Sweden’s data protection Authority bans Google cloud services over privacy concerns
In a landmark ruling, Sweden’s data protection authority (the Swedish Data Inspection Board) this week issued a decision that prohibits the nation’s public sector bodies from using the cloud service Google Apps.
A risk assessment by the Board determined that the contract gives Google too much covert discretion over how data can be used
The ruling – which bans Google cloud products such as calendar services, email and data processing functions – is based on inadequacies in the Google contract. A risk assessment by the Board determined that the contract gives Google too much covert discretion over how data can be used, and that public sector customers are unable to ensure that data protection rights are protected.The assessment gives several examples of this deficiency, including uncertainty over how data may be mined or processed by Google and lack of knowledge about which subcontractors may be involved in the processing. The assessment also concluded that there was no certainty about if or when data would be deleted after expiration of the contract.
The decision comes at a critically important moment for Google. A group of EU data protection regulators is currently deciding how to respond to the company’s controversial new privacy policy which allows the company to amalgamate data across all its products and services for whatever purposes it sees fit. Regulators are concerned that this condition is perilous to data protection rights. The Swedish decision reflects many of these anxieties.
The decision may also trigger a disintegration of trust across Europe over the use by schools of such services.
The decision may also trigger a disintegration of trust across Europe over the use by schools of such services. A recent survey revealed that schools are adopting cloud services at speed but that there is widespread concern over loss of control over the data.
The effect of the ruling against Salem will apply immediately across all Swedish municipal authorities, but will also by default extend to national government departments.
By way of background, in 2011 the Board criticized the Salem municipality for its use of the Google cloud service. That initial view focused on deficiencies in the agreement which meant that the contract did not comply with the rules in the Personal Data Act (PuL). The arrangement gave Google too much space to process personal data for its own purposes.
The Salem municipality was requested to produce a new agreement, but following a review of the new wording the Board concluded that the previous shortcomings remained.
Earlier this year the Norwegian data protection authority also demanded amendments to contract conditions for Cloud services, highlighting similar concerns
The decision runs headlong into Google’s “one size fits all” policy and throws out a challenge to the advertising giant to provide more specific terms and protections for its services. Other EU regulators will be closely monitoring the Swedish decision.