1 Introduction

Market concentration involving a few dominant global providers of cloud-based Software-as-a-Service (SaaS) solutions has caused concern amongst nations and public sector organisations over disproportionate supplier dependence [30]. When a public sector organisation (PSO) acquires and uses a SaaS solution from a global provider, such as Microsoft 365 or Google Workspace, data processing and maintenance of the organisation’s digital assets may be exposed to many sets of regulations applicable in different countries and to different lock-in effects, which imposes a number of legal, technical and societal challenges [8, 9, 11, 22, 26, 27, 35, 37, 40, 51, 53, 57, 66, 69]. Previous research shows that many Swedish PSOs have acquired a specific globally provided SaaS solution (Microsoft 365) without having addressed critical issues, including the need to identify, analyse, and maintain all contract documents containing all applicable contract terms and the need to obtain all necessary licences, before use of the acquired SaaS solution [34, 35]. Should a PSO have been unable to identify all contract terms governing the use of a specific SaaS solution, it follows that it is impossible to assess whether use of the specific solution is lawful and appropriate (footnote 1) for the PSO. Such a situation has potentially severe consequences (footnote 2). The overarching goal of this paper is to report on how a PSO investigates contract terms for a globally provided SaaS solution prior to adoption, and why a PSO uses such a solution without having identified, obtained and analysed all relevant contract terms.

Several studies show a range of technical, economic, and legal issues which cause challenges related to use of cloud based SaaS solutions [10, 28, 35]. Major issues include the use of complex and time limited contract terms for such solutions [1, 37, 70]. In the EU, there are several initiatives that seek to address data sovereignty and concern over lawfulness and appropriateness of using cloud based SaaS solutions from global providers by seeking alternatives. For example, in France, two suppliers have announced plans to establish a new EU-based company (Bleu) for offering a version of Microsoft 365 to the French market. Similarly, a number of Swedish based PSOs have explored the potential for lawful and appropriate provision of Microsoft 365 to the PSOs in the Swedish market and concluded that the provider has, so far, been unwilling to engage in such arrangements [16]. Further, there are also a number of related initiatives at EU (e.g. GAIA-X [24]) and national levels (e.g. the collaborative initiative by eSam [17]).

In Europe, lawfulness and appropriateness concerning data processing and maintenance of a PSO’s digital assets have been an ongoing issue for decades. For example, on 11 May 1973 the Swedish Data Act came into force, which implied that data processing outside Sweden was unlawful where protection according to European conventions could not be guaranteed [7]. On 24 May 2014 the EU adopted the General Data Protection Regulation (GDPR), which has applied since 25 May 2018 [14]. With the establishment of the EU and its Charter of Fundamental Rights, the GDPR, and the decision in the so-called Schrems II case (Case C-311/18) by the Court of Justice of the European Union on 16 July 2020 [5], there is increasing concern amongst many individuals and organisations related to privacy. The importance of data sovereignty, interoperability and avoiding different types of lock-in effects has also been recognised, and several stakeholders have articulated concern over lawfulness and appropriateness related to use of cloud based SaaS solutions [16, 17, 22, 29, 35, 61, 66, 69]. Further, there are also a number of other technical and legal challenges which become especially challenging when using SaaS solutions in a public sector context, such as requirements for longevity of digital assets over very long life-cycles [35].

This study addresses the following research questions:

  • RQ 1: How do public sector organisations that use commercial globally provided SaaS solutions investigate contract terms prior to adoption?

  • RQ 2: Why do public sector organisations use commercial globally provided SaaS solutions for data processing and maintenance of their digital assets without having identified and obtained all relevant contract terms?

The paper addresses lock-in effects amongst PSOs related to use of globally provided SaaS solutions under unknown and unclear contract terms. First, the study contributes insights and explanations related to how PSOs adopting the Microsoft 365 (M365) solution seek to investigate contract documents containing all relevant contract terms prior to adoption and use of M365. In particular, the study highlights work practices used amongst PSOs related to preconditions for an investigation of all relevant contract terms, which include strategies used for identifying and obtaining all relevant contract documents containing all contract terms prior to adoption. Second, the study presents explanations of why PSOs use the M365 solution for data processing and maintenance of digital assets without having identified and obtained all relevant contract terms that would allow each PSO to investigate under which terms the PSO uses M365.

2 On Standard Essential Patents and Contract Terms for SaaS Solutions

An investigation of all relevant contract terms and conditions for use of cloud based SaaS solutions from global providers illuminates significant challenges [1, 8, 10, 35, 37].

