Reports are only just emerging (in Norwegian) that a "Notice of Decision" dated 16th January (pdf, Norwegian) states that Norwegian companies that make use of Google "cloud" services, (known locally nettskyløsning - essentially Google Apps) with its standard terms "violate the law".
It is unclear at this stage whether the opinion will be challenged in the courts.
The Norwegian authorities cite the US Patriot Act, which gives "U.S. authorities the ability to monitor terrorist suspects without charge or trial" amongst the reasons why a US-led data protection initiative known as US-EU Safe Harbor was insufficient in itself to guarantee compliance with strict Norwegian data protection laws.
Readers are reminded that Norway is not a full member of the EU, but, as a member of the European Economic Area, complies to all relevant EC directives.
Readers are reminded that Norway is not a full member of the EU, but, as a member of the European Economic Area, complies to all relevant EC directives.
The Norwegian ruling comes 18 months after Danish Data Protection Agency reportedly ruled that sensitive personal information could not be stored on Google's cloud platform (Danish) when Odense Municipality planned to use the service to manage student schedules.
It also comes at a difficult juncture for Google after revelations cloud data was improperly accessed by Google employees in Kenya in order to "boost its own business".
Complaint
Complaint
The intervention of the Data Inspectorate stems from a complaint "by an individual" against the municipality of Narvik, a relatively small city whose administrative body was the first government agency in Norway to move to Google Apps, according to Digi.no, an Oslo-based tech blog.
The main issues of the complaint seem to relate to:
- Where in the world data will be stored, including backup copying, and what protection is available in these countries
- Whom at Google has access to the stored data
- Whether it is possible for Narvik Municipality to conduct data "safety" audits for the data stored in the Google cloud - essentially what co-operation from Google was required for a satisfactory audit to be conducted
Inspectorate opinion
The ruling relates to the use of Google's email service by the municipality of Narvik, but the principles outlined extend to other Google cloud services.
To summarise, the Inspectorate found Google does not offer terms and conditions that meet Norwegian law, has no mechanism in place to offer local or customised Ts & Cs, plus the Inspectorate did not have access to sufficient technical information to show adequate data protection measures were in place to allow personal data to be exported to countries outside the European Economic Area.
Therefore the use of Google Apps by Norwegian companies (plus, presumably, any foreign-owned company with a Norwegian presence) to process personal data would put those companies in contravention of three sections (13, 15 and 29) of Norway's Personal Data Act 2000.
Therefore the use of Google Apps by Norwegian companies (plus, presumably, any foreign-owned company with a Norwegian presence) to process personal data would put those companies in contravention of three sections (13, 15 and 29) of Norway's Personal Data Act 2000.
