Datatilsynet (Norway) - 22/03622: Difference between revisions
No edit summary |
m (→Facts) |
||
Line 81: | Line 81: | ||
The various interactions clarified that SSB had instructed the main grocery chains in Norway (Rema 1000, NorgesGruppen, Coop and Bunnpris, accounting for about 99% of the Norwegian grocery market) to start submitting purchase transaction data ("bongdata" in Norwegian) to them on a regular basis, including: | The various interactions clarified that SSB had instructed the main grocery chains in Norway (Rema 1000, NorgesGruppen, Coop and Bunnpris, accounting for about 99% of the Norwegian grocery market) to start submitting purchase transaction data ("bongdata" in Norwegian) to them on a regular basis, including: | ||
name of item | |||
price per item | * name of item | ||
total amount of the receipt | * price per item | ||
payment method | * total amount of the receipt | ||
amount per payment method | * payment method | ||
start and end time of the purchase | * amount per payment method | ||
ID of returns | * start and end time of the purchase | ||
ID for terminated purchase | * ID of returns | ||
ID of offers/discounts | * ID for terminated purchase | ||
* ID of offers/discounts | |||
The data would be reported directly from their point of sale systems so that SSB would receive the data continuously. Purchased items would be classified into product groups and consumers would be classified by size and type of household, income, level of education and country region. This would be contingent on a connection to transactional data/bank account number and then birth date. | The data would be reported directly from their point of sale systems so that SSB would receive the data continuously. Purchased items would be classified into product groups and consumers would be classified by size and type of household, income, level of education and country region. This would be contingent on a connection to transactional data/bank account number and then birth date. | ||
SSB's legal basis for the processing is the Statistics Act § 10 Duty to provide information, which states that "any person must provide the data that are necessary to develop, produce or disseminate official statistics if so ordered by Statistics Norway". The purpose of the intended processing is to develop, produce and disseminate official statistics as per the Statistics Act, and SSB considers the processing to be necessary. | SSB's legal basis for the processing is the [https://www.ssb.no/en/omssb/ssbs-virksomhet/styringsdokumenter/statistikkloven/_/attachment/inline/15f00d0d-322a-4b96-bfcb-a0159f76e2c2:165eaa37f1aae978f2a570066c4ad86830ae2094/Statistikklov_ENGELSK_red29des2020.pdf Statistics Act] § 10 ''Duty to provide information'', which states that "any person must provide the data that are necessary to develop, produce or disseminate official statistics if so ordered by Statistics Norway". The purpose of the intended processing is to develop, produce and disseminate official statistics as per the Statistics Act, and SSB considers the processing to be ''necessary''. | ||
During the investigation, SSB shared two data protection impact assessments (DPIA) with the DPA, one dated 27 January 2021 and the other from the period October 2021 to June 2022. | During the investigation, SSB shared two data protection impact assessments (DPIA) with the DPA, one dated 27 January 2021 and the other from the period October 2021 to June 2022. | ||
Line 102: | Line 103: | ||
The DPA also notes that SSB's assessments are inadequate and their impression is that SSB has an insufficient understanding of the concept of personal data protection, privacy as a fundamental right and the value of adequate privacy. | The DPA also notes that SSB's assessments are inadequate and their impression is that SSB has an insufficient understanding of the concept of personal data protection, privacy as a fundamental right and the value of adequate privacy. | ||
Based on Article 58(2)(f), the DPA held that Statistics Norway does not have a sufficient supplementary legal basis as per Article 6(3) to process the personal data as intended, and consequently imposed a ban on the processing. | Based on [[Article 58(2)(f)]], the DPA held that Statistics Norway does not have a sufficient supplementary legal basis as per [[Article 6 GDPR|Article 6(3)]] to process the personal data as intended, and consequently imposed a ban on the processing. | ||
Statistics Norway has three weeks (until 19 December 2022) to provide comments to the DPA before they make their final decision. | Statistics Norway has three weeks (until 19 December 2022) to provide comments to the DPA before they make their final decision. |
Revision as of 08:33, 1 December 2022
Datatilsynet - 22/03622 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 5(1)(c) GDPR Article 6(3) GDPR Article 58(2)(f) GDPR Statistikkloven (The Statistics Act, in English) Statistikkloven (The Statistics Act) |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 01.05.2022 |
Decided: | 28.11.2022 |
Published: | 30.11.2022 |
Fine: | n/a |
Parties: | Statistisk sentralbyrå (Statistics Norway) |
National Case Number/Name: | 22/03622 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Norwegian Norwegian |
Original Source: | Datatilsynet (the Norwegian DPA) (in NO) Datatilsynet (the Norwegian DPA) (in NO) |
Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA has notified the national statistical institute of an intention to ban their planned real-time mass-processing of nearly all purchase transactions in the country, including linkage to bank accounts and birth dates, for the purpose of providing official statistics.
English Summary
Facts
In May 2022, the Norwegian DPA Datatilsynet was approached by a grocery chain and a payment transaction provider regarding an instruction the former had received from Statistics Norway (SSB), the national statistical institute, to submit purchase transaction data to them. The DPA had also received several complaints and inquiries from private parties regarding this matter, and in June they asked SSB, by letter, to clarify. Following their reply, the parties had a meeting in August.
The various interactions clarified that SSB had instructed the main grocery chains in Norway (Rema 1000, NorgesGruppen, Coop and Bunnpris, accounting for about 99% of the Norwegian grocery market) to start submitting purchase transaction data ("bongdata" in Norwegian) to them on a regular basis, including:
- name of item
- price per item
- total amount of the receipt
- payment method
- amount per payment method
- start and end time of the purchase
- ID of returns
- ID for terminated purchase
- ID of offers/discounts
The data would be reported directly from their point of sale systems so that SSB would receive the data continuously. Purchased items would be classified into product groups and consumers would be classified by size and type of household, income, level of education and country region. This would be contingent on a connection to transactional data/bank account number and then birth date.
