Datatilsynet (Norway) - 22/03622: Difference between revisions

From GDPRhub
No edit summary
 
(4 intermediate revisions by 3 users not shown)
Line 67: Line 67:
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=Rie Aleksandra Walle
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Riealeksandra Rie Aleksandra Walle]
 
|
|
}}
}}


The Norwegian DPA has imposed a ban on the national statistical institute's planned real-time mass-processing of nearly all purchase transactions in the country, including linkage to bank accounts and birth dates, for the purpose of providing official statistics.
The Norwegian DPA imposed a ban on the national statistical institute's planned real-time mass-processing of nearly all purchase data in the country, including linkage to bank accounts and birth dates, for the purpose of providing official statistics.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
In May 2022, the Norwegian DPA was approached by a grocery chain and a payment transaction provider regarding an instruction the former had received from Statistics Norway (SSB), the national statistical institute, to submit purchase transaction data to them. The DPA had also received several complaints and inquiries from private parties regarding this matter, and in June they asked SSB, by letter, to clarify. Following their reply, the DPA and SSB had a meeting in August.
In May 2022, the Norwegian DPA was approached by a grocery chain and a payment transaction provider regarding an instruction the former had received from the national statistical institute Statistics Norway (SSB), to submit purchase data ("bongdata" in Norwegian) to them. The DPA had also received several complaints and inquiries from private parties regarding this matter, and in June they asked SSB, by letter, to clarify. Following their reply, the DPA and SSB had a meeting in August.


The various interactions clarified that SSB had instructed the main grocery chains in Norway (Rema 1000, NorgesGruppen, Coop and Bunnpris, accounting for about 99% of the Norwegian grocery market) to start submitting purchase transaction data ("bongdata" in Norwegian) to them on a regular basis, including:
The various interactions clarified that SSB had instructed the main grocery chains in Norway (Rema 1000, NorgesGruppen, Coop and Bunnpris, accounting for about 99% of the Norwegian grocery market) to start submitting purchase data ("bongdata" in Norwegian) to them on a regular basis, including:


* name of item
* name of item
* price per item* total amount of the receipt
* price per item* total amount of the receipt
*payment method
* payment method
*amount per payment method
* amount per payment method
*start and end time of the purchase
* start and end time of the purchase
*ID of returns
* ID of returns
*ID for terminated purchase
* ID for terminated purchase
*ID of offers/discounts
* ID of offers/discounts
The data would be reported directly from their point of sale systems so that SSB would receive the data continuously. Purchased items would be classified into product groups and consumers would be classified by size and type of household, income, level of education and country region. This would be contingent on a connection to transactional data/bank account number and then birth date.


SSB's claimed legal basis for the processing was the Statistics Act § 10 Duty to provide information, which states that "any person must provide the data that are necessary to develop, produce or disseminate official statistics if so ordered by Statistics Norway". The purpose of the intended processing was to develop, produce and disseminate official statistics as per the Statistics Act, and SSB considered the processing to be necessary.
The data would be reported directly from the point of sale systems so that SSB would receive the data continuously. Purchased items would be classified into product groups and consumers would be classified by size and type of household, income, level of education and country region. This would be contingent on a connection to transactional data/bank account number and then birth date.


During the investigation, SSB shared two data protection impact assessments (DPIA) with the DPA, one dated 27 January 2021 and the other from the period October 2021 to June 2022.
The purchase data do not in themselves contain any personal data. The intention is, however, to connect these with transactional data which then makes it possible to relate the data to an individual person. SSB will link these to transaction data quickly after continuously receiving them, and thus the DPA finds that it is correct to view the purchase data as personal data from the point of collection, and references Recital 26 GDPR. Because of this, the DPA assessed the interference the collection of purchase data represents.


On 29 November 2022, the DPA notified SSB of their intention to ban the planned processing. SSB then submitted their comments and a legal consideration by a law firm, in January 2023. This did not, however, affect the DPA's intention to ban the processing.
SSB's claimed legal basis for the processing was the Norwegian Statistics Act § 10 Duty to provide information, which states that "any person must provide the data that are necessary to develop, produce or disseminate official statistics if so ordered by Statistics Norway". The purpose of the intended processing was to develop, produce and disseminate official statistics as per the Statistics Act, and SSB considered the processing to be necessary. During the investigation, SSB shared two data protection impact assessments (DPIA) with the DPA, one dated 27 January 2021 and the other from the period October 2021 to June 2022.


=== Holding ===
=== Holding ===
From the first DPIA, the DPA highlighted a section describing that information about nearly all grocery purchases for the entire population of Norway would be collected, stored indefinitely, without allowing the data subjects to exercise their rights (because of exceptions in the national regulations). The DPA noted that SSB would receive extensive data more or less in real-time and with a high degree of accuracy, about every individual's grocery shopping, including where, how and what they purchased, for any purchase made at stores covering 99% of the Norwegian market (unless they paid by cash).
From the first DPIA, the DPA highlighted the fact that information about nearly all grocery purchases for the entire population of Norway would be collected, stored indefinitely, without allowing the data subjects to exercise their rights (because of exceptions in the national regulations). The DPA noted that SSB would receive extensive data more or less in real-time and with a high degree of accuracy, about every individual's grocery shopping, including where, how and what they purchased, for any purchase made at stores covering 99% of the Norwegian market (unless they paid by cash).


The DPA also noted that SSB's assessments are inadequate and their impression is that SSB had an insufficient understanding of the concept of personal data protection, privacy as a fundamental right and the value of adequate privacy.
The DPA makes an interesting discussion on the right to respect for a private life under the European Convention on Human Rights (ECHR). This right is adopted in Norwegian law, both through ECHR and the Constitution § 102. When public authorities collect and store personal data, this is in ''itself'' interfering with privacy. The DPA emphasizes that in a democratic society, legal certainty is a central foundation and a principle in a democracy is that the state does not inferfere with citizens' private life without a basis in law (the principle of legality, as anchored in the Constitution § 113). The requirements for this basis in law increases with the severity of the interference. So even if SSB has a general basis in law for creating statistics, the interference in privacy in this particular case is so great that the DPA finds it cannot be justified with this only.


Consequently and based on [[Article 58 GDPR#2f|Article 58(2)(f) GDPR]], the DPA held that Statistics Norway did not have a sufficient supplementary legal basis as per [[Article 6 GDPR#3|Article 6(3) GDPR]] to process the transaction personal data ("bongdata" in Norwegian) as intended, and has imposed a ban on the processing.
SSB tried to claim that the DPA was wrong in identifying them as "the state", to which the DPA responds that SSB is a public authority, funded over the National Budget, and despite being an independent authority clearly a part of the Norwegian state.


SSB has three weeks to object to the decision. The DPA will then review the complaint and if they decide to uphold the decision, the case will be sent to the Norwegian Privacy Appeals Board.
On 29 November 2022, the DPA notified SSB of their intention to ban the planned processing. SSB then submitted their comments and a legal consideration by a law firm, in January 2023. This did not, however, affect the DPA's intention to ban the processing.
 
The DPA found that SSB's assessments are inadequate and their impression is that SSB has an insufficient understanding of the concept of personal data protection, privacy as a fundamental right and the value of adequate privacy. The DPA viewed that collection and storage of personal data by public authorities is an intrusion in in itself which must form the basis for the assessment of any interference with privacy.
 
Consequently, the DPA held that SSB did not have a sufficient supplementary legal basis as per [[Article 6 GDPR|Article 6(3) GDPR]] to process the transaction personal data ("bongdata" in Norwegian) as intended, and based on [[Article 58 GDPR|Article 58(2)(f) GDPR]] imposed a ban on the processing.


== Comment ==
== Comment ==
''Share your comments here!''
== Further Resources ==
== Further Resources ==
''Share blogs or news articles here!''
''Share blogs or news articles here!''
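Review bot: The new revision's Holding text introduces two typos, "inferfere" (in the paragraph on the ECHR) and "in in itself" (in the paragraph on SSB's assessments), and the item list still fuses two entries into one bullet ("* price per item* total amount of the receipt") on both sides of the change; correct the spellings and split the bullet into "price per item" and "total amount of the receipt". The revision also drops the sentence about SSB having three weeks to object, and the change carries no edit summary, so a short summary stating why that sentence was removed would make the edit reviewable.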

Latest revision as of 08:41, 31 May 2023

Datatilsynet - 22/03622
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(c) GDPR
Article 6(3) GDPR
Article 58(2)(f) GDPR
Statistikkloven (The Statistics Act, in English)
Statistikkloven (The Statistics Act)
Type: Investigation
Outcome: Violation Found
Started: 01.05.2022
Decided: 26.04.2023
Published: 02.05.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 22/03622
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Norwegian
Original Source: Datatilsynet (press release) (in NO)
Datatilsynet (the Norwegian DPA) (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA imposed a ban on the national statistical institute's planned real-time mass-processing of nearly all purchase data in the country, including linkage to bank accounts and birth dates, for the purpose of providing official statistics.

English Summary

Facts

In May 2022, the Norwegian DPA was approached by a grocery chain and a payment transaction provider regarding an instruction the former had received from the national statistical institute Statistics Norway (SSB), to submit purchase data ("bongdata" in Norwegian) to them. The DPA had also received several complaints and inquiries from private parties regarding this matter, and in June they asked SSB, by letter, to clarify. Following their reply, the DPA and SSB had a meeting in August.

The various interactions clarified that SSB had instructed the main grocery chains in Norway (Rema 1000, NorgesGruppen, Coop and Bunnpris, accounting for about 99% of the Norwegian grocery market) to start submitting purchase data ("bongdata" in Norwegian) to them on a regular basis, including:

  • name of item
  • price per item
  • total amount of the receipt
  • payment method
  • amount per payment method
  • start and end time of the purchase
  • ID of returns
  • ID for terminated purchase
  • ID of offers/discounts

The data would be reported directly from the point of sale systems so that SSB would receive the data continuously. Purchased items would be classified into product groups and consumers would be classified by size and type of household, income, level of education and country region. This would be contingent on a connection to transactional data/bank account number and then birth date.

The purchase data do not in themselves contain any personal data. The intention is, however, to connect these with transactional data which then makes it possible to relate the data to an individual person. SSB will link these to transaction data quickly after continuously receiving them, and thus the DPA finds that it is correct to view the purchase data as personal data from the point of collection, and references Recital 26 GDPR. Because of this, the DPA assessed the interference the collection of purchase data represents.

SSB's claimed legal basis for the processing was the Norwegian Statistics Act § 10 Duty to provide information, which states that "any person must provide the data that are necessary to develop, produce or disseminate official statistics if so ordered by Statistics Norway". The purpose of the intended processing was to develop, produce and disseminate official statistics as per the Statistics Act, and SSB considered the processing to be necessary. During the investigation, SSB shared two data protection impact assessments (DPIA) with the DPA, one dated 27 January 2021 and the other from the period October 2021 to June 2022.

Holding

From the first DPIA, the DPA highlighted the fact that information about nearly all grocery purchases for the entire population of Norway would be collected, stored indefinitely, without allowing the data subjects to exercise their rights (because of exceptions in the national regulations). The DPA noted that SSB would receive extensive data more or less in real-time and with a high degree of accuracy, about every individual's grocery shopping, including where, how and what they purchased, for any purchase made at stores covering 99% of the Norwegian market (unless they paid by cash).

The DPA offers an interesting discussion of the right to respect for private life under the European Convention on Human Rights (ECHR). This right is adopted in Norwegian law, both through the ECHR and the Constitution § 102. When public authorities collect and store personal data, this in itself interferes with privacy. The DPA emphasizes that in a democratic society, legal certainty is a central foundation, and that a principle in a democracy is that the state does not interfere with citizens' private life without a basis in law (the principle of legality, as anchored in the Constitution § 113). The requirements for this basis in law increase with the severity of the interference. So even if SSB has a general basis in law for creating statistics, the interference with privacy in this particular case is so great that the DPA finds it cannot be justified on this basis alone.

SSB tried to claim that the DPA was wrong in identifying them as "the state", to which the DPA responds that SSB is a public authority, funded over the National Budget, and despite being an independent authority clearly a part of the Norwegian state.

On 29 November 2022, the DPA notified SSB of their intention to ban the planned processing. SSB then submitted their comments and a legal consideration by a law firm, in January 2023. This did not, however, affect the DPA's intention to ban the processing.

The DPA found SSB's assessments inadequate, and its impression is that SSB has an insufficient understanding of the concept of personal data protection, privacy as a fundamental right and the value of adequate privacy. The DPA took the view that the collection and storage of personal data by public authorities is an intrusion in itself, which must form the basis for the assessment of any interference with privacy.

Consequently, the DPA held that SSB did not have a sufficient supplementary legal basis as per Article 6(3) GDPR to process the transaction personal data ("bongdata" in Norwegian) as intended, and based on Article 58(2)(f) GDPR imposed a ban on the processing.


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

STATISTICAL CENTRAL BUREAU
PO Box 2633 St. Hanshaugen
0131 OSLO









Your reference: 22/993
Our reference: 22/03622-15
Date: 26.04.2023



Decision on banning the processing of personal data

The Norwegian Data Protection Authority refers to our control case related to Statistics Norway's decision on the obligation to provide information in the form of handover of bong data for four grocery players.

In its decisions, Statistics Norway (hereafter SSB) has ordered the four players to transfer bong data for the customers' goods transactions. The four players are NorgesGruppen ASA, Coop Norge AS, Rema 1000 AS and Bunnpriskjeden.

1. Resolution
Pursuant to Article 58(2)(f) of the General Data Protection Regulation (GDPR), the Norwegian Data Protection Authority has today made the following decision:

        The Norwegian Data Protection Authority prohibits the processing of bong data on the basis of a decision on the obligation to provide information determined by Statistics Norway. There is no sufficient supplementary legal basis for the processing, cf. Article 6(3) GDPR.

2. The proceedings

The Norwegian Data Protection Authority became aware of the case through inquiries from NorgesGruppen ASA and
the payment intermediary Nets Branch Norway in May 2022.

The Norwegian Data Protection Authority has also received several complaints and inquiries from private individuals in this matter.


We sent a demand for an explanation to Statistics Norway on 02.06.2022. Statistics Norway answered our questions in a letter dated 13.06.2022.


On 29 August 2022, a meeting was held between the Norwegian Data Protection Authority and Statistics Norway in connection with the case. Minutes of the meeting were taken. Draft minutes were sent to Statistics Norway on 01.09.2022, and Statistics Norway gave its comments on the minutes on 07.09.2022. The final report was sent to Statistics Norway on 21 September 2022.






Postal address: PO Box 458 Sentrum, 0105 OSLO
Office address: Trelastgata 3, 0191 OSLO
Telephone: 22 39 69 00
Organization number: 974 761 467
Website: www.datatilsynet.no

Datatilsynet has also received a copy of correspondence relating to NorgesGruppen ASA's and Coop Norge AS' complaints about Statistics Norway's decision on the release of bong data. As far as we know, the complaints are still being processed by the Ministry of Finance as the complaints body.

In a letter dated 29 November 2022, we notified Statistics Norway of a decision to ban the processing of personal data in the form of bong data. Statistics Norway has commented on the notice in a letter dated 23.01.2023, with an attached legal assessment from Advokatfirmaet Schjødt AS. We have incorporated the comments in the decision where considered relevant.

3. More details about SSB's planned processing of bong data
3.1 Statistics Norway's decision on the obligation to provide information
In the decisions on the obligation to provide information to the grocery operators, Statistics Norway states that bong data from the grocery trade is considered to be of great use for the production of official statistics which are important to society. Statistics Norway will produce statistics on consumption in Norwegian households and new statistics on diet.

Furthermore, it appears from the decisions that the data will be used to investigate whether the consumer price index and the merchandise trade statistics can have bong data as a data basis.

Statistics Norway will also test and develop new methods to ensure even greater confidentiality in
statistics production.


The voucher data will include, among other things:
    • product name
    • price per item
    • total amount on receipt
    • method of payment
    • amount per payment method
    • start and end time for trading
    • identifier on return
    • identifier of completed trade
    • identifier of the sale/offer

Any customer loyalty numbers must not be reported.

The voucher data must be reported as streamed data from the cash register systems, so that Statistics Norway receives the data continuously.


NorgesGruppen ASA and Coop Norge AS have appealed against the decisions on the obligation to provide information. SSB
has maintained its decisions and forwarded the complaints to the Ministry of Finance on 04.10.2022
for complaint processing.









3.2 Statistics Norway's reports to the Norwegian Data Protection Authority
3.2.1 Statement of purpose
In the statement from Statistics Norway dated 13 June 2022, it appears that Statistics Norway considers development, preparation and
dissemination of official statistics as one processing purpose, as the tasks are set out in
the Statistics Act.

This interpretation appears from the legislative preparations, Prop. 72 LS (2018-2019), in the notes to the purpose provision in § 1 and to § 17 on SSB's tasks. Here, development, preparation and dissemination of official statistics are referred to as one main purpose and one main task. It also appears from point 10.4 of NOU 2018: 7 New Act on Official Statistics and Statistics Norway that: "Method development is an integral part of the work of producing statistics".

Statistics Norway points out, however, that the assessment of necessity and the result of concrete data minimization could turn out differently depending on whether the purpose is development or preparation of current statistics.

In the letter of 23 January 2023, it appears that Statistics Norway has nevertheless assessed the overall data need as a whole (development, preparation and dissemination of official consumption and dietary statistics) and planned for one data collection instead of collecting several almost identical, parallel data sets. The background is that Statistics Norway believes that there is one purpose with several statistical products and associated development work.


3.2.2 Assessment of the privacy intervention
In the letter of 23 January 2023, it appears that Statistics Norway believes that the privacy intervention is proportionate and
justified based on the purpose of the processing, the limited collection period and
the measures that have been established to reduce the privacy disadvantages. Statistics Norway has placed a decisive emphasis on
the purpose of the processing and the measures implemented.


Statistics Norway also points out that it was the data protection commissioner who recommended revising the decision on the disclosure obligation to be time-limited to the period 2022 – 2023. An important part of the methodological work in the two-year period is described as the assessment and concretization of data-minimizing measures both before and after the collection, without the quality of the statistical products being reduced. Relevant measures can be periodic data collection, various forms of selection and storage limitations.


3.2.3 Quality requirements
In the letter of 23 January 2023, Statistics Norway refers to the quality requirements in Section 5 of the Statistics Act, which correspond to the requirements of European Parliament and Council Regulation (EU) 223/2009. Compliance with the quality requirements requires data of a certain content and scope.

Section 5 of the Statistics Act states, among other things, that statistics must be "relevant, accurate, up-to-date, punctual, accessible and clear, comparable and coherent".

Statistics Norway points to bong data as an example of a data source that has great potential to increase
the quality of several statistics.





3.2.4 Consumption statistics
Statistics Norway has explained what it wants to achieve by using bong data to produce
consumption statistics.

According to Statistics Norway, bong data will improve the quality of consumption statistics. The voucher data will be linked to self-reported purchases (on the basis of consent), and it will be possible to correct for measurement errors in the self-report. The comparison will provide a basis for supplementing the statistics with improved uncertainty estimates.

The production of statistics will also be made more efficient by classifying grocery purchases automatically. The methods for automatic classification have been developed with test voucher data from 2018. This has an impact on the quality of the statistics, but it will also have a great impact on the resource use that goes into preparing the statistics. Furthermore, the statistics on grocery consumption are broken down at far more levels than has been possible in the past.

In addition, Statistics Norway will be able to gain valuable knowledge about the strengths and weaknesses of the various data sources, so that one can further develop the methods for estimating uncertainty and adjusting for biases. This is one of several possible analyses, which may in turn provide a basis for data minimization in future statistics production.

3.2.5 Dietary statistics

Since the beginning of 2020, Statistics Norway has investigated the possibilities for preparing new diet statistics based on information about which foodstuffs the Norwegian population buys from the largest players in the grocery market. The work has been carried out in close collaboration with, among others, the Norwegian Directorate of Health and the large grocery chains.

Statistics Norway plans to publish official diet statistics based on information on food sales from grocery chains and information on the nutritional content of food obtained from other sources, based on test voucher data from 2018. From 2023, the diet statistics will be further developed with new bong data and information from other data sources, including information on households from registers SSB already uses in other statistical production.

Access to all information that the grocery chains can supply (so-called full count) is as of today crucial for Statistics Norway to be able to produce dietary statistics. Complete data will provide a basis for development work that may lead to future data minimization. This work could not be done without obtaining data on all purchases, where one looks at occurrences in and variations between smaller groups. Statistics Norway also considers it necessary to use a full count in order to observe basic statistical principles such as quality awareness, cost-effectiveness, relevance, accuracy and reliability.

3.3 Summary of the meeting between the Norwegian Data Protection Authority and Statistics Norway

In the meeting held in August 2022, Statistics Norway explained its mandate: develop, prepare and disseminate official statistics. Furthermore, Statistics Norway explained that they, through political guidance and assignment letter, are required to look for and use new data sources as a basis for statistics, in addition to developing new methods for statistics production.





SSB explained its work with consumption statistics, that is, statistics on what the country's households spend money on. The last survey was carried out in 2012. Statistics Norway has had problems with obtaining acceptable data quality as the survey has been based on voluntary reporting, with a significant task burden for the participants and high drop-out rates. Furthermore, the Norwegian Directorate of Health has expressed a need for dietary statistics as a basis for public health work, and Statistics Norway has an established collaboration with the grocery chains to develop a data base.

Barcode data is already collected today from, among others, grocery chains for use in the consumer price index (CPI), but in an aggregated format. Furthermore, Statistics Norway has received bong data and bank transaction data in a development project where it was investigated whether bong data can be used for the desired purpose – consumption and diet statistics. Parallel to the collection of new bong data, Statistics Norway will collect data through self-reports, where consumers, among other things, can scan receipts.


SSB described in more detail the planned processing of bong data internally at SSB. The goods which are purchased will be classified into product groups. Furthermore, consumers will be classified according to household size/type (about 10 groups in total) and other background variables, such as household income (grouped), level of education and region/region. This presupposes a link to transaction data/account number and then national ID number.

All use of information, including linking bong data to bank transaction data and account number, is done with pseudonymous data, so that the individual receipt cannot be linked directly to an individual. The receipts as they are received are stored in the system as raw data, that is, without the link to the individuals who have made the purchases. Systems for access management have been established, and access to raw data is strictly regulated. In principle, however, it is possible to make the connection again at a later time.

For the further processing of the bong data internally at Statistics Norway, the individual transaction will therefore be aggregated at household group level. As the treatment is now planned and presented, it will not be possible to follow an individual household over time - only household groups. Statistics Norway focuses on removing the data it does not need as early as possible in the process. A statutory confidentiality requirement applies to the publication of official statistics, that is to say that individuals/households should neither directly nor indirectly be identifiable.


Statistics Norway plans an evaluation of the solution in 2023, where, among other things, the level of detail of the data,
frequency and extent will be assessed.

3.4 The cost-benefit assessment
Section 10 fifth subsection of the Statistics Act requires that Statistics Norway conduct a cost-benefit assessment before it decides to adopt an order on the obligation to provide information.










SSB has published the cost-benefit assessment on its website. We summarize below the parts of the assessment that relate to consequences for data subjects' privacy.

Statistics Norway states in its assessment that bong data from the grocery chains does not contain personal data in itself. Through links to other sources, bong data can still be linked to a person. By connecting a bong to a payment transaction (a payment by bank card), purchases of goods can be linked to individuals and households via data from the Norwegian Tax Agency and the National Register of Citizens. The connection to a person will be possible for more than 70% of the vouchers.

Statistics Norway considers that the bong data acquires the character of being sensitive personal data when they are linked to an individual and a household. It is emphasized that the bong data are distinctive both because of the large amount of data and because the information is not already available in public registers. In addition, Statistics Norway will receive the data in near real time and with a high degree of detail. The linked data will include information about where and when the individual has shopped for groceries, and detailed information will appear about which goods and what quantity of goods have been bought.

This applies to all purchases from the four grocery operators that are not paid in cash. The players together cover 99% of the market.

Statistics Norway recognizes that the individual consumer cannot be expected to be aware that Statistics Norway wants to
use the electronic traces from current purchases, and forward these with
personally identifiable data, to create statistics. Statistics Norway states that it is therefore important that
the bong data is treated with extra care, and Statistics Norway will implement extra measures to
safeguard privacy and information security.

The privacy deficiencies must be remedied through the general security measures that apply to all
processing of statistical information. Statistics Norway must ensure confidentiality in all dissemination of
statistics. Furthermore, SSB's employees and contractors are subject to a duty of confidentiality, and SSB must
implement measures to achieve a satisfactory level of security. This includes, among other things,
ensuring adequate access management, logging and subsequent control, as well as regular
risk and vulnerability analyses and threat simulations.

Statistics Norway will pseudonymise the personal data upon receipt, and aggregations of data adapted
to the individual statistical needs will be an important measure. An important part of the investigative work will
be aimed at the development of new methods for data minimization and privacy-promoting
production processes when processing this type of data.

Furthermore, the information shall only be used for statistical purposes within the framework of
the Statistics Act. According to Statistics Norway, statistical use is generally a purpose that has a low
privacy risk.

In its assessment of whether the information is necessary and relevant, cf. the principle of
data minimisation, Statistics Norway states that different forms of selection of bong data could probably have been
sufficient for some of the relevant statistical purposes. Daily reporting of bong data at
product level will, however, also enable many forms of development work, both for new
statistical products and for methods for processing this type of data. This work will not be
possible with sample surveys, aggregations or less frequent data deliveries.

Statistics Norway assesses that there are no conditions in the bong data that indicate limitations in
secondary use.


3.5 The assessment of privacy consequences
The Norwegian Data Protection Authority has received two assessments of privacy consequences (DPIA) from Statistics Norway, one
dated 27.01.2021 and the other from the period October 2021 to June 2022.

The first assessment relates to the completed development project in which the use of bong data
was tested, while the second assessment concerns the planned processing.
The Norwegian Data Protection Authority nevertheless considers several of the assessments in the privacy impact assessment dated
27.01.2021 to be relevant for the planned use of bong data.

On page 4 of the assessment from 27.01.2021, it is explained why a need has been identified
for such a privacy impact assessment:

        "Data from the grocery chains contains detailed information about which products are
        purchased, location and time. Bank transaction data includes all purchases with
        debit cards, of all types, in addition to the location and time of transaction. Because these two
        sources are linked to bank account and bank account owner, it will be possible to make
        compilations so that we can link individuals to time, place and what they
        buy of goods and services. The potential to be able to make such connections suggests that
        the data is considered to contain personally identifiable and sensitive information, and they
        must be dealt with accordingly".


Furthermore, it appears on page 6 et seq. that information will be collected on virtually all
grocery purchases for the entire Norwegian population, and the data must be stored permanently. Nor can the
registered persons exercise their rights, as exceptions to these rights have been made
in the regulations.

As regards how the processing will be perceived from the data subject's point of view,
the following appears on pages 10 and 11:

        “The data described in this DPIA contains directly identifiable
        personal data. It must be assumed that the registered person experiences this as intrusive and
        basically offensive.

        We are talking about large amounts of data that apply to information that does not exist in
        public records. This means that those to whom the information applies are neither prepared for,
        nor have an expectation, that this information will be collected and processed by a
        public authority. However, the data subject is aware that the information
        is registered and is available to the grocery chains.

        In our opinion, the privacy disadvantage consists of perceived discomfort when a public
        authority sits on this type of information which is perceived by many to belong to the
        private sphere. Correspondingly, it can be experienced as a disadvantage for traders, among other
        things based on competitive assessments. The privacy disadvantage
        increases when the information is compiled with other sources. Receipt data for
        persons are planned to be linked with account holder information from the tax authorities and
        transaction data from banks, as well as the household register.

        The disadvantages described above are partially remedied by general security measures that apply to all
        processing of statistical information in Statistics Norway. In addition, there are SSB's special
        security measures that have been established for this data in particular. It is also emphasized that the purpose
        is the development of statistics, that the processing is regulated in the Statistics Act, and that
        information about the individual registered shall not be processed separately”.


3.6 Legal assessment from Statistics Norway
Statistics Norway has sent an undated assessment prepared by Advokatfirmaet Schjødt AS, by
lawyers Eva Jarbekk and Inge Kristian Brodersen, with the heading "The aspects of principle
when collecting detailed information about individual citizens - the relationship with the Constitution and the ECHR
and the requirement for proportionality". The assessment states, among other things, the following:

        "Even if the statutory authorization in section 10 of the Statistics Act is not considered to
        be contrary to basic human rights, the specific use of
        the authority is assessed in each individual case. Statistics Norway believes that legally regulated purpose/use
        limitation and the data minimization measures that have been implemented to a sufficient extent
        reduce the inconvenience for the individual, so that the treatment is considered not to be in breach
        of Section 102 of the Constitution or Article 8 of the ECHR. Special reference is made here to the fact that
        bong data is not at any time stored or processed with personally identifying
        characteristics, and that bong data is only handled aggregated at group level (in reality a
        two-dimensional aggregation in that bong data is aggregated on different product groups and
        collated with households aggregated to different socio-social groups). The result
        of the link is anonymous statistics".

According to this, Statistics Norway believes that the established data minimization and security measures
sufficiently take care of both the grocery chains and the customers. SSB still wants
to further develop new methods and tools that can further reduce the privacy disadvantage.

4. Relevant legal rules
The Norwegian Data Protection Authority monitors compliance with the privacy regulations, cf.
Article 57 of the regulation and § 20 of the Personal Data Act.

Below, we will explain the legal rules that we believe are relevant in the present case.

4.2 The right to privacy
4.2.1 Privacy as a human right
Everyone has the right to protection of their privacy. This is a right protected by the European
Convention on Human Rights (ECHR) as well as a constitutional right. A central part of the right
to privacy is the right to protection of one's personal data.


The ECHR has been made Norwegian law through the Human Rights Act of 1999. In the ECHR article 8 no. 1
it appears that "[e]veryone has the right to respect for his private life and family life, his home and his
correspondence".

Furthermore, Article 8 no. 2 of the ECHR states that interventions in citizens' privacy must be "in accordance with
the law". The intervention must be necessary in a democratic society for reasons of important
societal interests.

The right to privacy is recognized as a central human right by being included in
Section 102 of the Constitution, where it is stated, among other things, that "[e]veryone has the right to respect for his
privacy and family life, one's home and one's communication" and that "[t]he state authorities shall
ensure protection of personal integrity".


As regards the relationship between the human right to privacy and the privacy regulations,
we also refer to the preparatory works to the Personal Data Act, Prop. 56 LS (2017-2018), point 6.4.
Here it appears on page 34:

        "In its practice, the European Court of Human Rights (EMD) has assumed that public authorities' storage of
        personal data that is linked to private life within the meaning of the provision constitutes an
        interference with the right pursuant to ECHR article 8 no. 1, see Amann v. Switzerland 16.2.2000
        [ECHR-1995-27798] paragraph 65 and S. and Marper v. Great Britain 4.12.2008
        [EMD-2004-30562] section 67".

That public authorities' collection and storage of personal data is an intervention in
itself is therefore indisputable and must be the basis for the assessment of any privacy intervention.

4.2.2 The principle of legality
In a democratic society, legal certainty is a central foundation. It is a fundamental
principle in a democracy that the state does not interfere with citizens without authority. This is called
the principle of legality and is anchored in § 113 of the Constitution, which specifies that "[t]he authorities'
intervention against the individual must have a basis in law". As mentioned above, ECHR article
8 no. 2 also states that interventions in citizens' privacy require sufficient authority. Such protection in the form of
legal protection against arbitrary and unpredictable interventions is an important guarantee of legal certainty.

The requirement for the clarity of the law is tightened in line with the size of the intervention. The most serious
interventions must be based on law rather than regulations or administrative decisions. In case of significant
intervention in the citizens' legal sphere, it must be clear from the wording of the law that the intervention is covered
by the relevant statutory provision. Enshrining privacy intrusions in the legal text itself creates
greater predictability for the general public, and laws are adopted through a thorough democratic
process where trade-offs between the individual's privacy and the state's need for processing of
personal information must be made.

2 In the Personal Data Protection Regulation, this is expressed through article 6 no. 3, see point 4.6 below.

In Section 113 of the Constitution, there is a further requirement that interventions towards the citizens must be
necessary to fulfill legitimate purposes. This means that an intervention in privacy must have
a useful value for society.

The requirements for legal regulation are also evident from our human rights obligations under
the International Covenant on Civil and Political Rights (SP), which has been made Norwegian law
through the Human Rights Act from 1999. In Norwegian law, it is assumed that national legislation
is in line with our international obligations in the area of human rights.

4.3 The principle of data minimization

The basic principles for processing personal data are set out in
Article 5 of the Personal Data Protection Regulation. Particularly central to this case is the principle of
data minimization.

The principle of data minimization appears in the Personal Data Protection Regulation article 5 no. 1 letter c,
according to which personal data must be "adequate, relevant and limited to what is
necessary for the purposes for which they are processed".


According to the principle of data minimization, it is not sufficient that it is practical or desirable to
process personal data; the processing must be necessary for the purpose to be achieved.
The requirement of necessity will naturally become more stringent the greater the invasion of privacy.

The principle of data minimization also includes an overarching assumption that the processing of
personal data contributes to achieving a specific purpose. The purpose description will be the
natural starting point for assessments of the utility value of a treatment. The
more invasive the measure, the greater the requirements for the purpose description and a documented
usefulness of the measure.

4.4 The concept of personal data
The term personal data is defined in the Personal Data Protection Regulation Article 4 No. 1 as

     "any information about an identified or identifiable natural person ("the
     data subject"); an identifiable natural person is a person who can be identified, directly or
     indirectly, in particular by means of an identifier, e.g. a name, an
     identification number, location information, an online identifier or one or more
     elements that are specific to said natural person's physical, physiological, genetic,
     mental, economic, cultural or social identity".

Recital 26 of the regulation states:

     "When determining whether a natural person is identifiable, account should be taken of all
     means that it can reasonably be thought that the data controller or another
     person can use to identify the person concerned directly or indirectly, e.g.
     singling out. To determine whether means can reasonably be expected to be used to
     identify the natural person, all objective factors should be taken into account, e.g.
     the cost of and the time necessary to make the identification,
     taking into account the technology available at the time of processing, as well as
     technological development".


4.5 Legal basis
4.5.1 The Personal Data Protection Regulation
Any processing of personal data must have a legal basis to be legal.
The Personal Data Protection Regulation Article 6 No. 1 provides an exhaustive overview of which legal
grounds (authorities) may be the basis for processing personal data - and
thus an intervention in privacy.

Article 6 no. 1 letter c (fulfilment of a legal obligation) and e (exercise of public
authority or performance of a task in the public interest) are the most relevant
provisions for the cases where public authorities intervene in citizens' privacy.

When applying the above-mentioned authorities, there must be an additional authority in national law
or in EU law that imposes duties or tasks on public authorities.
This follows from Article 6 No. 3 of the Personal Data Protection Regulation and is described as a supplementary
legal basis.

4.5.2 The Statistics Act
Statistics Norway's tasks and area of authority are regulated in the Statistics Act with associated regulations. SSB's ability
to order other businesses to hand over information for statistical purposes is regulated in
Section 10 of the Statistics Act. The provision reads:

        "(1) Upon order from Statistics Norway, and without being hindered by a duty of confidentiality, anyone must
        provide information that is necessary for the development, preparation or dissemination of
        official statistics. The duty applies to information about the person obliged to provide information and other
        information which the person obliged to provide information has at their disposal. A deadline can be set
        for providing information. Confidentiality as mentioned in the Criminal Procedure Act § 119 first and
        second paragraph and the Disputes Act section 22-5 first paragraph takes precedence over the obligation to provide
        information according to the first sentence.

        (2) Statistics Norway can issue regulations on the obligation to provide information and order
        obligation to provide information in individual cases.

        (3) Disclosure of information under the first paragraph may be refused when an exception is required for reasons
        of national defense and security interests or police crime-fighting
        activities.

        (4) Statistics Norway may determine the manner in which the information is to be provided and
        which documentation must be included. No remuneration can be required for the
        costs of fulfilling the obligation to provide information.

        (5) Before Statistics Norway decides to impose an obligation to provide information, there must be an
        assessment of the usefulness of receiving the information, weighed against the costs for the party
        subject to disclosure and how invasive the treatment is considered to be for those to whom
        the information applies. The assessment must be made public.

        (6) The Ministry may issue regulations on the obligation to provide information pursuant to this provision,
        among other things about limitations in the obligation to provide information".

In the preparatory works to the Statistics Act, Prop. 72 LS (2018-2019), the relationship with the Constitution and
ECHR and the right to privacy is discussed. It appears in point 5.1.4.8 on pages 41 and 42:

        "The special regulation in the Personal Data Protection Regulation on the processing of personal data for,
        among other things, statistical purposes, see below, indicates that this type of treatment is considered
        minimally invasive.

        Article 5 of the Personal Data Protection Regulation deals with the principles for the processing of
        personal data. It follows from article 5 no. 1 letter b that further processing of
        personal data for archival, research or statistical purposes in accordance with
        article 89 no. 1, shall be considered compatible with the collection purpose. Furthermore, it follows
        from recital 50 that the data controller does not need a new legal basis
        to further process personal data for compatible purposes. The Personal Data Protection Regulation
        Article 5 no. 1 letter c establishes the principle of data minimization, which implies that
        personal data must be adequate, relevant and limited to what is
        necessary for the purposes for which they are processed. The ministry indicates that
        the personal data to be provided according to the proposal are relevant and necessary for
        Statistics Norway to be able to develop, prepare or disseminate statistics that are to
        be covered by the national statistics programme.
        (…)
        Statistics Norway's collection of personal data will also constitute an intervention in
        the right to privacy according to Section 102 of the Constitution and Article 8 of the ECHR. The processing is then only
        permitted if it has sufficient authority, pursues a legitimate purpose and is
        proportionate. For a general discussion of these requirements, reference is made to Prop. 56 LS
        (2017–2018) point 6.4. As it appears there, Section 102 of the Constitution has clear similarities
        with Article 8 of the ECHR, and must be interpreted in the light of this, cf. Rt-2015-93. There is no
        evidence that Section 102 of the Constitution sets stricter requirements than Article 8 of the ECHR for the
        legal basis for processing personal data. Under the proposal, Statistics Norway can
        collect a large amount of personal data. According to the Ministry's assessment,
        this is necessary for the agency to be able to fulfill its societal task of developing,
        preparing and disseminating official statistics. This is a legitimate purpose. Statistics
        Norway must process the information in a reassuring manner and only for
        the purposes mentioned in § 10 of the bill. Further processing of information is
        discussed in chapters 6 and 7.2. The ministry also refers to the discussion in chapter 4 of statistical
        confidentiality, non-disclosure and information security. Against this background,
        the ministry considers the proposal for a statutory provision to be proportionate.

        According to the ministry's assessment, the proposal meets the requirements of Section 102 of the Constitution and
        Article 8 of the ECHR".

4.6 Requirements for the supplementary legal basis
Article 6 no. 3 of the Personal Data Protection Regulation contains several requirements for the supplementary
legal basis. The supplementary legal basis – whether it is a legal authority, a
regulation or an administrative decision – must therefore meet certain criteria.


According to Article 6 No. 3, it must be clearly stated that the processing of personal data is
necessary to carry out a publicly beneficial task or exercise public authority.

Furthermore, it is required that the supplementary legal basis must "meet an objective in the public
interest and stand in a reasonable relationship to the legitimate aim sought to be achieved". This
thus calls for a proportionality assessment, in which the intervention in privacy must be proportionate to
the social good that is achieved.

The preamble to the Personal Data Protection Regulation in many cases provides guidance for the specific
provisions of the regulation, including Article 6 No. 3.

Although a supplementary legal basis does not have to be in the form of a law, it appears from
recital 41 that the legal basis should be "clear and precise". It further states that
the application of the legal basis should be predictable for citizens.

The requirements for the supplementary legal basis are discussed by the Ministry of Justice and Emergency Preparedness in
the preparatory works to the Personal Data Act, Prop. 56 LS (2017-2018). Section 6.3.2 states:

        "It follows from recital 41 that "when this regulation refers to a legal
        basis or a legislative measure, this does not necessarily require a
        legislative act adopted by a parliament". In the ministry's view, it must be
        assumed that statutory and regulatory provisions may in any case constitute a supplementary
        legal basis. The Ministry assumes that decisions made in accordance with law or regulations
        are also covered, as there is also a legal or regulatory basis in these cases".

However, this is nuanced in the following:

        "If the processing of personal data constitutes an intrusion into the right to privacy
        according to Section 102 of the Constitution or Article 8 of the ECHR, a more specific legal basis
        for the processing than the wording of the regulation can indicate
        may, however, be necessary. It also follows expressly from recital 41 that a legal basis should be
        "clear and precise, and its application should be predictable to persons who
        are covered by it, in accordance with the case law of the Court of Justice of the European Union
        (the "Court") and the European Court of Human Rights". In other words,
        the regulation's requirement for a supplementary legal basis for the processing must be interpreted and applied
        in line with the human rights requirements for a legal basis for interference with the right to
        privacy. This means that a closer assessment of the legal basis
        and the treatment must be made, where, among other things, emphasis must be placed on how invasive
        the treatment is. Depending on the circumstances, the outcome of such an assessment may be that
        a more specific basis is required than what might appear to be the minimum requirements under
        the wording of the regulation".

In point 6.4 of the preparatory work it also appears:

        "At the same time, there is no doubt that the regulation's general rules, possibly in
        combination with a supplementary legal basis that only meets the minimum requirements
        according to the wording in Article 6 no. 3, will not always provide a sufficiently specific legal basis
        or necessary guarantees in line with the Constitution and the ECHR. It will then be necessary to
        design more specific legal bases and additional guarantees in national law, and
        in many cases express authority in special legislation will be necessary.
        In other words, the regulation must be interpreted and applied in light of the Constitution and the ECHR.

        (...) The requirements in the Constitution and the ECHR on the legal basis for invasion of privacy can
        in the circumstances imply that the supplementary legal basis must contain such
        more specific provisions as Article 6 nos. 2 and 3 allow for. What is required of
        the supplementary legal basis cannot be answered in general, but must be decided according to a
        concrete assessment".

The European Court of Justice states the following in case C-175/20 in section 83:

        "In this regard, it is nevertheless noted that the legislation which forms the
        basis for the processing, in order to fulfill the requirement of proportionality, which Article 5,
        item 1, letter c) (…) is an expression of (…), must lay down clear and precise rules which
        regulate the scope and application of the measure in question, and which
        lay down minimum requirements, so that the persons whose personal data are affected have
        sufficient guarantees at their disposal, which make it possible to effectively protect this information
        against the risk of abuse. This legislation must be legally binding in national law
        and in particular state under what circumstances and on what conditions
        a measure on the processing of such information may be adopted, whereby it is ensured
        that the intervention is limited to what is strictly necessary".

For Norway as an EEA member, the practice of the EU Court is not directly binding. Legal practice
from the European Court of Justice will still have significance in the area of privacy as it is a
basic assumption that the rules of the Personal Data Protection Regulation are understood and practiced equally throughout
EU/EEA.

5. The Norwegian Data Protection Authority's sanctioning authority
The Norwegian Data Protection Authority's authority to impose administrative sanctions is regulated in Article 58 of the
Personal Data Protection Regulation. Article 58 no. 2 states which corrective measures the supervisory authority can
adopt.

The relevant parts of the provision read:

        "2. Each supervisory authority shall have the authority to decide on the following corrective
        measures:
           a. issue warnings to a data controller or data processor that the
              planned processing activities are likely to be in breach of the provisions of
              this regulation, (…)
           d. instruct the controller or data processor to ensure that
              the processing activities take place in accordance with the provisions of this regulation
              and, if relevant, in a specific manner and within a specific deadline, (…)
           f. introduce a temporary or permanent restriction of, including a ban on,
              processing".


6. The Norwegian Data Protection Authority's assessment
6.1 Assessment of the size of the privacy intrusion
If privacy is to be encroached upon, it is a requirement according to both our human rights
obligations under the ECHR, the Constitution and the privacy regulations that a thorough
assessment is carried out of the proportionality of the measure that constitutes the intervention. The disadvantages for
citizens of personal information about them being collected must be weighed against the authorities'
need for personally identifiable data to provide citizen services and carry out their duties.

We emphasize again that an invasion of privacy occurs already during the actual collection of
personal data, and not only when the data is further processed. The European
Court of Human Rights, in the cases Amann v. Switzerland (case 1995-27798) and S. and
Marper v. United Kingdom (Case 2004-30562), clearly established that states intervene against
the citizens already when collecting personal data as such. 3

In the response to the notice of decision and in dialogue with us, Statistics Norway has stated that the Norwegian Data Protection Authority is wrong when
we refer to SSB as "the state". To this, we would like to note that Statistics Norway is a public authority,
financed through the state budget. Although SSB is an independent body, SSB is still a part
of the state apparatus. In our view, there is no doubt that Statistics Norway falls under the term "the state",
although that term may be imprecise. In any case, the use of the term "the state" has not had
significance for our assessments in the case.


The Norwegian Data Protection Authority recognizes the societal benefit of consumption and diet statistics. For example,
dietary statistics are the basis for national public health work. We see that data of the same
quality cannot be obtained from other sources, for example the consumers themselves. Statistics in an
area like this are undoubtedly a legitimate and socially beneficial purpose.

We have also noticed that SSB has good internal routines and systems for fast
pseudonymisation and aggregation of data, strict internal access management, etc. SSB is well
equipped to also handle bong data in a reassuring manner internally.

Statistics Norway has stated that an important consideration behind the collection of bong data is
development work that can lead to quality improvement and future data minimization through more
precise data extraction, etc. As we understand it, however, the utility value of the development
work will be unknown at the time when the data is collected. We cannot therefore attach decisive
importance to the objective of future data minimization.

3 See also ECJ cases C-293/12 and C‑594/12,
https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62012CJ0293.


Bong data in itself does not contain any personal data, but the bong data is to be linked with
transaction data, which makes it possible to link the information to an individual.
The linkage takes place with relatively simple means for SSB and within a short time after
the continuously streamed data is received at SSB. The Norwegian Data Protection Authority is
therefore of the opinion that the right thing is to consider the bong data as personal data already
from the time the collection takes place, cf. point 26 of the Personal Data Protection Ordinance.
In any case, the bong data will be personal data as soon as the link to transaction data has been
made internally at SSB.

It is thus the intervention of the collection of bong data that must be assessed in this case.


The planned collection of bong data for statistics involves the processing of enormous
amounts of transactional data about a significant part of the population. It is also a brand new
form of data collection by the authorities from private actors. SSB, as a public
authority, will gain completely new knowledge about which grocery purchases a large majority of the
Norwegian population makes, in real time. The citizens cannot be said to have any expectation that a
public authority will receive information about which groceries they buy from a completely private
actor. Statistics Norway also points out that the average citizen will not be able to predict that
the state will collect information about their purchases of groceries.

The individual data subjects have no real opportunity to oppose the collection of
personal data, except by shopping with cash and avoiding the large grocery players. Nor do the
data subjects receive targeted and individual information that the collection takes place, as
public authorities can typically make use of the exceptions from the obligation to provide
information according to the personal protection regulations. 4

It is therefore of less importance for our assessment of the size of the privacy intervention that
Statistics Norway's mandate is the production, dissemination and development of statistics, which
in itself is not linked to individuals. Whether the intervention is proportionate based on, among
other things, purpose considerations, is another matter.

The relationship with Section 102 of the Constitution and Article 8 of the ECHR is addressed in the
preparatory work to the Statistics Act. The Ministry of Finance's assessment there is that section
10 of the Statistics Act in itself is not contrary to the requirements of Section 102 of the
Constitution and Article 8 of the ECHR, and that statistics must generally be considered to
interfere little with privacy. At the same time, the ministry also emphasizes that the individual
interventions in privacy must be proportionate to the social good that is achieved.

The Norwegian Data Protection Authority believes that there are weaknesses in the specific privacy
impact assessments which Statistics Norway has carried out. In the description of the privacy
intervention seen from the point of view of the data subjects, SSB refers to a "perceived
discomfort". This may indicate a lack of understanding of the concept of privacy, privacy as a
fundamental right and the value of good privacy. Privacy as a societal value is a matter of trust
and values. The assessments of which personal data it is necessary for a public authority to
process must therefore be considered in a broader perspective. Information security and other
remedial measures are important measures, but they do not reduce the size of the privacy
intervention itself; the fundamental breach of privacy is the same regardless of how Statistics
Norway handles the data further. We also refer here to the fact that the intervention in privacy
already takes place upon collection of personal data, cf. the decisions of the European Court of
Justice and the European Court of Human Rights mentioned above.

4 See the Personal Data Protection Ordinance, Article 14 No. 5 letter c. We do not go into the
assessment of whether this specific collection is "expressly provided for in Union law or the
national law of the Member States".

As a data protection authority, we also believe that the Ministry of Finance's conclusion in the
preparatory work to the Statistics Act, stating that processing for statistical purposes should
generally be considered to be little invasive, is too unnuanced. The data collection that forms the
basis for the preparation of statistics can constitute a significant intrusion into data subjects'
privacy. Although the end result is anonymous statistics, large amounts of personal data could be
processed by a government body (SSB) in the process.

In this case, the dietary statistics are requested by the health authorities, and
the consumption statistics will be of much better quality if bong data is used. The statistics are
to be based, among other things, on information about which grocery purchases individuals make,
which Statistics Norway will get through bong data combined with transaction data.


As stated above, this is a completely new data collection from private actors, and there is agreement
that citizens cannot expect or anticipate that a public authority will carry out this
type of data collection.

Although Statistics Norway has good internal processes and measures for pseudonymisation and
screening of personal data, and the data must be quickly aggregated, the underlying raw data
(bong data and transaction data) remain available at Statistics Norway for at least a two-year
period. This means that the intervention persists, even if the statistical product is anonymous and
only pseudonymous data is used in the development work.

The Norwegian Data Protection Authority is of the clear opinion that the privacy intrusion when
collecting bong data is very large. It must be questioned whether it is necessary for Statistics
Norway to collect these data to carry out its social mission. We believe that the intervention
cannot be considered proportionate if the purpose can be achieved in a sufficiently good way
through other, less invasive means.

An important factor in this specific weighing will be the achievement of SSB's objectives. The
Norwegian Data Protection Authority believes that, after a concrete assessment of the
proportionality of the privacy intervention, one must accept that not all statistical purposes can
be fully achieved. In such cases it is necessary to accept that data must be collected from other
sources, with the consequence that the statistics get a lower level of precision and quality.

In this matter, we believe that Statistics Norway's mandate to utilize new, digital sources to
prepare and develop statistics on the one hand, and the encroachment on privacy on the other, are
in conflict. Privacy is not an absolute right, but there is still an outer limit to which
interference with privacy can be accepted.

In a case like this, the right to privacy is primarily about trust in the Norwegian public sector,
and less about the fear of misuse of personal data. In our view, the core of
the assessment of the privacy intervention in this case is what it is necessary for the public
authorities to know about the individual citizen.


Public authorities have enormous amounts of data about citizens through various
socio-economic registers and health registers. Through social security numbers, this data can be
linked together. The result of such linkages is something more than just the sum of the individual
pieces of information; it can give a more or less complete picture of a single individual's life
from cradle to grave.


The Norwegian public sector exclusively has mandates and authority that are linked to good
purposes and objectives, be it crime fighting, public health, good
welfare services or other. In many cases, it is absolutely essential to process
personal data to perform public tasks. The Norwegian Data Protection Authority believes that there
is nevertheless a limit on which data public authorities can process about individuals, even where
the purpose is good. It is at the core of the Norwegian Data Protection Authority's tasks as a
supervisory authority to assess where this boundary is to be drawn.


A serious, long-term consequence of disproportionately large intrusions into privacy can be
weakened trust in public authorities and lower willingness to share data with the public sector;
the so-called chilling effect. Ultimately, this can affect the view of Norway as a
democratic society. We would like to point out that both the Norwegian Data Protection Authority
and Statistics Norway have received many negative reactions from individuals in this case.


6.2 Statement of purpose and data minimization
In the cost-benefit assessment, Statistics Norway has made an assessment of whether bong data are
necessary and relevant information for the purposes, cf. the principle of data minimisation. Here
SSB states that different forms of selection of bong data probably could have been sufficient for
some of the relevant statistical purposes. When it comes to development work, however, sample
surveys, aggregations or less frequent data deliveries will not be sufficient.


Statistics Norway has therefore itself pointed out that the assessment of necessity will be
different for the different purposes.

Furthermore, statistics production and method development are two different processes, although
statistical production is based on methods that have been developed using the basic data.


In our view, this illustrates the weaknesses of the necessity assessment that has been carried out.
The need for complete bong data for development purposes plays into the assessment that SSB
considers the collection necessary - also for the purpose of producing statistics.






Against this background, it appears clear to the Norwegian Data Protection Authority that the
production/dissemination of statistics and development work must be defined as different processing
purposes within the meaning of the Personal Data Protection Regulation.

Nor can we see that Statistics Norway has assessed the dietary statistics and the consumption
statistics separately. These are different forms of statistics that have different purposes,
underlying considerations and societal functions. As a result, the necessity assessment may also
turn out differently for the two forms of statistics.

The Norwegian Data Protection Authority has chosen not to go into further detail in the assessment
of the necessity of the bong data for the purposes. In this supervisory case, we have chosen to
concentrate on the assessment of the supplementary legal basis for the collection of bong data, cf.
point 6.3 below. There may nevertheless be a need to make a thorough assessment of necessity at a
later stage.


6.3 The supplementary legal basis
Through Section 10 of the Statistics Act, Statistics Norway has been given almost a blank
authorization to make decisions or adopt regulations on the obligation to provide information.
Section 10 of the Statistics Act is thus a framework provision which presupposes that the detailed
access to process personal data is determined in another legal basis. Statistics Norway's
processing of personal data must nevertheless be in line with the privacy regulations.


In the preparatory work to the Personal Data Act, Prop. 56 LS (2017-2018), it appears that an
administrative decision can constitute a supplementary legal basis within the meaning of the
personal data protection regulation. Whether an administrative decision is considered a
sufficiently clear and predictable legal basis must, however, be assessed concretely.

In this case, Statistics Norway has decided to obtain enormous amounts of information about
Norwegian consumers' grocery purchases. The Norwegian Data Protection Authority believes that the
privacy intrusion by the decisions is considerably larger than what Statistics Norway seems to have
assumed. That the collection of bong data is done for statistical purposes is of secondary
importance in this assessment, as the intervention in privacy itself already occurs at the time of
data collection.

As we assume that the breach of privacy when collecting bong data is very large,
this sets stricter requirements for the supplementary legal basis, cf. the Personal Data Protection
Ordinance article 6 no. 3.

Section 10 of the Statistics Act stipulates that Statistics Norway itself shall carry out the
cost-benefit assessment and make individual decisions, or possibly adopt regulations, on the
obligation to provide information.

From what we know, it is unusual for such extensive collection and processing of
personal data as in this case to be based on administrative decisions as the supplementary
legal basis.

For comparison, we will refer to the system established for medical and healthcare
research projects. In medical and healthcare research, decisions on exemption from
confidentiality and/or ethical approval decisions are the basis for the processing. In these
cases, the assessment of whether data should be used for research is assigned to an external
third party (respectively the Norwegian Directorate of Health and the regional committees for
medical and health research ethics, REK) and not to the institution responsible for the research.

Medical and healthcare research usually involves handling large amounts of health data and
other personal data. The third-party assessment is considered a guarantee for safeguarding
the research participants' rights and interests. The regional ethics committees can, for
example, set conditions for the collection, storage and use of data.

It appears in the letter of 23 January 2023 that Statistics Norway considers this comparison to be
an extraneous consideration. Statistics Norway points out that the Storting has adopted the
Statistics Act without providing for an external third-party assessment, and that this type of
arrangement therefore cannot be given weight in the case.


We nevertheless believe that extensive processing of personal data pursuant to
administrative decisions is so unusual that the comparison above is not irrelevant to our
assessment. As there is no external third-party assessment, and section 10 of the Statistics Act,
which sets the framework, is so broadly designed, the Norwegian Data Protection Authority's control
function will be all the more important.

A natural consequence of SSB's purpose and social mission is that they must facilitate the
performance of the tasks assigned to them in the best possible way. Statistics Norway's operations
are also regulated partly by strategic guidance nationally and internationally. In highly invasive
processing of personal data, it is therefore particularly important that the privacy impact
assessment which is the basis for the processing of personal data is good.

As mentioned in point 6.1, we believe that the assessments made by Statistics Norway in connection
with collection of bong data are lacking. As a consequence, the process leading up to Statistics
Norway's decision on the obligation to provide information does not meet the requirements of the
privacy regulations. The assessments that have been made against the principle of data minimization
in the personal protection regulation article 5 no. 1 letter c and the principle of purpose
limitation in letter b are not good enough in our view. This means that it is not possible to make
a fully sound proportionality assessment, as the privacy regulation article 6 no. 3 requires.


For Statistics Norway's operations, Statistics Norway alone can assess and decide that data should
be collected. Any actor, private as well as public, may be required to hand over personal data on a
large scale. Decisions on the obligation to provide information can be appealed to the Ministry of
Finance, but we consider that such complaint handling has a different function than an external
third-party assessment at an entity with purposes other than just the preparation and development
of statistics.

The Norwegian Data Protection Authority has assumed that the invasion of privacy when collecting
bong data is very large. We believe that an administrative decision made by Statistics Norway
pursuant to section 10 of the Statistics Act is not a sufficiently clear and predictable legal
basis for such extensive processing. Statistics Norway's decision also does not provide sufficient
guarantees for the data subjects for such invasive processing as the collection of bong data. We
believe that this view has support in the wording of the Personal Data Protection Ordinance, the
preparatory work to the Personal Data Act and case law from the ECtHR and the European Court of
Justice.

The Norwegian Data Protection Authority is therefore of the opinion that Statistics Norway's
decision on the obligation to provide information directed at the grocery operators does not meet
the requirements for a supplementary legal basis in the personal protection regulation article 6
no. 3.


6.4 Conclusion: Decision on banning the processing of personal data
The Norwegian Data Protection Authority has come to the conclusion that Statistics Norway's
decision on the obligation to provide information to the grocery operators NorgesGruppen ASA, Coop
Norge AS, Rema 1000 AS and Bunnpriskjeden, made pursuant to Section 10 of the Statistics Act, does
not meet the requirements for a supplementary legal basis in the personal protection regulation
article 6 no. 3.

We have therefore decided to adopt a ban on the processing of personal data in the form of
bong data, cf. the personal data protection regulation article 58 no. 2 letter f.

7. Right of appeal
This decision can be appealed within three weeks after you have received this letter, cf.
Sections 28 and 29 of the Administration Act. Any complaint is to be sent to the Norwegian Data
Protection Authority.

If we uphold our decision, the case will be sent to the Norwegian Personal Protection Board for
complaint processing, cf. Personal Data Act § 22.


With best regards



Line Coll
director

Susan Lie
legal professional director

The document is electronically approved and therefore has no handwritten signatures



Copy to: Statistics Norway (SSB), Thorleiv Valen














