Datatilsynet (Norway) - 22/03622: Difference between revisions
No edit summary |
No edit summary |
||
Line 77: | Line 77: | ||
=== Facts === | === Facts === | ||
In May 2022, the Norwegian DPA was approached by a grocery chain and a payment transaction provider regarding an instruction the former had received from the national statistical institute Statistics Norway (SSB) | In May 2022, the Norwegian DPA was approached by a grocery chain and a payment transaction provider regarding an instruction the former had received from the national statistical institute Statistics Norway (SSB), to submit purchase data ("bongdata" in Norwegian) to them. The DPA had also received several complaints and inquiries from private parties regarding this matter, and in June they asked SSB, by letter, to clarify. Following their reply, the DPA and SSB had a meeting in August. | ||
The various interactions clarified that SSB had instructed the main grocery chains in Norway (Rema 1000, NorgesGruppen, Coop and Bunnpris, accounting for about 99% of the Norwegian grocery market) to start submitting purchase data ("bongdata" in Norwegian) to them on a regular basis, including: | The various interactions clarified that SSB had instructed the main grocery chains in Norway (Rema 1000, NorgesGruppen, Coop and Bunnpris, accounting for about 99% of the Norwegian grocery market) to start submitting purchase data ("bongdata" in Norwegian) to them on a regular basis, including: | ||
Line 90: | Line 90: | ||
* ID of offers/discounts | * ID of offers/discounts | ||
The data would be reported directly from | The data would be reported directly from the point of sale systems so that SSB would receive the data continuously. Purchased items would be classified into product groups and consumers would be classified by size and type of household, income, level of education and country region. This would be contingent on a connection to transactional data/bank account number and then birth date. | ||
The purchase data do not in themselves contain any personal data. The intention is, however, to connect these with transactional data which then makes it possible to relate the data to an individual person. SSB will link these to transaction data quickly after continuously receiving them, and thus the DPA finds that it is correct to view the purchase data as personal data from the point of collection, and references Recital 26 GDPR. Because of this, the DPA assessed the interference the collection of purchase data represents. | The purchase data do not in themselves contain any personal data. The intention is, however, to connect these with transactional data which then makes it possible to relate the data to an individual person. SSB will link these to transaction data quickly after continuously receiving them, and thus the DPA finds that it is correct to view the purchase data as personal data from the point of collection, and references Recital 26 GDPR. Because of this, the DPA assessed the interference the collection of purchase data represents. | ||
SSB's claimed legal basis for the processing was the Norwegian Statistics Act § 10 Duty to provide information, which states that "any person must provide the data that are necessary to develop, produce or disseminate official statistics if so ordered by Statistics Norway". The purpose of the intended processing was to develop, produce and disseminate official statistics as per the Statistics Act, and SSB considered the processing to be necessary. | SSB's claimed legal basis for the processing was the Norwegian Statistics Act § 10 Duty to provide information, which states that "any person must provide the data that are necessary to develop, produce or disseminate official statistics if so ordered by Statistics Norway". The purpose of the intended processing was to develop, produce and disseminate official statistics as per the Statistics Act, and SSB considered the processing to be necessary. During the investigation, SSB shared two data protection impact assessments (DPIA) with the DPA, one dated 27 January 2021 and the other from the period October 2021 to June 2022. | ||
During the investigation, SSB shared two data protection impact assessments (DPIA) with the DPA, one dated 27 January 2021 and the other from the period October 2021 to June 2022. | |||
=== Holding === | === Holding === |
Revision as of 08:19, 31 May 2023
Datatilsynet - 22/03622 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 5(1)(c) GDPR Article 6(3) GDPR Article 58(2)(f) GDPR Statistikkloven (The Statistics Act, in English) Statistikkloven (The Statistics Act) |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 01.05.2022 |
Decided: | 26.04.2023 |
Published: | 02.05.2023 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 22/03622 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Norwegian Norwegian |
Original Source: | Datatilsynet (press release) (in NO) Datatilsynet (the Norwegian DPA) (in NO) |
Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA imposed a ban on the national statistical institute's planned real-time mass-processing of nearly all purchase data in the country, including linkage to bank accounts and birth dates, for the purpose of providing official statistics.
English Summary
Facts
In May 2022, the Norwegian DPA was approached by a grocery chain and a payment transaction provider regarding an instruction the former had received from the national statistical institute Statistics Norway (SSB), to submit purchase data ("bongdata" in Norwegian) to them. The DPA had also received several complaints and inquiries from private parties regarding this matter, and in June they asked SSB, by letter, to clarify. Following their reply, the DPA and SSB had a meeting in August.
The various interactions clarified that SSB had instructed the main grocery chains in Norway (Rema 1000, NorgesGruppen, Coop and Bunnpris, accounting for about 99% of the Norwegian grocery market) to start submitting purchase data ("bongdata" in Norwegian) to them on a regular basis, including:
- name of item
- price per item* total amount of the receipt
- payment method
- amount per payment method
- start and end time of the purchase
- ID of returns
- ID for terminated purchase
- ID of offers/discounts
The data would be reported directly from the point of sale systems so that SSB would receive the data continuously. Purchased items would be classified into product groups and consumers would be classified by size and type of household, income, level of education and country region. This would be contingent on a connection to transactional data/bank account number and then birth date.
The purchase data do not in themselves contain any personal data. The intention is, however, to connect these with transactional data which then makes it possible to relate the data to an individual person. SSB will link these to transaction data quickly after continuously receiving them, and thus the DPA finds that it is correct to view the purchase data as personal data from the point of collection, and references Recital 26 GDPR. Because of this, the DPA assessed the interference the collection of purchase data represents.
SSB's claimed legal basis for the processing was the Norwegian Statistics Act § 10 Duty to provide information, which states that "any person must provide the data that are necessary to develop, produce or disseminate official statistics if so ordered by Statistics Norway". The purpose of the intended processing was to develop, produce and disseminate official statistics as per the Statistics Act, and SSB considered the processing to be necessary. During the investigation, SSB shared two data protection impact assessments (DPIA) with the DPA, one dated 27 January 2021 and the other from the period October 2021 to June 2022.
Holding
From the first DPIA, the DPA highlighted the fact that information about nearly all grocery purchases for the entire population of Norway would be collected, stored indefinitely, without allowing the data subjects to exercise their rights (because of exceptions in the national regulations). The DPA noted that SSB would receive extensive data more or less in real-time and with a high degree of accuracy, about every individual's grocery shopping, including where, how and what they purchased, for any purchase made at stores covering 99% of the Norwegian market (unless they paid by cash).
On 29 November 2022, the DPA notified SSB of their intention to ban the planned processing. SSB then submitted their comments and a legal consideration by a law firm, in January 2023. This did not, however, affect the DPA's intention to ban the processing.
