Norges Høyesterett - 2021-2403-A: Difference between revisions

From GDPRhub
m (Hyperlinks)
 
(6 intermediate revisions by 3 users not shown)
Line 7: Line 7:
|Court_With_Country=Norges Høyesterett (Norway)
|Court_With_Country=Norges Høyesterett (Norway)


|Case_Number_Name=HR-2021-2403-A
|Case_Number_Name=2021-2403-A
|ECLI=
|ECLI=


Line 63: Line 63:
|Party_Link_5=
|Party_Link_5=


|Appeal_From_Body=Personvernnemda (Norway)
|Appeal_From_Body=Personvernnemnda (Norway)
|Appeal_From_Case_Number_Name=2018-14 (15/01355)
|Appeal_From_Case_Number_Name=2018-14 (15/01355)
|Appeal_From_Status=Appealed - Confirmed
|Appeal_From_Status=Appealed - Confirmed
|Appeal_From_Link=https://gdprhub.eu/index.php?title=Personvernnemda_(Norway)_-_2018-14_(15/01355)
|Appeal_From_Link=https://gdprhub.eu/index.php?title=Personvernnemnda_(Norway)_-_2018-14_(15/01355)
|Appeal_To_Body=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Case_Number_Name=
Line 76: Line 76:
}}
}}


The Supreme Court of Norway ruled that the [[PVN - 2018-14 (15/01355)|Privacy Appeal Board's decision]] regarding [[Datatilsynet (Norway) - 15/01355|Legelisten.no]] was valid, agreeing that Legelisten had legal grounds in [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] for publishing subjective user reviews of healthcare personnel on their website.
The Supreme Court of Norway upheld the [[Personvernnemnda (Norway) - 2018-14 (15/01355)|Privacy Appeal Board's decision]] related to [[Datatilsynet (Norway) - 15/01355|Legelisten.no]] (a website containing reviews of healthcare professionals) confirming that it could publish its reviews relying on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] as a legal basis.


== English Summary ==
== English Summary ==
Line 83: Line 83:
In 2012, a company "Legelisten.no AS" launched a website where people could submit anonymous reviews of healthcare personnel. From the same year, the Norwegian DPA Datatilsynet received multiple complaints from affected individuals.  
In 2012, a company "Legelisten.no AS" launched a website where people could submit anonymous reviews of healthcare personnel. From the same year, the Norwegian DPA Datatilsynet received multiple complaints from affected individuals.  


In [[Datatilsynet (Norway) - 15/01355|one case in 2015, the DPA held]] that Legelisten did not have a legal basis for processing personal data related to the website reviews and, further, that Legelisten had to offer an opt-out arrangement for healthcare personnel not wanting their personal data published on the website. The decision was appealed to the [[PVN - 2018-14 (15/01355)|Norwegian Privacy Appeals Board, who overturned]] parts of the DPA's decision, importantly relating to the (lack of) legal basis and the opt-out arrangement.  
In [[Datatilsynet (Norway) - 15/01355|one case in 2015, the DPA held]] that Legelisten did not have a legal basis for processing personal data related to the website reviews and, further, that Legelisten had to offer an opt-out arrangement for healthcare personnel not wanting their personal data published on the website. The decision was appealed to the [[Personvernnemnda (Norway) - 2018-14 (15/01355)|Norwegian Privacy Appeals Board, who overturned]] parts of the DPA's decision, importantly relating to the (lack of) legal basis and the opt-out arrangement.  


Following this, the Norwegian Medical Association brought an action to the Norwegian courts, claiming that the website had no legal basis as per [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] for registering and publishing subjective user reviews of healthcare personnel.
Following this, the Norwegian Medical Association brought an action to the Norwegian courts, claiming that the website had no legal basis as per [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] for registering and publishing subjective user reviews of healthcare personnel.

Latest revision as of 06:18, 6 March 2022

Norges Høyesterett - 2021-2403-A
Courts logo1.png
Court: Norges Høyesterett (Norway)
Jurisdiction: Norway
Relevant Law: Article 4(11) GDPR
Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Article 7 GDPR
Article 7(4) GDPR
Article 9 GDPR
Article 9(2)(a) GDPR
Article 85 GDPR
European Convention on Human Rights Article 10
European Convention on Human Rights Article 8
Grunnloven (The Constitution of the Kingdom of Norway) § 100
Personopplysningsloven (Personal Data Act) § 3
Decided: 07.12.2021
Published: 13.12.2021
Parties: Legelisten.no AS
Legeforeningen (The Norwegian Medical Association)
National Case Number/Name: 2021-2403-A
European Case Law Identifier:
Appeal from: Personvernnemnda (Norway)
2018-14 (15/01355)
Appeal to:
Original Language(s): Norwegian
Original Source: Norges Høyesterett (The Supreme Court of Norway) (in Norwegian)
Initial Contributor: Rie Aleksandra Walle

The Supreme Court of Norway upheld the Privacy Appeal Board's decision related to Legelisten.no (a website containing reviews of healthcare professionals) confirming that it could publish its reviews relying on Article 6(1)(f) GDPR as a legal basis.

