
Eva Jarbekk
Partner
Oslo
Newsletter
by Eva Jarbekk
Published:
This time we have a main focus on the Telenor case, which is probably of great interest to everyone who has a Data Protection Officer. We will also talk a bit about what has been the buzzword of recent weeks – "exit options". In any case, make sure you know that your backup is somewhere other than in the cloud where your production data is! But first, a few words about cookies.
A new guide on cookies has been published by the Norwegian Data Protection Authority. It doesn't contain any surprises, but the reality is that far from all Norwegian websites have practices that are in line with the rules. Many have probably thought that you can wait to adjust your practices until you know how the Norwegian Data Protection Authority and the Norwegian Communications Authority (NKOM) will interpret the rules. In any case, we now know how the Data Protection Authority views many of the issues.
Among other things, it seems that the Data Protection Authority is sceptical about so-called multi-purpose cookies that collect data for several purposes. The most exciting thing going forward will be how and whether the Data Protection Authority actually intends to enforce the rules. It will be a slightly strange situation if they don't and keep a relaxed interpretation of the rules, when at the same time they have criticised the Irish Data Protection Authority for having too market-friendly interpretations of the GDPR.
Is this the last we hear of cookies? Probably not. NKOM will soon be issuing its guidance on which cookies can be considered necessary. And after that, I'm guessing there will be a lot of legal activity on this in the future.
Telenor was recently fined NOK 4,000,000 as a reaction to a fairly lengthy audit of how the company's DPO scheme has been organised. The audit found significant deficiencies in the company's internal controls and ability to document key assessments, but it is probably the specific aspects of the DPO's role that interest most people.
The criticism was that the DPO was not sufficiently independent and that there was a potential conflict of interest because the DPO had several roles. Nor had a direct reporting line from the DPO to the highest management level been established and documented. The Data Protection Authority coordinated its decision with Telenor in both Denmark and Sweden, which means that any appeal cannot be made to the Norwegian Privacy Appeals Board, but must be made to the District Court. Normally, such a case would have been appealed to the Privacy Appeals Board, but I am unsure whether the case will be taken to the District Court when the amount is so low.
Specific matters that were criticised about the DPO function
The DPO was an associate lawyer and organisationally belonged to the company's legal department. The DPO had a 50% position as Data Protection Officer and a 50% position as associate lawyer. Telenor pointed out that since October 2020, the person in question had in practice spent most of his working hours on tasks related to the role of DPO, but this was not formalised. The Data Protection Authority emphasises that the DPO must not have tasks that entail a conflict of interest and that this must be ensured in the job description and internal guidelines. They emphasised that a Data Protection Officer who does not work full-time as a DPO may be particularly vulnerable to a conflict of interest between time spent on DPO duties and other work duties.
It was also emphasised that a reference in the job description to the DPO reporting directly to senior management is not in itself sufficient to ensure compliance with Article 38(3), which states that "[t]he data protection officer shall directly report to the highest management level of the controller or the processor".
The Data Protection Authority was of the opinion that the DPO should be able to report to the highest management level in an organisation, which in practice will be the board of directors, but may also be the CEO or management team. Such routines were not established or documented. They emphasised that the lack of formalised routines for reporting means that the DPO has no practical opportunity to claim his right to report. The DPO is then left to bypass hierarchical levels on his own initiative in order to reach senior management.
The Data Protection Authority illustrates the problem with lack of established routines with Telenor's own report from an external DPO who held the role for a period and who wrote the following:
"DPO reporting, access & independence – The DPO is unable to perform the role effectively and independently due to lack of proper implementation of the role in the organization, including clarified reporting lines, access to highest level of management and interference in reporting."
In order to be able to make an assessment of the employee's duties and whether there is a clear enough distinction between the roles of Data Protection Officer and associate lawyer, the Data Protection Authority adopted a practical approach. Among other things, they looked at the employee's job description. It had the following wording in an Excel sheet – where there were blank lines between the description of the work as an associate lawyer and the role as DPO:
"Implement and/or develop as necessary policies, manuals, best practices, provide legal advice (including contribute in relation to Authority Requests) and provide support during negotiations of contracts and liaise with external legal counsel. Cooperate closely with other experts in Group Legal and other Group functions as required to support high risk or critical processes. Share information and best practice with colleagues in Group Legal.