The DPA found that SSB's assessments are inadequate and their impression is that SSB has an insufficient understanding of the concept of personal data protection, privacy as a fundamental right and the value of adequate privacy. The DPA viewed that collection and storage of personal data by public authorities is an intrusion in in itself which must form the basis for the assessment of any interference with privacy.
Consequently, the DPA held that SSB did not have a sufficient supplementary legal basis as per Article 6(3) GDPR to process the transaction personal data ("bongdata" in Norwegian) as intended, and based on Article 58(2)(f) GDPR imposed a ban on the processing.
Comment
The DPA makes an interesting discussion on the right to respect for a private life under the European Convention on Human Rights (ECHR). This right is adopted in Norwegian law, both through ECHR and the Constitution § 102. When public authorities collect and store personal data, this is in itself interfering with privacy. The DPA emphasizes that in a democratic society, legal certainty is a central foundation and a principle in a democracy is that the state does not inferfere with citizens' private life without a basis in law (the principle of legality, as anchored in the Constitution § 113). The requirements for this basis in law increases with the severity of the interference. So even if SSB has a general basis in law for creating statistics, the interference in privacy in this particular case is so great that the DPA finds it cannot be justified with this only.
SSB tried to claim that the DPA was wrong in identifying them as "the state", to which the DPA responds that SSB is a public authority, funded over the National Budget, and despite being an independent authority clearly a part of the Norwegian state.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
STATISTICAL CENTRAL BUREAU PO Box 2633 St. Hanshaugen 0131 OSLO Your reference Our reference Date 22/993 22/03622-15 26.04.2023 Decision on banning the processing of personal data The Norwegian Data Protection Authority refers to our control case related to Statistics Norway's decision on obligation to provide information in the form of handover of bank data for four grocery players. In its decisions, Statistics Norway (hereafter Statistics Norway) has ordered the four players to transfer bank data for the customers' goods transactions. The four players are NorgesGruppen ASA, Coop Norge AS, Rema 1000 AS and Bunnpriskjeden. 1. Resolution Pursuant to the Personal Protection Regulation article 58 no. 2 letter f, the Norwegian Data Protection Authority has today decided the following decision: The Norwegian Data Protection Authority prohibits the processing of bank data on the basis of a decision on obligation to provide information determined by Statistics Norway. There is no sufficient supplementary legal provision basis for the processing, cf. the personal data protection regulation article 6 no. 3. 2. The proceedings The Norwegian Data Protection Authority became aware of the case through inquiries from NorgesGruppen ASA and the payment intermediary Nets Branch Norway in May 2022. The Norwegian Data Protection Authority has also received several complaints and inquiries from private individuals in this matter. We sent a demand for an explanation to Statistics Norway on 02.06.2022. Statistics Norway answered our questions in a letter by 13/06/2022. On 29 August 2022, a meeting was held between the Norwegian Data Protection Authority and Statistics Norway on the occasion of the case. The meeting was reported. Draft minutes were sent to Statistics Norway on 01.09.2022, and Statistics Norway agreed comments on the minutes on 07/09/2022. The final report was sent to Statistics Norway on 21 September 2022. Postal address: Office address: Telephone: Organization number: Website: PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1 0105 OSLO 0191 OSLODatatilsynet has also received a copy of correspondence relating to NorgesGruppen ASA and Coop Norge AS' complains about Statistics Norway's decision on the release of bin data. As far as we know, the complaints are still being processed by the Ministry of Finance as the complaints body. In a letter dated 29 November 2022, we notified Statistics Norway of a decision to ban the processing of personal data in the form of bank data. Statistics Norway has commented on the notice in a letter dated 23.01.2023, attached a legal assessment from Advokatfirmaet Schjødt AS. We have incorporated the comments in the decision where it is considered relevant. 3. More details about SSB's planned processing of bong data 3.1 Statistics Norway's decision on the obligation to provide information In the decisions on the obligation to provide information to the grocery operators, Statistics Norway states that bank data from the grocery trade is considered to be of great use for the production of official statistics which are important to society. Statistics Norway will produce statistics on consumption in Norwegian households and new statistics on diet. Furthermore, it appears from the decisions that the data will be used to investigate the consumer price index and the merchandise trade statistics can have bong data as a data basis. Statistics Norway will also test and develop new methods to ensure even greater confidentiality in statistics production. The voucher data will include, among other things: • product name • price per item • total amount on receipt • method of payment • amount per payment method • start and end time for trading • identifier on return • identifier of completed trade • identifier of the sale/offer Any customer loyalty numbers must not be reported. The voucher data must be reported as streamed data from the cash register systems, so that Statistics Norway receives it the data continuously. NorgesGruppen ASA and Coop Norge AS have appealed against the decisions on the obligation to provide information. SSB has maintained its decisions and forwarded the complaints to the Ministry of Finance on 04.10.2022 for complaint processing. 23.2 Statistics Norway's reports to the Norwegian Data Protection Authority 3.2.1 Statement of purpose In the statement from Statistics Norway dated 13 June 2022, it appears that Statistics Norway considers development, preparation and dissemination of official statistics as one processing purpose, as the tasks are set out in the Statistics Act. This interpretation appears from the legislative preparations, Prop. 72 LS (2018-2019), in the notes to the purpose provision in § 1 and to § 17 on SSB's tasks. Here is development, preparation and dissemination of official statistics referred to as one main purpose and one main task. Also in NOU 2018: 7 New Act on Official Statistics and Statistics Norway appears in point 10.4 that: "Method development is an integral part of the work of producing statistics". Statistics Norway points out, however, that the assessment of necessity and the result of concrete data minimization will could turn out differently depending on whether the purpose is development or preparation of current statistics. In the letter of 23 January 2023, it appears that Statistics Norway has nevertheless assessed the overall data need under one (development, preparation and dissemination of official consumption and dietary statistics) and added up to one data collection instead of collecting several almost identical, parallel data sets. The background is that Statistics Norway believes that there is one purpose with several statistical products and associated development work. 3.2.2 Assessment of the privacy intervention In the letter of 23 January 2023, it appears that Statistics Norway believes that the privacy intervention is proportionate and justified based on the purpose of the processing, the limited collection period and the measures that have been established to reduce the privacy disadvantages. Statistics Norway has placed a decisive emphasis on the purpose of the processing and the measures implemented. Statistics Norway also points out that it was the data protection commissioner who recommended revising the decision disclosure obligation time-limited to the period 2022 – 2023. An important part of the methodological work in the two-year period is described as the assessment and concretization of data-minimizing measures both before and after the collection, without compromising the quality of the statistical products is reduced. Relevant measures can be periodic data collection, various forms of selection and storage limitations. 3.2.3 Quality requirements In the letter of 23 January 2023, Statistics Norway refers to the quality requirements in Section 5 of the Statistics Act, which correspond to the requirements of European Parliament and Council Regulation (EU) 223/2009. Compliance with the quality requirements require data of a certain content and scope. Section 5 of the Statistics Act states, among other things, that statistics must be "relevant, accurate, up-to-date, punctual, accessible and clear, comparable and coherent'. Statistics Norway points to bong data as an example of a data source that has great potential to increase the quality of several statistics. 