Eva Jarbekk
Partner
Oslo
Newsletter
On 8 September, the Helsingør case took a new turn. In July, the Danish Data Protection Authority banned Helsingør municipality from using Google Workspace in schools. At the same time, they started a dialogue with the municipality to gain better insight into how they use Google Workspace. As a preliminary result of this dialogue, the Danish Data Protection Authority has allowed the municipality to continue with Google for two months, provided that a number of specific measures are implemented.
It may be difficult for the municipality to implement the imposed measures. For example, they must provide a detailed description of their entire technological data infrastructure, as well as the data flow internally and externally, renegotiate the terms of the agreement with Google so that it becomes clearer when Google is actually to be considered the data controller and for what purposes they use personal data, and ensure that transfers to third countries take place in accordance with the requirements of the GDPR. Furthermore, they must clearly describe what personal data is forwarded to the data processors. If they are unable to implement this within the two months, they must submit for approval a specified timetable for when the remaining measures are to be implemented.
As Google is the central third-party actor for the municipality, there is no doubt that there will be a lot of contact with them in the future. To what extent Google will be willing to adjust its terms of agreement remains to be seen. Aarhus municipality has received the same orders from the Danish Data Protection Authority, so Google must deal with the fact that their customers are increasingly likely to make such demands. I probably wouldn't bet on this being resolved in two months. In any case, it is good that there are some cases that clarify the room for manoeuvre and hopefully the case ends with legal solutions that can be implemented more widely.
On Thursday 15 September, new guidelines on third-country transfers from DFØ finally arrived. Many have been waiting for it and several public agencies have contributed to writing it. The most striking aspect is that the Norwegian Data Protection Authority has not contributed.
Among data protection specialists, there is lively discussion about whether the guidelines convey the correct law and the correct interpretation of the Schrems II judgment. It is quite clear that the guidelines create more room for manoeuvre than those provided by the European Data Protection Board (EDPB), and many are happy about that.
However, only one day after the publication of the guidelines, the Norwegian Data Protection Authority published a statement that their original guidelines for transfers are to be followed and that they will have discussions with DFØ on the content of the new guidelines. The statement even mentions "legal disagreements". This statement was co-signed by the director of the Directorate on Digitalization. It would be an understatement to say that this is unusual. So for the time being, it is very clear that one should rather use the guidelines from the DPA and from the EDPB.
The new guidelines have also attracted great interest beyond Norway's borders – already the day after publication, I received inquiries from lawyers abroad who had heard about it and were wondering what the guidelines say and who is behind it.
On 5 September, the Irish Data Protection Authority announced a fine of 405 million euros to Instagram for not having complied with the GDPR's regulations on the processing of personal data about children. For the parent company Meta, the fine comes on top of the 225 million euro fine that the Irish Data Protection Authority issued to WhatsApp last year. Thus, the total fines have exceeded 600 million euros – almost NOK 6.5 billion – in less than two years.
Instagram has allowed children between the ages of 13 and 17 to run businesses and/or influencer accounts where they were earning income from the platform. In these cases, the default setting in Meta was that the children's e-mail addresses and phone numbers were openly available to others. It didn't help that Meta changed the default setting.
The fine is the second largest in the GDPR's history, and it is of course expected that Meta will appeal it. There is no official statement from the Irish Data Protection Authority yet.
Marketing is still a hot topic within data protection. Sephora – a French multinational retailer of personal care and beauty products – has had two decisions against it very recently. In Romania, the company has been fined €2,000 for continuing to send SMS marketing even after an individual exercised the right to object. At the same time, Sephora has been fined $1.2 million in California for selling customer data. The ruling is the first to be handed down under California's Consumer Privacy Act. Sephora had not made it clear to its customers that it was selling data about them to third parties. The company also failed to handle requests to opt out of receiving advertising.
Here at home, it is reported that the Norwegian Consumer Authority will soon publish a new report on so-called Dark Patterns. We will come back to that; again we see that the consumer authorities are a strong driving force in the field of data protection.
The Norwegian Data Protection Authority has presented a new report on monitoring at work. And it is not particularly pleasant reading for those concerned with data protection:
More than half (55 per cent) of employees respond that they have "little", "very little" or "no" overview of what data employers collect about them.
Services from technology companies such as Google, Microsoft and Zoom have built-in additional functions that allow the employer to monitor the employee's activities without the employee noticing.
Such software has become advanced with capabilities to collect very detailed and specific information about the individual. Many of the functionalities can therefore be highly intrusive and pose clear challenges for employees' data protection.
This is a problematic activity and may be an infringement of the employee's right to data protection. Three percent have also seen signs that the employer has taken invasive measures, such as access to e-mail or PC/screen use (logging of keyboard use and/or screen recording), without notification.
In addition, we see that there are further challenges regarding control measures relating to the home office. The report is an interesting read.
The type of monitoring employees must accept is quite different in different European countries. Employment law aspects of data protection are one of the areas where the GDPR allows countries to have different rules. A recent case from the Netherlands illustrates this:
An employee of a Dutch company left the company. After the employment ended, the former employee still had the employer's computer. The former employee had personal data on it. In connection with the computer being returned to the former employer, she requested that all personal data be deleted from the computer. The employer objected because they argued that the computer contained work-related, privileged data that the former employee should no longer have access to. There was a court case, and the court ruled that the data should be deleted from the computer. The former employee had the right to be present while this happened.
From a Norwegian perspective, the judgment is not surprising, as employees in Norway have a significant right to be able to control personal data, even in a work-related context. This right is obviously not equally strong in all European countries.
As mentioned previously, there are several proposals for changes to data protection legislation in England. There are more than 80 specific proposals that will make it easier for companies – many argue that the changes weaken data protection in England. Many in England are anxious that these changes may result in England losing its status as an approved third country from the EU. A request has therefore now been sent to Parliament that a number of these changes should not be carried out.
Canada is one of the countries that the EU considers to have adequate data protection legislation, and personal data can therefore be transferred there without particular problems. Now they have decided to further strengthen their data protection legislation. The changes enter into force on 22 September this year and bring the Canadian regulations even closer to the provisions of the GDPR. For example, there will be a requirement for companies to have a dedicated person who ensures data protection compliance. There will be stricter obligations for handling deviations and an obligation to have a register of deviations that have occurred. The level of fines for infringements will be even higher than under the GDPR: they allow companies to be fined as much as 5% of global turnover.
Russia has also begun to focus on data protection and is now introducing a deadline for reporting deviations: the obligation involves giving Roskomnadzor, the regulator of personal data in Russia, two notifications within given deadlines. The first notification must be given within 24 hours and must contain information about the type of breach that has taken place, and a subsequent notification must be sent within 72 hours, stating the results of the investigation into the incident and the measures taken. Although this looks good on paper, there is perhaps no reason to believe that this change will bring any significant strengthening of data protection in Russia.