Act as DPO in accordance with the GDPR which entail the following activities as examples: - Develop and maintain Privacy Management Tools and Data Transfer Mechanisms - Contribute to Training and Awareness Program - Contribute to embed Data Privacy Into Operations - Inform and Advise on Data Protection Impact Assessments - Inform and Advise on Integrating Privacy by Design into Data Processing Operations - Contribute to management of Third-Party Privacy Risks - Contribute to Privacy Notices - Inform and Advise on Requests and Complaints from Data Subjects - Monitor for New Operational Practices - Develop and Evolve the Relevant Guidelines and Templates to Support Telenor ASA in Matters Regarding Protection of Personal Data - Liaise with Group Compliance on related compliance activities".
The assessment of the Norwegian Data Protection Authority is as follows:
"Although there is a blank line in the Excel sheet separating the two sections, we believe that this is not sufficient to clearly distinguish between the tasks to be performed as Data Protection Officer and associate lawyer, respectively."
The Data Protection Authority problematised whether the role of DPO was at all compatible with the position of associate lawyer, but did not reach a conclusion on this, which would have been desirable. Arguments they pointed to were that an associate lawyer is dependent on his or her principal and that an associate lawyer's desire to obtain a lawyer's licence may conflict with the exercise of the DPO role. Nevertheless, it may be the case that if the legal advice relates to areas of law other than privacy, it is easier to distinguish between the roles.
It was also emphasised that if the DPO is also part of the legal department, organisational measures must be in place to separate the roles of DPO and lawyer. This could, for example, involve having a separate email for tasks related to the DPO role. This is necessary so that recipients of an email can understand whether the content and advice in an email is given in the capacity of DPO or legal adviser. That makes a lot of sense.
Just as interestingly, the audit found that the DPO had not been given sufficient resources to fulfil his duties. This includes both time and money.
In this case, the Data Protection Authority was of the opinion that the formal allocation of a 50% FTE to a person is not sufficient time, given the size of the company (approx. 1,500 employees). Regardless of the number of employees, a company should probably pay attention to whether a DPO is signalling or reporting that he or she is significantly understaffed/overworked.
It appears from the decision that the DPO did not have a separate budget. Data protection-related expenses were allocated on a case-by-case basis by the DPO's line manager. The Data Protection Authority is of the opinion that this weakens the position of the DPO, because the superiors are not obliged to comply with data protection in the same way as a DPO. It is therefore a good tip to ensure that the DPO has his or her own budget item, rather than applying for funds when needed.
The Data Protection Authority also emphasises that Telenor generally lacked organisational measures to ensure general compliance with the GDPR, and refers to the following email correspondence which – as far as I understand – was sent to the Data Protection Authority in connection with the audit (emphasis added).
"__ wrote the following in an email to __ dated 12 April 2021:
"Regarding Data Protection/Transfer Impact Assessments, the current backlog is quite big and I believe the organization is struggling a bit to get up to speed. There is currently little capacity/competency to conduct proper impact assessments among the ASA colleagues".
The external Data Protection Officer was copied on the above e-mail and replied, among other things:
"True. However, the lack of capacity/competence to conduct assessments is also a symptom of a more general issue of immature privacy compliance governance and performance at ASA, and a lack of foundational building blocks for privacy compliance, such as e.g. inventory, awareness and competence, operational capacity, implemented processes and unclear roles/responsibilities for group initiatives".
In connection with a discussion about outsourcing of operational tasks concerning compliance with data protection requirements, the external Data Protection Officer wrote the following:
"However, more generally than simply discussing outsourcing of some operational privacy compliance activities (which also would have a time- (in terms of followup/involvement) and monetary cost to ASA), this discussion/issue between the mentioned entities foundationally has to do with defining each entity’s role (privacy wise) and corresponding accountability, responsibilities and operational capacity in initiatives with group dependencies"."
