This interview was conducted by SafeGov with Norwegian Data Protection Commissioner Director Bjørn Erik Thon in Oslo in early October 2012. Thon has been the Commissioner for two years. Prior to that he worked for the Norwegian equivalent of the Federal Trade Commission.

The Norwegian Data Protection Authority was created 30 years ago. It has 40 employees and conducts approximately 60 audits per year. It receives some 10,000 queries from the Norwegian public per year. About 2/3 are from ordinary citizens who may have experienced a privacy breach. About 1/3 are from businesses typically inquiring to see if their practices comply with the law. In addition to the DPA’s activity in enforcing Norway’s data protection laws, it also participates in the public policy debate concerning privacy and security on the Internet.

Norway is not a member of the EU, but it participates as an observer in the Article 29 Working Party of the EU Data Protection Authorities. Norway is a member of the European Economic Area or EAA, which consists of the 27 members of the EU plus Iceland, Liechtenstein and Norway. It is also a member of the Berlin Group, which is a broader association of DPAs including non-EU members that studies data protection issues.

What follows is an edited transcript of our conversation. We thank Commissioner Thon for kindly taking the time to talk with us.


Q: Your agency has recently approved deployment of cloud email solutions by two Norwegian cities after first conducting an investigation of privacy and data protection issues. Since these were among the first cases in Europe where a DPA has approved public sector use of U.S.-based cloud providers, could you explain the background on these cases?

A: Yes, certainly. The two cases you mention involve the city of Narvik, which is deploying Google Apps, and the city of Moss, which is deploying Microsoft Office 365. You can read English translations of our letters to these cities here (Narvik) and here (Moss). The Narvik case started with a citizen complaint that Google Apps did not comply with Norway’s data protection law. The Moss case started a few months later, when that city came to us for advice about how to make sure they were in compliance with the law. We issued our rulings on both cases at the same time this past October in order to remain neutral between the two cloud providers.

Q: Your initial assessment of the Narvik case said that the city’s contract with Google did not comply with Norwegian law. In your most recent ruling you have revised that assessment. Can you explain what changed?

A: Yes, our initial assessment of the Narvik contract with Google was that it failed to comply with Norwegian law on a number of points. The city had not conducted a proper risk assessment. It wasn’t clear where Google was going to store the city’s data, or who inside Google could access it, or how it would be separated from other users’ data. We were also very concerned by the U.S. Patriot Act. So we instructed the city to suspend its deployment of Google Apps until it could provide answers to our questions.

Q: And what answers did the city provide?

A: They made changes in their contract with Google and got additional assurances from Google. For example, the original contract gave Google the right to store the city’s data at any of its data centers in the world [note: according to Google’s web site, in addition to its U.S. installations the search firm operates data centers in Finland, Belgium, Ireland in the EU, and in Hong Kong, Taiwan and Singapore in Asia.] But Google agreed to make an exception for Narvik and only store the city’s data in the EU or the U.S. They also promised to keep the data logically separate from other users. And they agreed to 3rd party audits of their data centers that let Narvik verify that Norwegian data protection laws are being respected.

Q: What about the other city, Moss?

A: We had similar concerns about their contract with Microsoft, especially regarding where the data were going to be stored. Microsoft agreed to make the same commitment as Google to store the city’s data only in the EU or the U.S.

Q: The CNIL (French DPA) is currently conducting an investigation on behalf of the Article 29 Group to determine whether Google’s privacy policy complies with EU laws. Did your investigation of the contract between Google and the City of Narvik consider this privacy policy? [Note: this interview was conducted in early October before the CNIL released its findings.]

A: We are of course aware of the CNIL investigation. However, our investigation of the Narvik case did not involve the Google privacy policy. We believe that it would not be appropriate for a Norwegian city to use a cloud service governed by such a policy, which is designed for consumers. Our position is that the city must have an individual contract with the cloud provider that has supremacy over the privacy policy. In our analysis we are obliged to assume that the city is acting as the data controller and the cloud provider is acting as the data processor. If a company acting as a data processor is also processing data for its own purposes rather than just for the customer’s purposes, that would make it a data controller, which is unacceptable. It is the obligation of the customer (i.e. the data controller) to make sure that this is not happening. Otherwise it would be a violation of Norwegian privacy law.

Q: You mentioned that you were also worried about the U.S. Patriot Act. Can you explain those concerns and whether they were addressed in these two cases?