SSB's legal basis for the processing is the Statistics Act § 10 Duty to provide information, which states that "any person must provide the data that are necessary to develop, produce or disseminate official statistics if so ordered by Statistics Norway". The purpose of the intended processing is to develop, produce and disseminate official statistics as per the Statistics Act, and SSB considers the processing to be necessary.
During the investigation, SSB shared two data protection impact assessments (DPIA) with the DPA, one dated 27 January 2021 and the other from the period October 2021 to June 2022.
Holding
From the first DPIA, the DPA highlights a section describing that information about nearly all grocery purchases for the entire population of Norway would be collected, stored indefinitely, without allowing the data subjects to exercise their rights (because of exceptions in the national regulations). The DPA notes that SSB would receive extensive data more or less in real-time and with a high degree of accuracy, about every individual's grocery shopping, including where, how and what they purchased, for any purchase made at stores covering 99% of the Norwegian market (unless they paid by cash).
The DPA also notes that SSB's assessments are inadequate and their impression is that SSB has an insufficient understanding of the concept of personal data protection, privacy as a fundamental right and the value of adequate privacy.
Based on Article 58(2)(f), the DPA held that Statistics Norway does not have a sufficient supplementary legal basis as per Article 6(3) to process the personal data as intended, and consequently imposed a ban on the processing.
Statistics Norway has three weeks (until 19 December 2022) to provide comments to the DPA before they make their final decision.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
STATISTICAL CENTRAL BUREAU PO Box 2633 St. Hanshaugen 0131 OSLO Your reference Our reference Date 22/03622-10 28.11.2022 Notice of decision on banning the processing of personal data The Norwegian Data Protection Authority refers to previous contact and correspondence in connection with our control case linked to Statistics Norway's decision on the obligation to provide information in the form of handing over bank data for four grocery players. Statistics Norway (hereafter Statistics Norway) has ordered the players to transfer the bank data for the customers commodity transactions. The four players are NorgesGruppen ASA, Coop Norge AS, Rema 1000 AS and the Bottom Price Chain. 1. The proceedings The Norwegian Data Protection Authority became aware of the case through inquiries from NorgesGruppen ASA and the payment intermediary Nets Branch Norway in May 2022. The Norwegian Data Protection Authority has also received several complaints and inquiries from private parties in this matter. We sent a demand for an explanation to Statistics Norway on 02.06.2022. Statistics Norway answered our questions in a letter by 13/06/2022. On 29 August 2022, a meeting was held between the Norwegian Data Protection Authority and Statistics Norway on the occasion of the case. The meeting was reported. Draft minutes were sent to Statistics Norway on 01.09.2022, and Statistics Norway agreed comments on the minutes on 07/09/2022. The final report was sent to Statistics Norway on 21 September 2022. The Norwegian Data Protection Authority has also received copies of correspondence relating to NorgesGruppen ASA and Coop Norge AS' complains about Statistics Norway's decision on the release of bin data. As far as we know, the complaints are being processed by the Ministry of Finance as the complaints body. 2. Notice of decision Pursuant to the personal data protection regulation, article 58 no. 2 letter f, the Norwegian Data Protection Authority notifies the following decision: Postal address: Office address: Telephone: Org. no: Website: PO Box 458 SentrumTrelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1 0105 OSLO 0191 OSLO The Norwegian Data Protection Authority bans the processing of Bong data on the basis of a decision on obligation to provide information determined by Statistics Norway. There is no sufficient supplementary legal provision basis for the processing, cf. the personal data protection regulation article 6 no. 3. 3. More details about SSB's planned processing of bong data 3.1 The decisions on the obligation to provide information In the decisions on the obligation to provide information to the grocery operators, Statistics Norway states that bank data from the grocery trade is considered to be of great use for the production of official statistics which are important to society. Statistics Norway will produce statistics on consumption in Norwegian households and new statistics on diet. Furthermore, the data will be used to investigate the consumer price index and merchandise trade statistics can have bong data as a data base. Statistics Norway will also test and develop new methods to ensure even greater confidentiality in statistics production. The voucher data will include, among other things: product name price per item total amount on receipt method of payment amount per payment method start and end time for trading identifier on return identifier of completed trade identifier of the sale/offer Any customer loyalty numbers must not be reported. The voucher data must be reported as streamed data from the cash register systems, so that Statistics Norway receives it the data continuously. NorgesGruppen ASA and Coop Norge AS have appealed against the decisions on the obligation to provide information. SSB has maintained its decisions and forwarded the complaints to the Ministry of Finance on 04.10.2022 for complaint processing. 3.2 Statistics Norway's report to the Norwegian Data Protection Authority 3.2.1 Statement of purpose In the statement dated 13 June 2022, it appears that Statistics Norway considers the development, preparation and dissemination of official statistics as one processing purpose, as the tasks are set out in the Statistics Act. This interpretation appears from the legislative preparations, Prop. 72 LS (2018-2019), in the notes to the purpose provision in § 1 and to § 17 on SSB's tasks. Here is development, preparation and dissemination of official statistics referred to as one main purpose and one main task. Also in 2NOU 2018: 7 New Act on Official Statistics and Statistics Norway is stated in point 10.4 that: "Method development is an integral part of the work of producing statistics". Statistics Norway nevertheless points out that the assessment of necessity and the result of concrete data minimization will be able to turn out differently depending on whether the purpose is development or preparation of current statistics. 3.2.2 Consumption statistics Statistics Norway has explained what it wants to achieve by using bong data to produce consumption statistics. Voucher data will improve the quality of consumption statistics. The voucher data will be connected self-reported purchases (on the basis of consent), and it will be possible to correct for measurement errors in the self-report. The comparison will provide a basis for supplementing the statistics with improved uncertainty estimates. The production of statistics will also be made more efficient by classifying grocery purchases automatic. The methods for automatic classification have been developed with test voucher data from 2018. This has an impact on the quality of the statistics, but it will also have a great impact on the use of resources to prepare the statistics. Furthermore, the statistics on grocery consumption can broken down on far more levels than has been possible in the past. In addition, Statistics Norway will be able to gain valuable knowledge about the strengths and weaknesses of the various data sources, so that one can further develop the methods for estimating uncertainty and adjusting for biases. This is one of several possible analyses, which may in turn provide a basis for data minimization in the future statistics production. 