It is currently impossible for Sweden’s public sector to purchase web-based office services (word processing, email and text/video chat) that comply with the European General Data Protection Regulation (GDPR), according to a study by the country’s National Procurement Services.
The study concludes that, because of US regulations including the Cloud Act, Executive Order 12333 and Section 702 of the Foreign Intelligence Surveillance Act, cloud office solutions from the current market leaders cannot provide an adequate level of protection under the GDPR.
“The best option would be a web-based office suite that enables compliance with the GDPR and with Swedish rules on long-term archiving and confidentiality,” says Daniel Melin, the study’s project leader working for the National Procurement Services. “It is likely that open source software and open standards are key to making this possible. That also allows public sector users to migrate from one vendor to a competitor, or switch to self-hosting.”
Last Friday, the Kammarkollegiet – Sweden’s Legal, Financial and Administrative Services Agency – published its “Förstudierapport Webbaserat kontorsstöd” (Pre-study report on Web-based office suites). The report concludes that “it appears possible in principle to procure a web-based office suite which is both technically and legally acceptable.”
However, the study at present cannot identify any market actor that can provide a suitable cloud office solution to the Swedish public sector. That is why the Kammarkollegiet is calling on public services and companies to work together to develop solutions that comply with key legal requirements.
The report brought together legal experts from inside and outside the government, central government agencies, regions and municipalities, and representatives from IT vendors. It reviews legal discussions between the US and the European Commission, opinions of the European Data Protection Board, and Ireland’s High Court decision on the impact of US regulations on EU use of cloud services from American companies.
The report also considered developments in other countries. For example, it notes that Germany’s current Bundescloud, a document sharing service based on Nextcloud, will this year offer additional features including tools for word processing, spreadsheets, presentations, chat and videoconferencing. Bundescloud complies with the GDPR and the German Secrecy Act, and is reviewed by Germany’s federal IT security agency, the Bundesamt für Sicherheit in der Informationstechnik (BSI).
Pre-study report Web-based office support (in Swedish, PDF)
Publikt news item (in Swedish)
IDG/Computer Sweden news item (in Swedish)
OSOR news item
It's good to see that at least Sweden has officially recognised an issue that for many working in IT and information security has been obvious for a long time.
The open source and secure alternatives to insecure, and expensive, platforms like Office 365 are available, and they are already being used by European institutions, so it should be an easy task for the Swedish Government to find a suitable candidate.