Datatilsynet (Norway) - 20/03771-17: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Norway |DPA-BG-Color= |DPAlogo=LogoNO.png |DPA_Abbrevation=Datatilsynet |DPA_With_Country=Datatilsynet (Norway) |Case_Number_Name=20/03771-17 |ECLI= |Original_Source_Name_1=Datatilsynet |Original_Source_Link_1=https://www.datatilsynet.no/contentassets/a3e5338a8fac4012ad9c18f17276ea5a/vedtak-google-analytics.pdf |Original_Source_Language_1=English |Original_Source_Language__Code_1=EN |Original_Source_Name_2= |Original_Source_Link_2= |Orig...") |
(→Holding: Fixed misspelling) |
||
Line 99: | Line 99: | ||
Finally, the DPA highlighted that the CJEU ruled that international transfers based on SCCs violate Chapter V when the country of destination offers a lower level of protection and the controller does not adopt sufficient complementary measures. In the case in question, the DPA pointed out that the anonymization process is carried out on Google's servers, meaning that the data is transferred before being anonymized. In addition, DPA recalled that the personal data processed was not limited to IP addresses and that this non-anonymized data could be accessed by the processor. | Finally, the DPA highlighted that the CJEU ruled that international transfers based on SCCs violate Chapter V when the country of destination offers a lower level of protection and the controller does not adopt sufficient complementary measures. In the case in question, the DPA pointed out that the anonymization process is carried out on Google's servers, meaning that the data is transferred before being anonymized. In addition, DPA recalled that the personal data processed was not limited to IP addresses and that this non-anonymized data could be accessed by the processor. | ||
For these reasons, the DPA found that personal data of visitor of the controller's website were processed by the controller in the context of Google Analytics and | For these reasons, the DPA found that personal data of visitor of the controller's website were processed by the controller in the context of Google Analytics and illegally transferred to the US. However, the DPA only issued a reprimand. | ||
== Comment == | == Comment == |
Latest revision as of 07:55, 10 August 2023
Datatilsynet - 20/03771-17 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 44 GDPR Article 45 GDPR Article 46 GDPR Article 47 GDPR Article 48 GDPR Article 49 GDPR Article 50 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 26.07.2023 |
Published: | |
Fine: | n/a |
Parties: | Telenor ASA |
National Case Number/Name: | 20/03771-17 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | Datatilsynet (in EN) |
Initial Contributor: | Bernardo Armentano |
The Norwegian DPA held that transfers of personal data to the United States in the context of Google Analytics were illegal, as the controller failed to implement sufficient protective measures in addition to SCCs.
English Summary
Facts
Following the Schrems II ruling of 16 July 2020 (CJEU case C-311/18), noyb lodged 101 complaints with various DPAs in the European Economic Area (EEA), all of them concerning the use of Google Analytics or Facebook Connect on websites.
On 17 August 2020, one of these complaints was filed against Telenor ASA, the controller, with the Austrian DPA. In the complaint, noyb alleged that the use of Google Analytics on the controller's website and the transfer of a data subject's personal data to the US violated Article 44 GDPR.
Since Telenor’s main establishment is in Norway, the Austrian DPA transferred the complaint to the Norwegian DPA pursuant Article 56(1) GDPR. The Norwegian DPA then proceeded to investigate the case and notified the controller asking for information about the investigated facts.
In response, the controller stated that after becoming aware of the judgment in the Schrems II case, it reassessed its contract with Google, the processor, and adopted standard contractual clauses (SCCs) as the legal basis for the transfer of data to the US. Furthermore, it claimed that it was taking additional measures to ensure the protection of personal data transferred outside the EU/EEA. As examples of these measures, the controller mentioned the application of a writing script on the website to prevent personal data from being involuntarily shared with the processor, as well as the anonymization of data as examples of these measures. Furthermore, it alleged that the processor had formed a team of lawyers specialized in dealing with requests for access to personal data by authorities in the US.
Thus, the controller continued to use Google Analytics on its website until January 2021, collecting data such as online identifiers, including cookie identifiers, IP addresses, device identifiers and customer identifiers. However, in its view, the only personal data processed were the IP addresses themselves, since the other data were anonymized. The processor confirmed this understanding, stating that it would not be possible to re-identify the anonymized data even if there was an order from a public authority.