3.2.3 Dietary statistics Since the beginning of 2020, Statistics Norway has investigated the possibilities for preparing new diet statistics based on information about which foodstuffs the Norwegian population buys from the largest the players in the grocery market. The work has been carried out in close collaboration with, among others The Norwegian Directorate of Health and the large grocery chains. Statistics Norway plans to publish official diet statistics based on information on sales food from grocery chains and information on the nutritional content of food obtained from others sources, based on test voucher data from 2018. From 2023, the diet statistics will be further developed with new bong data and information from other data sources, including information on households from registers SSB already uses in other statistical production. Access to all information that the grocery chains can supply (so-called full count) is as of today crucial for Statistics Norway to be able to produce dietary statistics. Complete data will provide basis for development work that may lead to future data minimization. This work will could not be done without obtaining data on all purchases, where one looks at occurrences in and variations between smaller groups. Statistics Norway also considers it necessary to use a full count for to observe basic statistical principles such as quality awareness, cost-effectiveness, relevance, accuracy and reliability. 33.3 Summary of the meeting between the Norwegian Data Protection Authority and Statistics Norway In the meeting, Statistics Norway explained its mandate, which is to develop, prepare and disseminate official statistics. Through political guidelines and assignment letters, Statistics Norway is required to look for and adopt new data sources as a basis for statistics, in addition to developing new methods for statistics production. Statistics Norway explained their work with consumption statistics, that is, statistics on what the country's households spend money on. The last survey was carried out in 2012. Statistics Norway has had problems with obtaining acceptable data quality as the survey has been based on volunteers reporting, with a significant task burden for the participants and high drop-out rates. Furthermore, have The Norwegian Directorate of Health expressed a need for dietary statistics as a basis for public health work, and Statistics Norway has an established collaboration with the grocery chains to develop a data basis. Barcode data is already collected today from, among other things, grocery chains for use in the consumer price index (CPI), but in an aggregated format. Furthermore, Statistics Norway has received bank data and bank transaction data in a development project where it was investigated whether bank data can be used for the desired purpose – consumption and diet statistics. In parallel with the collection of new bongdata, Statistics Norway will collect data through self-reports, where consumers, among other things, can scan receipts. SSB explained in more detail the planned processing of bong data internally at SSB. The goods which are purchased will be classified into product groups. Furthermore, consumers will be classified according to household size/type (about 10 groups in total) and other background variables, such as household income (grouped), level of education and region/region. This presupposes a link to transaction data/account number and then national ID number. All use of information, including linking bank data to bank transaction data and account number, is done with pseudonymous data, so that the individual receipt cannot be linked directly against an individual. The receipts as they are received are stored in the system as raw data, that is that is, without the link to the individuals who have made the purchases. Systems for access management has been established, and access to raw data is strictly regulated. In principle it is however, it is possible to make the connection again at a later time. For the further processing of the bank data internally at Statistics Norway, the individual transaction will therefore be aggregated at household group level. As the treatment is now planned and presented, you will not be able to follow an individual household over time - only household groups. Statistics Norway focuses on removing the data you do not need as early as possible in the process. A statutory confidentiality requirement applies to the publication of official statistics, that is to say that individuals/households should neither directly nor indirectly be able to are identified. Statistics Norway plans an evaluation of the solution in 2023, where, among other things, the level of detail of the data, frequency and extent will be assessed. 43.4 The cost-benefit assessment Section 10 fifth subsection of the Statistics Act requires that Statistics Norway conduct a cost-benefit assessment before they decides to adopt an order on the obligation to provide information. 1 Statistics Norway has published the cost-benefit assessment on its website. We will summarize them below the parts of the assessment that are linked to consequences for data subjects' privacy. Statistics Norway states that bank data from grocery chains does not contain personal information in itself. Through links to other sources, bong data can still be linked to a person. By connecting a voucher for a payment transaction (a payment by bank card), purchases of goods can be linked person and household via data from the Swedish Tax Agency and the National Register of Citizens. The link to person will could be done for more than 70% of the bonds. Statistics Norway considers that the bong data acquires the character of being sensitive personal data when they linked to an individual and a household. It is emphasized that the bong data are distinctive both on because of the large amount of data and because the information is not already available in public register. In addition, Statistics Norway will receive the data in near real time and with a high degree of detail. They connected the data will include information about where and when the individual has shopped for groceries, and that detailed information will appear about which goods and quantity of goods you have bought. This applies to all purchases from the four grocery operators that are not paid in cash. The players together cover 99% of the market. The individual consumer cannot be expected to be aware that Statistics Norway will use the electronic ones the traces from ongoing purchases, and forward these with personally identifiable data, to create statistics. Statistics Norway states that it is therefore important that the bong data is processed extra caution, and Statistics Norway will implement extra measures to safeguard privacy and information security. The privacy deficiencies must be remedied through the general security measures that apply to everyone processing of statistical information. Statistics Norway must ensure confidentiality in all dissemination of statistics, is subject to a duty of confidentiality and must implement measures to achieve a satisfactory security level. This includes, among other things, ensuring adequate access management, logging and subsequent control as well as regular risk and vulnerability analyzes and threat simulations. Statistics Norway will pseudonymise the personal data upon receipt, and aggregations of data adapted the