Swedish information technology privacy watchdog Datainspektionen has stepped in and banned a local authority from using Google Apps, saying its policies are not compatible with privacy laws in the country.
The regulator told Salem council that the cloud provider contract it intended to sign with Google did not fulfill requirements for protecting and deleting sensitive personal data. Furthermore, Datainspektionen said the Salem council executive wasn't given enough oversight into which sub-contractors Google may engage. It demanded that both these points be addressed, or the local authority would cease to use the US cloud service provider.
Datainspektionen's decision applies to other local councils in Sweden as well, and also to government departments.
In particular, Datainspektionen is unhappy that the policy does not specify immediate deletion of individuals' data if so requested.
Instead, deletion takes place "after a commercially reasonable period of time" and Google "may not immediately delete residual copies from our active servers and may not remove information from our backup system".
Datainspektionen said individuals should feel safe in the knowledge that deleted sensitive personal data had in fact been erased, and wasn't kept or used for processing by a cloud service provider. There is also no indication as to how long Google retains data after the council has requested its deletion, Datainspektionen said, making the contract between Salem Council and the web services giant incompatible with Swedish privacy law.
The watchdog also said the contract needed to clarify which, if any, third-party subcontractors may be given access to and process sensitive personal information.
Such data could, however, lawfully be stored in the US or another country, the watchdog said.