English Summary

Facts

In 2012, a company "Legelisten.no AS" launched a website where people could submit anonymous reviews of healthcare personnel. From the same year, the Norwegian DPA Datatilsynet received multiple complaints from affected individuals.

In one case in 2015, the DPA held that Legelisten did not have a legal basis for processing personal data related to the website reviews and, further, that Legelisten had to offer an opt-out arrangement for healthcare personnel not wanting their personal data published on the website. The decision was appealed to the Norwegian Privacy Appeals Board, who overturned parts of the DPA's decision, importantly relating to the (lack of) legal basis and the opt-out arrangement.

Following this, the Norwegian Medical Association brought an action to the Norwegian courts, claiming that the website had no legal basis as per Article 6(1)(f) GDPR for registering and publishing subjective user reviews of healthcare personnel.

Holding

After a balancing of the legitimate interests safeguarded by the website operator Legelisten against the interests of the healthcare personnel, the Supreme Court agreed with the Privacy Appeal Board's decision and found that Legelisten had a legal basis for the processing as per Article 6(1)(f) GDPR.

The Court emphasised that Legelisten.no is an important source for the general public to acquire information about healthcare providers. The measures taken to limit privacy concerns also satisfied what could reasonably be expected. Thus, the DPA's initial decision was overturned and the appeal appeal against the Privacy Appeals Board's decision was rejected.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Norwegian Supreme Court - Judgment: HR-2021-2403-A
References: The Personal Data Act (2018) GDPR A6
Proceedings Oslo District Court TOSLO-2019-98312 - Borgarting Court of Appeal LB-2020-18230 - Supreme Court HR-2021-2403-A, (case no. 21-055809SIV-HRET).
Parties The Norwegian Medical Association (lawyer Cecilie Tandberg Hallan - for trial) against the State v / Personvernnemnda (Government Advocate v / lawyer Stein-Erik Jahr Dahl).
Author Judges Erik Thyness, Ingvald Falch, Wilhelm Matheson, Knut H. Kallerud and Jens Edvin A. Skoghøy.
Last updated 2021-12-13
References in the text Menneskerettsloven (1999) §2, EMKN A8 | The Health Personnel Act (1999) | The Personal Data Act (2000) | Disputes Act (2005) §20-2 | The Personal Data Act (2018) §1, GDPR A4, GDPR A5