individual statistical needs will be an important measure. An important part of the investigative work will be aimed at the development of new methods for data minimization and promoting privacy production processes when processing this type of data. Furthermore, the information shall only be used for statistical purposes within the framework of the Statistics Act. According to Statistics Norway, statistical use is generally a purpose that has a low privacy risk. 1 https://www.ssb.no/omssb/ssbs-versiktom/kost-nyttevuderning/leveranse-av-bongdata-fra-dagligvarekjedene- rema-1000-norgesgruppen-coop-and-bottom-price 5 In its assessment of whether the information is necessary and relevant, cf. the principle of data minimisation, Statistics Norway states that different forms of selection of bong data could probably have been sufficient for some of the relevant statistical purposes. Daily reporting of bong data on However, product level will also enable many forms of development work, both for new ones statistical products and methods for processing this type of data. This work will not be possible with sample surveys, aggregations or less frequent data deliveries. Statistics Norway assesses that there are no conditions in the bong data that indicate limitations in secondary use. 3.5 The assessment of privacy consequences The Norwegian Data Protection Authority has received two assessments of privacy consequences (DPIA) from Statistics Norway, one dated 27.01.2021 and the other from the period October 2021 to June 2022. The first assessment relates to the completed development project where testing has been carried out out the use of bong data, while the second assessment concerns the planned treatment. We nevertheless considers several of the assessments in the privacy impact assessment dated 27.01.2021 as relevant to the planned use of bong data. On page 4 of the assessment from 27.01.2021, it is explained why a need has been identified for such a privacy impact assessment: "Data from the grocery chains contains detailed information about which products are purchased, location and time. Bank transaction data includes all purchases with debit cards, of all types, in addition to the location and time of transaction. In that these two sources are linked to bank account and bank account owner, it will be possible to do compilations so that we can link individuals to both time, place and what these are buyer of goods and services. The potential to be able to make such connections suggests that the data is considered to contain personally identifiable and sensitive information, and they must be dealt with accordingly". Furthermore, it appears on page 6 et seq. that information will be collected on virtually everyone grocery purchases for the entire Norwegian population, and the data must be stored permanently. The registered persons cannot exercise their rights either, as exceptions to these have been made the rights in the regulations. As regards how the processing will be perceived from the data subject's point of view, it appears the following on pages 10 and 11: “The data described in this DPIA contains directly identifiable personal data. It must be assumed that the registered person experiences this as intrusive and basically offensive. We are talking about large amounts of data that apply to information that does not exist in it public records. This means that those to whom the information applies are neither prepared or have an expectation that this information will be collected and processed by one 6 public authority. However, the data subject is aware that the information is registered and is available to the grocery chains. In our opinion, the privacy disadvantage consists of perceived discomfort when a public authority sits on this type of information which is perceived by many to belong to it private sphere. Correspondingly, it can be experienced as a disadvantage for traders, among others otherwise based on competitive assessments. The privacy disadvantage increases when the information is compiled with other sources. Receipt data for persons are planned to be linked with account holder information from the tax authorities and transaction data from banks, as well as the household register. The disadvantages described above are partially remedied by general security measures that apply to everyone processing of statistical information in Statistics Norway. In addition, SSB's special security measures that have been established for this data in particular. It is also emphasized that the purpose is the development of statistics, that the processing is regulated in the Statistics Act, and that information about the individual registered shall not be processed separately'. 3.6 Legal assessment from Statistics Norway Statistics Norway has sent an undated assessment with the heading "The principle aspects of collection of detailed information on individual citizens – the relationship with the Constitution and ECHR and the requirement of proportionality'. The assessment states, among other things, the following: "Even if the statutory power of attorney in section 10 of the Statistics Act is not considered to be contrary to basic human rights, the specific use of the authority is assessed in each individual case. Statistics Norway believes that legally regulated purpose/use limitation and the data minimization measures that have been implemented to a sufficient extent reduces the inconvenience for the individual, so that the treatment is considered not to be in breach with Section 102 of the Constitution or Article 8 of the ECHR. Special reference is made here to the fact that Bong data is not at any time stored or processed with personal identifiers characteristic, that bong data is only handled aggregated at group level (in reality a two- dimensional aggregation in that bong data is aggregated on different product groups and collated with households aggregated to different socio-social groups). The result of the link are anonymous statistics”. Statistics Norway believes that the established data minimization and security measures are sufficient takes care of both the grocery chains and the customers. Statistics Norway still wants to develop further new methods and tools that can further reduce the privacy disadvantage. 4 Relevant legal rules The Norwegian Data Protection Authority monitors compliance with the privacy regulations, cf. Article 57 of the regulation and § 20 of the Personal Data Act. Below, we will explain the legal rules that we believe are relevant in the present case. 74.1 The right to privacy 4.1.1 Privacy as a human right Everyone has the right to protection of their privacy. This is a right protected by the European the Human Rights Convention (ECHR) as well as a constitutional right. A central part of the dish to privacy is the right to protection of one's personal data. The ECHR has been made Norwegian law through the Human Rights Act of 1999. In the ECHR article 8 no. 1 it appears that "[e]veryone has the right to respect for his private life and family life, his home and his correspondence". Furthermore, Article 8 no. 2 of the ECHR states that interventions in citizens' privacy must be "in accordance with the law". The intervention must be necessary in a democratic society for reasons of importance societal interests. The right to privacy is recognized as a central human right by being taken into Section 102 of the Constitution, where it is stated, among other things, that "[e]veryone has the right to respect for his privacy and family life, one's home and one's communication" and that "[t]he state authorities shall ensure protection of personal integrity". As regards the relationship between the human right to privacy and the privacy regulations, we also refer to the preparations for the Personal Information Act, Prop. 56 LS (2017-2018), point 6.4. Here it appears on page 34: "In its practice, the EMD has assumed that public authorities' storage of personal data that is linked to private life within the meaning of the provision constitutes a intervention in the court pursuant to ECHR article 8 no. 1, see Amann v. Switzerland 16.2.2000 [ECHR- 1995-27798] paragraph 65 and S. and Marper v. Great Britain 4.12.2008 [EMD-2004- 30562] section 67”. That states' collection and storage of personal data is an intervention in itself must be recognized reason when assessing privacy intrusions. 