Summary of Nordic Privacy Arena 2019
3 min
Summary of Nordic Privacy Arena 2019: Datainspektionen and Cloud hosting for governmental bodies – By Jonas Gharanfoli, Compliance Manager at Complior.
I was a participant at the recent Nordic Privacy Arena in Stockholm and heard some very interesting presentations and panels discussing contemporary privacy issues and data protection legislation. If you are interested in GDPR and privacy, and want a summary of the latest and biggest news since GDPR was implemented in 2018 from leading experts in the field, this overview covers key insights.
Director General, Swedish Data Protection Authority
The head of the Swedish Data Supervisory Authority (DPA), Datainspektionen, spoke about the future of GDPR in Sweden. Datainspektionen has previously received some criticism from legal professionals for being relatively inactive after GDPR’s implementation.
The Director General explained that the organization has more than doubled its staff in a short period and needs time to train before actively imposing sanctions. There is concern that early sanctions may not hold up in court, which is a common situation among DPAs in Europe.
A representative from the Irish Data Protection Commissioner mentioned in another panel that their organization grew from 28 to 170 employees in a short time.
So far, the Swedish DPA has collaborated with other European DPAs on major supervisory cases, including reviewing whether organizations required to appoint a Data Protection Officer have done so. A full report is expected soon, and early indications suggest positive results.
In closing, the Director General stated that the Swedish DPA is gaining confidence and will soon begin actively imposing sanctions, similar to other European authorities.
Cloud Hosting, GDPR and Governmental Bodies
The use of cloud hosting services has been a widely debated topic in Sweden, especially after revelations that a governmental body stored sensitive information in a poorly secured foreign data center. This, along with GDPR, has made legal professionals cautious about cloud solutions.
During a panel discussion, Fredrik Blix, associate professor at Stockholm University, argued that on-premise IT infrastructure is not necessarily safer than cloud services, often the opposite is true. Organizations typically cannot match the level of security provided by specialized cloud providers.
He also emphasized that “cloud hosting” is a broad term, with significant differences between providers, and that many offer secure, private cloud solutions.
Opposing this view, a representative from Arbetsförmedlingen argued that cloud services were not permitted within their organization. However, it was later acknowledged that they do use cloud-based SaaS solutions. Concerns raised included risks, unfavorable agreements with large US providers such as Microsoft, Google, and Amazon, and the complexity of legal frameworks.
Legal professionals are often cautious due to the rapidly changing regulatory environment and uncertainty about future legality. They are also awaiting clearer guidance from the Swedish government.
A representative from Sveriges Kommuner & Landsting (SKL) supported the use of cloud services, stating that it is legal for governmental bodies to use outsourcing partners, provided it is done in a structured way with proper risk assessments during procurement.
A representative from Datainspektionen also confirmed that cloud hosting is acceptable if appropriate precautions are taken.
By the end of the panel, there was general agreement that cloud hosting is both legal and here to stay. However, challenges remain, such as the lack of local providers that meet all governmental requirements and limitations in agreements with large international providers.
Governmental bodies are seeking secure, locally adapted cloud solutions that comply with public sector regulations, a “government cloud.” As Fredrik Blix concluded, risk can never be eliminated entirely; the goal of information security is to manage and balance risk relative to asset value.
Future Outlook
Shortly after the Nordic Privacy Arena 2019, Anders Ygeman announced that the Swedish government had decided to build its own national government cloud solution.