After nine months of deliberations and some changes on Google's side, the Norwegian Data Protection Authority lifted a ban on the use of Google Apps by municipalities.
However, the decision does not give city authorities carte blanche to use all cloud services, according to the Norwegian Data Protection Commissioner.
The use of Google Apps was banned in January by the Norwegian Data Protection Authority, which is known to keep a short leash on use of technology from U.S. IT companies, because the cloud application was violating Norwegian privacy law.
One of the main issues is that local governments that use services like Google Apps have no idea where in the world their data is stored and who is able to access it, the authority said at the time. If Google or other international companies wish to offer cloud computing services to Norwegian enterprises, they need to develop services that take Norwegian and European data protection legislation into consideration, the authority said.
Since then, however, "there has been a lot of water under the bridge," said Data Protection Commissioner Björn Erik Thon.
In the past few months the use of cloud computing services by the municipalities of Narvik, which uses Google Apps, and Moss, which uses Microsoft Office 365, were reviewed.
"The conclusion is that the Data Protection Authority will allow use of the services," it said on its website. Google and Microsoft, however, have to comply with conditions set by the authority.
Google has made its cloud service more secure and was able to show where data sent via email by the Narvik government is stored, Thon said.
The emails are either stored within the E.U -- where they are protected by European data protection regulation -- or in the U.S., where they are protected by "safe harbor" certified data centers, said Thon. While this is not a perfect solution, this complies with Norwegian law, he added.
The Data Protection Authority said that while it investigated Narvik's use of Google Apps after receiving a complaint, Moss contacted the privacy agency on its own initiative and requested guidelines. The guidelines for use of Office 365 were the same as those issued for Google Apps, the authority said.
"We do not distinguish between Google, Microsoft and others," Thon said.
Before a cloud service can offer its services to a Norwegian government, it must undergo a thorough risk and vulnerability assessment. In addition, the cloud vendor has to sign a data processing agreement that is in compliance with Norwegian regulations and the use of cloud services must be audited on regular basis. These regulations apply to all cloud vendors that want to provide services to Norwegian authorities.
There are still some possible pitfalls, though. "We are not exactly happy with the possibilities of the Patriot Act," Thon said.
The Patriot Act can be used by U.S. law enforcement agencies to seize data stored by companies that are based in the U.S. "There is nothing we can do about that," Thon said.
While the safe harbor principles currently provide enough protection to comply with Norwegian law, the Patriot Act is something that needs to be dealt with by the Norwegian government, Thon said.
While the Data Protection Authority allows local governments to store email in the cloud, it is unlikely that the it would allow municipalities to store social welfare or health care data on the servers of a U.S. based cloud service. The regulations for cloud providers are "not a carte blanche," to use any cloud service, said Thon, adding that use of cloud services should be dealt with on a case-by-case basis.
A Google spokesperson stated in an email that the company is "delighted that the Norwegian DPA approved Narvik's deployment of Google Apps." Google declined to comment on specifics.
The Norwegians are also investigating the use of Google Analytics by the local Tax Administration and the State Educational Loan Fund. The data protection watchdog concluded in late August that Google Analytics violates the country's privacy laws, because the agencies have no control over how Google uses information about users. The conclusion was reached after a preliminary investigation. A full report on that the matter is expected to be published before Christmas, Thon said.