Holding
The DPA was concerned with three legal questions: a) whether or not personal data was processed in the context of Google Analytics; b) provided that personal data was processed, whether or not this personal data was transferred to the US; c) provided that the personal data was processed and transferred to the US, whether or not this transfer infringed Chapter V GDPR, in view of the Schrems II judgment.
Regarding the first question, the DPA analyzed the evidence produced by the data subject and verified that several personal data had been processed, such as: unique identifier(s) that identify(s) the browser/device used to visit the website; the website operator's Google Analytics account ID; website address and HTML title; information about the browser, operating system, screen resolution, language settings, as well as the date and time the website was accessed by the data subject, in addition to the IP address.
The DPA also noted that these identifiers, when combined with other data such as the URL, the time and date of the visit to the website, in addition to metadata about the browser and operating system, are unique to the point of characterizing the fingerprint of the device. Thus, the DPA held that these identifiers were defined with the specific objective of differentiating individuals. Taking all this into account, DPA considered that the data in question was personal data within the meaning of Article 4(1) GDPR.
As for the second issue, the DPA noted that the controller reported that it was not possible to demonstrate whether there was a transfer of the data subject's personal data to the US, as this would depend on factors such as their location and, presumably, Internet traffic conditions at the time of the access. However, it understood that this statement indicated that there were transfers to the US, at least in cases where these conditions were present. In addition, the DPA pointed out that, regardless of which Google server personal data is sent to, the company, as a processor, transfers Google Analytics data to the USA. Therefore, the DPA concluded that the controller most likely transferred personal data to the US.
Finally, the DPA highlighted that the CJEU ruled that international transfers based on SCCs violate Chapter V when the country of destination offers a lower level of protection and the controller does not adopt sufficient complementary measures. In the case in question, the DPA pointed out that the anonymization process is carried out on Google's servers, meaning that the data is transferred before being anonymized. In addition, DPA recalled that the personal data processed was not limited to IP addresses and that this non-anonymized data could be accessed by the processor.
For these reasons, the DPA found that personal data of visitor of the controller's website were processed by the controller in the context of Google Analytics and illegally transferred to the US. However, the DPA only issued a reprimand.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
TELENOR ASA Postboks 800 1331 FORNEBU By email to eirik.h.andersen@telenor.com tonje.orseth@telenor.com Your reference Our reference Date 20/03771-17 26.07.2023 Decision – Google Analytics – Telenor ASA 1. Introduction The Norwegian Data Protection Authority (“Datatilsynet, “Norwegian SA”, “we”, “us”, “our”) is the independent supervisory authority responsible for monitoring the application of 1 the General Data Protection Regulation (“GDPR”) in Norway. We refer to our advance notification of a reprimand to Telenor ASA (“Telenor”, “you”, “your”) for having breached Article 44 GDPR, dated 28 February 2023. We also refer to the response to our advance notification, submitted by Telenor on 28 March 2023. The present decision has been taken in accordance with the cooperation mechanism set out in Article 60 GDPR, in cooperation with the concerned supervisory authorities. 2. Decision Pursuant to Article 58(2)(b) GDPR, we issue a reprimand to Telenor for having transferred personal data to a third country without complying with the conditions laid down in Chapter V GDPR, in violation of Article 44 GDPR. 3. Facts and background of the case 3.1 101 complaints from noyb – European Center for Digital Rights Following the Court of Justice in the European Union (“CJEU”) ruling on 16 July 2020 in C- 311/18 – Facebook Ireland and Schrems (“Schrems II judgment”), noyb – European Center for Digital Rights (“noyb”) lodged 101 complaints to several data protection authorities in the European Economic Area (“EEA”). All complaints concerned different European websites’ use of Google Analytics (“GA”) or Facebook Connect. 1Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ [2018] L 119/1. Postal address: Office addresPhone: Ent.reg: Home page: P.O. Box 458 Sentrum Trelastga+47 22 39 69 00 974 761 467 www.datatilsynet.no/en/ N-0105 OSLO N-0191 OSLOBased on the Schrems II judgment, noyb’s complaints claim that the European websites’ integration of Google Analytics and Facebook Connect causes European citizens visiting the websites to have their personal data transferred to the U.S. without a valid basis for transfer pursuant to Chapter V GDPR. To ensure cooperation between every complaint-receiving supervisory authority (“SA”) in the handling and enforcement of the 101 complaints, the European Data Protection Board (“EDPB”) established a task force. This task force held regular meetings to organise and coordinate the complaints-handling process, and it has functioned as a forum for relevant discussions related to the subject matter of the complaints. It has also produced written documents, such as the questions provided to you in the order to provide information. Additionally, the task force prepared an order to provide information to Google in relation to the processing of personal data in Google Analytics. Please note that all SAs participating in the task force have done so on a voluntary basis, and that SAs in no way are bound by the work of, or conclusions reached by, the task force. 