Personvernnemnda (Norway) - PVN-2023-24

From GDPRhub

Latest revision as of 09:28, 21 May 2024

Personvernnemnda - PVN-2023-24
Court: Personvernnemnda (Norway)
Jurisdiction: Norway
Relevant Law: Article 57(1)(f) GDPR
Article 77(1) GDPR
Article 34 ECHR
Decided: 16.04.2024
Published: 19.04.2024
Parties: Statistics Norway
National Case Number/Name: PVN-2023-24
European Case Law Identifier:
Appeal from: Datatilsynet (Norway)
Appeal to:
Original Language(s): Norwegian
Original Source: PVN (in Norwegian)
Initial Contributor: ec

The DPA appeal board held that the DPA does not have to carry out further investigations and can dismiss a complaint if the data unlawfully processed does not refer to the person who lodged the complaint.

English Summary

Facts

On 19 February and 4 March 2023, a data subject contacted the Norwegian DPA to notify them about Statistics Norway's (“the controller”) processing of personal data, which they believed to be in violation of the GDPR. The data subject gave several examples of how the controller breached the GDPR, including that the controller collected all mobile data in Norway and that it sold confidential personal data identified by social security number.

On 6 July 2023, the DPA replied in a letter that his inquiry had been dealt with. The DPA further stated that it would not carry out further investigations as they found it unlikely that a possible breach of the law would lead to corrective measures. Therefore, the DPA closed the case.

On 25 July 2023, the data subject lodged a complaint with the DPA, requesting erasure from the controller and other controllers who received personal data from the controller. The DPA processed the complaint and upheld its decision to close the case without conducting further investigations.

On 22 September 2023, the case was forwarded to the Norwegian Privacy Appeals Board (“Personvernnemnda”).

Holding

The Privacy Appeals Board examined whether the DPA fulfilled its duty as a supervisory body under the GDPR by closing this case without further investigations. According to Article 57(1)(f) GDPR, the DPA must handle a complaint lodged by a registered person and investigate, to the extent appropriate, the subject matter of the complaint and inform the registered person of the progress and outcome of the investigation within a reasonable period. The Board stated that the DPA has a certain freedom to decide how extensive an investigation the individual case requires. In a previous case (PVN-2017-09), the Board stated that the DPA is allowed to prioritise cases “to a certain extent that not all inquiries are treated equally thoroughly.” The DPA is required to fulfil its duty to investigate and provide information so that the parties to the case are sufficiently informed and that their assessment of the legality of the relevant processing of personal data appears sound.

According to the Board, the DPA must take a position on the material question of whether the processing of personal data had been in breach of the GDPR after an investigation which can be quite superficial or in-depth depending on the nature of the case. If the DPA closes a case without taking a position on the material issues, this is a decision dismissing the case which gives the data subject the right to appeal to the Board.

The question in this case was what leeway the DPA had, when it received an inquiry about possible breaches of the GDPR, to choose not to take a decision on whether the processing was in violation or not. It follows directly from the wording in Article 77(1) GDPR that the data subject must claim that an individual's personal data has been processed in a way that is in breach of the GDPR. The Board stated that this provision requires that the infringement must affect the person lodging the complaint. In the absence of this requirement, the notification should not be regarded as a complaint that obliges the DPA to carry out certain investigations. As both Article 57(1)(f) GDPR and Recital 141 state that the “investigation of a complaint should [...] be carried out to the extent that is appropriate in the specific case", the Board held that the case can then be dismissed without further investigation.

The Board took into account a similar approach that was taken by the European Court of Human Rights (ECtHR) on Article 34 ECHR. This Article holds that the right of appeal exists only for the person who claims to be a victim of a violation of one or more of the rights in the convention. In the ECtHR case Tănase v. Moldova, the Court required that the person "must be directly affected by the impugned measure" in order to be considered a victim within the meaning of the Convention (see §104). Thus, the Court only decides on whether the application of the rules or the practice in question affected the person directly and in such a way that the convention has been violated. The Board stated that even if the ECtHR's practice under Article 34 ECHR is not directly relevant to the interpretation of what constitutes a "complaint" in the sense of the GDPR, it can be applied similarly to the GDPR. The enforcement bodies (the ECtHR under the ECHR and the DPAs under the GDPR) must only deal with real and genuine cases from persons who can provide concrete and sufficient evidence that there has been a violation of protected rights. Statements of more or less unfounded suspicions or allegations without concrete evidence cannot trigger an obligation for the DPA to initiate investigations with the aim of clarifying whether there has been a GDPR violation in the processing of personal data. In several cases, the Board held that it is the task of the person lodging the complaint to explain the case and present documentation for the relationship complained of (see PVN-2023-15 and PVN-2023-22).