4.1.2 The principle of legality In a legally secure and democratic society, it is crucial that the state does not intervene the citizens without authorization. This is called the principle of legality and is anchored in Section 113 of the Constitution, which specifies that "[t]he intervention of the authorities towards the individual must have a basis in law". As mentioned above, ECHR Article 8 no. 2 also states that interference with citizens' privacy requires sufficient authority. Such protection against arbitrary and unpredictable interventions is an important one guarantee of legal certainty. The requirement for the clarity of the law is tightened in line with the size of the intervention. The most serious the interventions must be based on law rather than regulations or administrative decisions. In case of significant intervention in the citizens' legal sphere, it must be clear from the wording of the law that the intervention is covered of the relevant statutory provision. Enshrining privacy intrusions in the legal text itself creates greater predictability for the general public, and laws are adopted through a thorough democratic process 8process where trade-offs between the individual's privacy and the state's need for treatment of personal information must be done. In Section 113 of the Constitution, there is a further requirement that there must be intervention towards the citizens necessary to fulfill legitimate purposes. This means that an intervention in privacy must have a useful value for society. The requirements for legal regulation are also evident from our human rights obligations according to Den the international convention on civil and political rights (SP), which has been made Norwegian law through the Human Rights Act from 1999. In Norwegian law, it is assumed that national legislation is in line with our international obligations in the area of human rights. 4.2 The principle of data minimization The basic principles for processing personal data are set out in Article 5 of the Personal Data Protection Regulation. Particularly central to this case is the principle of data minimization. The principle of data minimization appears in the personal data protection regulation article 5 no. 1 letter c, according to which personal data must be "adequate, relevant and limited to what is necessary for the purposes for which they are processed”. According to the principle of data minimisation, it is not sufficient that it is practical or desirable to process personal data; the processing must be necessary for the purpose to be achieved. The requirement of necessity will naturally become more stringent the greater the invasion of privacy. The principle of data minimization also includes an overarching assumption that the processing of personal data contributes to achieving a specific purpose. The purpose description will be that natural starting point for assessments of the utility value of a treatment. The more the more invasive the measure, the greater the requirements for the purpose description and a documented usefulness of the measure. 4.3 Legal basis 4.3.1 The Personal Data Protection Regulation Any processing of personal data must have a legal basis to be legal. The Personal Protection Regulation Article 6 No. 1 provides an exhaustive overview of which legal grounds (authorities) that may be the basis for processing personal data - and thus an intervention in privacy. Article 6 no. 1 letter c (fulfilment of a legal obligation) and e (exercise of public authority or performance of a task in the public interest) are the most relevant the provisions for the cases where public authorities intervene in citizens' privacy. When applying the above-mentioned authorities, there must be an additional authority in national law or in EU law that imposes duties or tasks on public authorities. This follows from Article 6 No. 3 of the Personal Protection Ordinance and is described as supplementary legal basis. 94.3.2 Statistics Act Statistics Norway's tasks and area of authority are regulated in the Statistics Act with regulations. SSB access to order other businesses to hand over information for statistical purposes is regulated in Section 10 of the Statistics Act. The provision reads: "1) Anyone must, without being hindered by the duty of confidentiality and by order from Statistics Norway provide information that is necessary for the development, preparation or dissemination of official statistics. The duty applies to information about the person obliged to provide information and others information over which the person obliged to provide information has the right to dispose of it. A deadline can be set to provide information. Confidentiality as mentioned in the Criminal Procedure Act § 119 first and second paragraph and the Disputes Act section 22-5 first paragraph precede the obligation to provide information according to the first dot. (2) Statistics Norway can issue regulations on the obligation to provide information and order obligation to provide information in individual cases. (3) Information can be refused to be disclosed in accordance with the first paragraph when an exception is required for reasons to national defense and security interests or police crime-fighting business. (4) Statistics Norway may determine the manner in which the information is to be provided and which documentation must be included. No remuneration can be required for this costs of fulfilling the obligation to provide information. (5) Before Statistics Norway decides to impose an obligation to provide information, there must be a assessment of the usefulness of receiving the information, weighed against the costs for it subject to disclosure and how invasive the treatment is considered to be for it the information applies. The assessment must be made public. (6) The Ministry may issue regulations on the obligation to provide information pursuant to this provision, among other things about limitations in the duty to provide information". In the preparations for the Statistics Act, Prop. 72 LS (2018-2019), the relationship with the Constitution and ECHR and the right to privacy discussed. It appears in point 5.1.4.8 on page 42: "Statistics Norway's collection of personal data will also constitute an intervention in the right to privacy according to Section 102 of the Constitution and Article 8 of the ECHR. The processing is then only permitted if it has sufficient authority, pursues a legitimate purpose and is proportionately. For a general discussion of these requirements, reference is made to Prop. 56 LS (2017–2018) point 6.4. As it appears there, Section 102 of the Constitution has clear similarities with Article 8 of the ECHR, and must be interpreted in the light of this, cf. Rt-2015-93. It is not evidence that Section 102 of the Constitution sets stricter requirements than Article 8 of the ECHR legal basis for processing personal data. Statistics Norway can follow The proposal collects a large amount of personal data. According to the Ministry's assessment is this necessary for the agency to be able to fulfill its societal