3.2 Google Analytics According to Google, “Google Analytics is a measurement service that allows customers to measure traffic to their properties, including website owners who wish to measure traffic to their websites. The analytics services are a popular category of service offered by multiple providers and are considered by many as an essential tool for operating a website. Website owners may use web analytics services such as Google Analytics to help them understand how their users interact with their site and services.” 3.3 Complaint against Telenor On 17 August 2020, noyb lodged a complaint against the website www.telenor.com (“the Website”) with the Austrian Data Protection Authority (“DPA”). In accordance with Article 80(1) GDPR, noyb is representing the data subject in Austria (“the complainant”). Pursuant to Article 4(23)(b), the processing of personal data subject to the complaint was assumed to be cross-border in nature. As Norway is the place of Telenor’s central administration in the EEA, its main establishment within the meaning of Article 4(16)(a) GDPR is in Norway. In accordance with Article 56(1) GDPR, The Austrian DPA therefore transferred the complaint to the Norwegian SA. On 17 August 2020, the complainant visited the Website while being logged in to the Google account associated with their email address. As a controller, Telenor had embedded the HTML code for Google Services, including Google Analytics, on the Website. The use of Google Analytics is subject to the Google Analytics Terms of Service and the Google Ads Data Processing Terms. According to the terms, Google is the contractual partner of the controller, processes personal data on behalf of the controller, and qualifies as the controller’s data processor under Article 4(8) GDPR. 2Statement by Google, 9 April 2021. 2In the course of the complainant’s visit on the Website, Telenor processed the complainant’s personal data – at least the IP address and cookie data. The complainant alleges that according to the HTTP Archive format (“HAR”) data of the Website visit provided by them, some of this data was transferred to Google. Pursuant to point 10 of the Google Ads Data Processing Terms, Telenor has agreed that Google may store and process personal data “in the USA or any other country in which Google or any of its Subprocessors maintain facilities.” The complainant maintains that such a transfer of their personal data from Telenor in the EEA to Google or its sub-processors in the USA (or any other non-EEA country) requires a legal basis under Article 44 et seqq. GDPR. As the CJEU invalidated the “EU-U.S. Privacy Shield” decision in the Schrems II judgment, Telenor can no longer base the data transfer to Google in the U.S. on an adequacy decision under Article 45 GDPR. Telenor may also not base the data transfer on standard data protection clauses under Article 46(2)(c) and (d) if the third country receiving the personal data does not ensure adequate protection, under EU law, of the personal data transferred pursuant to those clauses. In the Schrems II judgment, the CJEU explicitly found that further transfers to companies that fall under 50 U.S. Code § 1881a (“FISA 702”) violate the relevant Articles in Chapter V GDPR, Article 7 and 8 and the essence of Article 47 of the Charter of Fundamental Rights of the European Union. Any further transfer of personal data would therefore violate the fundamental right to privacy, data protection and the right to an effective remedy to a fair trial. Google qualifies as an electronic communication service provider within the meaning of 50 U.S. Code § 1881(b)(4). As such, they are subject to U.S. intelligence surveillance under FISA 702. As apparent by the “Snowden Slides” and Google’s own Transparency Report, Google is actively providing personal data to the U.S. government under 50 U.S. Code § 1881a. Consequently, Telenor is unable to ensure an adequate protection of the complainant’s personal data that is transferred to Google. Nevertheless, as of 12 August 2020, Telenor and Google have attempted to rely on standard data protection clauses for data transfers to the U.S., as evidenced by point 10.2 of the New Google Ads Data Processing Terms. Such practice ignores the Schrems II judgment, which puts Telenor under a legal obligation to refrain from transferring the complainant’s personal data – or any other personal data – to Google in the U.S. More than one month after the judgment, Telenor had still not refrained from this processing. 3HAR is a JSON-formatted archive file format for logging a web browser’s interaction with a website. 3In its complaint, noyb requests that the NO SA fully investigates the complaint under Article 58(1), immediately imposes a ban or suspension of any data flows from Telenor to Google in the U.S., and imposes an effective, proportionate and dissuasive fine against Telenor under Article 83(5)(c). 