A: The U.S. and European economies are highly integrated. It is inevitable that data will be transferred across the Atlantic in both directions all the time, especially consumer data. So of course we need a solution that allows this to happen in a smooth way while still respecting our European data protection laws. The Safe Harbor agreement has served this purpose well for a long time. Both Google and Microsoft adhere to it. But we are troubled by the role of the U.S. Patriot Act, which in some ways seems to undermine the protections offered by Safe Harbor. We are not happy with the idea that the U.S. authorities could use the Patriot Act to access the data of Norwegian citizens in data centers belonging to Google or Microsoft.

Q: What conclusion did you reach in your investigation of these Patriot Act concerns?

A: Although we are not entirely satisfied with the status quo, we ultimately concluded that Norway cannot act on its own on this issue. We are obliged to follow the decisions of the EU on this matter, even though we are not a member of the EU. We also concluded that our attitude had to depend on the risk analysis. In this particular case, which involved email and calendar data created by municipal employees of two small Norwegian cities, we determined that the data that would be stored in the cloud were not highly sensitive. However, we might have reached a different conclusion if the risk analysis had been different. For example, I don’t think Norway will ever allow the health data of Norwegian citizens to be stored on servers located in the U.S., given the differences in legal frameworks.

Q: Are you saying that certain kinds of data can never go outside of Norway?

A: Certainly that might be the case for data that concerns national security. But we do believe in the market and in the benefits of cloud consolidation. Perhaps one day there will be a European health cloud. In that case, we might see Norwegian health data stored on servers located outside of Norway in the EU, with the proper safeguards.

Q: Some other European DPAs such as the French CNIL have recommended encryption as a possible response to concerns over unauthorized or undesirable access to cloud data. Could encryption address your concerns about the Patriot Act? [On this topic see also SafeGov’s recent interview with executives of encryption startup CipherCloud.]

A: Certainly encryption could provide a technical solution to concerns about cloud data confidentiality. However, it would not necessarily address all the legal issues. For example, in the case we just mentioned of Norwegian health data, Norwegian law does not currently allow this data to be stored outside of Norway. So encryption alone would not be a complete solution.

Q: The EU is currently debating a new Data Protection Regulation which is a major revision and updating of the 1995 Directive. How do you view the proposed regulation?

A: While the existing Directive is old, perhaps surprisingly it has worked quite well for a long time. But we agree that a new law is necessary. We like many of the ideas in the proposed regulation. We’re not sure which provisions will survive the lobbying from the big Internet companies.

Q: What do you consider are the best and worst features of the new regulation?

A: We like privacy by design. This is vital, it’s one of our main strategies to promote it. We also like the right to be forgotten. This is a very important problem that didn’t really exist before the Internet. We also support data portability, though of course there are questions about how it can be implemented, as there are also for the right to be forgotten. You can compare data portability to mobile number portability. When that was introduced it was a big benefit for consumers, because it made it much easier to change mobile phone services. We hope for the same benefits for users of cloud services.

Q: What are some of the problem areas you see in the law?

A: What we don’t like so much is the one stop shop provision. The idea is that you will have your complaint handled by only one national DPA, and then there will be some kind of consultation process with the other European DPAs to ensure that the rulings are consistent. This sounds good in principle, but in practice it could be very cumbersome and bureaucratic, especially when you are talking about regulating technology that changes so quickly. We need a mechanism that can also change very quickly. Before becoming the Norwegian Data Protection Inspector I worked in the area of consumer regulations. Here the EU has a special commission to coordinate regulations between countries, and sometimes this work proved to be impossibly complicated.

Q: What about the division of labor proposed by the new law between the European Commission in Brussels and the national Data Protection Authorities?

A: The text of the regulation in its current form does give perhaps too much power to the EC to make rulings by means of delegated acts [note: a form of rule making authority that legislation passed by the European Parliament may grant to the EC]. We will have to see how this works out.

Q: What impact will the new law have on U.S. Internet companies operating in Europe?

A: Under existing law we can’t order a U.S. Internet firm to stop doing things that we don’t approve of, such as collecting information about users without their consent. For example, if a Norwegian company uses the Facebook Like function on its web page in an inappropriate manner, we can’t order Facebook to stop what it is doing, because Facebook is under Irish jurisdiction in Europe. We can however hold the Norwegian company responsible for its conduct. But the new regulation would provide for an extension of the territorial scope of our authority. U.S. companies that track or gather information about European consumers would have to comply with European rules requiring consent. We think this is a step forward.

Q: When do you think the new EU regulation will take effect?

A: This might take longer than people expect. Right now there are working groups that are reviewing the law article by article. People say that implementation could occur anywhere between 2013 and 2016. I think it will be later rather than sooner.

–Interview conducted by SafeGov expert Jeff Gould.

Author :