33.2.4 Consumption statistics Statistics Norway has explained what it wants to achieve by using bong data to produce consumption statistics. According to Statistics Norway, bong data will improve the quality of consumption statistics. The voucher data will be linked to self-reported purchases (on the basis of consent), and it will be possible to correct for measurement errors in the self-report. The comparison will provide a basis for supplementing the statistics improved uncertainty estimates. The production of statistics will also be made more efficient by classifying grocery purchases automatic. The methods for automatic classification have been developed with test voucher data from 2018. This has an impact on the quality of the statistics, but it will also have a great impact on the resource use that goes into preparing the statistics. Furthermore, the statistics above grocery consumption is broken down at far more levels than has been possible in the past. In addition, Statistics Norway will be able to gain valuable knowledge about the strengths and weaknesses of the various data sources, so that one can further develop the methods for estimating uncertainty and adjusting for biases. This is one of several possible analyses, which may in turn provide a basis for data minimization in the future statistics production. 3.2.5 Dietary statistics Since the beginning of 2020, Statistics Norway has investigated the possibilities for preparing new diet statistics based on information about which foodstuffs the Norwegian population buys from the largest the players in the grocery market. The work has been carried out in close collaboration with, among others The Norwegian Directorate of Health and the large grocery chains. Statistics Norway plans to publish official diet statistics based on information on sales food from grocery chains and information on the nutritional content of food obtained from others sources, based on test voucher data from 2018. From 2023, the diet statistics will be further developed with new bong data and information from other data sources, including information on households from registers SSB already uses in other statistical production. Access to all information that the grocery chains can supply (so-called full count) is as of today crucial for Statistics Norway to be able to produce dietary statistics. Complete data will provide basis for development work that may lead to future data minimization. This work will could not be done without obtaining data on all purchases, where one looks at occurrences in and variations between smaller groups. Statistics Norway also considers it necessary to use a full count for to observe basic statistical principles such as quality awareness, cost-effectiveness, relevance, accuracy and reliability. 3.3 Summary of the meeting between the Norwegian Data Protection Authority and Statistics Norway In the meeting held in August 2022, Statistics Norway explained its mandate: Develop, prepare and disseminate official statistics. Furthermore, Statistics Norway explained that they, through political guidance and assignment letter, is required to look for and use new data sources as a basis for statistics, i in addition to developing new methods for statistics production. 4SSB explained its work with consumption statistics, that is, statistics on what the country's households spend money on. The last survey was carried out in 2012. Statistics Norway has had problems with obtaining acceptable data quality as the survey has been based on volunteers reporting, with a significant task burden for the participants and high drop-out rates. Furthermore, have The Norwegian Directorate of Health expressed a need for dietary statistics as a basis for public health work, and Statistics Norway has an established collaboration with the grocery chains to develop a data base. Barcode data is already collected today from, among other things, grocery chains for use in the consumer price index (CPI), but in an aggregated format. Furthermore, Statistics Norway has received bank data and bank transaction data in a development project where it was investigated whether bank data can be used for the desired purpose – consumption and diet statistics. Parallel to the collection of new bongdata, Statistics Norway will collect data through self-reports, where consumers, among other things, can scan receipts. SSB described in more detail the planned processing of bong data internally at SSB. The goods which are purchased will be classified into product groups. Furthermore, consumers will be classified according to household size/type (about 10 groups in total) and other background variables, such as household income (grouped), level of education and region/region. This presupposes a link to transaction data/account number and then national ID number. All use of information, including linking bank data to bank transaction data and account number, is done with pseudonymous data, so that the individual receipt cannot be linked directly against an individual. The receipts as they are received are stored in the system as raw data, that is that is, without the link to the individuals who have made the purchases. Systems for access management has been established, and access to raw data is strictly regulated. In principle it is however, it is possible to make the connection again at a later time. For the further processing of the bank data internally at Statistics Norway, the individual transaction will therefore be aggregated at household group level. As the treatment is now planned and presented, you will not be able to follow an individual household over time - only household groups. Statistics Norway focuses on removing the data you do not need as early as possible in the process. A statutory confidentiality requirement applies to the publication of official statistics, that is to say that individuals/households should neither directly nor indirectly be able to are identified. Statistics Norway plans an evaluation of the solution in 2023, where, among other things, the level of detail of the data, frequency and extent will be assessed. 3.4 The cost-benefit assessment Section 10 fifth subsection of the Statistics Act requires that Statistics Norway conduct a cost-benefit assessment before they decides to adopt an order on the obligation to provide information. 5SSB has published the cost-benefit assessment on its website. We will summarize them below the parts of the assessment that relate to consequences for data subjects' privacy. Statistics Norway states in its assessment that bong data from the grocery chains does not contain personal data in itself. Through links to other sources, bongdata will still be able to be linked to a person. By connecting a bong to a payment transaction (a payment by bank card), purchases of goods can be linked to individuals and households via data from the Norwegian Tax Agency and the National Register of Citizens. The connection to a person will be possible for more than 70% of the vouchers. Statistics Norway considers that the bong data acquires the character of being sensitive personal data when they linked to an individual and a household. It is emphasized that the bong data are distinctive both on because of the large amount of data and because the information is not already available in public register. In addition, Statistics Norway will receive the data in near real time and with a high degree of detail. They connected the data will include information about where and when the individual has shopped for groceries, and that detailed information will appear about which goods and quantity of goods you have bought. This applies to all purchases from the four grocery operators that are not paid in cash. The players together cover 99% of the market. Statistics Norway recognizes that the individual consumer cannot be expected to be aware that Statistics Norway wants to use the electronic tracks from current purchases, and forward these with personally identifiable data, to create statistics. Statistics Norway states that it is therefore important that the bong data is treated with extra care, and Statistics Norway will implement extra measures to safeguard privacy and information security. The privacy deficiencies must be remedied through the general security measures that apply to everyone processing of statistical information. Statistics Norway must ensure confidentiality in all dissemination of statistics. Furthermore, SSB's employees and contractors are subject to a duty of confidentiality, and SSB must implement measures to achieve a satisfactory level of security. This includes, among other things to ensure adequate access management, logging and subsequent control as well as regular risk and vulnerability analyzes and threat simulations. Statistics Norway will pseudonymise the personal data upon receipt, and aggregations of data adapted the individual statistical needs will be an important measure. An important part of the investigative work will be aimed at the development of new methods for data minimization and promoting privacy production processes when processing this type of data. Furthermore, the information shall only be used for statistical purposes