(1) Judge Thyness:
Questions and background of the case
(2) The case concerns the validity of the Privacy Board's decision of 21 January 2019 [PVN-2018-14] 1 item 5, where it has been established that Legelisten.no has a legal basis - so-called treatment basis - for registering and publishing subjective user assessments of health personnel. . The question is whether the decision is in accordance with the EU Privacy Regulation (GDPR) article 6 no. 1 letter f. GDPR applies according to the Personal Data Act § 1 as Norwegian law.
Legelisten.no
(3) Legelisten.no is an online service for sharing information about, among other things, doctors. The purpose is to make it easier for patients to choose a therapist. The website was launched in May 2012 and initially included only information about GPs. Later, the website was expanded to also include dentists, specialists outside the public health service, chiropractors, psychologists and video doctors. The website is owned and operated by Legelisten.no AS - hereinafter referred to as Legelisten.
(4) The website is designed so that a search for the name of, for example, a GP gives access to objective information such as name, contact information, gender, age, etc. This corresponds with information in the overview of GPs on the website helsenorge.no, which is the public health portal. At Legelisten.no you will also find assessments of the relevant health personnel. The assessments are given by persons who state that they have been treated by the relevant therapist.
(5) An individual assessment shall include a heading and a description of at least 100 characters. Furthermore, the user is asked to give a rating on a scale from one to five stars based on specified rating criteria. For example, in addition to an overall assessment, GPs have been asked to assess the following conditions: availability, trust and communication as well as service.
(6) The person who submits an assessment is encouraged to include what is good, what can be improved, and constructive criticism. At the same time, it is encouraged to avoid offensive language, accusations of malpractice or crime, personal attacks and the experiences or rumors of others. The user is asked to confirm by ticking that the assessment is based on their own personal experience, and that the person in question has no close private or professional connection to the assessment to which it applies.
(7) The user is then sent an e-mail from the Medical List, in which he or she is asked to confirm the assessment. The procedure takes place as part of the Medical List's quality control and is intended to ensure that it is a real - and not manipulative - user who has written the assessment, and not, for example, a computer.
(8) The medical list conducts a review of the user's subjective assessment. If an opinion violates the internal guidelines, it is either moderated through a dialogue between the Medical List and the user or excluded from publication. These procedures are referred to as the Doctor's moderation function. All statements that the Medical List considers to be in accordance with the Medical List's internal guidelines are published.
(9) The medical list has stated that as of 28 May 2020, approx. 111,000 assessments, of which approx. 89,000 were published.
The procedure for the supervisory authorities
(10) The case started when a dentist contacted the Data Inspectorate in July 2015 because she had received negative reviews on Legelisten.no. Referring to the current law on personal data, she demanded that all information about her be deleted. The Norwegian Data Protection Authority rejected her request in a decision on 6 October 2016.
(11) The dentist appealed the decision to the Privacy Board, which sent the case back to the Data Inspectorate for new processing.
(12) While the Data Inspectorate was working on the case, there were up to 40 inquiries from health personnel, most of whom wanted to make a reservation for mention on Legelisten.no. During the processing of the case, the Data Inspectorate had also been contacted by users who were positive about the service. The Consumer Council, on its own initiative, gave an account of consumer considerations.
(13) The Data Inspectorate assessed the case in accordance with the current Personal Data Act of 2000 and made a decision on 8 November 2017 where the Medical List received a number of orders that the company had to fulfill in order for the processing of information on health personnel to be in accordance with the law. Among other things, conditions were set that the company had to make arrangements for health personnel to be able to "reserve themselves from being assessed on Legelisten.no and that assessments are displayed on the website".
(14) After Legelisten.no was required to introduce a general reservation access, approx. 1,100 reservation requests - most from GPs.
(15) Both the Medical List and the dentist appealed the Data Inspectorate's decision to the Privacy Board. At the request of the Medical Association, the Data Inspectorate decided to postpone the implementation of the order to introduce a reservation right until after the complaint had been processed.
(16) The Privacy Board dealt with the case on the basis of the GDPR. The majority of five members came to the conclusion that the Medical List had a basis for treatment for collecting and publishing subjective assessments of health personnel pursuant to GDPR article 6 no. 1 letter f, without health personnel being given a general right of reservation. In the opinion of the majority, the legitimate interest in communicating the users' subjective statements outweighed the privacy of the health personnel. The minority of two members, on the other hand, concluded that privacy considerations outweighed consumer considerations. In order to remedy the privacy disadvantages, the minority believed that it was necessary to introduce a general right of reservation, as the Data Inspectorate had assumed. Point 5 of the decision was formulated in line with the majority's conclusion and read as follows:

    "The medical list has a basis for treatment for collecting and publishing subjective assessments of health personnel, cf. Article 6 no. 1 letter f, without health personnel being given a general right of reservation for such assessments."

The proceedings before the courts
(17) The Norwegian Medical Association, hereinafter referred to as the Norwegian Medical Association, brought an action against the state before the Privacy Board with a claim that section 5 of the Privacy Board's decision should be declared invalid.
(18) Oslo District Court ruled on 17 December 2019 with the following conclusion:

    «1. The State v / Privacy Board is acquitted.
    2. The Norwegian Medical Association is sentenced to pay legal costs to the state by the Privacy Board NOK 107,300 - one hundred and seventy thousand three hundred -. The amount is due for payment within 2 - two - weeks from the announcement of the judgment. "

(19) The Norwegian Medical Association appealed the district court's judgment to the Borgarting Court of Appeal, which dealt with the case in writing. The Court of Appeal ruled on 5 February 2021 with the following conclusion:

    «1. The appeal is rejected.
    2. Costs are not awarded, neither to the district court nor to the court of appeal. "

