We previously told you about the finding by the Norwegian Data Protection Authority, Datatilsynet (Norwegian DPA), that Google Analytics breached that country's data protection laws. In an about-face, the Norwegian DPA has now decided to hold off its ban on the use of Google's and Microsoft's cloud computing services by the Municipalities of Narvik and Moss, respectively. The Norwegian DPA had originally concluded that Google Apps and Microsoft 365 failed to comply with the Norwegian Data Protection Act because the municipalities lost control over the storage of, and access restrictions on, personal data being processed by Google and Microsoft through their cloud computing services. The Norwegian DPA's main concern was the failure to establish a valid data processor agreement in accordance with Section 15 of the Personal Data Act; the arrangements also did not fulfill the information security requirements of Section 13 and did not adhere to the rules on the transfer of personal data abroad in Section 29. The Norwegian DPA was also concerned that the U.S. Patriot Act represented a challenge to the safeguarding of personal privacy, even within the Safe Harbor scheme.
The Norwegian DPA is now satisfied that Google and Microsoft have increased their cloud computing security and that the data stored in the EU/EEA and in the United States under the Safe Harbor regime are protected by adequate safeguards. This fundamental reversal of regulatory policy suggests that the DPA is reassessing the significance of cloud computing in light of its growing popularity. However, the use of cloud computing services in Norway will be made conditional upon strict prerequisites:
- A thorough risk and vulnerability analysis must be carried out in advance.
- The enterprise must have established a satisfactory data processor agreement in compliance with Norwegian regulations. The municipality will be responsible for ensuring compliance with statutory requirements.
- The use of cloud computing services must be audited on a regular basis. An independent third party must carry out a security audit on behalf of the municipality to ensure compliance with the data processor agreement.
- The data processor agreement must be enforced, and the supplier’s general privacy policy must be in compliance with the agreement.
- In relation to the transfer of personal data: unless the countries the data are transferred to have been approved as a safe destination by the EU Commission, the transfer must be regulated by standard agreements.