Act, § 15. In the Authority's opinion, the absence of an [adequate] contract with a data processor is a deviation from the requirements of the Personal Data Act § 15.
"The Inspectorate can not see how any data processor outside the [European] Community that does not specify which country the data will be processed can comply with the requirements for adequate protection under § 29 of the Personal Data Act."
The Inspectorate raised more concerns where the municipality was unable to provide adequate documentation to support its claims of compliance with the Personal Data Act for other areas of the complaint, such as who at Google can access the municipality's data and whether Google provided sufficient information for the municipality to carry out mandatory data protection audits.

Bootnote:

Before leaping to praise Norway's strict data protection laws, note that Norway last year proposed a new law to exempt organisations investigating copyright infringement from obtaining a license to process personal information under their Data Protection Act. The same proposed law allows ISPs to block web pages containing copyright-infringing content.

One assumes some complex international diplomacy is in play with respect to US-Norway relations, with the US making a fuss about a perceived or actual problem with copyright infringement and Norway making a stand against a perceived or actual problem with overarching anti-terrorist legislation.


2 comments:

  1. Go Microsoft Private Cloud!

  2. @Anonymous
    Who do you think the "individual" complainant works for?