3.4 The Norwegian Supervisory Authority’s investigation Following noyb’s complaint and the subsequent transferral of the complaint from the Austrian SA to the Norwegian SA, we sent Telenor an order to provide information on 18 December 2021. The questions in the order to provide information were prepared by the aforementioned EDPB task force. Telenor asked for an extension on the deadline to reply to the order to provide information, and as per Telenor’s request, we extended the deadline from 25 January 2021 to 8 February 2021. Telenor submitted its response to the Norwegian SA on 8 February 2021. 3.4.1 Telenor’s response to the order to provide information Controllership, purpose and use of Google Analytics: Telenor stated that the decision to embed Google Analytics on the Website was made by Telenor. As such, Telenor is the data controller. Google is a data processor in the use of Google Analytics on the Website, pursuant to the Google Analytics Terms of Service and Data Processing Terms applicable to Google Analytics. Telenor also stated that the Website is aimed at website visitors internationally, and that therefore, data subjects from several EEA states may systematically have been subject to processing through Google Analytics on the Website. Google Analytics was implemented before the Schrems II judgment and remained active on the Website up until 15 January 2021. On that date, Telenor completed a planned disabling of the tool as part of a revamp of the site and move to a new CMS system. At the time you responded to our order to provide information, the use of Google Analytics was decommissioned. Google Analytics was embedded on the Website to provide basic, aggregated website analytics data about the use of the site in order to optimise and improve the site layout and content. At the time Google Analytics was chosen, it was deemed a basic and easy-to-implement solution that provided the necessary analytics functionalities to cover Telenor’s minimal needs. Data localisation: According to the information available to you, no data localisation options, including to the U.S., has been or is available when using Google Analytics. Based on information provided by Google, the data collected by Google Analytics is processed in the data center closest to the location of the user. As Google does not offer Google Analytics with region-based processing, it cannot, according to Google, be accurately determined in which country/countries Google processes such data. Google’s data cent4rs are located in several countries in North America, South America, Europe and Asia. 4https://www.google.com/about/datacenters/locations/, last visited 5 June, 2023. 4Data collection: As regards data collection using Google Analytics, you state – referencing the Google Ads Data Protection Terms: Service Information – that the personal data elements collected by Google Analytics are limited to online identifiers, including cookie identifiers, internet protocol (“IP”) addresses, device identifiers and client identifiers. To reduce the privacy implications of the Website’s monitoring and IP address collection, you have enabled the IP anonymisation feature of Google Analytics. It is your understanding that the identifiers listed above cannot be regarded as personal data in the context of your use of Google Analytics, as the IP anonymisation process has severed any link to an individual. You have stated that the IP anonymisation feature of Google Analytics ensures that IP addresses from website visitors are anonymised (by removing the last octet of IPv4 addresses or removing the last 80 bits of IPv6 addresses) at the earliest possible time after data has been received by Google Analytics (i.e., the Analytics Collection Network), and before any subsequent processing takes place, including access to the data by you. According to information you have received from Google, the IP anonymisation process takes place in the memory of the recipient webservers of Google Analytics only (i.e., data is never written to disk) and is deleted from memory rapidly. Only an extremely limited number of Google Data Center personnel have access to the relevant server memories, and such access is to your understanding never utilised for any direct processing purposes, only for technical system maintenance by Data Center personnel. Google logs all such access. Google has informed you that it would not be possible to extract such data following a potential legally binding authority request. You assert that the only personal data collected by Google Analytics on the Website and subsequently processed by you in the context of Google Analytics has been IP addresses. Transfers of personal data to third countries: In late August 2020, you initiated a review project to assess agreements entered into by Telenor in light of the Schrems II judgment. You considered the Schrems II judgment to apply to your use of Google Analytics, as the agreement is entered into with Google as a U.S. data processor of Telenor. Any transfer of personal data to Google is carried out subject to the SCC’s Module Two. You have not carried out a thorough review of potential third country legislation, as it, according to information from Google, is not possible to determine the exact location of processing. This is due to Google applying the user’s proximity to the data center as one of the primary deciding factors for the processing location. You are aware of the CJEU’s interpretation of U.S. law, specifically FISA 702 and Executive Order 12333, and your focus has therefore been to ensure that appropriate technical and organisational measures are implemented to prevent unauthorised access to personal data. Moreover, Google has confirmed that it will not be possible for foreign authorities to gain access to the IP addresses collected prior to the anonymisation process. 