There are relatively strong allegations of a lack of resources in this correspondence, and it is no wonder that the Data Protection Authority has included this in its decision.
Another topic that is relevant to many was that the DPO was criticised for owning shares in the company. Here too, the Data Protection Authority did not reach a conclusion, but pointed out that advice from a DPO can influence and change a company's business model. This in turn can affect the share value. In other words, the Data Protection Authority has not ruled that it is incompatible for a DPO to own shares in a company. The main criticism was that this had not been considered by Telenor. This is actually quite easy to understand. Telenor argued that the DPO owned very few shares. So – if you have a DPO with shares – make sure to make an assessment of whether the DPO can still make independent decisions. And if the DPO owns a lot of shares, I think it's a challenge to let them be a DPO.
Another interesting aspect is that Telenor believed that they were not obliged to have a Data Protection Officer. It was completely voluntary that they had a DPO in the parent company. Here, too, the Data Protection Authority did not conclude, but wrote that it is censurable that Telenor ASA had not documented the assessment of whether they were obliged to have a Data Protection Officer. Secondly, and this is fairly easy to understand, the Data Protection Authority was of the opinion that Telenor ASA actually had to follow the rules for Data Protection Officers once they had established such a function. Even though it was voluntary. This shows that there is reality in the title of Data Protection Officer.
If you want someone who works with data protection, but should not be subject to the formal obligations, you should call them something other than "Data Protection Officer". This is the reason why many companies actually operate with several, or other, titles.
When you are audited by the Data Protection Authority, you can expect your internal control documentation to be carefully scrutinised. The audit found that Telenor's Article 30 protocol was both incomplete and confusing. This meant that the company did not have a clear overview of which processing operations it was responsible for. I think it's fair to say that very few companies actually have a complete and up-to-date processing protocol. And in corporate groups, I think there are many who do not have a full overview of which company has the formal responsibility for what. I don't think the fact that things can be a little unclear in a group is a very big privacy risk. I therefore find it a little unrealistic that the Data Protection Authority, in its decision against Telenor ASA, writes that they impose the following on the company:
To revise the GDPR Article 30 processing protocol and implement organisational measures to ensure that it at all times provides an up-to-date description of the processing activities in Telenor ASA, the number of data subjects and the roles of Telenor ASA.
I don't think that requiring someone to have an "up-to-date description of processing activities and the number of data subjects" actually strengthens privacy. I also doubt that that part of the decision will stand up if tried. On the other hand, this is a reminder that group DPOs must actually focus on whether the group has a good enough overview of who is responsible for which processing activities.
Another interesting point is that the parties disagreed on whether the processing was cross-border or not. Article 3(1) emphasises that the GDPR applies to the processing of personal data regardless of where the processing takes place, as long as it relates to the activities of an establishment within the EU. The Data Protection Authority was of the opinion that Telenor Group, with operations both within and outside the EEA, thus has cross-border processing activities. Telenor ASA argued against the case being cross-border, because the case did not concern specific processing activities. The Data Protection Authority maintained that the processing fulfils the requirements of Article 4(23), as it affects data subjects in several EEA countries, including the 15,000 employees of Telenor. In addition, Telenor had internal routines and guidelines that were the same in all countries Telenor Group operates in.
Is there anything to learn from this case? Absolutely.
If you don't want your Data Protection Officer to have to follow the fairly strict rules of the GDPR – give them a different title. This only applies if you are not required to have a DPO.
Mind the means of communication. The DPO should have an email address that contains "Data Protection Officer", "privacy" or similar. Especially if the DPO also has other functions and roles.
For DPOs who have several roles – associate lawyer, shareholder, advisor, other – document an assessment that the person is independent. A person who partly has a DPO function should not for the rest of their career have a role that determines the use of personal data. In other words, he or she should not hold any of the functions that are typically incompatible with being a DPO.
Give your DPO sufficient resources. Recognise that it actually costs money and time. Especially if you are a large company.
And state clearly and explicitly who the DPO should report to.
Since President Trump took office in the US, times have become more uncertain in Europe. This is also noticeable in the tech and privacy sectors. Recently, there have been many opinions about Europe's dependency on US tech companies and what happens if it becomes unlawful to transfer personal data to the US.