within the framework of the Statistics Act. According to Statistics Norway, statistical use is generally a purpose that has a low privacy risk. In its assessment of whether the information is necessary and relevant, cf. the principle of data minimisation, Statistics Norway states that different forms of selection of bong data could probably have been sufficient for some of the relevant statistical purposes. Daily reporting of bong data on 2 rema-1000-norgesgruppen-coop-and-bottom-price However, product level 6 will also enable many forms of development work, both for new ones statistical products and methods for processing this type of data. This work will not be possible with sample surveys, aggregations or less frequent data deliveries. Statistics Norway assesses that there are no conditions in the bong data that indicate limitations in secondary use. 3.5 The assessment of privacy consequences The Norwegian Data Protection Authority has received two assessments of privacy consequences (DPIA) from Statistics Norway, one dated 27.01.2021 and the other from the period October 2021 to June 2022. The first assessment relates to the completed development project where testing has been carried out out the use of bong data, while the second assessment concerns the planned treatment. The Norwegian Data Protection Authority nevertheless considers several of the assessments in the privacy impact assessment to be dated 27.01.2021 as relevant for the planned use of bong data. On page 4 of the assessment from 27.01.2021, it is explained why a need has been identified for such a privacy impact assessment: "Data from the grocery chains contains detailed information about which products are purchased, location and time. Bank transaction data includes all purchases with debit cards, of all types, in addition to the location and time of transaction. In that these two sources are linked to bank account and bank account owner, it will be possible to do compilations so that we can link individuals to both time, place and what these are buyer of goods and services. The potential to be able to make such connections suggests that the data is considered to contain personally identifiable and sensitive information, and they must be dealt with accordingly". Furthermore, it appears on page 6 et seq. that information will be collected on virtually everyone grocery purchases for the entire Norwegian population, and the data must be stored permanently. The registered persons cannot exercise their rights either, as exceptions to these have been made the rights in the regulations. As regards how the processing will be perceived from the data subject's point of view, it appears the following on pages 10 and 11: “The data described in this DPIA contains directly identifiable personal data. It must be assumed that the registered person experiences this as intrusive and basically offensive. We are talking about large amounts of data that apply to information that does not exist in it public records. This means that those to whom the information applies are neither prepared or have an expectation that this information will be collected and processed by one public authority. However, the data subject is aware that the information is registered and is available to the grocery chains. 7 In our opinion, the privacy disadvantage consists of perceived discomfort when a public authority sits on this type of information which is perceived by many to belong to it private sphere. Correspondingly, it can be experienced as a disadvantage for traders, among others otherwise based on competitive assessments. The privacy disadvantage increases when the information is compiled with other sources. Receipt data for persons are planned to be linked with account holder information from the tax authorities and transaction data from banks, as well as the household register. The disadvantages described above are partially remedied by general security measures that apply to everyone processing of statistical information in Statistics Norway. In addition, SSB's special security measures that have been established for this data in particular. It is also emphasized that the purpose is the development of statistics, that the processing is regulated in the Statistics Act, and that information about the individual registered shall not be processed separately'. 3.6 Legal assessment from Statistics Norway Statistics Norway has sent an undated assessment prepared by Advokatfirmaet Schjødt AS at lawyers Eva Jarbekk and Inge Kristian Brodersen, with the heading "The principle pages when collecting detailed information about individual citizens - the relationship with the Constitution and the ECHR and the requirement for proportionality'. The assessment states, among other things, the following: "Even if the statutory power of attorney in section 10 of the Statistics Act is not considered to be contrary to basic human rights, the specific use of the authority is assessed in each individual case. Statistics Norway believes that legally regulated purpose/use limitation and the data minimization measures that have been implemented to a sufficient extent reduces the inconvenience for the individual, so that the treatment is considered not to be in breach with Section 102 of the Constitution or Article 8 of the ECHR. Special reference is made here to the fact that Bong data is not at any time stored or processed with personal identifiers characteristic, that bong data is only handled aggregated at group level (in reality a two- dimensional aggregation in that bong data is aggregated on different product groups and collated with households aggregated to different socio-social groups). The result of the link are anonymous statistics”. According to this, Statistics Norway believes that the established data minimization and security measures i sufficiently takes care of both the grocery chains and the customers. SSB still wants to to further develop new methods and tools that can further reduce the privacy disadvantage. 4. Relevant legal rules The Norwegian Data Protection Authority monitors compliance with the privacy regulations, cf. Article 57 of the regulation and § 20 of the Personal Data Act. Below, we will explain the legal rules that we believe are relevant in the present case. 84.2 The right to privacy 4.2.1 Privacy as a human right Everyone has the right to protection of their privacy. This is a right protected by the European the Human Rights Convention (ECHR) as well as a constitutional right. A central part of the dish to privacy is the right to protection of one's personal data. The ECHR has been made Norwegian law through the Human Rights Act of 1999. In the ECHR article 8 no. 1 it appears that "[e]veryone has the right to respect for his private life and family life, his home and his correspondence". Furthermore, Article 8 no. 2 of the ECHR states that interventions in citizens' privacy must be "in accordance with the law". The intervention must be necessary in a democratic society for reasons of importance societal interests. The right to privacy is recognized as a central human right by being taken into Section 102 of the Constitution, where it is stated, among other things, that "[e]veryone has the right to respect for his privacy and family life, one's home and one's communication" and that "[t]he state authorities shall ensure protection of personal integrity". As regards the relationship between the human right to privacy and the privacy regulations, we also refer to the preparations for the Personal Information Act, Prop. 56 LS (2017-2018), point 6.4. Here it appears on page 34: "In its practice, the EMD has assumed that public authorities' storage of personal data that is linked to private life within the meaning of the provision constitutes a intervention in the court pursuant to ECHR article 8 no. 1, see Amann v. Switzerland 16.2.2000 [ECHR- 1995-27798] paragraph 65 and S. and Marper v. Great Britain 4.12.2008 [EMD-2004- 30562] section 67”. That public authorities' collection and storage of personal data is an intervention in itself itself is therefore indisputable and must be the basis for the assessment of any privacy intervention. 4.2.2 The principle of legality In a democratic society, legal certainty is a central foundation. It is a fundamental principle in a democracy that the state does not interfere with citizens without authority. This is called the principle of legality and is anchored in § 113 of the Constitution, which specifies that "[t]he authorities' intervention against the individual must have a basis in law". As mentioned above, the ECHR also states article 8 no. 2 that interventions in citizens' privacy require sufficient authority. Such protection in the form of legal protection against arbitrary and unpredictable interventions is an important guarantee of legal certainty. The requirement for the clarity of the law is tightened in line with the size of the intervention. The most serious the interventions must be based on law rather than regulations or administrative decisions. In case of significant intervention in the citizens' legal sphere, it must be clear from the wording of the law that the intervention is covered of the relevant statutory provision. Enshrining privacy intrusions in the legal text itself creates 2In the personal protection regulation, this is expressed through article 6 no. 3, see point 4.6 below. 