Swedish watchdog: Google's chocolate cloud? Nej, not private
Bans official use of ad giant's apps suite
The Google bods who sell the ad giant's software services in Europe have been banned from flogging their wares to Sweden's public sector due to unresolved privacy concerns.
The ruling came after a local council was prohibited from using Mountain View's cloud services, and applies to Sweden's local and central government, though not to private sector firms.
Salem, a town of around 16,000 about 30km southwest of Stockholm, wanted to sign a licence to use Google Apps, but Sweden's data protection authority blocked the deal.
The judgment is not linked to the recent controversy over the NSA's surveillance web-snooping scheme but reflective instead of deep-seated concerns about the security and privacy implications of using US-based cloud service providers.
This is not the first time Sweden has expressed its concerns. The issue first came up in 2011 when Swedish Datainspektionen (data protection regulators) ruled that Google's terms and conditions, which allow it to do what it likes with customer data "for the purposes of providing, maintaining and improving the services" was unacceptable.
In particular there were concerns about Google handing customer data to third-party subcontractors as well as what would happen with potentially sensitive data if and when the contract was terminated for any reason.
Datainspektionen ordered Salem to renegotiate a contract incorporating tougher privacy protections. Salem returned with a revised deal last month but that too was judged as deficient. The decision leaves Salem with the option of either going through another round of renegotiation, with an uncertain outcome, or looking for another way to deliver IT services.
UK-based privacy expert and campaigner Simon Davis tipped us off about Google Apps' second knock-back in Salem. The ruling prohibits Sweden's public sector bodies from using Google Apps cloud services, according to Davis.
"Google was the only service cited in the judgment. It will apply to all cloud providers, but Google is the one with the deficient contract," Davis told El Reg.
In a blog post, Davis said other regulators across Europe may take a close interest in the Swedish ruling.
IT security industry veteran Paul Ducklin, writing on Sophos's Naked Security blog, said that Swedish regulators were entitled to take a stricter line about taxpayer data held by local councils than they would for private businesses in similar circumstances.
"It's one thing to outsource your own IT services - personal email, blogging, website and so forth - to save time and money," Ducklin writes. "That's your own choice to make."
"And it's fair enough if you're a company whose customers can vote with their chequebooks if they don't like the service provider you've chosen. But as a 'customer' of a local government, you don't have that liberty, so you are stuck with the privacy-related decisions made by your council," he added. ®