5You have summarised the supplementary measures implemented by you and Google as follows. Firstly, Google has established policies and procedures for handling authority requests for user data from authorities across the world. According to Google, any request for customer data is handled by a team of qualified lawyers, and the requests are carefully reviewed to make sure they satisfy requirements in applicable laws. Secondly, Google has, through their IP anonymisation feature, made available a technical measure preventing the full IP addresses from being processed in manner that allows access by public authorities. This process is coupled with strict controls regarding privileges for access to the production environment of the Analytics Collection Network. In terms of supplementary measures implemented by you, you have applied a redaction script as an additional measure on the Website to prevent personal data unintentionally being shared with Google. You are of the opinion that the SCC’s, in addition to the supplementary measures adopted by Telenor and Google, would guarantee the contractual obligations as laid out in the SCCs. Your website analytics at present: According to your privacy policy, you now use Adobe Analytics as your web analytics vendor. Adobe Analytics processes IP addresses before deletion to allow geo-locating on municipality and city level, which allows you to filter your anonymous web visitors by municipality and city. IP addresses are not visible to you because they are automatically removed after processing. Adobe Analytics is a Software-as-a-Service (SaaS) that leverages cloud hosting. They use Adobe-owned servers in a Data Processing Center (DPC) in London for processing and 5 storage. 3.4.2 Advance notification of a reprimand The information provided by Telenor did not mitigate our concerns regarding the lawfulness of the use of Google Analytics. On 28 February 2023, we therefore sent you an advance notification of our intent to issue a reprimand to Telenor for having transferred personal data to a third country without complying with the conditions laid down in Chapter V GDPR, in violation of Article 44 GDPR. 3.4.3 Telenor’s response to the advance notification The Norwegian SA received Telenor’s response to the advance notification on 28 March 2023. We will go through Telenor’s arguments in more detail below, but the main legal arguments can be summarised as follows: 5https://www.telenor.com/privacy-policy/, last visited 5 June, 2023. 6 • The Norwegian SA has not sufficiently distinguished the different roles of the parties, i.e., when Google is a controller and when Google is a processor. • The Schrems II judgment related to the transfer of all or part of the personal data in clear text, which is substantially different from the processing activities in the present case. • The Norwegian SA has not documented a clear preponderance of probability relating to the findings of transfers to the U.S. and that FISA 702 applies in practice. When issuing a reprimand stating that provisions of the GDPR have been infringed, European Convention on Human Rights (“ECHR”) Article 6 requires that there must be established a clear preponderance of probability. • The processing of personal data in question does not constitute cross-border processing. • For visitors within the EEA, the IP address is not transferred to the U.S., as the IP address of European visitors are pseudonymised through the IP anonymisation in the memory of Google servers located in Europe. • Telenor had a valid legal basis for transfer. FISA 702 does not apply to Google Analytics in practice, and the transfer did not constitute an infringement of Chapter V GDPR. 3.5 Statement by Google On behalf of the EDPB taskforce, the Austrian DPA sent a questionnaire to Google regarding Google Analytics and supplementary measures. In a letter dated 9 April 2021, Google responded to the questions. Google lists the legal, organisational and technical supplementary measures they adopted after the Schrems II judgment. According to their statement, Google has implemented a legal review of data requests, notification of customers before disclosure, and publishes a Transparency Report on data requests. Additionally, they have, inter alia, implemented measures in relation to encryption, data access, pseudonymity, data minimisation, and adopted strict data security and data privacy policies. 6 4. Relevant GDPR requirements 4.1 Material and territorial scope Article 2(1) GDPR provides that the Regulation applies to “the processing of personal data wholly or partly by automated means (…)”. What constitutes “personal data” is defined in Article 4(1) GDPR as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (…)”. Article 4(2) GDPR defines “processing” as: 6Statement by Google, 9 April 2021. 7 “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. As regards the territorial scope of the GDPR, Article 3(1) establishes that the Regulation: “applies to the processing of personal data in the context of the activities of an establishment of a controller (…) in the Union, regardless of whether the processing takes place in the Union or not.” 4.2 Controller and processor Pursuant to Article 4(7) GDPR, “controller” means: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (…)”. Pursuant to Article 4(8) GDPR, “processor” means: “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” 4.3 Cross-border processing Article 4(23) stipulates that cross-border processing means either: (a) “Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member state; or (b) Processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.” 