9 greater predictability for the general public, and laws are adopted through a thorough democratic process process where trade-offs between the individual's privacy and the state's need for processing of personal information must be done. In Section 113 of the Constitution, there is a further requirement that there must be intervention towards the citizens necessary to fulfill legitimate purposes. This means that an intervention in privacy must have a useful value for society. The requirements for legal regulation are also evident from our human rights obligations according to Den the international convention on civil and political rights (SP), which has been made Norwegian law through the Human Rights Act from 1999. In Norwegian law, it is assumed that national legislation is in line with our international obligations in the area of human rights. 4.3 The principle of data minimization The basic principles for processing personal data are set out in Article 5 of the Personal Data Protection Regulation. Particularly central to this case is the principle of data minimization. The principle of data minimization appears in the personal data protection regulation article 5 no. 1 letter c, according to which personal data must be "adequate, relevant and limited to what is necessary for the purposes for which they are processed”. According to the principle of data minimization, it is not sufficient that it is practical or desirable to process personal data; the processing must be necessary for the purpose to be achieved. The requirement of necessity will naturally become more stringent the greater the invasion of privacy. The principle of data minimization also includes an overarching assumption that the processing of personal data contributes to achieving a specific purpose. The purpose description will be that natural starting point for assessments of the utility value of a treatment. The more the more invasive the measure, the greater the requirements for the purpose description and a documented usefulness of the measure. 4.4 The concept of personal data The term personal data is defined in the Personal Data Protection Regulation Article 4 No. 1 as "any information about an identified or identifiable natural person (the registered"); an identifiable natural person is a person who directly or indirectly can is identified, in particular by means of an identifier, e.g. a name, a identification number, location information, an online identifier or one or more elements that are specific to said natural person's physical, physiological, genetic, mental, economic, cultural or social identity". Paragraph 26 of the regulation states: "When determining whether a natural person is identifiable, everyone should be taken into account means that it can reasonably be thought that the data controller or another 10 person can use to identify the person concerned directly or indirectly, e.g. designation. To determine whether funds can reasonably be expected to be used to identify the natural person, all objective factors should be taken into account, e.g. the cost of and the time necessary to make the identification, when it is taken taking into account the technology available at the time of processing, as well as the technological development". 4.5 Legal basis 4.5.1 The Personal Data Protection Regulation Any processing of personal data must have a legal basis to be legal. The Personal Protection Regulation Article 6 No. 1 provides an exhaustive overview of which legal grounds (authorities) that may be the basis for processing personal data - and thus an intervention in privacy. Article 6 no. 1 letter c (fulfilment of a legal obligation) and e (exercise of public authority or performance of a task in the public interest) are the most relevant the provisions for the cases where public authorities intervene in citizens' privacy. When applying the above-mentioned authorities, there must be an additional authority in national law or in EU law that imposes duties or tasks on public authorities. This follows from Article 6 No. 3 of the Personal Protection Ordinance and is described as supplementary legal basis. 4.5.2 The Statistics Act Statistics Norway's tasks and area of authority are regulated in the Statistics Act with regulations. SSB access to order other businesses to hand over information for statistical purposes is regulated in Section 10 of the Statistics Act. The provision reads: "1) Anyone must, without being hindered by the duty of confidentiality and by order from Statistics Norway provide information that is necessary for the development, preparation or dissemination of official statistics. The duty applies to information about the person obliged to provide information and others information over which the person obliged to provide information has the right to dispose of it. A deadline can be set to provide information. Confidentiality as mentioned in the Criminal Procedure Act § 119 first and second paragraph and the Disputes Act section 22-5 first paragraph precede the obligation to provide information according to the first dot. (2) Statistics Norway can issue regulations on the obligation to provide information and order obligation to provide information in individual cases. (3) Information can be refused to be disclosed in accordance with the first paragraph when an exception is required for reasons to national defense and security interests or police crime-fighting business. (4) Statistics Norway may determine the manner in which the information is to be provided and which documentation must be included. No remuneration can be required for this costs of fulfilling the obligation to provide information. 11 (5) Before Statistics Norway decides to impose an obligation to provide information, there must be a assessment of the usefulness of receiving the information, weighed against the costs for it subject to disclosure and how invasive the treatment is considered to be for it the information applies. The assessment must be made public. (6) The Ministry may issue regulations on the obligation to provide information pursuant to this provision, among other things about limitations in the obligation to provide information". In the preparations for the Statistics Act, Prop. 72 LS (2018-2019), the relationship with the Constitution and ECHR and the right to privacy discussed. It appears in point 5.1.4.8 on pages 41 and 42: "The special regulation in the Personal Data Protection Regulation on the processing of personal data to among other things, statistical purposes, see below, indicate that this type of treatment is considered as minimally invasive. Article 5 of the Personal Data Protection Regulation deals with the principles for the processing of personal data. It follows from article 5 no. 1 letter b that further processing of personal data for archival, research or statistical purposes in accordance with article 89 no. 1, shall be considered compatible with the collection purpose. Furthermore, it follows of recital 50 that the data controller does not need a new legal basis to further process personal data for compatible purposes. The Personal Data Protection Regulation Article 5 no. 1 letter c establishes the principle of data minimization, which implies that personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. The ministry indicates that the personal data to be provided according to the proposal are relevant and necessary for that Statistics Norway must be able to develop, prepare or disseminate statistics as it pleases be covered by the national statistics programme. (…) Statistics Norway's collection of personal data will also constitute an intervention in the right to privacy according to Section 102 of the Constitution and Article 8 of the ECHR. The processing is then only permitted if it has sufficient authority, pursues a legitimate purpose and is proportionately. For a general discussion of these requirements, reference is made to Prop. 56 LS (2017–2018) point 6.4. As it appears there, Section 102 of the Constitution has clear similarities with Article 8 of the ECHR, and must be interpreted in the light of this, cf. Rt-2015-93. It is not evidence that Section 102 of the Constitution sets stricter requirements than Article 8 of the ECHR legal basis for processing personal data. Statistics Norway can follow The proposal collects a large amount of personal data. According to the Ministry's assessment is this necessary for the agency to be able to fulfill its societal task of developing, prepare and disseminate official statistics. This is a legitimate purpose. Statistically centralbyrå must process the information in a reassuring manner and only for them the purposes mentioned in the bill § 10. Further processing of information is discussed in chapters 6 and 7.2. The ministry also refers to the discussion in chapter 4 of statistical confidentiality, non-disclosure and information security. On this background consider the ministry the proposal for a statutory provision as proportionate. 