Cloud computing is all the rage at the moment. According to IDC, an analysis firm, global turnover from cloud-based solutions will exceed USD 42b in 2012. In Denmark, too, moving applications “into the cloud” has become more and more popular. Not just private companies but increasingly also public authorities are looking at cloud-based solutions in order to, among other things, save IT costs.
The Danish municipality of Odense (Odense is the third largest city in Denmark) wished to use Google Apps, a cloud-based office suite that includes, among other things, calendars, e-mail and document management, as part of a plan to manage so-called pupil plans for the municipal schools. As part of these individual plans for pupils, the municipality would be processing personal information about the pupils’ health, potential social problems and other strictly private matters.
In order to comply with the Danish Act on Processing of Personal Data, the municipality of Odense asked the Danish Data Protection Agency for permission to use Google Apps for managing these pupil plans.
The Danish Data Protection Agency monitors compliance with the Act on Processing of Personal Data. The Act implements Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
The decision by the Danish Data Protection Agency is the first decision specifically on the use of Google Apps in the public sector by a European national data protection agency under the EU directive.
In its decision published 3 February 2011, the Danish Data Protection Agency rejects as non-compliant with the Danish Act the planned use of Google Apps by the Danish municipality.
The Data Protection Agency gives five reasons for its rejection.
1. The municipality has not documented that the data to be processed with Google Apps will not be transferred to data centres outside of the EU covered by the EU Commission’s safe harbour regime.
2. The risk assessment done by the municipality with respect to the security of the data is not deemed satisfactory, e.g. with respect to encryption of data.
3. The data processing agreement between the municipality and Google does not comply with the requirement under the Danish Act that the terms of the agreement can only be altered on the instruction of the municipality.
4. The Data Protection Agency considers that the municipality is not able to comply with the rule under the Danish Act that requires the municipality to be in effective control of whether the security measures to be observed by Google as data processor are in fact complied with.
5. The Data Protection Agency considers that the municipality has not shown that the requirements under the Danish Act will be complied with, among other things the requirement that data be deleted after use with no possibility of recreation.
The decision by the Danish Data Protection Agency will have significant importance for the use of cloud-based solutions, not only in the public sector, but also in the private sector, as the requirements for compliance under the Danish Act are more or less the same for the public and the private sector.
The decision does not only impact the use of cloud-based solutions with respect to processing of sensitive personal information, but also personal data in general.
To hear more about the decision, its ramifications and how to make sure that your cloud-based solutions remain within the boundaries of Danish personal data protection regulation, please contact me at firstname.lastname@example.org or, even better, our privacy and cloud computing expert at Bender von Haller Dragsted, my colleague and co-partner Jesper Langemark, at email@example.com or at +45 7224 1212.