Privacy Corner

One of the most important statements in the Guidance is the following: "[i]n the event of a supervisory case, the Norwegian Data Protection Authority will interpret the law in the same way as the EDPB [European Data Protection Board]." This is neither controversial nor surprising however, it likely spells the end of some parts of the the Directorate of Digitalisation's (DigDir) guide.

The criteria for transfers are well-known to those operating in and responsible for data protection within their organisation and the Guide does not materially alter the recommended process. The Guide also emphasises that where transfers are contemplated and undertaken, it is important to document the process:

"In the event of a supervisory case, the Norwegian Data Protection Authority will pay particular attention to whether the assessments are documented.

…

For the sake of good order, we note that you (read data controllers) have a duty to carry out adequate assessments prior to processing personal data, regardless of whether it later turns out that the processing is not problematic. Failure to carry out assessments in advance may be contrary to the accountability principle, which in itself may be a serious breach of the law."

This is consistent with the decision of the Portuguese Data Protection Authority (CNPD) reported on in the Privacy Corner section of our last newsletter, where a large fine was handed out because neither a Data Protection Impact Assessment (DPIA) nor a Transfer Impact Assessment (TIA) had been completed.

On 14 February, the EDPB presented a much-discussed new Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR. The Norwegian Data Protection Authority has incorporated the conclusions from these guidelines in the Guide as follows.

There may be reason to note that the following is stated: If a data controller based in the EU uses a data processor who is also based in the EU, but which is a subsidiary of a company based in a third country, then special assessments must be made. In itself, this is not a transfer to a third country. However, there will be a transfer if the data processor, because of being a subsidiary to for example an American parent company – is subject to the laws of the country where the parent is established and can be ordered to transfer data to the third country in accordance with local laws.

If the data processor complies with this and transfers the data to authorities in the third country, the EDPB considers this a third country transfer. If the data controller has prohibited such a transfer in the data processing agreement, the data processor is acting contrary to the data controller's instructions and is itself considered to be the data controller for this processing in accordance with GDPR Article 28 (10).

The data controller must check in advance whether the suppliers are subject to such access rights from foreign authorities and, if necessary, take appropriate technical and organisational measures to ensure that these types of transfers do not happen. Organisations that store and access date in cloud services will need to carefully consider their position, particularly what access rights the supplier has.

The South-Eastern Norway Regional Health Authority (Helse Sør-Øst) is currently working on an agreement on the storage of patient data in collaboration with Microsoft. The CEO of Helse Sør-Øst, Terje Rootwelt, says that the agreement is necessary in order to make hospital operations more efficient. Helse Sør‑Øst want to replace staffed receptions with screen solutions where patients themselves register their personal information, including health data.

The Norwegian Data Protection Authority has expressed their concerns about this collaboration as the equivalent US legislation does provide as stringent protection of personal data as the GDPR. Their recommendation is therefore to wait with such a change until an agreement between the EU and the US is in place. This is interesting in itself, and in any case shows optimism on the part of our Data Protection Authority about the validity of the new transfer agreement.

Mr Rootwelt, on his part, believes that the processing is already within the legislation, and is the best for the patients. Rune Simensen, Director of Technology and e-Health at Helse Sør-Øst, says they have had extensive dialogue with the Norwegian Data Protection Authority about the choice of solutions and are taking all such recommendations into account.

In a recent article,[1] Mr Simensen is reported as saying:

"It has been assessed whether US legislation is considered problematic, both with regard to whether the legislation can be applied and whether there is reason to believe that the legislation will in practice be applicable to the health logistics solution. The conclusion of the assessment is that problematic US legislation will not be applicable in practice.

- The assessment is supported by statistics that show how the regulations are used in Europe. In the main, collection appears to be linked to criminal individuals or criminal groups. There is one known example where data was obtained from a business, and then from a straw company that was involved in criminal arms trade linked to a terrorist organisation.

In a meeting on 15 February 2022, Microsoft Norway stated that Microsoft has never handed over data from public European bodies in accordance with the FISA regulations, he sums up.

These are important and correct arguments that will factor into the EDPB's 6-step model . This is something that should be looked into more closely if you are a public body that want to use cloud services from Microsoft. I am not aware of reliable statistics from other suppliers that are so detailed, and it is obviously a requirement if you shall be able to rely on it in a TIA. If Helse Sør-Øst has documentation on this, then it seems, from what I know, they have a pretty good case.

NOK 10 million in fines to SATS, but limited right to appeal the decision[2]

SATS, a large Scandinavian gym operator, was recently fined NOK 10 million by the Norwegian Data Protection Authority on the basis that its processing of personal data did not comply with requirements under the GDPR. This included the right to access one's own personal data and the length of time that data is stored. However, if Sats wants to appeal the decision, they will have to go to the courts.

The reason why the Privacy Appeals Board cannot hear an appeal against the decision is that Sats' processing of personal data, is considered to be so-called "cross-border processing". This is, inter alia, because employees in other countries have access to the data, as well as the fact that the same privacy policy is used in different countries. This will also be the case for many other businesses in Norway, as several of those processing personal data in several countries use the same privacy policy for all their customers.