12 According to the ministry's assessment, the proposal meets the requirements of Section 102 of the Constitution and Article 8 of the ECHR". 4.6 Requirements for the supplementary legal basis Article 6 no. 3 of the Personal Protection Regulation contains several additional requirements the legal basis. The supplementary legal basis – whether it is a legal authority, a regulation or an administrative decision – must therefore meet certain criteria. According to Article 6 No. 3, it must be clearly stated that the processing of personal data is necessary to carry out a publicly beneficial task or exercise public authority. Furthermore, it is required that the supplementary legal basis must "meet an objective in the public interest interest and stand in a reasonable relationship to the legitimate aim sought to be achieved". It is laid i.e. up to a proportionality assessment, to which the intervention in privacy must be in relation to the social good that is achieved. The preamble to the Personal Data Protection Regulation in many cases provides guidance for the specifics the provisions of the regulation, including Article 6 No. 3. Although a supplementary legal basis does not have to be in the form of a law, it appears from recital 41 that the legal basis should be "clear and precise". It further states that the application of the legal basis should be predictable for citizens. The requirements for the supplementary legal basis are discussed by the Ministry of Justice and Emergency Preparedness in the preparations for the Personal Data Act, Prop. 56 LS (2017-2018). Section 6.3.2 states: "It follows from recital 41 that "when this regulation refers to a legal basis or a legislative measure, this does not necessarily require one regulatory act adopted by a parliament'. In the ministry's view, it must be added reason that in any case statutory and regulatory provisions may constitute supplementary legal basis. The Ministry assumes that also decisions made in accordance with law or regulations are covered, as there is also a legal or regulatory basis in these cases". However, this is nuanced in the following: "If the processing of personal data constitutes an intrusion into the right to privacy according to Section 102 of the Constitution or Article 8 of the ECHR, it may however be necessary a more specific legal basis for the processing than the wording of the regulation can indicate. It also follows expressly from recital 41 that there should be a legal basis "clear and precise, and its application should be predictable to persons who covered by it, in accordance with the case law of the Court of Justice of the European Union (the "Court") and the European Court of Human Rights. In other words, must the regulation's requirement for a supplementary legal basis for the processing is interpreted and applied in line with the human rights requirements for a legal basis for interference with the right to privacy. This means that a closer assessment of the legal basis must be made and the treatment, where, among other things, emphasis must be placed on how invasive 13 the treatment is. Depending on the circumstances, the outcome of such an assessment may be that a more specific basis than what might appear to be the minimum requirements is required the wording of the regulation". In point 6.4 of the preparatory work it also appears: "At the same time, there is no doubt that the regulation's general rules, possibly i combination with a supplementary legal basis that only meets the minimum requirements according to the wording in Article 6 no. 3, will not always provide a sufficiently specific legal basis or necessary guarantees in line with the Constitution and the ECHR. It will then be necessary to design more specific legal bases and additional guarantees in national law, and that will i in many cases be necessary with express authority in special legislation. In other words, the regulation must be interpreted and applied in light of the Constitution and the ECHR. (...) The requirements in the Constitution and the ECHR on the legal basis for invasion of privacy can in the circumstances imply that the supplementary legal basis must contain such more specific provisions that Article 6 nos. 2 and 3 allow for. What is required of the supplementary legal basis, cannot be answered in general, but must be decided according to one concrete assessment". The European Court of Justice states the following in case C-175/20 in section 83: "In this regard, it is nevertheless noted that the legislation which forms basis for the processing, in order to fulfill the requirement of proportionality, such as Article 5, item 1, letter c) (…) is an expression of (…), must lay down clear and precise rules, where regulates the scope and application of the measure in question, and which lays down minimum requirements, so that the persons whose personal data are affected prevail over sufficient guarantees, which make it possible to effectively protect this information against the risk of abuse. This legislation must be legally binding in national law and in particular state, under what circumstances and on what conditions that may a measure is adopted on the processing of such information, whereby it is ensured, that the intervention is limited to what is strictly necessary'. For Norway as an EEA member, the practice of the EU Court is not directly binding. Legal practice from the European Court of Justice will still have significance in the area of privacy as it is a basic assumption that the rules of the Personal Data Protection Regulation are understood and practiced equally throughout EU/EEA. 5. The Norwegian Data Protection Authority's sanctioning authority The Norwegian Data Protection Authority's authority to impose administrative sanctions is regulated in the privacy the regulation, article 58. Article 58 no. 2 states which corrective measures the supervisory authority can take adopt. The relevant parts of the provision read: 14 «2. Each supervisory authority shall have the authority to decide on the following corrective measures measures: a. issue warnings to a data controller or data processor that they the planned processing activities are likely to be in breach of the provisions of this regulation, (…) d. instruct the controller or data processor to ensure that the processing activities take place in accordance with the provisions of this regulation and, if relevant, in a specific manner and within a specific deadline, (…) f. introduce a temporary or permanent restriction of, including a ban on, treatment". 6. The Norwegian Data Protection Authority's assessment 6.1 Assessment of the size of the privacy intrusion If privacy is to be encroached upon, it is a requirement according to both our human rights laws obligations under the ECHR, the Constitution and the privacy regulations that a thorough investigation is carried out assessment of the proportionality of the measure that constitutes the intervention. The disadvantages of citizens in that personal information about them is collected must be weighed against that of the authorities need for personally identifiable data to provide citizen services and carry out their duties. We emphasize again that an invasion of privacy already occurs during the actual collection of personal data and not until the data is further processed. The European one In the cases Amann v. Switzerland (case 1995-27798) and S. and Marper v. United Kingdom (Case 2004-30562) clearly established that states intervene against the citizens already when collecting personal data as such. 3 In the response to the notice of decision and in dialogue with us, Statistics Norway has stated that the Norwegian Data Protection Authority is wrong when we refer to SSB as "the state". In addition, we would like to note that Statistics Norway is a public authority, financed through the state budget. Although SSB is an independent body, SSB is still a part of the state apparatus. In our view, there is no doubt that Statistics Norway falls under the term "the state", although that term may be imprecise. In any case, the use of the term "the state" has not had significance for our assessments in the case. The Norwegian Data Protection Authority recognizes the societal benefit of consumption and diet statistics. For example dietary statistics are the basis for national public health work. We see that data with the same quality that cannot be obtained from other sources, for example the consumers themselves. Statistics on a area like this is undoubtedly a legitimate and socially beneficial purpose. We have also noticed that SSB has good internal routines and systems for fast pseudonymisation and aggregation of data, strict internal access management, etc. SSB is good equipped to also handle bong data in a reassuring manner internally. Statistics Norway has stated that an important consideration behind the collection of bong data is development work that can lead to quality improvement and future data minimization through more precise data extraction, etc. 3 See also ECJ cases C-293/12 and C‑594/12, https://eur-lex.europa.eu/legal- content/en/TXT/?uri=CELEX:62012CJ0293. 