The European Commission has expressed concern for absence of interoperability and lock-in effects when organisations use cloud solutions: “In general, each vendor has an incentive to achieve dominance through lock-in which inhibits interest in standardised, industry-wide approaches. Thus despite numerous attempts to develop standards for clouds, mostly led by suppliers, there is a strong risk that clouds will lack interoperability and data portability (withdrawal of data). The latter is crucial feature for competition as a distributed data environment cannot be easily moved to another platform.” [8].

Research shows that interoperability and avoidance of format lock-in presuppose use of formats which technically and lawfully can be (and have been) implemented in software under different conditions to allow for data processing and maintenance of digital assets [11, 33]. Investigations of several formats that providers of widely used cloud based SaaS solutions have (or claim to have) implemented show that it may be impossible to clarify conditions and acquire all patent licences for standard essential patents (and all necessary rights) to allow for implementation in software [33]. Such circumstances prevent a PSO from establishing an effective exit plan that can be executed at short notice. Further, contract terms for the M365 solution require the customer to acquire several third party patent licences for specific formats to allow for lawful use of M365 and to allow for lawful long term maintenance of digital assets exported from M365 [35].

Many PSOs which use globally provided SaaS solutions for data processing and maintenance of their digital assets are unable to export their assets into formats which can be interpreted by other software applications independently of the specific SaaS solution initially used [35]. Hence, for reasons of data sovereignty and ability for each PSO to maintain full control of its digital assets it follows that ICT standards and their implementation in open source software “are of strategic importance to any organization wishing to address challenges related to lock-in, interoperability, and long-term maintenance” [36].

Across the EU, each PSO is expected to observe the principles of good administration. The notion of good administration originates in Article 41 of the Charter of Fundamental Rights of the European Union [13] and has been further developed, inter alia, in the Committee of Ministers Recommendation to member states on good administration [6]. Good administration encompasses several concepts, including principles of objectivity, proportionality, efficiency and an obligation of availability. Also, and even more importantly, it includes the fundamental principle of the rule of law and a general duty of care. The principles of good administration are codified by various means in many member states. In Sweden, for instance, the principle of the rule of law is codified in Chapter 1, Sect. 1, paragraph 3 of the Constitution [58], and several provisions explicitly labelled “good administration” are contained in Sects. 5 through 8 of the 2017 Administrative Procedure Act [19]. Notably, there is also a provision in the following section, Sect. 9, of the same act which stipulates that administrative matters shall be processed in writing [19]. The question of whether it would be in keeping with good administration not to read the contract terms for mission-critical tools is bordering on the rhetorical. A PSO that does not acquire all the contractual documents, study them thoroughly and preserve them disregards the concept of good administration at its core. Further, if a PSO does not have access to the contract terms, it is impossible to undertake any meaningful analysis of the lawfulness and appropriateness of a particular solution.

During 2020 and 2021 a large PSO, the municipal board of the City of Stockholm, undertook an investigation of the potential adoption of the M365 solution [67, 68] and gives three main reasons for refraining from use of M365 in a report presented on 9 December 2021 [69]. One main reason concerns unknown and dynamic contract terms, which implies that the PSO would use M365 under unclear conditions since the supplier may unilaterally change the conditions at any time. As stated in the report (our translation): “It is not possible to check under what conditions the service is delivered. The city has no influence over the conditions and the agreement can be changed at any time.” [69].

It should be noted that not all dynamic contract terms are illegal, or even inappropriate. Many types of agreements need to contain provisions that allow for adjustment in relation to external factors. Even clauses that allow one party to unilaterally change the terms to their advantage need not be problematic. For example, price adjustment clauses often give one party the right to increase prices within certain limits. On the other hand, it is very hard to imagine a situation where it is justified to allow one party a broad and far-reaching arbitrary right to unilaterally alter central contractual conditions.

Two PSOs (the Swedish Tax Agency and the Swedish Enforcement Authority) decided on 3 May 2021 that Microsoft Teams cannot be lawfully used. The decision presents a detailed analysis which draws from eSam’s group of legal experts who concluded on 23 October 2018 [15] that “if information is made technically available to an IT service provider that is bound by the rules of another country due to ownership conditions, according to which the service provider may be obliged to provide information, the information should be considered divulged” [66]. In addition, the decision stresses that “authorities must accept the terms and conditions of Microsoft Online Services” and highlights concerns related to “risk of unauthorised disclosure through the provision of data to the US authorities by Microsoft”. Specifically, the decision clarifies that this “may occur due to US extraterritorial surveillance legislation – FISA 702 in particular. A request for data by US authorities can entail unauthorised disclosure and data transfer to a third country, in breach of the General Data Protection Regulation” [66].