(20) The Court of Appeal ruled, like the district court, that the processing of personal data about health personnel on Legelisten.no safeguarded legitimate interests. The court further found that the processing of personal data was necessary in the interests of legitimate interests. Finally, the court found - after a concrete consideration - that the consideration for freedom of expression and the interest in publication outweighed the interests of health professionals and the right to privacy.
(21) The Norwegian Medical Association has appealed to the Supreme Court. The appeal concerns the application of the law and the assessment of evidence.
The parties' views on the matter
(22) The appellant - the Norwegian Medical Association - has briefly stated:
(23) The central legal question in the case is whether the Medical Association has a basis for treatment according to GDPR article 6 no. 1 letter f when registering and publishing subjective assessments of health personnel. This is due to a broad assessment. The Court of Appeal has erred in linking the legal assessment theme to whether a general right of reservation must be established. The correct assessment theme is whether the conditions for treatment basis according to letter f were met at the time of the decision.
(24) In order for an undertaking to have a processing basis pursuant to Article 6 (1) (f) of the GDPR, there must first be a legitimate interest on the part of the data controller or third parties in processing the relevant personal data. This condition is met in our case.
(25) However, the other two conditions of Article 6 (1) (f) of the GDPR are not met.
(26) The second condition of Article 6 (1) (f) of the GDPR is that the processing of personal data must be "necessary for purposes related to the legitimate interests". This is a high threshold. Interventions in privacy must be kept within what is strictly necessary, and the treatment is not necessary if the purpose can be achieved with less intrusive measures.
(27) The medical list could - without going beyond the purpose of the processing of personal data - ensure that the effects on health personnel were less intrusive. Specifically, reference is made to two possible measures: First, the Medical List could prevent the assessments of the health personnel on Legelisten.no from appearing first by pure name searches on the Internet. Secondly, the Medical List could have more consistently ensured that the guidelines for the website were followed.
(28) When registration and publication in this way go beyond what is necessary, one of the conditions of Article 6 (1) (f) of the GDPR is not met.
(29) In the alternative, the Norwegian Medical Association states that the third condition of Article 6 (1) (f) of the GDPR - that the legitimate interests must outweigh the interests of the data subjects or fundamental rights and freedoms - has not been met.
(30) The Privacy Board and the Court of Appeal have attached great importance to the population's interest in the balance. The information value of the website is in reality very limited. At the same time, the Court of Appeal has attached too little weight to the privacy disadvantages. Furthermore, it must be emphasized that the Medical List has not introduced privacy-promoting measures that significantly reduce the disadvantages for health personnel.
(31) It must also be emphasized that many of the negative comments from users who act anonymously may be due to the fact that they have not received what they want - for example, sick leave, prescription or referral to a specialist. Publication of negative comments can lead to doctors, without sufficient reason, giving in to patients' wishes.
(32) When the right to privacy is to be weighed against the right to freedom of expression, the aim of the assessment will be to find a reasonable balance. In the view of the Norwegian Medical Association, the interests of the health personnel in the specific weighing must outweigh the interests of the Medical List and the users. That is not the case here.
(33) The Norwegian Medical Association has filed the following claim:

    «1. The Privacy Board's decision of 21 January 2019, item 5, is invalid.
    2. The State v / Personvernnemnda is ordered to pay the costs of the case for all instances. "

(34) The respondent - the state at the Privacy Board - has briefly stated:
(35) In judicial review of a decision, the court must necessarily take as its starting point the part of the decision that is under review. There is no error of the Court of Appeal to link the legal issue in the case to the absence of a general right of reservation, as long as this is the relationship on which the decision is based.
(36) Since the parties agree that the first condition of Article 6 (1) (f) of the GDPR is met, the question is whether the other two conditions - necessity and proportionality - are also met.
(37) The condition of necessity is met. The purpose of collecting and publishing subjective assessments is to share the patients' own experiences in order to give the users of the online service a better basis for finding a therapist who is suitable for the individual. To achieve this purpose, it is necessary to publish subjective user reviews.
(38) The publication of subjective assessments does not go beyond what is necessary. The assessments are objectively limited to the users 'own experiences with the therapists' services and apply to aspects of the treatment services that are relevant to the choice of therapist.
(39) The general starting point is not changed by the fact that any incorrect or nonsensical assessments slip through the Medical List's moderator check. The medical list will normally have a basis for treatment in accordance with GDPR article 6 no. 1 letter f for the collection and publication of subjective assessments on Legelisten.no - also in those cases where therapists wish to make a reservation.
(40) In balancing the conflicting interests, an important starting point is that the Medical List's sharing of user experiences is protected by freedom of expression, so that the European Court of Human Rights' practice on the balance between the right to privacy and freedom of expression becomes relevant as an interpreting factor and barrier to balancing interests.
(41) The Court of Appeal has rightly concluded that the balancing of interests must be in favor of the Medical List. In this context, it must be emphasized, among other things, that the subjective user experiences have a public interest and are not available elsewhere. Furthermore, the Medical List takes care, as far as is reasonable, of the consideration for the health personnel, among other things by following up that user assessments are in accordance with the Medical List's guidelines. In the overall assessment, it must be borne in mind that the statements apply to the practice of a profession, and that health personnel are persons with a role in public life. There is little reason to fear that health personnel as a result of the risk of negative publicity may be influenced in connection with the issuance of prescriptions, sick leave reports and so on.
(42) The State at the Privacy Board has filed the following claim:

    «1. The appeal is rejected.
    2. The State v / Personvernnemnda is awarded legal costs for the district court, the Court of Appeal and the Supreme Court. "

