Open Digital cites a report dated 16 January which suggests that corporate use of Google cloud services under standard terms violates Norwegian data protection laws. In what it calls a 'Notice of Decision' the Inspectorate states that the EU-US Safe Harbor agreement does not adequately guarantee data protection in the face of the US Patriot Act. The Patriot Act gives the US government the right and ability to demand personal data on any person anywhere in the world if that data is held anywhere in the world by a US company - such as Google.
The Decision apparently follows a complaint from an inhabitant of Narvik. Narvik is using Google's cloud services (specifically its email services), and the inhabitant demanded to know what data protection safeguards were in place. The Inspectorate’s conclusion is that there are insufficient safeguards to comply with Norway's Personal Data Act 2000.
The Inspectorate’s report points out that the US Patriot Act was enacted after the Safe Harbor agreement was established, and that it “must be considered to be a challenge with regard to protection of privacy, even within the Safe Harbor scheme.” It further concludes that it cannot see “how any data processor outside the [European] Community that does not specify which country the data will be processed can comply with the requirements for adequate protection under § 29 of the Personal Data Act.”
Open Digital points out that Norway is not a full member of the EU, “but as a member of the European Economic Area, complies to all relevant EC directives.” Since the EC tends to fall in line with US wishes, it is unclear whether this ‘Notice of Decision’ will have any serious effect either within Norway or Europe generally. Open Digital “assumes some complex international diplomacy is in play with respect to US-Norway relations, with the US making a fuss about a perceived or actual problem with copyright infringement and Norway making a stand against a perceived or actual problem with overarching anti-terrorist legislation.”