Over the years, Microsoft has authorised many organisations based in several jurisdictions to access customer data (including personal data) as subprocessors [42, 43, 44, 45, 46, 47, 48, 49]. Further, a recent analysis shows that “Microsoft does not offer a sovereign country cloud to countries, with the exception of the cloud for the federal USA government and the cloud for China.” [52].

Research shows that some Swedish PSOs have recognised that they are bound by contract terms for the M365 solution which imply that a PSO’s data processing and maintenance of digital assets may involve organisations and staff based in several third countries, including China, India, Serbia, USA, and United Arab Emirates [34, 35]. Further, Microsoft’s list of subprocessors that was provided on 23 November 2021 includes organisations based in these (and several other third) countries [48].

3 Research Approach

During research design and conduct of the study we considered validity threats and aspects of trustworthiness, drawing also on experiences from prior research on research methods [25, 31]. The research design for the study was informed by experiences from previous research on qualitative techniques conducted in the software systems domain, which includes the first author’s experiences from research on Glaser’s strand of Grounded Theory [32]. Based on previous experiences, it is essential for researchers in the area to be ‘knowledgeable’ in conditions for use of the technologies under investigation [32], which for the present study necessitates understanding of both technical and legal issues related to investigations of contract terms for, and conditions for use of, globally provided SaaS solutions in PSOs.

The study considered investigations of contract terms for the M365 solution amongst Swedish PSOs under the government, regional PSOs, and local authorities (municipalities) with a view to explaining why each PSO uses M365 without having identified and obtained all relevant contract terms.

We undertook a systematic review of how Swedish PSOs that use the M365 solution investigated contract terms prior to adoption, and analysed reasons why the same PSOs use M365 without having identified and obtained all relevant contract terms, as follows. First, through an extensive review of publicly available information we identified indications of use of the M365 solution by 140 PSOs (footnote 3). The review considered various types of sources, including information published via websites provided by each Swedish PSO, news articles published by various media (including newspapers and trade press), press releases and promotion material from different suppliers, and public presentations at various practitioner events. Each one of the 140 PSOs for which we identified indication of use of the M365 solution falls into one of the following three categories of PSOs: PSOs under the government (Swe. ‘Statliga förvaltningsmyndigheter’) (footnote 4), regional PSOs (footnote 5), and local authorities (municipalities) (footnote 6). Second, we requested public documents (supplemented with specific questions in case requested documentation was missing) from each PSO (via email) related to its use of the M365 solution. Data collection focused on obtaining information and documentation of analyses related to contract terms and licences, and other conditions for use of M365, that each PSO had conducted prior to adoption and use of M365. Third, we reviewed the availability of all relevant contract terms, all necessary licences, and other conditions for use of M365 based on documentation we requested from each PSO. Further, we reviewed information obtained in response to specific questions (that were asked to probe reasons why specific documentation of contract documents and analyses was missing). We analysed the contract terms and licences provided as part of that documentation with a view to considering whether each PSO had obtained (and filed) all relevant contract terms, and all licences necessary for using M365 (as detailed in our broader review of the applicable M365 contract terms).

The study was initiated on 20 June 2021 and data collection has been ongoing for more than eight months. A large number of requests for information and data sources have been sent (via email and via letters) to representatives for each PSO. Data collection became a tedious and complex process, which to a large extent can be explained by the complexity of the subject matter. Several respondents perceived the requests as difficult to understand, which led to further dialogues, in many cases involving synchronous communication (via phone dialogues, video meetings, and physical meetings) involving different representatives for each PSO. Representatives for many PSOs were curious and eager to learn more about what was being requested, which led to constructive dialogues where several representatives expressed that they had learnt a lot that will be useful for further projects.

However, during data collection we also experienced that representatives for several PSOs (explicitly or implicitly) expressed frustration and unwillingness to provide requested documentation. In several cases, respondents refused to respond to questions and refused to provide public documents (footnote 7). Several PSOs even refused to acknowledge whether requested public documents existed in their organisation (or were missing) (footnote 8). During data collection, it became apparent that (in order to be able to respond to questions) several PSOs requested information from other sources, including their licensing partner. PSOs commonly obtain their licences for M365 through a licensing partner: one of a number of authorised Microsoft resellers. The information so obtained often contributed to misconceptions and misunderstandings, partly caused by the fact that several statements provided by licensing partners were incorrect or misleading. During several phone dialogues with respondents for various PSOs we also perceived a sense of frustration over their supplier’s inability to provide them with the information they needed to clarify all applicable contract terms.