My view on the matter
Some legal points of departure
(43) The case concerns the validity of the Privacy Board's decision of 21 January 2019 point 5, which was made on the basis of Regulation (EU) 2016/679 of 27 April 2016 (Privacy Regulation) Article 6 No. 1 letter f. The Regulation, which is often referred to with the English abbreviation GDPR, applies according to the Personal Data Act § 1 directly as Norwegian law.
(44) The validity of the Privacy Board's decision depends solely on legal and factual issues. The courts can therefore fully review the decision.
(45) The case concerns what in the GDPR is described as "processing of personal data".
(46) "Personal data" is defined in Article 4 (1) and includes "any data relating to an identified or identifiable natural person". The personal information may, for example, apply to the person's health, finances, work or social relations. The persons to whom the information applies are referred to as the "registered".
(47) "Processing" is defined in Article 4 (2) as "any operation or series of operations carried out on personal data ...". Such operations may typically consist of collection, registration, compilation, storage and delivery, or a combination of such uses.
GDPR Article 6 No. 1 letter f
(48) The collection and publication of subjective user assessments by the doctor's list requires a legal basis - so-called treatment basis - according to the GDPR. The central provision in the case is Article 6 (1) (f), which reads as follows:

    Article 6 Legality of treatment

    1. The treatment is only lawful if and to the extent that at least one of the following conditions is met:

    ...
    (f) the processing is necessary for purposes related to the legitimate interests pursued by the controller or a third party, unless the data subject's interests or fundamental rights and freedoms take precedence and require the protection of personal data, in particular if the data subject is a child. "

(49) Article 6 continues the corresponding provision in the previously applicable Directive 95/46 / EC of 24 October 1995. Practices related to the repealed Directive are thus relevant to the interpretation of the current provision, cf. the judgment of the European Court of Justice of 17 June 2021 in Case C-597/19 MICM section 107.
(50) In order for there to be a basis for treatment under Article 6 (1) (f) of the GDPR, three conditions must be met: First, there must be legitimate interests - in English "legitimate interests" - which justify the treatment. Secondly, the treatment must be necessary to safeguard these interests. Thirdly, after a balancing of interests, the legitimate interests must outweigh the interests of the data subjects or fundamental rights and freedoms.
Legitimate interests
(51) The parties agree that there are legitimate interests in the case here. The judgment of the district court states the following about this criterion:

    "The 'legitimate interests' are several, including patients' freedom of expression, consumer interests, competition considerations, other non-profit considerations such as the possibility of better health services and the Medical List's financial purpose."

(52) Like both the parties and the Court of Appeal, I agree with this. I return to the weight of the individual elements during the balancing of interests.
The necessity requirement
(53) In order for the conditions of Article 6 (1) (f) to be met, the treatment in question must be 'necessary for the purposes of the legitimate interests'.
(54) This condition is expressed in somewhat different ways in different sources. As I understand it, the word "necessary" does not imply a requirement that all aspects of the treatment must be absolutely required. I refer to the judgment of the European Court of Justice of 11 December 2019 in case C-708/18 Asociația de Proprietari. The case concerned the use of video surveillance equipment in a condominium, which the owner of one of the apartments opposed. After reference is made here in section 46 to a statement in a previous judgment that «exceptions to and restrictions on the protection of personal data must be kept within the strictly necessary», it is stated in section 47:

    'That condition implies that the referring court must ascertain whether the legitimate interest pursued in the processing of personal data by the video surveillance at issue in the main proceedings, which essentially consist in providing security for property and persons and preventing offenses, is not reasonable; may be protected just as effectively by other means which are less intrusive to the fundamental freedoms and rights of data subjects, in particular the right to respect for privacy and the protection of personal data as ensured by Articles 7 and 8.2 of the Charter. "

(55) I understand this to mean that the assessment theme is whether the legitimate interests can reasonably be realized equally effectively in another way that is less intrusive towards the fundamental freedoms guaranteed by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (2012). / C 326/02). Article 7 of the Charter corresponds to Article 8 of the European Convention on Human Rights (ECHR) on the right to respect for private and family life, including personal reputation, which according to the Human Rights Act § 2 no. 1 applies as Norwegian law. Article 8 of the Pact concerns the protection of personal data and has the following wording in the Danish version:

    «Protection of personal data
    1. Everyone has the right to the protection of personal data concerning him or her.
    2. This information shall be treated reasonably, for the purposes expressly stated and on the basis of the consent of the persons concerned or on another justifiable basis provided by law. Everyone has the right to access and to the collection of information relating to the person concerned.
    Compliance with these rules shall be subject to the control of an independent authority. "