In this case, where the information provided in the inquiry did not in itself provide sufficient reason to suspect unlawful processing of personal data as the data subject is not personally affected, the inquiry could not be considered a complaint that obligated the DPA to carry out further investigations according to Article 57(1)(f) GDPR. In such a case, the DPA can dismiss the case. Thus, the Privacy Appeals Board upheld the DPA’s decision not to investigate the complaint further.

Comment

The Board did state that the ECtHR had admittedly established a certain opening for potential victims to also have a right of appeal under Article 34 of the ECHR. In the case Senator Lines GmbH against Austria et al., the ECtHR stated that the right of appeal in such cases is conditional on the person in question presenting "reasonable and convincing evidence of the likelihood that a violation affecting him personally will occur; mere suspicion or conjecture is insufficient [...]." (see p. 11). The person who has made the complaint must therefore present sufficiently good evidence that the person concerned will themselves be exposed to violations of convention rights. Mere suspicions or conjectures are not sufficient, and complaints based only on such will be rejected from substantive processing. In this case, the person who lodged the complaint did not provide sufficiently good evidence according to the Board.

There has been a recent Opinion of an Advocate General at the European Court of Justice which seems to go against what the Norwegian Privacy Board held. Although the Opinion does not address the requirement of needing to be affected directly by a violation, the Advocate General considered that when a DPA finds a personal data breach in the course of investigating a complaint, it has an obligation to take action in the interests of the principle of legality. According to the Advocate General, if the DPA simply ignored the infringement detected, this would be incompatible with its mandate.


