Renowned technology lawyer, expert speaker and author, Andrew Katz has co-authored the newly published paper – “Data processing and maintenance in different jurisdictions when using a SaaS Solution in a public sector organisation”, alongside Björn Lundell, Jonas Gamalielsson and Mathias Lindroth, from the University of Skövde in Sweden.

The study examines factors that a public sector organisation (PSO) should take into account when acquiring a software as a service (SaaS) solution to process their documents and data, looking at both lawful data processing, and the obligations that those PSOs have to maintain their digital assets.

A case study was carried out on the City of Gothenburg in Sweden and their process in selecting (adoption and implementation) of Microsoft 365. The study identifies challenges and presents an analysis of the organisational implementation of that SaaS solution, exposing legal issues that arose in that context.

Findings show an absence of a documented risk analysis related to the PSO’s use of that SaaS solution, covering data processing and maintenance of its digital assets; as well as establishing that the procurement process was flawed and that it’s too easy to transition from an on-premise deployment of software such as Microsoft Office to a cloud-based equivalent without considering the legal, practical and societal ramifications. Although the functionality may appear to be similar, the difference in the way that functionality is delivered has very significant differences from a legal perspective.

The paper focuses on the effect of GDPR on the new arrangements, and, in view of the ongoing effect of the judgments of the Court of Justice in the “Schrems” cases, this paper provides a timely addition to the discussion.

The paper is one of a series of analyses by the same team covering different aspects of the same City of Gothenburg case study, which focus on aspects such as lock in, patent licensing of media format standards, procurement law, Swedish administrative law, competition law issues and the importance of being able to access, process and write documents and files after termination of the SaaS agreement, something for which the authors argue an open source software solution is essential.

Andrew Katz, Moorcrofts Head of Technology and IP and Co-Author, said:

“There are significant risks in adopting a SaaS solution, and our research shows that many public sector bodies, including Sweden’s second city, Gothenburg, failed to take appropriate steps to consider these risks before deploying the SaaS. The paper provides important advice for anybody – public sector or otherwise – wishing to adopt and implement a SaaS solution”.

Andrew is one of the UK’s leading free and open source software lawyers, is a Fellow of the Free Software Foundation Europe and a Fellow of the Open Forum Academy,  has been a visiting lecturer on Free and Open Source Software at Queen Mary, University of London and is currently a visiting researcher at the University of Skövde, Sweden where he has co-authored a number of papers, mainly on the interrelationship between standards and open source software. One of the papers has formed part of the Swedish government’s procurement policy.

He regularly advises companies worldwide, including global multinationals, on issues relating to open source software and software supply chain compliance. Both Moorcrofts and Orcro are partners of the Linux Foundation’s OpenChain compliance programme, and Andrew is heavily involved in the development of the OpenChain specification: ISO/IEC 5230:2020 processes and materials. He sits on the core drafting team of the CERN Open Hardware Licence. He led the Open Hardware section of the European Commission’s published report on Open Source Software and Hardware in the European Union.

The paper, which was part of the eJournal of eDemocracy & Open Government, (JeDEM), owned and published by the Department for E-Governance and Administration, Danube University Krems, Austria and can be accessed online.