NOK 10 million in fines to SATS, but limited right to appeal the decision
SATS, a large Scandinavian gym operator, was recently fined NOK 10 million by the Norwegian Data Protection Authority on the basis that its processing of personal data did not comply with the requirements of the GDPR. The findings concerned, among other things, the right of access to one's own personal data and the length of time data is stored. However, if SATS wants to appeal the decision, it will have to go to the courts.
Where the Norwegian Data Protection Authority concludes that an organisation carries out "cross-border processing", so that the only route of appeal is the courts, far fewer organisations are likely to appeal such decisions. Bringing a case before the courts is both expensive and risky, which probably means that only the cases with the largest fines will be heard. This in turn means that compliance with the GDPR will become more important, but probably also more challenging, for businesses.
On the one hand, the case may be a reason to think twice before harmonising the processing of personal data across Norway and other countries, since it is such cross-border processing that triggers this route. In practice, however, that is probably so impractical that the end result will be that organisations need to be extremely careful and thorough when handling non-conformance cases, inspections and other inquiries from the Norwegian Data Protection Authority.
EDPB statements on the application of Binding Corporate Rules
In December 2022, the EDPB presented a draft guide with updated interpretations of and requirements for the application of Binding Corporate Rules ("BCR"). The EDPB could have done more to simplify everyday life for companies that have made the effort to obtain BCR, or at least could have simplified the approval process.
As things stand, probably only a small number of companies will want to go to the effort of introducing BCR. Those that do are primarily motivated by the credibility it adds to their business, as it is an area of increasing interest from suppliers. It is easier and safer to choose a supplier that has BCR.
Companies that have BCR approved under the old regulations may continue to use them, but they must update the BCR documents in accordance with the GDPR. There are a number of changes that need to be made. The Norwegian Data Protection Authority must be notified of the changes, which can be done in connection with the annual reporting obligation for BCR.
New law to streamline the enforcement of the GDPR
The EU Commission will propose a new law to regulate how member states enforce the GDPR. The new law has been prompted by long-expressed frustration among experts and activists regarding the (in)effectiveness of the existing system for handling major cases, particularly those involving Big Tech companies.
The new legislation is intended to improve the much-criticised so-called one-stop-shop rule. Under that rule, most major investigations have to go through the Irish system, because companies such as Meta, Google and Apple use Ireland as their European base, and Ireland has been criticised for lax enforcement of the GDPR. To make the system more efficient, it has been proposed to set deadlines in the enforcement procedure.
Whether the proposed new laws will ever come into effect remains uncertain. From another point of view, I hear that they "don't want to touch" the GDPR because it is difficult to reach agreement between the countries and then one has to live with the rules as they are, for better or for worse.
Recommendations to avoid "dark patterns"
The EDPB has issued guidelines with recommendations for those who use social media, with tips on how to avoid so-called "deceptive designs", often called "dark patterns". The EU has focused on "dark patterns" for some time, and rules about them are appearing in new regulations, among them the Digital Services Act (DSA).
In this newsletter, we considered these guidelines a little over a year ago, when they were a draft from the EDPB. The final version sets out a non-exhaustive list of conditions that will constitute a breach of the GDPR. Many of the examples are also illustrated graphically. In a separate appendix, the EDPB has created a checklist covering the various forms of "dark patterns". The guide should be mandatory reading for anyone working with UX (User Experience).
Some of the recommendations are, for example, to avoid "overloading", where the user receives too much information and too many requests. This can cause the user to give consent without having familiarised him- or herself with what is being accepted. So-called "stirring" is also highlighted as problematic: stirring involves playing on the emotions of the user to influence their choice. In addition, the guidelines refer to "obstructing", where users are prevented from getting, or find it harder to get, the information they are looking for. The user may also be forced through unnecessarily long processes to, for example, opt out of an agreement. The guidelines also mention what they call "fickling", a word that does not sound very legalistic, which describes a user interface that is inconsistent and unclear, so that it becomes difficult for the user to apply privacy settings. Examples of this include a lack of hierarchy, an inconsistent user interface and different languages in the user interface.
Many of us have experienced systems that use this type of technique to obtain information about us and to prevent us from exiting a service. The new guidelines and recommendations represent a positive step by the EDPB to tighten up this aspect of the GDPR.
Are dog names personal data?
Those who know me know that I love dogs. So, it's a good day when I can write about dog privacy! It is also very unusual.
This case concerned a person who had been bitten by a police dog. The question was whether the name of a dog could be considered personal data. The data protection authority in England, the Information Commissioner's Office (ICO), answered yes, but only because of the specific circumstances of the case. The information in question concerned not only the dog, but also the name of its handler and an overview of the dog's training. Information about the dog could thus identify the dog handler, which was found to be the decisive factor. On this basis, the ICO concluded that releasing the dog's name would be in breach of the GDPR. The ICO emphasised that dog names generally fall outside the concept of personal data, but that the data in cases like this may be covered.
Sources
"Norske sykehus skal lagre data hos amerikansk gigant: − Det er ikke trygt, sier Datatilsynet" ("Norwegian hospitals to store data with American giant: 'It is not safe', says the Data Protection Authority"), Martin Braathen Røise, 22 March 2023.
"10 millioner i bot til Sats, men de får ikke klage til Personvernnemnda" ("NOK 10 million fine for Sats, but they cannot appeal to the Privacy Appeals Board"), Eva Jarbekk and Sondre Arora Aaserud, 25 February 2023.
"Brussels sets out to fix the GDPR", Clothilde Goujard, 20 February 2023.
Guidelines 03/2022 on Deceptive design patterns in social media platform interfaces: how to recognise and avoid them, Version 2.0, adopted on 14 February 2023.
ICO Freedom of Information Act 2000 Decision Notice, Reference IC-80804-J7C6.