Use of Google Apps' cloud solution

The Norwegian Data Inspectorate (NDI) recently issued a notice to a Norwegian municipal agency to prohibit use of Google Apps' cloud solution.

A local government in the town of Narvik entered into an agreement with Google Apps with the aim to run a cloud-based software-as-a-service, including a complete e-mail solution and possibly file sharing of internal documents.

However, the NDI concluded that the solution provided by Google Apps was not in accordance with the Norwegian Personal Data Act and regulations (PDA).

The main reason was that Narvik lost control of the personal data due to the fact that Google Apps use the cloud to process information from Narvik. The NDI pointed out that if Google Apps, or any other international company, would offer cloud solution services to Norwegian entities, they must implement a solution that comply with the Norwegian and European privacy legislation.

The legal issues raised by the NDI included lack of valid data processing contract, problematic data transfer to third countries and missing information on security level and measures. The reasoning of the NDI was based on a specific legal assessment based on documentation provided by Narvik.

The NDI argued that Narvik could not ensure that no sensitive personal data will be involved in the processing. Google Apps' cloud solution will process both personal data and sensitive personal data. Thus, in relation to the requirements of PDA, the NDI could not see that adequate security measures had been implemented by Narvik.

Further, the NDI criticized the risk assessment performed by Narvik as incomplete and lacking sufficient background material, which was not in accordance with the requirement of PDA.

Thirdly, the NDI argued that Google Apps' standard contract was not according to the levels prescribed by PDA. Also, Narvik could not provide information about the location of the physical data processing, which was not according to the security requirements of PDA.

Lastly, Narvik used Google Apps' white paper in response to the NDI's question about security concerns of the system. There was no description about Googles Apps' security system design, and there was no description about who will have access to Narvik's personal data. The NDI thus concluded that the information security requirements of PDA were not complied with.

Moreover, the NDI argued that a data processor cannot process personal data without a data processing contract with the data controller. According to the NDI, if a data processor process personal data for several different data controllers, the data processor must process the information separately for each controller. The NDI concluded that Google Apps failed to clarify how this will be handled in its cloud solution.

A final decision by the NDI is expected 1 March 2012.