The decision (in Swedish) notes that the proposed agreement between the City of Salem and Google does not conform to data protection requirements over “the treatment and disposal of personal information,” and does not provide “sufficient insight into the subcontractors who are hired” by Google. Unless these deficiencies are remedied, Salem is instructed that it cannot proceed with the contract.
“The assessment gives several examples of this deficiency,” explains Simon Davies, privacy advocate and founder of Privacy International, “including uncertainty over how data may be mined or processed by Google and lack of knowledge about which subcontractors may be involved in the processing... [and] there was no certainty about if or when data would be deleted after expiration of the contract.” Although the decision applies to the City of Salem, “The effect of the ruling against Salem will apply immediately across all Swedish municipal authorities, but will also by default extend to national government departments,” says Davies.
The ruling comes at a difficult time for Google in Europe in general, and Scandinavia in particular. Last year Norway declared use of Google Apps to contravene the Norwegian Data Protection laws. It specifically warned that since the Safe Harbor agreement with the US predated the US PATRIOT ACT, the latter “must be considered to be a challenge with regard to protection of privacy, even within the Safe Harbor scheme.”
That particular ruling now seems remarkably prescient following Edward Snowden’s revelations of the NSA PRISM surveillance program, which includes Google, and is believed to be justified in the US by a secret interpretation of the PATRIOT ACT. US Attorney General Eric Holder is currently meeting with the EU in Dublin, where it is believed that EU officials will press for clarification on PRISM and Verizon’s phone meta (traffic) data collection programs. A memo issued by the EU yesterday says, “Vice-President Reding [the EU Justice Commissioner] is also seeking clarifications as to whether and how United States authorities are accessing and processing the data of European Union citizens using major U.S. online service providers.”
Meanwhile, the EU national data protection bodies (the Article 29 Working Party) are considering their next step over Google’s privacy rules. They have already decided that the privacy rules contravene EU data protection laws and asked Google to amend them. Google declined, and the working party is now considering its next move. The whole issue is complicated by the EU’s General Data Protection Regulation proposals that have been struggling under the weight of US lobbying. This is at a critical point where Snowden’s revelations (over US cloud providers that include but are far from limited to Google), and individual rulings such as the one from Sweden, might strengthen the hand of the privacy advocates.