4.4 Transfers of personal data to third countries Transfer of personal data from the EEA to third countries is regulated by Chapter V GDPR. Pursuant to Article 44 GDPR, the general principle for transfers reads as follows: 8 “Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country (…) shall take place only if, subject to the other provisions of this Regulation, the conditions in this Chapter are complied with by the controller and processor(…). All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined”. Chapter V GDPR further foresees different tools for transfer to ensure an equivalent level of protection for natural persons as provided for in the EEA and required by Article 44 GDPR. Relevant tools for transfers: Adequacy decisions, Article 45(1) GDPR: “A transfer of personal data to a third country (…) may take place where the Commission has decided that the third country (…) in question ensures an adequate level of protection. Such transfer shall not require any specific authorisation.” Appropriate safeguards, Article 46(1) GDPR: “In the absence of an [adequacy decision] (…) a controller may transfer personal data to a third country (…) only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.” Pursuant to Article 46(2)(c), the appropriate safeguard may be provided for, without requiring any specific authorisation from a supervisory authority, by “Standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2).” (“SCCs”) Schrems II judgment: In the Schrems II judgment, the CJEU declared the “EU-U.S. Privacy Shield” decision pursuant to Article 45(1) GDPR invalid, as American intelligence and surveillance laws undermined the level of protection for data subjects in the EEA guaranteed by the GDPR. Equally, the CJEU stated that the use of SCCs may not in themselves be sufficient to ensure that level of protection, in which case the implementation of supplementary measures may be necessary. The purpose of such supplementary measures is to ensure that personal data is not processed beyond what is necessary in a democratic society. The EDPB has issued recommendations on supplementary measures (“EDPB Recommendations”). 7See Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, available on https://edpb.europa.eu/our-work-tools/our- documents/recommendations/recommendations-012020-measures-supplement-transfer_en, last visited 5 June 2023. 95. Our assessment of the case 5.1 Main legal questions There are three main legal questions arising from this case, namely; i) Whether or not personal data was processed in the context of the Google Analytics tool, ii) Provided that personal data was processed, whether or not this personal data was transferred to the U.S., and iii) Provided that the personal data was processed and transferred to the U.S., whether or not this transfer infringed Chapter V GDPR, also considering the Schrems II judgment. In the following, we will assess these three questions in addition to other relevant elements of the case. 5.2 Scope of the Norwegian SA’s investigation Our investigation into your use of Google Analytics is limited to the time period from the CJEU’s Schrems II judgment to your discontinuation of Google Analytics, i.e. between 16 July 2020 and 15 January 2021 – a time period of six months. We have not investigated Google’s potential further processing of the personal data subject to the complaint, as this was not within the scope of the complaint. Furthermore, we have not investigated your use of the new web analytics vendor implemented on the Website. 5.3 Whether the processing in question constitutes cross-border processing In our order to provide information dated 18 December 2020, we laid down an assumption stating that the processing of personal data within the context of Google Analytics on the Website was cross-border in nature according to Article 4(23)(b) GDPR. This assumption was based on the fact that the Telenor Website has a global reach, attracting visitors from both the EEA and the rest of the world, and that the Website’s default language is English. In line with Article 4(23)(b), we assumed that the processing of personal data through Google Analytics on the Website substantially affected or was likely to substantially affect data subjects in more than one Member state. As such, we considered the processing to be cross-border in nature. In your response to our order to provide information dated 8 February 2021, you did not contradict this assumption. Furthermore, you also stated that: “The telenor.com site is open and accessible to any website visitor from around the globe. Telenor.com is the main corporate website of the Telenor Group, the site is 10 aimed at visitors from all around the globe. As such, data subjects from any European Members State may have been subject to the processing of the Tool. ” 8 Following this, we concluded that the processing constituted cross-border processing within the meaning of Article 4(23)(b) in our advance notification with the following statement: “The processing of personal data on the Website substantially affects or is likely to substantially affect data subjects in