4 Observations on Investigations of Contract Terms Prior to Adoption

Based on the information that has been provided during the study, we find that each PSO that uses the M365 solution does so without prior analysis of all relevant contract terms and without having procured all necessary licences that would allow for data processing and maintenance of digital assets over long life cycles. Hence, each PSO that uses the M365 solution does so under unknown and unclear conditions, which imposes significant risks for different types of lock-in effects that may prevent sustainable and lawful maintenance of digital assets. Further, we find that no PSO has identified all relevant contract terms for the M365 solution before use. In addition, we find that no PSO maintains documentation of all relevant contract terms it is bound by for its use of the M365 solution. Hence, we find that since no PSO had obtained and filed documentation of all relevant contract terms, it follows that each PSO fails to fulfil expectations of good administration.

The study has made a number of observations concerning how PSOs investigate contract terms prior to adoption of the M365 solution, which reveal a number of issues that help explain an inappropriate practice related to investigations of contract terms prior to adoption and continued use of the solution.

First, we find that no PSO had investigated the need for acquiring all relevant contract terms and licences prior to adoption and use of the M365 solution. Moreover, no PSO had investigated the need for acquiring all relevant contract terms and licences related to several formats that would allow for data processing and maintenance of digital assets during and after use of the M365 solution. For example, the contract terms for M365 state, concerning the HEVC format standard [55]: “Customer must obtain its own patent license(s) from any third party H.265/HEVC patent pools or rights holders before using Azure Media Services to encode or decode H.265/HEVC media.” Hence, since H.265/HEVC and many other standards, such as the H.264/AVC format standard [33], are normatively referenced (via other standards) in the ISO/IEC 29500 standard, it follows that digital assets that are exported from M365 (and stored locally as ‘.docx’ files) may impinge on patents that have been declared as standard essential for the ISO/IEC 29500 standard (including all its normative references) in the ISO and ITU-T patent databases. This includes patents which may be standard essential patents (SEPs) for these formats even if they have not been declared in any of these patent databases. In addition, we find that no PSO had investigated the need for acquiring all relevant contract terms and licences related to several other format standards used by M365, including the PDF/A-3 (ISO/IEC 19005–3) format standard (including all its normative references), prior to adoption and use of the M365 solution. For these reasons, use of M365 for export of digital assets in all these formats without having previously acquired all contract terms for all relevant licences for all formats used would prevent maintenance of digital assets. Further, findings from the study show that no PSO had realised the implications of being unable to use M365 for export of digital assets to the PDF/A-1 format, which is the appropriate version of the PDF/A format (and is also required in Sweden for long-term archiving). Hence, it follows that all PSOs that use M365 cannot fulfil Swedish archiving requirements for long-term maintenance of digital assets.

Second, concerning contract terms and conditions for future use of the M365 solution, we find that no PSO had investigated relevant contract terms and conditions that will be (and currently are) applicable for use of M365 during a time frame of less than three years (footnote 9). Further, no PSO had access to any contract terms and licences for M365 on perpetual terms (amongst the PSOs that had access to a subset of relevant contract terms, we find that all those PSOs had access to time-limited contracts for a time period of three years). Specifically, we find that no PSO had investigated the cost of acquiring all necessary licences (including costs for all necessary patent licences) or considered other technical and legal issues, such as under which jurisdictions future provision of M365 may allow for lawful use by a PSO in Sweden.

Third, we find that no PSO had investigated how each PSO’s contract terms for the M365 solution allow for involvement of external staff and subprocessors (based in different jurisdictions) for data processing and maintenance of digital assets. Further, the vast majority of PSOs seem unaware that conditions for use of the M365 solution change over time and that each PSO’s contract terms for M365 allow for data processing through use of subsidiaries and subcontractors in numerous jurisdictions, including but not limited to China, Serbia, USA, and United Arab Emirates [45, 46, 47, 48, 49]. We find that only one PSO identified that its relevant contract terms for use of the M365 solution (on 22 September 2021) allowed for data processing through use of specific subcontractors in these (and many other) jurisdictions [45, 46]. However, we observed that the same PSO’s contract terms for use of M365 more recently (on 4 March 2022) referred to a different set of subcontractors [48, 49]. We find that no PSO had investigated under which conditions data processing through use of M365 would be exposed to regulations and laws in these (and several other) jurisdictions under previous, current, and any future contract terms that each PSO is bound by. Further, no PSO had investigated relevant legislation concerning security and privacy issues related to use of M365 for data processing in China and Serbia, including NIL [38, 62] and Säkerhetsskyddslagen [56].