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

The Privacy Board's decision on 16 April 2024 (Mari Bø Haugstad, Bjørnar Borvik, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem, Morten Goodwin, Malin Tønseth)
The case concerns a complaint from A about the Norwegian Data Protection Authority's decision on 6 July 2023 not to carry out further investigations into whether Statistics Norway (SSB) processes personal data illegally.
Background of the case
A contacted the Norwegian Data Protection Authority on 19 February and 4 March 2023 and notified several matters regarding Statistics Norway's processing of personal data which he believed to be illegal. In the inquiry, A mentions several different examples which he perceives to represent breaches of the Personal Data Act and the Personal Data Protection Ordinance. He refers in particular to two conditions: that SSB collects all mobile data in Norway, and that SSB sells confidential personal data identified by social security number.
In a letter to A on 6 July 2023, the Norwegian Data Protection Authority stated that his inquiry had been dealt with, that the Norwegian Data Protection Authority did not consider it appropriate to carry out further investigations into the matter, and that the Norwegian Data Protection Authority considered it unlikely that a possible breach of the law would lead to corrective measures from the Norwegian Data Protection Authority. The supervisory authority therefore closed the case and referred to the Personal Protection Ordinance, Article 57 No. 1 letter f. It appears from the letter that the decision not to carry out further investigations can be appealed under Section 28 of the Public Administration Act.
A complained about the Norwegian Data Protection Authority's closing of the case on 25 July 2023. In the complaint, a demand is also made for the deletion of information from Statistics Norway, and from other data controllers who have received information from Statistics Norway.
The Norwegian Data Protection Authority processed the complaint and upheld its decision to close the case without conducting further investigations.
The case was forwarded to the Personal Protection Board on 22 September 2023. A was informed about the case in a letter from the board, and was given the opportunity to make comments. A has given his comments by email on 4 April 2024.
The case was dealt with in the committee's meeting on 5 March and 16 April 2024. The privacy committee had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik, Hans Marius Graasvold, Ellen Økland Blinkenberg, Morten Goodwin, Hans Marius Tessem and Malin Tønseth. Investigation leader Anette Klem Funderud and first consultant Emilie Winther Løvli were also present.
The Norwegian Privacy Board's assessment
The tribunal will first say something about the legal basis for Statistics Norway's processing of personal data.
Any processing of personal data must have a legal basis to be legal. Article 6 no. 1 of the Personal Data Protection Regulation provides an exhaustive overview of which legal bases (authorities) may be the basis for processing personal data - and which may justify an intervention in privacy.
Article 6 no. 1 letter c (fulfilment of a legal obligation) and letter e (exercise of public authority or performance of a task in the public interest) are the most relevant provisions for cases where public authorities encroach on citizens' privacy.
When applying the above-mentioned authorities, there must be an additional authority in national law or in EU law that imposes duties or tasks on public authorities. This follows from the personal protection regulation article 6 no. 3 and is described as a supplementary legal basis.
Statistics Norway is the central authority for the development, preparation and dissemination of official statistics in Norway, cf. Statistics Act § 17. Statistics Norway's tasks and area of authority are further regulated in the Statistics Act with regulations. Statistics Norway's right to order other businesses to hand over information for statistical purposes is regulated in Section 10 of the Statistics Act.
Article 5 of the Personal Data Protection Regulation deals with the principles for processing personal data. It follows from article 5 no. 1 letter b that further processing of personal data for archival, research or statistical purposes in accordance with article 89 no. 1 shall be considered compatible with the collection purpose. Furthermore, it follows from recital 50 that the controller does not need a new legal basis to further process personal data for compatible purposes.
The tribunal then moves on to assess whether the Norwegian Data Protection Authority in this case, when they have closed the case without carrying out further investigations, have fulfilled their duty as a supervisory body under the Personal Data Protection Regulation. The Norwegian Data Protection Authority has indicated that the Norwegian Data Protection Authority considers it unlikely that a possible breach of the law would lead to corrective measures from the Norwegian Data Protection Authority, but has chosen not to take a position on this until they have closed the case. The tribunal perceives this as a rejection of the case.
The Norwegian Data Protection Authority's tasks follow from Article 57 of the Personal Data Protection Ordinance. According to the provision, the Data Protection Authority must process a complaint submitted by a registered person and investigate, to the extent that it is appropriate, the subject of the complaint and notify the complainant of the course and outcome of the investigation within a reasonable period, cf. the Personal Data Protection Ordinance article 57 no. 1 letter f.
In a number of cases, the tribunal has assumed that the supervisory authority has a certain freedom to decide how extensive investigations the individual case requires. In PVN-2017-09, the tribunal states:
"The Privacy Board assumes that the Norwegian Data Protection Authority, as a supervisory authority under the Personal Data Act, has the opportunity to prioritize cases to a certain extent in the form that not all inquiries are treated equally thoroughly. Such a prioritization requires that the Norwegian Data Protection Authority in the relevant case has fulfilled its duty to investigate and provide information so that the case is sufficiently informed, cf. Norwegian Administrative Procedure Act § 17, and that the Norwegian Data Protection Authority's exercise of discretion with regard to how thoroughly they assess the legality of the relevant processing of personal data appears sound. In this soundness assessment, privacy considerations will be central, cf. the purpose of the Act in § 1."