task of developing, prepare and disseminate official statistics. This is a legitimate purpose. Statistically 10 Central Agency must process the information in a reassuring manner and only for them the purposes mentioned in the bill § 10. Further processing of information is discussed in chapters 6 and 7.2. The ministry also refers to the discussion in chapter 4 of statistical confidentiality, non-disclosure and information security. On this background consider the ministry the proposal for a statutory provision as proportionate. According to the ministry's assessment, the proposal meets the requirements of Section 102 of the Constitution and Article 8 of the ECHR". Furthermore, it is stated in point 6.2.4.7 on pages 61 and 62: "If disclosure would constitute an intrusion into the right to privacy pursuant to Section 102 of the Constitution and Article 8 of the ECHR, it must nevertheless be assessed whether more specific ones are necessary legal or regulatory provisions and/or guarantees to fulfill the Constitution and ECHR's requirements for a legal basis for invasion of privacy. (…) The special regulation on the processing of personal data in the Personal Data Protection Ordinance to among other things, research purposes and statistical purposes indicate that this type of treatment considered to be minimally invasive'. 4.4 Requirements for the supplementary legal basis Article 6 no. 3 of the Personal Protection Regulation contains several additional requirements the legal basis. The supplementary legal basis – whether it is a legal authority, a regulation or an administrative decision – must therefore meet certain criteria. According to Article 6 No. 3, it must be clearly stated that the processing of personal data is necessary to carry out a publicly beneficial task or exercise public authority. Furthermore, it is required that the supplementary legal basis must "meet an objective in the public interest interest and stand in a reasonable relationship to the legitimate aim sought to be achieved". It is laid i.e. up to a proportionality assessment, in which the intervention in privacy must be in relation to the social good that is achieved. The preamble to the Personal Data Protection Regulation in many cases provides guidance for the specifics the provisions of the regulation, including Article 6 No. 3. Although a supplementary legal basis does not have to be in the form of a law, it appears from recital 41 that the legal basis should be "clear and precise". It further states that the application of the legal basis should be predictable for citizens. The requirements for the supplementary legal basis are discussed by the Ministry of Justice and Emergency Preparedness in the preparations for the Personal Data Act, Prop. 56 LS (2017-2018). Section 6.3.2 states: "It follows from recital 41 that "when this regulation refers to a legal basis or a legislative measure, this does not necessarily require one regulatory act adopted by a parliament'. In the ministry's view, it must be added 11 reason that in any case statutory and regulatory provisions may constitute supplementary legal basis. The Ministry assumes that also decisions made in accordance with law or regulations are covered, as there is also a legal or regulatory basis in these cases". However, this is nuanced in the following: "If the processing of personal data constitutes an intrusion into the right to privacy according to Section 102 of the Constitution or Article 8 of the ECHR, it may however be necessary a more specific legal basis for the processing than the wording of the regulation can indicate. It also follows expressly from recital 41 that there should be a legal basis "clear and precise, and its application should be predictable to persons who covered by it, in accordance with the case law of the Court of Justice of the European Union (the "Court") and the European Court of Human Rights. In other words, must the regulation's requirement for a supplementary legal basis for the processing is interpreted and applied in line with the human rights requirements for a legal basis for interference with the right to privacy. This means that a closer assessment of the legal basis must be made and the treatment, where, among other things, emphasis must be placed on how invasive the treatment is. Depending on the circumstances, the outcome of such an assessment may be that a more specific basis than what might appear to be the minimum requirements is required the wording of the regulation". In point 6.4 of the preparatory work it also appears: "At the same time, there is no doubt that the regulation's general rules, possibly i combination with a supplementary legal basis that only meets the minimum requirements according to the wording in Article 6 no. 3, will not always provide a sufficiently specific legal basis or necessary guarantees in line with the Constitution and the ECHR. It will then be necessary to design more specific legal bases and additional guarantees in national law, and that will i in many cases be necessary with express authority in special legislation. In other words, the regulation must be interpreted and applied in light of the Constitution and the ECHR. (…) The requirements in the Constitution and the ECHR on the legal basis for invasion of privacy can in the circumstances imply that the supplementary legal basis must contain such more specific provisions that Article 6 nos. 2 and 3 allow for. What is required of the supplementary legal basis, cannot be answered in general, but must be decided according to one concrete assessment". The European Court of Justice states the following in case C-175/20 in section 83: "In this regard, it is nevertheless noted that the legislation which forms basis for the processing, in order to fulfill the requirement of proportionality, such as Article 5, item 1, letter c) (…) is an expression of (…), must lay down clear and precise rules, where regulates the scope and application of the measure in question, and which lays down minimum requirements, so that the persons whose personal data are affected prevail over sufficient guarantees, which make it possible to effectively protect this information against the risk of abuse. This legislation must be legally binding in national law 12 and in particular state, under what circumstances and under what conditions that can a measure is adopted on the processing of such information, whereby it is ensured, that the intervention is limited to what is strictly necessary'. For Norway as an EEA member, the practice of the EU Court is not directly binding. Legal practice from the European Court of Justice will still have significance in the area of privacy as it is a basic assumption that the rules of the Personal Data Protection Regulation are understood and practiced equally throughout EU/EEA. 5. The Norwegian Data Protection Authority's sanctioning authority The Norwegian Data Protection Authority's authority to impose administrative sanctions is regulated in the privacy the regulation, article 58. Article 58 no. 2 states which corrective measures the supervisory authority can take adopt. The relevant parts of the provision read: "2. Each supervisory authority shall have the authority to decide on the following corrective measures measures: a. issue warnings to a data controller or data processor that they the planned processing activities are likely to be in breach of the provisions of this regulation, (…) d. instruct the controller or data processor to ensure that the processing activities take place in accordance with the provisions of this regulation and, if relevant, in a specific manner and within a specific deadline, (…) f. introduce a temporary or permanent restriction of, including a ban on, treatment". 