(56) The Norwegian Medical Association has stated before the Supreme Court that the link between Legelisten.no and widely used search engines - which means that the assessment of, for example, a GP comes high on the hit list when searching by name only - is an aspect of the website that does not meet the necessity. Name searches are performed on the Internet for various reasons. Many of the applications are therefore not motivated by a desire for knowledge about the health services offered by the persons applied for. It is stated that the consequence is a significantly increased spread of, among other things, derogatory assessments on Legelisten.no, which has a very burdensome effect both on those directly affected, and on the person's children and other families.
(57) As I understand the actual circumstances after the procedure before the Supreme Court, the relevant measure in this context is to decouple the assessments on Legelisten.no completely from the relevant search engines. Anyone seeking information about, for example, a specific doctor would, with such a restriction, first have to find Legelisten.no, and then find the mention of the specific doctor there.
(58) I assume that such a decoupling from search engines would lead to a significant decrease in traffic on Legelisten.no and thus have a significant negative effect on Legelisten's revenues and growth opportunities. The medical list has limited financial resources; operating revenues in 2020 were NOK 770,000, which was a modest increase from the two previous years. Such a measure would thus entail a real risk that the website would have to be shut down. In addition, restrictions on the ability to find the assessments on Legelisten.no by simple searches on the web would also mean that people who actually want the type of information found there would more often than today end their searches with an unsolved case.
(59) I find it clear on this background that a decoupling of the user ratings on Legelisten.no from the most used search engines would mean that the legitimate interests behind the website could not be safeguarded as effectively as today. Today's link to search engines consequently meets the necessity requirement. I add that this could possibly have been different if there were adaptation options that would only to a limited extent reduce the information - seeking audience's benefit of Legelisten.no. However, some such possibilities have not been presented to the Supreme Court.
(60) The Norwegian Medical Association does not have significant objections to the control schemes that the Norwegian Medical Association has established to prevent the publication of statements that are in conflict with the guidelines on the website. However, the Norwegian Medical Association claims that the enforcement of the control schemes is so deficient that the privacy disadvantages in practice become unnecessarily large.
(61) The requirement of necessity relates to the measures required to realize purposes related to the legitimate interests. More comprehensive control would have a different and almost opposite purpose, namely to limit the negative side effects of measures used to realize the justified purposes. In my opinion, the relevance and weight of such measures are best treated as part of the balancing of interests, to which I will return immediately.
(62) My conclusion after this is that the necessity requirement is met.
The balance of interests
Generally
(63) A concrete assessment remains to be made with a view to finding the right balance - "a fair balance" - between the conflicting fundamental rights and freedoms protected by European law, cf. the judgment of the European Court of Justice of 24 November 2011 in joint cases C-468/10 ASNEF and C-469/10 FECEMD section 43. The methodological approach here is similar to that in cases where freedom of expression stands against the right to privacy, but there is only partial coincidence in which considerations should be weighed against each other .
(64) As I have explained in connection with the requirement of necessity, the fundamental rights in question in our context, in particular the right to respect for private and family life, including personal reputation, and the right to the protection of personal data, which include the principle of data minimization in GDPR Article 5 No. 1 letter d.
(65) Section 54 of the Asociația de Proprietari Decision states that a relevant aspect of the assessment is whether the information is already publicly known. Furthermore, it follows from sections 56-57 that the seriousness of the violation of the data subjects' rights and freedoms is an essential element in the assessment, and that in this connection it must be considered, among other things, how sensitive the personal data is, the number of people who have gained access to them , and how to access them.
The legitimate interests of the medical list and the general public
(66) In isolation, the doctor's financial interests have a relatively limited weight measured against the health personnel's privacy interests.
(67) The interests of the public are therefore central to the assessment of legitimate interests. An important starting point here is that Legelisten.no gives users of health services the opportunity to exercise their basic right to freedom of expression.
(68) I further consider it clear that Legelisten.no covers an important information need. The health personnel mentioned on Legelisten.no offer services in competition with others based on the principle of free user choice. The users of the services have few other sources of information about the quality of the services, apart from what they become acquainted with through family, friends and acquaintances. For the users, the health personnel's professional competence and interpersonal abilities are important. The users' information needs are therefore significant.
(69) It can be argued that the information value of the user assessments is limited because they only express subjective perceptions and are not based on professional knowledge. Some assessments will also be characterized by the users not receiving the desired result, for example by being denied sick leave or a desired prescription. Although such circumstances mean that the information does not fully cover the needs of the general public, I believe that the assessments have significant information value.
(70) The written explanation from Marit Hermansen, who until recently was president of the Norwegian Medical Association, states that the doctor must "maintain the patient relationship - the most important thing is the personal meeting and dialogue with the patient". Despite the fact that most users' basis for assessing the health personnel's professional competence is limited, there is reason to assume that the user assessments are a fairly good indicator of how satisfied other possible users will be. This is reinforced by the fact that there are gradually quite a few assessments of the individual therapist. It appears from the Privacy Board's decision that at that time 67,000 assessments of a total of 12,000 doctors and other health personnel had been published, ie an average of approx. 5.6 assessments per therapist. The overall picture of the individual can thus be relatively nuanced.
(71) Finally, I point out that user reviews can have a positive effect on competition in the market and provide those who are rated with useful feedback.
(72) The Consumer Council has in a note to the Patient Complaints Board on 26 January 2018 stated that Legelisten.no has an important function. In the memo, the council writes the following about the need for information:

    «Legelisten.no ... appears to be the only measure in Norway that gives consumers the opportunity to orientate themselves and to obtain relevant information about GPs. We therefore believe that there is a strong public interest in the dissemination of such information. In addition, it is our opinion that the Medical List is the only measure that meets patients' desire for a feedback service, which was one of the main findings in our Patient Survey from 2016. »

(73) With regard to frivolous and unreasonable statements, the Consumer Council states that its experience with similar services shows that "consumers have a great understanding of what such 'assessment sites' are, and that there are strengths and weaknesses with such services".
(74) The Norwegian Medical Association has pointed out that Legelisten.no can have a negative effect on society as a whole, in that doctors for fear of negative publicity may be influenced in their role as "gatekeepers" for public services, for example when it comes to requests about sick leave, certificates and the like.
(75) The study "Rumor has it: How do patients respond to patient-generated physician ratings" conducted by Bensnes and Huitfeldt, both researchers at Statistics Norway, included in the Journal of Health Economics 76 (2021), to some extent supports the usefulness of Legelisten.no and indicates that the website has no negative effect on the doctors' "gatekeeper role". Two of the findings in the survey are thus that there is a coincidence between the assessments on Legelisten.no and the choice of doctor, and that there are no signs that the doctors are affected by the user assessments in the exercise of the «gatekeeper role». On the other hand, there are no findings in the study that indicate that doctors change their way of working as a result of the assessments.
Considerations for the health personnel's privacy
(76) The Norwegian Medical Association claims that very many GPs and other health personnel experience negative reviews on Leglisten.no as very burdensome. Examples of such mention are:

    - «Miserable doctor. Arrogant and icy cold. Totally devoid of humanity. "
    - «This man should retire. He has a nasty and slippery appearance ... »
    - «a disrespectful, rude, arrogant and angry doctor»
    - «arrogant, outdated and degrading doctor who neither listens nor follows up»
    - "is only concerned with getting paid and getting the patient out as soon as possible"
    - "grumpy old man"

(77) It is also pointed out that Legelisten.no, in violation of its own guidelines, has published assessments that appear as specific accusations of incorrect treatment or misdiagnosis. Among other things, reference is made to the following statements:

    - "Irresponsible, assembly line treatment, fast, sloppy and poor work with unsuccessful results."
    - "Only cares about blood test results and ignores symptoms and evidence of various conditions that occur."
    - «She removed a mole on my shoulder and sewed it together. It turned out to end catastrophically. First, she could not sew it together properly, so the wound was open and I got an intense infection. "