Based on the inspectorate's more detailed investigations - which can vary between being quite superficial to being in-depth depending on the nature of the case etc. - it has been the tribunal's view that the supervisory authority must take a position on the material question of whether the processing of personal data has been in breach of the regulation. The fact may be well explained or it may be poorly explained, but the inspectorate must take a position based on the investigations of the fact that have been carried out.
If the supervisory authority has closed the case without taking a position on the substantive issues, the tribunal has seen this as a decision on rejection which gives the registered person the right to appeal to the tribunal. The tribunal has anchored this in the Public Administration Act. Preamble point 141 is based on the same:
"Any data subject should have the right to ... effective remedy in accordance with Article 47 of the Covenant ... if the supervisory authority does not respond to a complaint, rejects or dismisses a complaint in whole or in part or does not intervene when necessary to protect the rights of the data subject."
The data subject's right to complain is stated in Article 77 no. 1:
"Without prejudice to other administrative or judicial review, any data subject shall have the right to complain to a supervisory authority, in particular in the Member State where the person concerned has his or her habitual residence, has his place of work or where the alleged infringement took place, if the data subject considers that the processing of personal data concerning the person concerned is contrary to this regulation."
The question in this case is what leeway the supervisory authority, when it receives an inquiry about possible breaches of the Personal Data Act, has to choose not to decide whether the processing described in the inquiry is illegal or not.
It follows directly from the wording of Article 77 No. 1 that the data subject must assert that the person's personal data has been processed in a manner that is in breach of the regulation. In other words, it can be inferred that there is a requirement for a certain specification of the alleged illegality, and that the alleged illegality must affect the person making the complaint. to complain to a national supervisory authority "... if the person concerned considers his rights in accordance with this regulation to have been violated..." (board's italics).
In the absence of some specification that it is the person concerned's own personal data that has been processed in a way that is contrary to the regulation, it can be argued in the tribunal's view that the inquiry should not be considered a complaint that obliges the supervisory authority to carry out certain investigations, cf. article 57 no. 1 letter f and the statement in recital 141 that "The investigation of a complaint should [...] be carried out to the extent that is suitable in the individual case." The case can then be rejected by the supervisory authority on the grounds that the inquiry cannot be considered a complaint.
A similar approach has been taken as a basis by the European Court of Human Rights (ECtHR) in practice under Article 34 of the ECHR, which determines that the right of appeal only accrues to the person who claims to be a victim ("a victim") of a violation of one or more of the rights in the convention. In the Grand Chamber judgment Tănase v. Moldova (application no. 7/08) of 27 April 2010, the ECtHR formulated a requirement that the person "must be directly affected by the impugned measure" in order to be considered a victim within the meaning of the Convention (section 104). It is in this that the court will not make an assessment of legal rules or practice per se, but only decide whether the application of the rules or the practice in question affected the complainant directly and in such a way that the convention has been violated. The ECtHR has admittedly established a certain opening for potential victims ("potential victim") to also have the right to appeal under Article 34 of the ECHR. In the Grand Chamber decision SENATOR LINES GmbH against Austria et al. (application no. 56672/00) of 10 March 2004, the ECtHR stated that the right of appeal in such cases is conditional on the person in question presenting "reasonable and convincing evidence of the likelihood that a violation affecting him personally will occur; mere suspicion or conjecture is insufficient ..." (p. 11). The person who has made the complaint must therefore present sufficiently good evidence that the person concerned will themselves be exposed to violations of convention rights. Mere suspicions or conjectures are not sufficient, and complaints based only on such will be rejected from substantive processing.
Although the ECtHR's practice under Article 34 of the ECHR is not directly relevant to the interpretation of what constitutes a "complaint" in the sense of the Personal Data Protection Regulation, the same considerations that underlie the limitations interpreted by the ECtHR in Article 34 in a similar way and with the same weight also applies to the interpretation of what constitutes a complaint according to the regulation. The enforcement bodies (the ECtHR under the ECHR and the national supervisory and complaints bodies under the Personal Data Protection Regulation) shall only have to deal with real and genuine cases from persons who can provide concrete and sufficient evidence that there has been a violation of protected rights. Statements of more or less unfounded suspicions or allegations without concrete evidence cannot trigger an obligation for the Norwegian Data Protection Authority to initiate investigations with the aim of clarifying whether there has been processing of personal data contrary to the regulation. In several cases, the tribunal has assumed that it is basically the complainant's task to explain the case and present documentation for the relationship complained of, see among others PVN-2023-15 and PVN-2023-22.
In this case, where Statistics Norway runs a legally regulated business and where the information provided in the inquiry does not in itself give sufficient reason to suspect illegal processing of personal data, the inquiry cannot be considered a complaint that obligates the supervisory authority to carry out further investigations according to article 57 no. 1 letter f. In such a case, the Norwegian Data Protection Authority can reject the case. This rejection decision can be appealed to the Personal Protection Board.
The complaint has not been successful.
The decision is unanimous.
Conclusion
The Norwegian Data Protection Authority's decision is upheld.
Oslo, 16 April 2024
Mari Bø Haugstad
Manager