Summary of Nordic Privacy Arena 2019: Datainspektionen and Cloud hosting for governmental bodies – By Jonas Gharanfoli, Compliance Manager at Complior
I was a participant at the recent Nordic Privacy Arena in Stockholm and heard some very interesting presentations and panels discussing contemporary privacy issues and data protection legislation. If you are interested in the GDPR and privacy, and want a summary of the latest and biggest news since GDPR was implemented in 2018 from the biggest names in the business, stick around.
Director General, Swedish Data Protection Authority
The head of the Swedish Data Supervisory Authority (DPA), Datainspektionen, spoke to the future of GDPR in Sweden. Datainspektionen has previously received slight criticism from legal professionals in Sweden for being a bit too quiet and somewhat inactive after GDPR’s implementation. The Director General of the DPA mentions that her organisation has more than doubled their staff in a short amount of time and that the DPA needs time to train and learn before they can actively start imposing sanctions, as they are a bit afraid that the sanctions they may impose won’t hold up in a court of law. This is a very common occurrence amongst DPAs in Europe. A representative of the Irish Data Protection Commissioner shared in another panel that the Irish DPA has grown from 28 to 170 employees in a very short amount of time.
So far the Swedish DPA has collaborated with other DPAs across Europe when performing their larger supervisory cases, the first being a review of organisations that are required to hire a Data Protection Officer and if they have done so. According to the DPA the full report will be released soon, including the result from all the 7 DPAs but I managed to get some spoilers. Apparently, she already knows the results and“it looks good”. As a closing statement, she said that the Swedish DPA is now amassing courage, but will soon actively impose sanctions like many other DP:s around Europe.
Cloud hosting, GDPR and governmental bodies
The use of cloud hosting services has been a hot topic in Sweden, especially after a whistleblower showed the media that a Swedish governmental body stored top secret government information in a Romanian data center with very poor security. It was also uncovered that top political figures in Sweden knew of these issues without thinking it appropriate to take any immediate action. GDPR has also frightened lawyers working for governmental bodies of cloud hosting services.
There was a panel were Fredrik Blix, associate professor at Stockholm University (and my former professor) spoke about cloud hosting services for governmental organizations. His arguments were that having on-premise IT-infrastructure is by no means a safer option than cloud services, often it is quite the opposite. Organisations usually can’t afford the level of physical security that an outsourcing partner can provide, since their core business is cloud hosting. Fredrik also mentions that cloud hosting is a very broad term and cloud services can vary significantly. There are a lot of information security driven hosting providers out there with private cloud solutions.
Arguing against him was a representative from Arbetsförmedlingen, a quite infamous governmental body in Sweden that is responsible for helping the unemployed find work. He stated that it is forbidden to use cloud services in his government body. Shortly after saying that he admitted that they actually use a purchasing system that is a cloud based SaaS-solution. Regardless, his argument against cloud solutions was the risks, bad hosting agreements with big American companies like Microsoft, Google and Amazon. It was also stated that lawyers are generally against these type of services since the legal frameworks surrounding these solutions are complex and change quickly. It is difficult to predict if this will be legal in the near future. Lawyers also await more guidance on the issue from the Swedish government and the actions they will take for their own local cloud services for governmental bodies.
There was also a representative from Sveriges kommuner & Landsting (SKL) in the panel, a Swedish interest group that, amongst everything else, provides guidance to municipalities and counties in Sweden. They agreed with Fredrik, it is totally legal for governmental bodies today to use IT-outsourcing partners.
However, it should be done in an organized manner and a risk assessment must be conducted during the procurement process. She also mentioned that SKL is soon to release new guidelines for cloud hosting services on their website. A representative from Datainspektionen also agreed that it is legal and fine to use cloud hosting if you take the right precautions.
By the end of the panel, it seemed that everyone was in agreement that cloud hosting solutions are legal and here to stay. However, there is no denying that there are difficulties in place such as few local hosting providers that can meet all of the requirements of governmental bodies. The agreements of the big American companies are for now not that good for governmental bodies. What government bodies want is local cloud hosting with a focus on security that is adapted to public law requirements – a type of gov-cloud solution. As a closing statement Fredrik said that the risk is never at 0%, the point of information security has never been to provide zero risk but rather to mitigate the risk in proportion to the value of the assets and achieve balance.
Shortly after the Nordic Privacy Arena of 2019 was over Anders Ygeman, the Swedish minister of energy and digitalization who was present at the event, announced that the government has decided that Sweden shall build their own government cloud solution.