Danish IT experts have stated that if the US shuts down its cloud services, Denmark will "shut down within an hour". Our Minister of Digitisation, Karianne Tung, was the first to ask Norwegian companies to "have a plan", but corrected herself shortly afterwards by saying that she had never said that Norwegian companies must have an exit strategy. The Norwegian Data Protection Authority, on the other hand, writes that you should have an exit strategy if the transfer agreement with the US collapses.
But what does it really mean to have an "exit strategy"? And what practical options can you implement?
When people talk about "exit strategies", it is partly because there are currently rules in place that make it easy to transfer personal data to the US. This is called the "Data Privacy Framework" ("DPF"). The background to the DPF was that the previous rules on transfers to the US were ruled invalid by the European Court of Justice in the so-called "Schrems II" judgement. Following this, President Biden signed a presidential order that is a prerequisite for DPF. When personal data is transferred to a company that is DPF-certified, the European Commission considers that this company adequately protects personal data. Although the DPF is not perfect, it is far more practical than the state of affairs between the Schrems II judgement and before the DPF entered into force.
At present, there is no clear answer as to whether Trump plans to withdraw the DPF. Nor whether the EU itself might decide that it can no longer be used. If, for example, Trump were to take certain measures against Danish data, albeit targeted, it's not inconceivable that the Commission would say that the DPF cannot be trusted.
Even if Trump himself does not withdraw the DPF or the EU says it can no longer be used, it is conceivable that the issue will be legally tried by a complaint.
The question that many businesses are now asking themselves is therefore: What if the DPF collapses? What do we do then?
Firstly, you can still use what is commonly referred to as Standard Contractual Clauses (SCC). The advantage of SCCs is that they are a standardised framework for the transfer of personal data that has been pre-approved by the European Commission. At the same time, transfers based on SCCs are a far more time-consuming process than is the case today, where the transfer is based on DPF.
The EDPB has issued guidelines on how to use SCCs. In particular, there are four key steps that are crucial to using SCCs correctly and legally. A quick recap may be in order.
Firstly, you need to map the transfers. It is important to have an overview of where the personal data is located, including all processes, systems, services, data processors and subcontractors that transfer personal data out of the EEA. It's also a good idea to know which information is most important.
Next, you need to identify the basis for the transfer, which could be SCC, consent or Binding Corporate Rules ("BCR").
Thirdly, you need to examine whether the transfer basis is effective, i.e. whether the laws and practices in the recipient country are acceptable. If local laws and practices go further than what is proportionate under EU legislation, you may have a problem with transfers to the country in question. I think it's fair to say that it has become somewhat more difficult to accept that there is a predictable and stable legal situation in the US at the moment. If it becomes relevant to make such assessments again, we will have to come back to this. Then we'll have to take a closer look at the CLOUD Act as well.
The fourth step applies if it is concluded that the level of protection in the recipient country is lower than required. After Schrems II, key measures included encryption, pseudonymisation and sometimes confidential computing. The reason for this was to ensure confidentiality – the supplier was to be prevented from "breaking into" the customer's data.
With the new President of the United States, we have also begun to look at whether it is conceivable that someone could cut off our access to our own data. It's a completely different type of assessment, one of availability rather than confidentiality, where the measures previously taken (encryption, pseudonymisation, etc.) don't play such a big role. I think it will make a big difference which sector you operate in. Actors in socially critical sectors and suppliers to these will have to place great emphasis on security to ensure that data remains accessible.
In light of the uncertainty surrounding the DPF, it is important to consider how this may affect contracts and agreements. There is an increased focus on the need for contracts to include clauses that allow for changes in delivery models and technological solutions to ensure that they are GDPR compliant at all times. Another element is for data processing agreements to include provisions that allow for a change of location for data storage and a change of supplier if necessary. We are already hearing about data processing agreements that state that a contract can be cancelled (!) if you are not compliant with DPF or SCC.
It's also crucial to have a robust backup strategy that ensures that important data is stored outside the sphere of control of the cloud provider you use.