(78) It appears from the written testimony of the Court of Appeal from Roger Kristiansen, technical manager of the Medical List, that the website has around 2.2 million unique users per year. When you also know that you get a link to Legelisten.no high in the hit list when searching with the most used search engine on the Internet, this means that the assessments can be widely spread. This applies not only to those who apply to make a choice of, for example, a GP, but also to those who apply for the person's name for other reasons.
(79) This means that the burden of negative publicity on Legelisten.no can be perceived as significant, not only in a professional context, but also in the local community and among family, friends and acquaintances. The Norwegian Medical Association has emphasized that the burden feels particularly great for GPs, who have recently been assigned constantly new tasks with the consequent increased work pressure. They also experience the mentioned "gatekeeper role" as demanding.
(80) However, most of the reviews on Legelisten.no are positive. It appears from the aforementioned testimony from Roger Kristiansen that the average of all assessments is 4.1 out of 5 achievable stars. Only one in five reviews is on one or two stars. This may mean that mentioning Legelisten.no for many is first and foremost a positive experience. For some, however, fear of negative publicity can be stressful, even if they have not yet been affected by it.
(81) The Medical Association has, with reference to, among other things, point 47 in the preamble to the GDPR, emphasized that emphasis must be placed on whether the health personnel must have a "reasonable expectation" about the Medical List's use of personal data. This criterion can provide guidance where the data subject actively discloses personal information, for example as a customer to a supplier or as an employee or jobseeker to an employer. In a case like this, the criterion provides less guidance. Healthcare professionals must undoubtedly be prepared to be assessed and discussed by their users. However, in terms of the form and extent of the spread, they can hardly base reasonable expectations on anything other than what is generally accepted, including the privacy regulations. Thus, one is largely back to the assessments I have already accounted for.
(82) The weight of the burden on health personnel must be seen in the light of the fact that the assessments on Legelisten.no are related to their practice of a profession. Negative publicity then hits less hard than if it had been purely personal matters. Factual criticism must be tolerated by health personnel. In addition, there will normally be several assessments of the individual, so that individual unreasonable or unreasonable assessments in many cases are balanced by other more positive reviews.
Measures to limit the privacy disadvantages
(83) The Norwegian Medical Association has also emphasized during the balancing of interests that it is important that personal information is obtained through the use of Google and other search engines. It is true that the Medical List does not use privacy-enhancing technology that shields the subjective assessments from the search engines, and I agree that this in isolation points in the direction of a lack of treatment basis. I still believe that the moment has limited weight in the balance of interests. As I mentioned during the discussion of the condition of necessity, a decoupling from the search engines will reduce the accessibility for the users, which will reduce the legitimate interests that the website safeguards.
(84) As mentioned, the Norwegian Medical Association argues that inadequate control of compliance with the guidelines on Legelisten.no means that the privacy disadvantages are unnecessarily great. In this context, reference is made to an auxiliary document with 181 published assessments which the Norwegian Medical Association believes is contrary to the guidelines. The examples of statements that I have already referred to are taken from this help document. The Norwegian Medical Association has emphasized that the list is based on random examples found on Legelisten.no - there has in no way been a complete review of the large number of user assessments.
(85) The Norwegian Medical Association has also pointed out that there is no general reservation access for health personnel who do not want reviews on Legelisten.no, and that the many examples of abuse in user assessments show that the control schemes are not sufficiently effective.
(86) I have initially outlined the Medical List's guidelines for user assessments and procedures for verifying users' identities and ensuring that they are familiar with and accepting the guidelines, as well as the Medical List's moderating function, which aims to weed out assessments that do not comply the guidelines. As stated earlier, statements that are in breach of the guidelines do not pass through. At the same time, there is a high number of trampling that is followed up by the Medical List, and is not published.
(87) In order to detect abuse, healthcare professionals and others can mark assessments to which they respond with a flag message. Health personnel also have the opportunity to contribute to a balancing of the information on Legelisten.no by providing a response. The duty of confidentiality and lack of knowledge about who has given the assessment, and thus which situation is described, make this scheme rather ineffective. However, it does not appear to be relevant to revoke the users' anonymity, which for many must be assumed to be a prerequisite for contributing sincere reviews to the website.
(88) Healthcare professionals can also request the deletion of statements, and the Medical List practices a right for healthcare professionals to reserve themselves from being included on the list "if compelling reasons so require". The scheme is practiced so that it is assumed that the disadvantages must be greater than any other doctor, etc. will be able to invoke. It therefore takes a lot to get an application for a dispensation upheld. At the time of the Data Inspectorate's decision in 2017, just under 50 reservation requests had been received, of which only eleven had been granted. The reservation scheme thus has limited practical significance.
Balance of interests and conclusion
(89) There is a significant need for information to the population as a basis for choosing doctors and other providers of health services. Legelisten.no appears to be by far the most effective offer of such information today, even though a system that is based solely on subjective user reviews has clear weaknesses.
(90) It is natural that people who receive negative reviews and to some extent unreasonable criticism on a website with a very high number of users, perceive this as burdensome. However, most assessments are positive, and any evaluation system must necessarily mean that some get weaker results than others. I also trust what the Consumer Council states that most people understand what such "assessment sites" are, and thus read unreasonable assessments with a critical eye.
(91) In my opinion, the doctor's measures to limit privacy disadvantages satisfy what can reasonably be expected, even if it does not allow assessments to be made in violation of the guidelines.
(92) After an overall balance of the relevant factors, my assessment is that the justified considerations underlying Leglisten.no - and in particular the public's need for information about health service providers - must outweigh the consideration for the health personnel's privacy.
(93) I therefore agree with the Privacy Board, when it concluded that there was a basis for treatment.
Conclusion and legal costs
(94) I have come to the conclusion that the Privacy Board's decision of 21 January 2019 is valid, and the appeal must therefore be rejected.
(95) The case has raised questions of principle that have not been dealt with by the Supreme Court before, and it concerns questions that are due to difficult considerations of a discretionary nature. These are compelling reasons that make it reasonable not to award legal costs, cf. the Disputes Act § 20-2 third paragraph.
(96) I vote in favor

JUDGMENT:
1. The appeal against the judgment of the Court of Appeal, the conclusion of the judgment, point 1, is rejected.
2. Legal costs are not awarded for any instance.
(97) Judge Falch: I essentially and in the result agree with the first voter.
(98) Judge Matheson: Likewise.
(99) Judge Kallerud: Likewise.
(100) Judge Skoghøy: Likewise.
(101) Following the vote, the Supreme Court dismissed this

JUDGMENT:
1. The appeal against the judgment of the Court of Appeal, the conclusion of the judgment, point 1, is rejected.
2. Legal costs are not awarded for any instance.
1 Added by Lovdata.

User guide

    Information in English

    Adjust text size Hold down the Ctrl key (Cmd key on Mac). Simultaneously press + to enlarge or - to decrease. Help Contact