6. The Norwegian Data Protection Authority's assessment 6.1 Assessment of the size of the privacy intrusion If privacy is to be encroached upon, it is a requirement according to both our human rights laws obligations under the ECHR, the Constitution and the privacy regulations that a thorough investigation is carried out assessment of the proportionality of the measure. The disadvantages to the citizens of that personal data if they are collected must be weighed against the authority's needs for personally identifiable data to provide citizen services and carry out their tasks. We make it clear that an invasion of privacy already occurs during the actual collection of data personal data and not until the data is further processed. The European one In the cases Amann v. Switzerland (case 1995-27798) and S. and Marper v. Great Britain (Case 2004-30562) clearly stated that states intervene against the citizens already when collecting personal data as such. The Norwegian Data Protection Authority recognizes the societal benefit of consumption and diet statistics. For example dietary statistics are the basis for national public health work. We see that data with the same 2 See also ECJ cases C-293/12 and C‑594/12, https://eur-lex.europa.eu/legal- content/en/TXT/?uri=CELEX:62012CJ0293. 13quality cannot be obtained from other sources, for example the consumers themselves. We also have noticed that SSB has good internal routines and systems for rapid pseudonymisation and aggregation of data, strict internal access management, etc. SSB is well equipped to deal with this as well bong data in a reassuring manner internally. Statistics Norway has stated that an important consideration behind the collection of bong data is development work that can lead to quality improvement and future data minimization through more precise data extraction, etc. As we understand it, however, the utility value of the development work will be unknown at the time when the data is collected. We cannot therefore attach decisive importance to the objective of future data minimization. The planned collection of bong data for statistics involves the processing of enormous amounts amounts of transactional data about a significant part of the population. It is also a brand new one form of data collection by the authorities from private actors. The state will get a brand new one knowledge about which grocery purchases almost the entire Norwegian population makes in real time. The individual data subjects have no real opportunity to oppose the collection of personal data (except through trading with cash and avoiding the big the grocery players). Nor do those registered receive information that the collection is taking place. As Statistics Norway itself points out, the average citizen will not be able to predict that the state will collect information about their purchases of groceries. It is therefore of less importance for our assessment of the size of the privacy intervention that Statistics Norway's mandate is the production, dissemination and development of statistics, which in itself is not linked to individuals. The relationship with Section 102 of the Constitution and Article 8 of the ECHR is affected in the preparations for the Statistics Act. The Ministry of Finance's conclusion is that Section 10 of the Statistics Act in itself is not contrary to the requirements in Section 102 of the Constitution and Article 8 of the ECHR. At the same time, the ministry has indicated that it must assessed whether more specific statutory or regulatory provisions are necessary and/or guarantees to fulfill the Constitution's and the ECHR's requirements for a legal basis when this is to be done invasion of privacy. The Norwegian Data Protection Authority believes that there are weaknesses in the specific privacy impact assessments which Statistics Norway has carried out. In the description of the privacy intervention seen from the point of view of the data subjects, refers SSB to a "perceived discomfort". This may indicate a lack of understanding of the concept of privacy, privacy as a fundamental right and the value of good privacy. We also refer here to the fact that the intervention in privacy is already taking place collection of personal data, cf. the decisions of the European Court of Justice and the European Court of Human Rights mentioned above. In a case like this, the right to privacy is less about the fear of abuse personal information than about trust in public Norway. In our view, the core of the assessment of the privacy intervention what it is necessary for the state to know about the individual citizen. 14Public authorities have enormous amounts of data about citizens through various socio-economic registers and health registers. Through social security numbers, this data can be linked up against each other. The result of such connections is something more than just the sum of the individual parts the information; it can give a more or less complete picture of a single individual's life from cradle to grave. Public Norway has exclusively a mandate and authority that is linked to good purposes and objectives, be it crime fighting, public health, good welfare services or other. In many cases, it is absolutely essential to treat personal data to perform public tasks. In this case, the dietary statistics requested by the health authorities, and the consumption statistics will be able to have a much better quality if bong data is used. There must still be a limit to what data public authorities can access can process about individuals, even where the purpose is good. It is at the core of the Norwegian Data Protection Authority tasks as a supervisory authority to assess where this line should be drawn. We believe that the ministry's conclusion in the preparations for the Statistics Act that processing to statistical purposes in general should be considered to be of little intervention is too unvarnished. The data collection which is the basis for the preparation of statistics can constitute a significant intervention in them data subject's privacy. Even if the end result is anonymous statistics, large numbers will personal data could be processed by a state body (SSB) in the process. As stated above, the privacy intrusion when collecting bong data is very large. It must is questioned as to whether it is necessary for Statistics Norway to collect this data in order to carry out its work social mission. The Norwegian Data Protection Authority believes that, after a concrete assessment of the privacy intervention proportionality, must accept that not all statistical purposes can be fully achieved. It is in such cases necessary to accept that data must be collected from other sources with it consequence that the statistics get a poorer level of precision and quality. 6.2 Statement of purpose and data minimization In the cost-benefit assessment, Statistics Norway has made an assessment of whether bong data are necessary and relevant information for the purposes, cf. the principle of data minimisation. Here SSB states that different forms of selection of bong data probably could have been sufficient for some of them relevant statistical purposes. When it comes to development work, however, will not sample surveys, aggregations or less frequent data deliveries are sufficient. Statistics Norway has therefore itself pointed out that the assessment of necessity will be different for the different people the purposes. Furthermore, statistics production and method development are two different processes though statistical production is based on methods that have been developed using the basic data. In our view, this illustrates the weaknesses of the necessity assessment that has been carried out. The need for complete bong data for development purposes plays into the assessment that SSB considers the collection necessary - also for the purpose of producing statistics. 