After nine months of deliberations and some changes on Google's side, the Norwegian Data Protection Authority lifted a ban on the use of Google Apps by municipalities.
However, the decision does not give city authorities carte blanche to use all cloud services, according to the Norwegian Data Protection Commissioner.
The use of Google Apps was banned in January by the Norwegian Data Protection Authority, which is known to keep a short leash on use of technology from U.S. IT companies, because the cloud application was violating Norwegian privacy law.
One of the main issues is that local governments that use services like Google Apps have no idea where in the world their data is stored and who is able to access it, the authority said at the time. If Google or other international companies wish to offer cloud computing services to Norwegian enterprises, they need to develop services that take Norwegian and European data protection legislation into consideration, the authority said.
Since then, however, "there has been a lot of water under the bridge," said Data Protection Commissioner Björn Erik Thon.
In the past few months the use of cloud computing services by the municipalities of Narvik, which uses Google Apps, and Moss, which uses Microsoft Office 365, were reviewed.
"The conclusion is that the Data Protection Authority will allow use of the services," it said on its website. Google and Microsoft, however, have to comply with conditions set by the authority.
Google has made its cloud service more secure and was able to show where data sent via email by the Narvik government is stored, Thon said.
The emails are either stored within the E.U -- where they are protected by European data protection regulation -- or in the U.S., where they are protected by "safe harbor" certified data centers, said Thon. While this is not a perfect solution, this complies with Norwegian law, he added.
The Data Protection Authority said that while it investigated Narvik's use of Google Apps after receiving a complaint, Moss contacted the privacy agency on its own initiative and requested guidelines. The guidelines for use of Office 365 were the same as those issued for Google Apps, the authority said.
"We do not distinguish between Google, Microsoft and others," Thon said.
Before a cloud service can offer its services to a Norwegian government, it must undergo a thorough risk and vulnerability assessment. In addition, the cloud vendor has to sign a data processing agreement that is in compliance with Norwegian regulations and the use of cloud services must be audited on regular basis. These regulations apply to all cloud vendors that want to provide services to Norwegian authorities.
Sign up for CIO Asia eNewsletters.