The Norwegian Supreme Court's decision on what constitutes a "Legitimate Interest" under Article 6(1)(f) of the GDPR

The website "Legelisten.no" allows users to share information relating to doctors, dentists and other health professionals. The purpose of this website is to make it easier for patients to choose an appropriate doctor, dentist, or other health professional. The website provides the opportunity to write and read other patients' reviews after visiting a health professional. The review is based on various criteria, such as availability, communication and service and the user is asked to rate the applicable health professional from one to five stars.

This case was brought by a dentist who demanded that the website delete all information (which included various negative reviews) relating to her. After assessments by both the Norwegian Data Protection Authority ("NDPA") and the Norwegian Privacy Board ("NPB"), it was concluded that "Legelisten.no" had a legal right to collect and publish subjective reviews of health professionals pursuant to GDPR Article 6(1)(f) (Legitimate Interests). The Norwegian Medical Association ("NMA") disagreed and decided to take legal action against the website. Both the District Court and the Court of Appeal found in favour of the website. The NMA appealed the Court of Appeal's decision to the Supreme Court.

The parties agreed before the Supreme Court that the website did have a legitimate interest in processing the data. However, the NMA argued that the NMA and its members also had interests worthy of protection, including the right to privacy and a right of reservation against unfair and defamatory reviews.

The Supreme Court held that there was a significant need for the general public to have information to assist them when choosing providers of health services. Even though the website was a platform, based on patients' subjective reviews, the Supreme Court held that "Legelisten.no" enabled important information to be provided to the general public.

The Supreme Court acknowledged that receiving negative, and to some extent unreasonable, reviews could be burdensome for health professionals. However, most reviews on the website were positive, and it was inevitable that some health professionals would get less positive reviews than others. The Supreme Court also relied on the Norwegian Consumer Council's view that members of the public understood the mechanisms of such websites, and thus would read unreasonable reviews critically. Although some reviews violated the website's guidelines, the Supreme Court found that the website had implemented reasonable measures to ensure the privacy rights of health professionals.

The Supreme Court concluded that it was in the website's legitimate interest to publish the reviews because the general public's need to know this information outweighed the privacy interests of the health professionals referred to on the website.

The Supreme Court's decision does not come as a surprise, as it is consistent with decisions of the European Court of Justice and the European Data Protection Board's guidelines.

Importantly, the Supreme Court clarified that whilst individuals are protected under the GDPR, other interests can be considered more important when these are in conflict. This is especially relevant where the conflicted interest concerns fundamental human rights such as freedom of speech. The general public may also have a strong interest in exchanging information about certain professional groups and these groups must therefore accept that they have less privacy in certain situations.

The Supreme Court made it clear that the position would be different if the relevant data was personal data that related to a professional in their capacity as a private individual. As a result, when reading the Supreme Court's judgment, it is important to keep in mind that "Legelisten.no" only facilitates the sharing of personal data related to health professionals and providers of health services. Accordingly, it is necessary for such websites to implement appropriate procedures to censor the comments that are made, in order to prevent any harassment of the relevant professionals as private individuals.

As a result of the judgment, providers of similar websites and forums should consider how legitimate it is to exchange and share the relevant information. This is necessary in order to determine whether there is a legal basis under the GDPR for publishing this information, and whether the processing of this information lawful.

There are various other requirements, under the GDPR, which also apply to websites. It is important that privacy policies are implemented, in accordance with GDPR Article 14, when the personal data has not been obtained directly from the data subject. Websites should inform users about the right to access, delete and correct personal data, and their right to file a complaint to the national DPA. Additionally, a website's privacy policy should state why the processing of personal data is legitimate under Article 6(1)(f) of the GDPR and what that website's rules are for the retention and deletion of personal data. It is also essential that the website complies with the general principles set out in GDPR Article 5 and implements an appropriate level of security as provided in GDPR Article 32.

A website also needs to provide clear and concise information, e.g., to show whether a review is based on a user's subjective opinion or contains an advertisement as per E-Commerce Act Section 9.

If providers of websites undertake the necessary precautions, and have sufficient procedures in place, the risk of conflict with data subjects and the authorities may be reduced.