Sweden’s Data Inspectorate “Datainspektionen”, which oversees the nation’s Personal Data Act, this week ruled that the Salem Municipality in Stockholm must stop using Google Apps email and calendar services.
The main problem is that the data processor, Google, sets the ground rules for handling personal information, and, according to the inspectorate, has too much room to use the data for purposes other than what is specified by the municipality.
Ingela Alverfors, a lawyer for the inspectorate investigating the case, told ZDNet that cloud contracts in general posed a problem for municipalities because the municipality was supposed to stipulate how data was processed.
“Usually the one responsible for the data is the powerful party. Now it’s the cloud provider who writes the contract,” Alverfors said.
The contract should, for example, include limits on how data is used, but Google’s contract allowed it to process the data for maintaining and providing services, which was too open-ended in her view.
“You could do lots of things with the data. Our view is that Salem is probably not handling sensitive data in the cloud service, but still they are handling personal data,” she said.
Salem Municipality has three weeks to appeal against the decision. IT chief Tony Söderlund told ZDNet Salem would appeal — for the second time since an initial probe in 2011 — and had no plans to abandon Google Apps.
“We are working with our response and it’s too early to say what the response will be, but we are confident that our agreement with Google applies to Swedish and European laws,” Söderlund said.
“We are not thinking about abandoning Google Apps, partially because there is no alternative to Google’s excellent services.”
Google said: “We believe that Google Apps complies with Swedish law and we’ll continue to work with all involved parties. Over five million organisations worldwide, including well over one million in Europe, are already using Google Apps and enjoy the increased productivity, innovation and collaboration that internet computing offers.”
The decision on Salem does not automatically prevent all municipalities from using Google Apps, but Alverfors said it would make the same decision if it found others with the same contract in place.
Alverfors said the inspectorate had not investigated Microsoft’s Office 365, adding that cloud email services did not appear to be that widely adopted by Swedish municipalities.
Schools, however, were a different story and the inspectorate is currently investigating the use of Google Apps at schools in Sollentuna Kommun, another municipality in Stockholm, which migrated to the cloud platform in 2009.
“There’s an open case [on the use of Google Apps] in Sollentuna Kommun. We hope to have decision at the end of the year,” said Alverfors, who noted that the concerns are also primarily around the data processing terms.
Alverfors said the inspectorate will soon kick off a project to uncover how many schools across Sweden are using Google Apps and other cloud services like it.
Norway’s data protection authority last year gave qualified clearance for local councils to use Google Apps and Microsoft Office 365 after initially intending to block it. The Narvik municipality, which adopted Google Apps, is permitted to use Google’s cloud so long as it is not used to transmit personal information about citizens.