more than one Member State, as the target audience of the site are customers and stakeholders of Telenor’s subsidiaries internationally. Thus, the processing constitutes cross-border processing pursuant to Article 4(23)(b) GDPR. ” 9 In your response to our advance notification, you state that the we have not provided any grounds to substantiate why we have concluded that the processing through Google Analytics on the Website constitutes cross-border processing. You are of the opinion that there is no cross-border processing of personal data through Google Analytics on the Website within the meaning of Article 4(23)(b) GDPR. You argue that there is a certain threshold for the processing to “substantially affect or is likely to substantially affect data subjects in more than one Member State, and that this threshold is not met in the present case. Furthermore, you state that the Website is aimed at corporations and companies and not at individual data subjects per se, and that it does not offer services or products to customers in Norway or any other country. You also state that your statistical overview shows that the number of individuals from other EEA countries who visit the website is low, and that, as per February 2023, the top three countries from which the Website was visited were Pakistan, Norway and India. In your view, this speaks to the fact that the processing does not substantially affect a significant number of data subjects in several Member States. Against this background, you are of the opinion that the processing does not constitute cross-border processing. Article 4(23)(b) establishes two conditions that must be met in order for the processing to be considered cross-border; the processing must take place in the context of the activities of a single establishment of a controller or processor in the Union, and the processing must substantially affect or be likely to substantially affect data subjects in more than one Member State. The starting point for the assessment of whether the processing is cross-border or not, is the processing operation itself. In this case, the processing in question is the alleged collection and subsequent transfer of personal data to a third country through Google Analytics, embedded on the Website by Telenor. As this processing took place in the context of the activities of a single establishment of Telenor in the Union, the first condition of Article 4(23)(b) is satisfied. 8 9Response from Telenor ASA to the questions posed by Datatilsynet on 18 December 2021, p. 1, question 4. Advance notification, point 3.3.1 11When it comes to the second condition, namely that the processing must substantially affect or be likely to substantially affect data subjects in more than one Member State, we agree with Telenor that not all cross-border processing activity falls within the definition of cross-border 10 processing in Article 4(23)(b). As you state, this is also the position of the EDPB. We also agree that the fact that a website is accessible to anyone in the EEA with an Internet connection does not automatically mean that cross-border processing is taking place. However, the processing in question does meet the threshold that Article 4(23)(b) sets out for the following reasons. As also stated in the above-mentioned EDPB Guidelines, Supervisory Authorities will interpret “substantially affects” on a case-by-case basis, taking into account the context of the processing, the type of data, the purpose of the processing, as well as several listed factors.11 Going off the list of factors, the collection and subsequent transfer of personal data to a third country through Google Analytics on the Website can have “unlikely, unanticipated or unwanted consequences for individuals”. A person visiting the website might not be aware that their personal data is being collected and subsequently transferred to the U.S., where it can be subject to U.S. intelligence surveillance. This type of processing is intrusive, uncomfortable, and is likely to substantially affect the data subjects. Furthermore, the processing in question does not happen in plain sight and is difficult to follow for an individual. Again, some visitors might not even be aware that their personal data were being collected through Google Analytics when visiting the Website. Moreover, the processing clearly affects data subjects in more than one Member State. The Website is the main corporate website of the Telenor Group, which has owner interests and shareholders in several countries inside and outside the EEA. Accordingly, the website is aimed at visitors from all around the globe, including the EEA, and arguably especially at visitors from countries where the Telenor Group has subsidiaries, which includes EEA countries such as Sweden and Denmark. Your statistical overview also demonstrates that Norway, Sweden, Denmark and Germany are among the top ten countries from which the Website is visited as per February 2023. 13 Taking this into account, we have found the processing in question to substantially affect, or to be likely to substantially affect, data subjects in more than one Member State. As such, the processing constitutes cross-border processing within the meaning of Article 4(23)(b). 5.4 Competence of the Norwegian Supervisory Authority 10Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, Version 2.0, Adopted on 29 March 2023, para. 7. 11Ibid, para. 12. 12Ibid, bullet point eight. 13Annex 1from Telenor: «Telenor.com | Besøk topp 50 land | Februar 2023». 