15 Against this background, it appears clear to the Norwegian Data Protection Authority that the production/dissemination of statistics and development work must be defined as different processing purposes in the Personal Data Protection Regulation understanding. Nor can we see that Statistics Norway has assessed the dietary statistics and the consumption statistics separately. These are different forms of statistics that have different underlying considerations and societal functions. As a result, the necessity assessment will be able to beat also different for the two forms of statistics. The Danish Data Protection Authority has chosen not to go into further detail in the assessment of the necessity of the bong data the purposes. In this supervisory case, we have chosen to concentrate on the assessment of that supplementary legal basis for the collection of bong data, cf. point 6.3 below. It may nevertheless there is a need to make a thorough assessment of necessity at a later stage. 6.3 The supplementary legal basis Through Section 10 of the Statistics Act, Statistics Norway has been given almost a blank authorization to make decisions or adopt regulations on the obligation to provide information. Section 10 of the Statistics Act is thus a framework provision which presupposes that the detailed access to process personal data is determined in a other legal basis. Statistics Norway's processing of personal data must still be in line with the privacy regulations. In the preparations for the Personal Data Act, Prop. 56 LS (2017-2018), it appears that a administrative decisions can constitute a supplementary legal basis in the personal data protection regulation understanding. Whether an administrative decision is considered a sufficiently clear and predictable legal one basis must, however, be assessed concretely. In this case, Statistics Norway has decided to obtain enormous amounts of information about Norwegians consumers' grocery purchases. The Norwegian Data Protection Authority believes that the privacy intrusion by the decisions is a lot greater than what Statistics Norway seems to have assumed. That the collection of bong data is done for statistical purposes are of secondary importance in this assessment as the intervention itself i privacy already occurs at the time of data collection. As we assume that the breach of privacy when collecting bong data is very large, this sets stricter requirements for the supplementary legal basis, cf. the Personal Data Protection Ordinance article 6 no. 3. Section 10 of the Statistics Act stipulates that Statistics Norway itself shall carry out the cost-benefit assessment and determine individual decisions, possibly adopting regulations, on the obligation to provide information. For comparison, we will highlight the process for approval of medical and health research projects. In medical and healthcare research, decisions on dispensation from confidentiality and/or ethical approval decisions are the basis for the data processing. In these cases, the assessment is whether the data can be used for research added an external third party (respectively the Norwegian Directorate of Health and the regional committees for medical and healthcare research ethics, REK) and not to the person responsible for the research the institution. 16 Although medical and healthcare research most often involves handling large quantities health data and other personal data, the third-party assessment is considered a guarantee for safeguarding the research participants' rights and interests. The regional ethics committees can, for example, set conditions for the collection, storage and use of data. Statistics Norway's main purpose is the production, dissemination and development of statistics. A natural the consequence of this is that Statistics Norway will facilitate the execution of the tasks assigned to them best possible way. Statistics Norway's operations are also partly regulated by strategic guidelines nationally and internationally. In the case of highly invasive processing of personal data, it is therefore particularly important that the privacy impact assessment that is the basis for a processing of personal data is good. As mentioned in point 6.1, we believe that the assessments made by Statistics Norway in connection with collection of bong data are lacking. As a consequence, the process harmonises towards Statistics Norway's decision on the obligation to provide information does not meet the requirements of the privacy regulations. The ratings that is settled against the principle of data minimization in the personal protection regulation article 5 no. 1 letter c and the principle of purpose limitation in letter b are not good enough in our view. This means that it is not possible to make a fully sound proportionality assessment, like this the privacy regulation article 6 no. 3 requires. For Statistics Norway's operations, Statistics Norway alone can assess and decide that data should be collected. Any actor, private as well as public, may be required to hand over personal data on a large scale. Decisions on the obligation to provide information can be appealed to the Ministry of Finance, but we consider that such complaint handling has a different function than an external third-party assessment at a business with purposes other than just the preparation and development of statistics. The Norwegian Data Protection Authority assumes that an administrative decision made by Statistics Norway does not provide sufficient information guarantees for those registered for such intrusive processing as collection of bong data. The legal basis is not sufficiently clear, precise and predictable. We believe that this view has support in the wording of the Personal Data Protection Ordinance, the preparations for the Personal Data Act and case law from the European Court of Justice and the European Court of Justice. The Norwegian Data Protection Authority is therefore of the opinion that Statistics Norway's decision on the obligation to provide information to the grocery operators do not meet the requirements of the supplementary legal basis i the personal protection regulation article 6 no. 3. 6.4 Conclusion The Norwegian Data Protection Authority has come to the conclusion that Statistics Norway's decision on the obligation to provide information to the grocery operators NorgesGruppen ASA, Coop Norge AS, Rema 1000 AS and Bunnpriskjeden, comprised of authority in Section 10 of the Statistics Act, does not meet the requirements for a supplementary legal basis i the personal protection regulation article 6 no. 3. We have therefore decided to notify Statistics Norway of a decision to ban the processing of personal data in the form of bank data. 17 7. Further proceedings This letter is an advance notice of a decision to prohibit the processing of personal data, cf. section 16 of the Public Administration Act. Any comments on this notice must be sent to us no later than three weeks after receipt of this letter. We assume that the decisions on the obligation to provide information are still under appeal processing at The Ministry of Finance and that the collection of bank data has not been initiated. We therefore do not see it necessary to set a shorter deadline for feedback. If you have any questions, you can contact section manager Camilla Nervik or case manager Susanne Lie. With best regards Line Coll director Susan Lie legal professional director The document is electronically approved and therefore has no handwritten signatures Copy to: STATISTICS CENTRAL BYRÅ, Thorleiv Valen 18