It is currently impossible for Sweden’s public sector to purchase web-based office services (word processing, email and text/video chat) that comply with the European General Data Protection Regulation (GDPR), according to a study by the country’s National Procurement Services.
The study concludes that, because of US regulations including the Cloud Act, Executive Order 12333 and Section 702 of the Foreign Intelligence Surveillance Act, cloud office solutions from the current market leaders cannot provide an adequate level of protection under the GDPR.
“The best option would be a web-based office suite that enables compliance with the GDPR and with Swedish rules on long-term archiving and secrecy,” says Daniel Melin, the study’s project leader working for the National Procurement Services. “It is likely that open source software and open standards are key to make this possible. That also allows public sector users to migrate from one vendor to a competitor, or switch to self-hosting.”
Last Friday, the Kammarkollegiet – Sweden’s Legal, Financial and Administrative Services Agency – published its “Förstudierapport Webbaserat kontorsstöd" (Pre-study report on Web-based office suites). The report concludes that “it appears possible in principle to procure a web-based office suite which is both technically and legally acceptable.”
However, the study at present cannot identify any market actor that can provide a suitable cloud office solution to the Swedish public sector. That is why the Kammarkollegiet is calling on public services and companies to work together to develop solutions that comply with key legal requirements.
The report brought together legal experts from inside and outside the government, central government agencies, regions and municipalities, and representatives from IT vendors. It reviews legal discussions between the US and the European Commission, opinions of the European Data Protection Board, and Ireland’s High Court decision on the impact of US regulations on EU use of cloud services from American companies.
The report also considered developments in other countries. For example, it notes that Germany’s current Bundescloud, a document sharing service based on NextCloud, will this year offer additional features including tools for word processing, spreadsheets, presentations, chat and videoconferencing. Bundescloud complies with the GDPR and the German Secrecy Act, and is reviewed by the German Security Authority, the Bundesamt für Sicherheit in Information Technology.