If the Norwegian Data Protection Authority concludes that an organisation carries out "cross-border processing", it will likely mean far fewer such organisations will appeal these decisions. Bringing such a case before the court is both expensive and risky, which probably means that only the cases with the largest fines will be heard. This will in turn mean that compliance with the GDPR will become more important, but probably also more challenging, for businesses.

On the one hand, the case may be a reason to be more careful about streamlining the use of personal data in Norway and other countries. However, this is probably so impractical that the end result will be that organisations will need to be extremely careful and thorough in handling non-conformance cases, inspections and other inquiries from the Norwegian Data Protection Authority.

EDPB with statements on the application of the Binding Corporate Rules

In December 2022, the EDPB presented a draft guide with updated interpretations and requirements for the application of the Binding Corporate Rules ("BCR"). The EDPB could have done more to simplify everyday life for companies that have made the effort to acquire a BCR, or at least could simplify the approval process.

As it is now, there are probably a small number of companies that will want to go to the effort of introducing BCR. Those that do are primarily motivated by the credibility it adds to their business as it is an area of increasing interest from suppliers. It is easier and safer to choose a supplier that has BCR.

Companies that have an approved BCR according to the old regulations must continue to use it, but they must update the BCR documents in accordance with the GDPR. There are a number of changes that need to be made. The Norwegian Data Protection Authority must be notified of the changes which can be done in connection with the annual reporting obligation for BCR.

New law to streamline the enforcement of the GDPR[2]

The EU Commission will propose a new law to regulate how member states safeguard the GDPR. The new law has been prompted by the long-expressed frustration among experts and activists regarding the (in)effectiveness of existing systems for handling major cases, particularly those involving Big Tech companies.

The new legislation will improve the so-called one-stop shop rule, which has received a lot of criticism. The rule requires most major investigations to go through the Irish system because companies such as Meta, Google, Apple and others use Ireland as their European base. Ireland has been criticised for lax enforcement of the GDPR. In order to make the system more efficient, proposals have been made to set deadlines in the enforcement procedure.

Whether the proposed new laws will ever come into effect remains uncertain. From another point of view, I hear that they "don't want to touch" the GDPR because it is difficult to reach agreement between the countries and then one has to live with the rules as they are, for better or for worse.

Recommendations to avoid "dark patterns"[3]

The EDPB has issued guidelines with recommendations for those who use social media, with tips on how to avoid so-called "misleading designs" or what are often called "dark patterns". The EU has focused on "dark patterns" for some time and we see that there will be rules about this in new regulations, among other things in what is called the DSA, Digital Services Act.

In this newsletter, we considered these guidelines a little over a year ago, when they were a draft from the EDPB. The final version of these guidelines sets out a non-exhaustive list of conditions that will constitute a breach of the GDPR. Many of the examples are also graphically illustrated. In a separate appendix, they have created a separate checklist on various forms of "dark patterns". The guide should be mandatory reading for anyone working with UX (User Experience).

Some of the recommendations are, for example, to avoid "overloading", where the user receives too much information and too many requests. This can cause the user to give consent without the user having familiarised him or herself with what is being accepted. So-called "stirring" is also highlighted as problematic. Stirring involves playing on the emotions of the user to influence their choice. In addition, the guidelines also refer to "obstructing" where users are prevented or it is made more difficult to get the information they are looking for. The user may also be forced into unnecessarily long processes to, for example, opt out of an agreement. They also mention what they call "fickling", a word that does not sound very legalistic, which describes a user interface that is not consistent and unclear, so that it becomes difficult for the user to apply privacy settings. Examples of this include a lack of hierarchy, an inconsistent user interface and different languages in the user interface.

Many of us have experienced systems that use this type of technique to obtain information about us and to prevent us from exiting a service. The new guidelines and recommendations represent a positive step by the EDPB to tighten up this aspect of the GDPR.

Are dog names personal data?[4]

Those who know me know that I love dogs. So, it's a good day when I can write about dog privacy! It is also very unusual.

This case concerned a person who had been bitten by a police dog. The question was whether the name of a dog could be considered personal data. The Data Protection Authority in England, Information Commissioner's Office (ICO), responded affirmatively to this but due to the specific circumstances of the case. The information in question concerned not only the dog, but also the name of its handler and an overview of the dog's training. Information about the dog could thus identify the dog handler which was found to be the decisive factor. On this basis, the ICO concluded that it was in breach of the GDPR to release the dog's name. The ICO emphasised that dog names generally fall outside the concept of personal data but that the data in cases like this may be covered.

^{[1] "Norske sykehus skal lagre data hos amerikansk gigant: − Det er ikke trygt, sier Datatilsynet", Martin Braathen Røise, 22 March 2023. Available here. 
[2] "10 millioner i bot til Sats, men de får ikke klage til Personvernnemnda", Eva Jarbekk and Sondre Arora Aaserud, 25 February 2023. Available here. 
[3] "Brussels sets out to fix the GDPR", Clothilde Goujard, 20 February 2023. Available here.
[4] Guidelines 03/2022 on Deceptive design patterns in social media platform interfaces: how to recognise and avoid them, Version 2.0, adopted on 14 February 2023. Available here.
[5] ICO Freedom of Information Act 2000 Decision Notice Reference IC-80804-J7C6. Available at here.}