15As we understand it, however, the utility value of the development work will be unknown at the time when the data is collected. We cannot therefore attach decisive importance to the objective of future data minimization. Bong data in itself does not contain any personal data, but the bong data must be linked transaction data, which makes it possible to link the information to an individual. The connection takes place with relatively simple means for SSB and within a short time after they The continuously streamed data is received at SSB. The Danish Data Protection Authority is therefore of the opinion that the right thing is to consider the bong data as personal data already from the time the collection takes place, cf. point 26 of the Personal Data Protection Ordinance. In all cases will the bank data will be personal data as soon as the link to transaction data has been made internally at SSB. It is thus the intervention of the collection of bong data that must be assessed in this case. The planned collection of bong data for statistics involves the processing of enormous amounts amounts of transactional data about a significant part of the population. It is also a brand new one form of data collection by the authorities from private actors. SSB as public authorities will gain completely new knowledge about which grocery purchases a large majority of Norwegians make the population does in real time. The citizens cannot be said to have any expectation that a public authorities will receive information about which groceries they buy from a completely private company prosecutor. Statistics Norway also points out that the average citizen will not be able to predict that the state will collect information about their purchases of groceries. The individual data subjects have no real opportunity to oppose the collection of personal data, except through trading with cash and avoiding the big ones the grocery players. Nor do those registered receive targeted and individual information that the collection takes place, as public authorities can typically make use of the data the exceptions from the obligation to provide information according to the personal protection regulations. 4 It is therefore of less importance for our assessment of the size of the privacy intervention that Statistics Norway's mandate is the production, dissemination and development of statistics, which in itself is not linked to individuals. Whether the intervention is proportionate based on, among other things purpose considerations, is another consideration. The relationship with Section 102 of the Constitution and Article 8 of the ECHR is affected in the preparations for the Statistics Act. The Ministry of Finance's assessment here is that section 10 of the Statistics Act in itself is not contrary to the requirements of Section 102 of the Constitution and Article 8 of the ECHR and that statistics must generally be considered small interfering with privacy. At the same time, the ministry also emphasizes that the individual interventions in privacy must be proportionate to the social good that is achieved. The Norwegian Data Protection Authority believes that there are weaknesses in the specific privacy impact assessments which Statistics Norway has carried out. In the description of the privacy intervention seen from the point of view of the data subjects, refers 4 See the Personal Data Protection Ordinance, Article 14 No. 5 letter c. We do not go into the assessment of whether this specific the collection is "expressly provided for in Union law or the national law of the Member States". 16SSB to a "perceived discomfort". This may indicate a lack of understanding of the concept of privacy, privacy as a fundamental right and the value of good privacy. Privacy as a societal value is a matter of trust and values. The assessments of which personal data it is necessary for a public authority to process must therefore considered in a broader perspective. Information security and other remedial measures are important measures, but they do not reduce the size of the privacy intervention itself; the the fundamental breach of privacy is the same regardless of how Statistics Norway handles the data further. We also refer here to the fact that the intervention in privacy is already taking place collection of personal data, cf. the decisions of the European Court of Justice and the European Court of Human Rights mentioned above. As a data protection authority, we also believe that the Ministry of Finance's conclusion in the preparatory work to the Statistics Act stating that processing for statistical purposes should generally be considered to be small invasive is too unvarnished. The data collection that forms the basis for the preparation of statistics can constitute a significant intrusion into data subjects' privacy. Although the end result are anonymous statistics, large amounts of personal data could be processed by a government body (SSB) in the process. In this case, the dietary statistics are requested by the health authorities, and The consumption statistics will be of much better quality if bong data is used. The statistics must is based, among other things, on information about which grocery purchases individual individuals make, such as Statistics Norway will get through bank data combined with transaction data. As stated above, this is a completely new data collection from private actors, and there is agreement that citizens cannot expect or anticipate that a public authority will do this the type of data collection. Although Statistics Norway has good internal processes and measures for pseudonymisation and screening of personal data, and the data must be quickly aggregated, the underlying raw data (voucher data and transaction data) remain available at Statistics Norway for at least a two-year period. The means that the intervention persists, even if the statistical product is anonymous and only pseudonymous data is used in the development work. The Norwegian Data Protection Authority is of the clear opinion that the privacy intrusion when collecting Bong data is very large. It must be questioned whether it is necessary for Statistics Norway to collect these the data to carry out its social mission. We believe that the intervention cannot be considered as proportional if the purpose can be achieved in a sufficiently good way through others, less invasive means. An important factor in this specific weighing will be the achievement of SSB's objectives. The Norwegian Data Protection Authority believes that, after a concrete assessment of the proportionality of the privacy intervention, one must accept that not all statistical purposes can be fully achieved. In such cases it is necessary to accept that data must be collected from other sources with the consequence that the statistics get a lower level of precision and quality. In this matter, we believe that Statistics Norway's mandate to utilize new, digital sources to prepare and developing statistics on the one hand, and the encroachment on privacy on the other, is i 17 conflict. Privacy is not an absolute right, but there is still an outer limit to which interference with privacy that can be accepted. In a case like this, the right to privacy is primarily about trust in the public sector Norway, and less about the fear of misuse of personal data. In our view, the core of the assessment of the privacy intervention in this case what is necessary for the public authorities to know about the individual citizen. Public authorities have enormous amounts of data about citizens through various socio-economic registers and health registers. Through social security numbers, this data can be linked up against each other. The result of such connections is something more than just the sum of the individual parts the information; it can give a more or less complete picture of a single individual's life from cradle to grave. Public Norway has exclusively a mandate and authority that is linked to good purposes and objectives, be it crime fighting, public health, good welfare services or other. In many cases, it is absolutely essential to treat personal data to perform public tasks. The Norwegian Data Protection Authority believes that it is still possible limit on which data public authorities can process about individuals, even there the purpose is good. It is at the core of the Norwegian Data Protection Authority's tasks as a supervisory authority to assess where this boundary is to be drawn. A serious, long-term consequence of disproportionately large intrusions into privacy can be weakened trust in public authorities and lower willingness to share data with the public; it the so-called cooling effect. Ultimately, this can affect the view of Norway as democratic society. We would like to point out that both the Norwegian Data Protection Authority and Statistics Norway have received many negatives reactions from individuals in this case. 6.2 Statement of purpose and data minimization In the cost-benefit assessment, Statistics Norway has made an assessment of whether bong data are necessary and relevant information for the purposes, cf. the principle of data minimisation. Here SSB states that different forms of selection of bong data probably could have been sufficient for some of them relevant statistical purposes. When it comes to development work, however, will not sample surveys, aggregations or less frequent data deliveries are sufficient. Statistics Norway has therefore itself pointed out that the assessment of necessity will be different for the different people the purposes. Furthermore, statistics production and method development are two different processes, although statistical production is based on methods that have been developed using the basic data. In our view, this illustrates the weaknesses of the necessity assessment that has been carried out. The need for complete bong data for development purposes plays into the assessment that SSB considers the collection necessary - also for the purpose of producing statistics. 