Fourth, we find that the vast majority of PSOs have failed to investigate contract terms and legislation in all countries where data processing may take place. This implies that each PSO’s data processing and maintenance of digital assets take place under unknown conditions. We observe that many PSOs seem to assume that digital assets will be stored in Europe, even though several recognise that each PSO’s contract terms allow for data processing outside the EU. For example, we identified several PSOs that recognised that their data processing will take place outside the EU, and some PSOs (e.g. [20, 23]) explicitly mention that digital assets may be stored outside the EU. We identified several PSOs that expressed uncertainty and concern over the lawfulness of data processing outside the EU. For example, a legal analysis presented by a data privacy officer at a PSO identifies Sect. 702 of FISA [18] and EO 12333 [12] as the main inhibitors which prevent lawful data processing that involves US-based providers under the GDPR, and therefore recommends that no new contracts should be signed with US-based providers before lawful transfer of data to the US is possible.

Fifth, we find that PSOs have limited understanding of relevant contract terms that apply to each PSO and that there is far reaching dependence and significant trust in recommendations provided by each PSO’s supplier. For example, several PSOs do not maintain any contract documents and instead refer to the supplier’s current website when trying to identify which contract terms they are bound by. This is despite having signed a contract (‘Program Signature Form’) which states that they have received several contract documents and information provided via websites and referenced documents: “By signing below, Customer and the Microsoft Affiliate agree that both parties (1) have received, read and understand the above contract documents, including any websites or documents incorporated by reference and any amendments and (2) agree to be bound by the terms of all such documents.” Further, we find that several PSOs have negotiated with the Swedish company Microsoft AB which for several years has been wholly owned by the Bermuda-based company MBH Limited [41]. Hence, PSOs have been engaged in such negotiations despite the fact that Bermuda has been listed on the “EU list of non-cooperative jurisdictions for tax purposes” [3, 4].

Sixth, we observed a widespread practice amongst PSOs of adopting the M365 solution by explicitly referring to the solution when renewing old contracts and when using framework contracts. We find that no PSO had investigated alternative solutions through public procurement prior to renewal of contract terms for the M365 solution. In one case, we identified that adoption of the M365 solution, through explicit reference to the solution, for a new PSO established during the conduct of the study actually preceded the formal establishment of that PSO, which handles very sensitive personal data. We approached the new PSO just after it became operational and found that the relevant contract terms for the newly established PSO’s M365 solution had not been obtained and investigated prior to adoption and use of M365.

5 Observations on why SaaS Solutions are Used Without Having Obtained All Contract Terms

Based on the information that has been provided during the study, we find a range of different explanations as to why each PSO that uses the M365 solution agreed to sign (or renew) contracts without having investigated all relevant contract terms and without having procured all necessary licences that would allow for data processing and maintenance of digital assets over long life cycles. Overall, amongst the vast majority of PSOs we find stark dependence and trust in recommendations from the supplier and significant unawareness related to risks associated with different types of lock-in effects.

The study has made a number of observations concerning why PSOs use the M365 solution for data processing and maintenance of their digital assets without having identified and obtained all relevant contract terms prior to adoption and use of M365.

First, we note widespread misconceptions among PSOs concerning the importance of obtaining (and filing) all relevant contract terms and acquiring all relevant licences (including all necessary patent licences) prior to adoption and use of the M365 solution by each PSO, in order to investigate opportunities for lawful data processing and maintenance of digital assets during and after use of M365. No PSO had investigated the need for obtaining (and filing) all relevant contract terms and licences related to several formats prior to use of M365. During the conduct of the study, we found that many PSOs acknowledged (and elaborated through many discussions by phone (footnote 10) with representatives for many PSOs) that they were unaware of the implications of the contract terms for M365 each PSO had accepted. However, many PSOs also conveyed misleading information concerning patents (related to several formats used by M365) that had been provided to them by their suppliers. Several PSOs also passed on misleading and incorrect information, which we find may have contributed to severe misunderstandings of how standard essential patents (SEPs) may impinge on various formats used for representing digital assets. During dialogues with representatives for several PSOs we found significant unawareness of the implications of the formats used and the contract terms for M365, and in particular related to how various stakeholders have declared SEPs related to several format standards (including ITU-T H.264/AVC, ITU-T H.265/HEVC, ISO/IEC 29500, ISO 32000–1, and ISO 19005–3) in several patent databases maintained by various standard setting organisations (including ITU-T and ISO). Some PSOs expressed stark frustration over the misleading information provided by their suppliers when they realised that they had been misled, whereas some PSOs insisted on their beliefs. For example, several PSOs (who upon request provided digital assets in the “docx-format”) insisted on the incorrect belief that the ITU-T H.264/AVC and ITU-T H.265/HEVC formats are not normatively referenced (via other standards) by ISO/IEC 29500, and some PSOs had even been misled to believe that the ITU-T H.264/AVC format is provided under royalty-free conditions. Overall, we find that these misconceptions may have contributed to the incorrect belief that there is no need for acquiring licences for all these formats used, despite the fact that all PSOs need to maintain digital assets over very long time periods (i.e. both during and after use of M365). We note that some PSOs expressed that they will never stop using M365, a view which we find to be peculiar in light of legislation concerning public procurement and the requirements for long-term maintenance of digital assets each PSO needs to account for.

