Are there any restrictions applicable to cloud-based services?
There are no restrictions or specific legislation in respect of cloud-based services. However, local authorities follow closely the developments and initiatives taken at EU level especially the EU Commission Strategy for Unleashing the Potential of Cloud Computing in Europe, the EU Parliament resolution and the EU Commission Staff Working Document.
Norwegian law imposes several restrictions on the provision and use of cloud-based services.
Cloud-based services that processes personal data are governed by the Personal Data Act, cf. question 7 for further information. A common issue with cloud-based services is their conformity with the rules and regulations on the transfer of personal data to another country, cf. question 8 on the restrictions pertaining to such transfer.
Where an administrative body utilises cloud-based services in its internal administrational work or to communicate with private individuals or other administrative bodies, the Regulation on Electronic Communication with and in the Government Administration of 25 June 2004 no. 988 provides certain rules on security. Of interest to an administrative body’s use of cloud-based services, the Regulation prescribes requirements pertaining to risk assessment, access control, and the safeguard of confidential information.
Furthermore, the Norwegian National Archive has stated that Act no. 126 on Archives of 4 December 1992 Section 9 letter b prohibits the transfer or storage of the archive databases or security copies thereof by cloud providers who store the material in another country, without prior consent from the Norwegian National Archive.
Act no. 73 of 19 November 2004 relating to Bookkeeping (the Bookkeeping Act) Section 13 second paragraph prescribes that as a main rule, accounting materials must be stored within Norway. Exceptions are provided for the permanent storage of such materials in Denmark, Finland, Sweden or Iceland. Where entities are subject to the rules for the financial management of administrative bodies, the storage of accounting materials outside of Norway is strictly prohibited.
There aren’t any specific restrictions applicable to cloud-based services however if the server of the cloud service provider is located outside of Turkey, this is accepted as an international transfer and restriction mentioned in Question 9 would apply.