18 Against this background, it appears clear to the Norwegian Data Protection Authority that the production/dissemination of statistics and development work must be defined as different processing purposes in the Personal Data Protection Regulation understanding. Nor can we see that Statistics Norway has assessed the dietary statistics and the consumption statistics separately. These are different forms of statistics that have different purposes, underlying considerations and societal functions. As a result, the necessity assessment will be able to beat also different for the two forms of statistics. The Danish Data Protection Authority has chosen not to go into further detail in the assessment of the necessity of the bong data the purposes. In this supervisory case, we have chosen to concentrate on the assessment of that supplementary legal basis for the collection of bong data, cf. point 6.3 below. It may nevertheless there is a need to make a thorough assessment of necessity at a later stage. 6.3 The supplementary legal basis Through Section 10 of the Statistics Act, Statistics Norway has been given almost a blank authorization to make decisions or adopt regulations on the obligation to provide information. Section 10 of the Statistics Act is thus a framework provision which presupposes that the detailed access to process personal data is determined in a other legal basis. Statistics Norway's processing of personal data must nevertheless be in line with the privacy regulations. In the preparations for the Personal Data Act, Prop. 56 LS (2017-2018), it appears that a administrative decisions can constitute a supplementary legal basis in the personal data protection regulation understanding. Whether an administrative decision is considered a sufficiently clear and predictable legal one basis must, however, be assessed concretely. In this case, Statistics Norway has decided to obtain enormous amounts of information about Norwegians consumers' grocery purchases. The Norwegian Data Protection Authority believes that the privacy intrusion by the decisions is considerably larger than what Statistics Norway seems to have assumed. That the collection of bong data is done for statistical purposes is of secondary importance in this assessment as the intervention itself i privacy already occurs at the time of data collection. As we assume that the breach of privacy when collecting bong data is very large, this sets stricter requirements for the supplementary legal basis, cf. the Personal Data Protection Ordinance article 6 no. 3. Section 10 of the Statistics Act stipulates that Statistics Norway itself shall carry out the cost-benefit assessment and determine individual decisions, possibly adopting regulations, on the obligation to provide information. From what we know, it is unusual for such an extensive collection and processing of personal data to which this case applies is based on administrative decisions as supplementary legal basis. For comparison, we will refer to the system established for medical and healthcare professionals research projects. In medical and healthcare research, decisions on exemption from confidentiality and/or ethical approval decisions are the basis for the processing. In these In the 19 cases, the assessment of whether data should be used for research is added to an external one third party (respectively the Norwegian Directorate of Health and the regional committees for medical and health research ethics, REK) and not to the institution responsible for the research. Medical and healthcare research usually involves handling large amounts of health data and other personal data. The third-party assessment is considered a guarantee for safeguarding the research participants' rights and interests. The regional ethics committees can for for example, set conditions for the collection, storage and use of data. It appears in the letter of 23 January 2023 that Statistics Norway considers this comparison to be a external considerations. Statistics Norway points out that the Storting has adopted the Statistics Act without it is set up for an external third-party assessment and that this type of arrangement is therefore not possible is given weight in the case. We nevertheless believe that extensive processing of personal data pursuant to administrative decisions are so unusual that the comparison above is not irrelevant to ours assessment. As there is no external third-party assessment, and the Statistics Act § 10, which sets the framework, is so broadly designed, the Norwegian Data Protection Authority's control function will be the same more important. A natural consequence of SSB's purpose and social mission is that they must facilitate for performance of the tasks assigned to them in the best possible way. Statistics Norway's operations are also regulated partly of strategic guidance nationally and internationally. In highly invasive treatments of personal data, it is therefore particularly important that the privacy impact assessment which is the basis for the processing of personal data is good. As mentioned in point 6.1, we believe that the assessments made by Statistics Norway in connection with collection of bong data are lacking. As a consequence, the process harmonises towards Statistics Norway's decision on the obligation to provide information does not meet the requirements of the privacy regulations. The ratings that is settled against the principle of data minimization in the personal protection regulation article 5 no. 1 letter c and the principle of purpose limitation in letter b are not good enough in our view. This means that it is not possible to make a fully sound proportionality assessment, like this the privacy regulation article 6 no. 3 requires. For Statistics Norway's operations, Statistics Norway alone can assess and decide that data should be collected. Any actor, private as well as public, may be required to hand over personal data on a large scale. Decisions on the obligation to provide information can be appealed to the Ministry of Finance, but we consider that such complaint handling has a different function than an external third-party assessment at a business with purposes other than just the preparation and development of statistics. The Norwegian Data Protection Authority has assumed that the invasion of privacy when collecting Bong data is very serious large. We believe that an administrative decision made by Statistics Norway pursuant to section 10 of the Statistics Act does not is a sufficiently clear and predictable legal basis for such extensive processing. Statistics Norway's decision also does not provide sufficient guarantees for those registered for such an intervention processing such as collection of bong data. We believe that this view has support in 20 wording of the Personal Data Protection Ordinance, the preparations for the Personal Data Act and case law from ECtHR and the European Court of Justice. The Norwegian Data Protection Authority is therefore of the opinion that Statistics Norway's decision on the obligation to provide information to the grocery operators do not meet the requirements of the supplementary legal basis i the personal protection regulation article 6 no. 3. 6.4 Conclusion: Decision on banning the processing of personal data The Norwegian Data Protection Authority has come to the conclusion that Statistics Norway's decision on the obligation to provide information to the grocery operators NorgesGruppen ASA, Coop Norge AS, Rema 1000 AS and Bunnpriskjeden, comprised of authority in Section 10 of the Statistics Act, does not meet the requirements for a supplementary legal basis i the personal protection regulation article 6 no. 3. We have therefore decided to adopt a ban on the processing of personal data in the form of bong data, cf. the personal data protection regulation article 58 no. 2 letter f. 7. Right of appeal This decision can be appealed within three weeks after you have received this letter, cf. Sections 28 and 29 of the Administration Act. A possible complaint is sent to the Norwegian Data Protection Authority. If we uphold our decision, the case will be sent to the Norwegian Personal Protection Board for complaint processing, cf. Personal Data Act § 22. With best regards Line Coll director Susan Lie legal professional director The document is electronically approved and therefore has no handwritten signatures Copy to: STATISTICS CENTRAL BYRÅ, Thorleiv Valen 21