Second, we find that, with few exceptions, PSOs seem unconcerned over the fact that they lack access to, and have omitted to investigate, relevant contract terms and conditions (including the cost of all necessary licences) that will be (and currently are) applicable for use of M365 during a time frame of less than three years. A majority of PSOs express that they do not plan to abandon M365. Overall, we note that most PSOs seem to be confident in the supplier and licensing partner for the M365 solution they use. Some even express how grateful and satisfied they are as part of marketing material for the solution. However, there are also several PSOs which express concern over the contract terms and licences they are bound by. For example, representatives for several PSOs expressed stark concern about being locked in and about lacking (and not comprehending how to establish) an effective exit plan from M365. One representative for a large PSO that already uses the M365 solution expressed during a meeting that for a PSO that has not yet adopted M365 it would be “completely insane” (Swe. ‘helt vansinnigt’) to adopt and use the solution under current conditions as it is “unlawful” (Swe. ‘inte lagligt’) (footnote 11).

Third, we find that no PSO had investigated and documented any decisions concerning whether or not the applicable contract terms for each SaaS solution used for the PSO’s data processing and maintenance of its digital assets allow or forbid exposure to laws and regulations in jurisdictions such as Bermuda, China, India, North Korea, Russia, Serbia, the USA, and the United Arab Emirates. Further, we also find that no PSO seemed concerned over the fact that the applicable contract terms for the M365 solution may unilaterally be changed by the supplier, and that the current contract terms for M365 allow for data processing in countries which (for privacy, security, and tax reasons) are seen as highly inappropriate by the EU and the Swedish Security Service. Overall, we find that many PSOs seem totally unaware of the conditions under which they use M365.

Fourth, we find that many PSOs are unaware of how a PSO’s own use of the M365 solution for data processing may cause issues in light of the Schrems-II case [5]. We note that many PSOs are unaware of the contract terms and conditions under which they use M365; some justify their use with the explanation that they need the M365 solution. Many PSOs consider their use of the M365 solution unproblematic and have no intention of abandoning M365 as a consequence of the Schrems-II case. However, several PSOs also express concern over continued data processing through use of US-based providers. For example, a legal analysis conducted by a data protection officer recommended that the PSO should not sign any new contracts for continued use of M365. Overall, we note that many PSOs seem to hope for changes in legislation, and several seem to rely on the recommendations of their supplier.

Fifth, we find that several PSOs have accepted and signed contracts for the M365 solution without having obtained all relevant contract terms in all applicable contract documents. Further, no PSO had investigated and documented any decisions prohibiting procurement of SaaS solutions from suppliers that have business operations in countries included in the EU list of non-cooperative jurisdictions for tax purposes (tax havens).

Sixth, we find that a widespread practice amongst PSOs is to express explicit preference for the M365 solution when accepting new contract terms and renewing contracts for M365. We find that no PSO had investigated the changes between old and new contract terms and conditions for use of the M365 solution when renewing contracts for M365. Overall, we identified no reasonable explanation as to why many PSOs seem to use the M365 solution under conditions that were unknown to each PSO, and without having acquired all necessary licences that would allow for data processing and maintenance of the PSO’s digital assets over long life cycles independently of the M365 solution.

6 Analysis

Findings show that many PSOs place significant trust in, and are starkly dependent on, their suppliers of the M365 solution, especially with respect to the interpretation and filing of contract terms and conditions for use of the solution. For example, no PSO had investigated the conditions for use of different formats prior to adoption and use of the M365 solution. Further, many PSOs seem to rely exclusively on recommendations from their suppliers and lack independent documentation from investigations of the contract terms and conditions governing a PSO’s opportunities for lawful use of M365 for its data processing and maintenance of digital assets. Some PSOs even acknowledged that they only trust recommendations from their supplier, with reference to the huge resources large companies have. Overall, we identified no indication that any representative for any PSO had read all contract terms for the M365 solution before signing the contract. Hence, we find that each PSO uses the solution under contract terms that are unknown to them. This suggests significant deficiencies in terms of adherence to administrative regulations and public procurement laws [21].

