The Data Inspectorate has considered a case against Narvik Municipality, which has chosen to use Google’s Cloud Computing services to process the municipality’s e-mails. The Data Inspectorate has concluded that Google Apps fail to comply with the Norwegian Personal Data Act, among other things because the municipality loses control of the information Google processes through the Cloud Computing services. In practice, Google dictates the solutions they supply to their customers.
«If Google, or other international companies, wish to offer Cloud Computing services to Norwegian enterprises, they will need to develop services that take Norwegian and European data protection legislation into consideration», says Thon.
Strict requirements for use
Enterprises that use Google Apps has in actual fact no possibility of checking that security and data protection are sufficiently safeguarded. For example, they have no idea where in the world the personal information is stored or who is able to access it. Therefore, the Data Inspectorate is of the opinion that Google may not offer this type of service to Norwegian municipalities, public bodies or certain other enterprises.
«As a custodian of data protection, we need to impose strict requirements on the type of Cloud Computing services Norwegian enterprises may use. Enterprises cannot accept the conditions set by Google in their standard contracts,» Thon stresses.
Must terminate the agreement
Unless Google presents a solution that complies with the law, the Data Inspectorate would urge Narvik Municipality to terminate their agreement with Google. The municipality was one of the first public authorities to use Google Apps, but several others have considered following suit. The municipality can appeal the Data Inspectorate’s decision, and in that event the case will go to the Data Protection Tribunal.
Download:
Notification of decision – New e-mail solution within Narvik local authority (Narvik kommune) – Google Apps (pdf)