The study confirms and extends previous research which has identified work practices amongst PSOs that omit to investigate contract terms and licences for several formats used, which cause format lock-in and other types of problematic lock-in effects. This imposes significant risks, since format lock-in prevents long-term maintenance of digital assets [33]. Further, such lock-in also causes interoperability problems, which in turn may significantly inhibit competition in public procurement projects. To allow for competition in the context of public procurement, it is critical to express mandatory requirements only for specific standards and formats provided under conditions which allow for implementation by software projects under different licences, including all open source software licences. Previous studies have recognised concern over absence of interoperability and different types of lock-in effects, specifically format lock-in, as particularly challenging in the context of cloud based SaaS solutions [8, 29, 33, 35]. For these reasons, it may be unsurprising that the Swedish National Procurement Services stipulates that when organisations use their framework agreements “they are allowed only to reference open standards when expressing a mandatory requirement which refer to a standard in public procurement projects” [36].

For every PSO, the importance of ensuring data processing and maintenance of its digital assets beyond the time frame of its current contract with any provider of a SaaS solution must be recognised. This presupposes that a PSO has obtained all necessary licences on perpetual terms for all formats used for representing the PSO’s digital assets. It is critical that each format used for representing a PSO’s digital assets can be interpreted by software applications that remain available for many decades. For this reason, a PSO that uses a format for which there is no software application that can process its digital assets independently of the SaaS solutions currently used is exposed to significant risks.

Legal and privacy issues have been ongoing concerns related to potential use of outsourcing and cloud-based SaaS solutions for data processing and maintenance of digital assets amongst stakeholders in large organisations for several years (e.g. [1, 29, 56]). For example, a study which investigated adoption of M365 in two large organisations “raised the question of data integrity, such as patent and loss of data” and highlighted concern over privacy issues as follows: ‘The following citation describes the issue of data integrity at UniSwed [anonymised name for a Swedish University]: “Privacy and data integrity are important issues – can we rely on the service providers to safeguard our data? Can we read different logs from here; can others read the information, US government (referring to the reports of NSA surveillance of data centres)?” (IT Manager, UniSwed, September, 2013)’ [39].

Further, we find that the contract terms for the M365 solution express rather broad rights which may cause issues if a PSO wishes to process digital assets for which it lacks copyright or sub-licensing rights. For example, issues may arise if copyrighted material sent to a PSO is processed by the M365 solution, since the provider of M365 requires a royalty-free licence for the digital assets being processed. Specifically, the contract terms state: “To the extent necessary to provide the Services to you and others, to protect you and the Services, and to improve Microsoft products and services, you grant to Microsoft a worldwide and royalty-free intellectual property license to use Your Content, for example, to make copies of, retain, transmit, reformat, display, and distribute via communication tools Your Content on the Services. If you publish Your Content in areas of the Service where it is available broadly online without restrictions, Your Content may appear in demonstrations or materials that promote the Service. Some of the Services are supported by advertising.” [50] We find that such contract terms may inhibit use of M365 by a PSO which seeks to process digital assets for which it lacks all copyright or sub-licensing rights.

Findings from the study show that several decision makers representing different PSOs are uneasy with their observation that the provider of the M365 solution can unilaterally change the contract terms and conditions for use of M365, potentially implying data processing of a PSO’s data in unknown and problematic jurisdictions. Further, the study shows that only one PSO recognised that a PSO’s data processing may involve staff and organisations in several countries (through use of subcontractors and subprocessors), such as China and Serbia. Many PSOs have identified that a PSO’s data will be transferred to a country outside the EU. In addition, we note that only one Swedish PSO that investigated possibilities for lawful use of the M365 solution had approached IMY (the Swedish Data Protection Authority) for advice [27, 67, 68, 69]. Specifically, during 2020 and 2021 the municipal board of the City of Stockholm undertook an investigation of the potential adoption of M365 and, in a report presented on 9 December 2021, gave three main reasons for refraining from using M365 [69]. One main reason concerns legal and privacy issues: “Due to current legislation in the field of intelligence, US cloud service providers cannot provide sufficient guarantees for the protection of personal data and are therefore deemed not to be able to be used at present.” [69] (our translation) Further, the City of Stockholm also finds that the contract terms for M365 can “be changed at any time” and that it is impossible for the PSO to determine if a tool can or cannot be lawfully used [69]. The observation that the provider of M365 can unilaterally change the contract terms confirms previous research, which has reported that cloud service providers “typically reserve the right to change contract terms and policies unilaterally” [37].

Related to the contract terms issued by the provider of the M365 solution, we find that, besides the City of Stockholm, other PSOs have reached similar conclusions, observing that acceptance of such contract terms “would necessitate the continuous review” of contract terms as the provider continuously changes the solution [66]. For these reasons, we note that several PSOs seek alternative solutions and have identified that there are lawful alternative solutions which may be appropriate for PSOs. For example, as identified by a group of Swedish PSOs: “it is clear that suitable legal alternatives to US-based cloud services are available” [17].

Finally, the plans to establish a new EU-based company (Bleu) that seeks to offer a lawful provision of Microsoft 365 to the French market [2] have so far not received any public attention in Sweden. Hence, we find that it is an open question whether (and if so when) a new Swedish-based company (which is 100% independent of the current US-based provider of M365) will be established, and whether such a company will be able to provide a special version of M365 which would fulfil Swedish PSOs’ requirements for lawful and appropriate data processing and maintenance of digital assets. Besides having obtained all licences and all necessary rights as a licensor, one example of a necessary customisation of the special version of M365 would be to provide support for export of digital assets to the PDF/A-1 format.

7 Discussion and Conclusions

Lawful and appropriate use of a cloud-based Software-as-a-Service solution by a public sector organisation presupposes full control over the organisation’s data processing and maintenance of its digital assets during and beyond the life cycle for the specific cloud-based solution currently used. Full control of an organisation’s data processing includes an ability to export the organisation’s own digital assets in formats which can be lawfully and appropriately processed independently of the solution initially used to create and process the exported assets.

The study shows that all public sector organisations have omitted to obtain and investigate the relevant contract terms for the specific Software-as-a-Service solution (Microsoft 365) they use. Further, prior to adoption and use of the Microsoft 365 solution no public sector organisation had investigated if contract terms and conditions for their use of Microsoft 365 would allow for lawful and appropriate data processing and maintenance of digital assets over long life cycles.

Findings show that public sector organisations place significant dependence and trust in their suppliers, which may have contributed to the observation that no organisation had identified and obtained all relevant contract terms and licences prior to their adoption and use of the Microsoft 365 solution. Hence, all relevant contract terms are unknown to all investigated organisations that use the solution. In particular, the study identified significant unawareness and misconceptions amongst representatives for public sector organisations concerning the role of standard essential patents which may impinge on formats implemented and used by organisations that use the Microsoft 365 solution for data processing and maintenance of digital assets. Further, the study also identified misconceptions amongst some suppliers and licensing partners which some public sector organisations had consulted during conduct of the study.

The study reveals a potentially very concerning situation for public sector organisations, since the investigation identified no organisation which has been able to establish that its use of the adopted SaaS solution is lawful and appropriate. Based on the information provided by respondents during conduct of the study, the findings show a distinct risk that many public sector organisations are dependent upon solutions which do not allow them to adhere to all legal requirements and the principles of good administration. They are thereby experiencing a dilemma, where they have to choose between systematically violating the law or neglecting tasks they have been entrusted with. Our findings suggest that there may be different reasons for a public sector organisation not analysing the contract terms before deploying a particular solution. In some instances, a public sector organisation has blindly trusted the advice of its partner or the supplier, and actively chosen not to perform any analysis of its own. In other cases, the public sector organisation has tried but not succeeded in acquiring all applicable contract terms, or has not had access to the competence necessary to analyse them. With regard to the Microsoft 365 solution, the study shows that it is extremely difficult, if at all possible, for a user to identify and obtain all applicable contract terms, and the contract terms are difficult to analyse even for specialists. Obviously, such difficulties do not excuse the omission by a public sector organisation to act under the law, but they may explain how and why this occurs on such a large scale.

We find that a conceivable, and potentially very effective, policy implication from the study would be to propose and introduce, in law or policy, an obligation for any provider offering a Software-as-a-Service solution to a public sector organisation to always provide all contract terms at one and the same time in a cohesive format. A corresponding obligation for a public sector organisation, in connection with adoption of such a solution, to ascertain that all contract terms have been obtained and filed would clarify the responsibilities of all parties involved.

We acknowledge that requests for public information sent to the official register at each public sector organisation have been handled differently by different organisations. Moreover, we note that there have been interactions and communications between different public sector organisations and their suppliers, with the result that responses and reactions from some organisations have been influenced by views expressed by other organisations (such as other public sector organisations and suppliers). For example, instead of providing the requested documents containing contract terms, some public sector organisations have been influenced by other organisations that have referred to their supplier or declined to provide the requested documents. In some such cases we conjecture that the behaviour of a public sector organisation (and its supplier) during data collection may have been an attempt to hide an absence of good administration.

Finally, findings from the study show an overwhelming and rather worrying unawareness of how contract terms for the Microsoft 365 solution allow for involvement of staff representing various subcontractors and subprocessors based in different countries when a public sector organisation uses the solution for its own data processing of digital assets.