12As per point 5.3, the processing of personal data constitutes cross-border processing within the meaning of Article 4(23)(b). Norway is the place of Telenor’s central administration in the EEA. As such, the main establishment of Telenor, within the meaning of Article 4(16)(a) GDPR, is in Norway. The Austrian SA therefore transferred the complaint to the Norwegian SA in accordance with Article 56(1) GDPR. Therefore, the Norwegian SA is the competent SA and acts as the lead supervisory authority in this case. 5.5 Controller and processor 5.5.1 General overview Controller: The complainant has identified Telenor as the controller in its complaint. In your response to us, you stated that the decision to embed Google Analytics on the Website was made by Telenor. Therefore, we find it to be undisputed and clear that you “determine(d) the purposes and means of the processing of personal data” subject to the complaint, and therefore acted as a controller pursuant to Article 4(7) GDPR. Processor: The complainant further identifies Google in the U.S. as Telenor’s processor in relation to the personal data processed in Google Analytics. In your response to us, you state that Google is the data processor in the use of Google Analytics on the Website, as stated in the Google Analytics Terms of Service and Data processing Terms applicable to Google Analytics. Furthermore, you have entered into SCCs with Google, using Module Two of the SCCs. Against this background, we find it to be undisputed and clear that Google “processe(d) personal data on behalf of” you within the context of Google Analytics, and therefore acted as a processor pursuant to Article 4(8) GDPR. Seeing as neither the complainant nor you have addressed Google Ireland Limited in relation to the processing of personal data in question, we have not investigated if, and to what extent, they are involved in the processing. Thus, we are assessing the case on the premise that a data subject in Austria visited the Website, and whether or not the complainant’s personal data subsequently was unlawfully transferred from the EEA to the U.S. through your use of Google Analytics. 5.5.2 The roles of Telenor and Google In your response to our advance notification, you claim that the Norwegian SA does not distinguish between data elements collected by Google as a data processor for Telenor in its 13provision of Google Analytics, and personal data collect14 by Google as a data controller with respect to its provisioning of services to data subjects. You state that you are responsible as a controller and data exporter for the data collected through the use of Google Analytics, namely: • IP addresses; • Unique identifier that identifies the browser/device used to visit the Website (“cookie ID”); • Unique identifier used to identify the Website operator (in this case the account ID of Telenor); • Address and HTML title of the Website (i.e. Telenor.com + subdomains); and • Information on browser, operating system, screen resolution, language settings as well as date and time of access to the Website. Furthermore, you state that where Google acts as data controller, any transfer of personal data by Google falls outside the responsibility of Telenor. Google is the controller when it comes to the processing of personal data that happens when a visitor visits the Website while being logged into their account. Where a visitor is logged into their account in the browser, this is a processing activity that occurs in the relationship between Google as a data controller and the individual using Google services such as a Google account. These processing activities occur by virtue of a contract entered into between Google and that particular user, and falls outside the processing activities and responsibilities of Telenor. The Norwegian SA agrees with Telenor that there likely exist situations where Google is an independent or joint controller in relation to analytics data. However, our proceedings only concern the processing carried out in Google Analytics by Google as a data processor for Telenor, i.e. the above list of data collected through your use of Google Analytics. The current case does not concern how Google processes Google account data. Nonetheless, in assessing whether the data in scope constitutes personal data, it is necessary to assess whether the data subject is identifiable, and this includes looking at all possibilities Google may have for identification. 5.6 Whether personal data was processed in Google Analytics In order for the GDPR to apply, “personal data” pursuant to Article 2(1) must be processed. Therefore, the complainant needs to be identified or identifiable, directly or indirectly, by the data processed in Google Analytics. Online identifiers, such as IP addresses and information stored in cookies, can be used to identify a user, in particular when combined with similar types of information. This is illustrated by Recital 30 GDPR, whereby: 14Telenor’s Response to Advance notification of a reprimand p. 5. 14 “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers (…). This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.” In order to assess whether the complainant is identifiable through the data processed in Google Analytics, thus making it personal data pursuant to Article 4(1) GDPR, it must be assessed how Google Analytics works, and whether the complainant is identifiable to Telenor or Google. Telenor has implemented Google Analytics on the Website by inserting a JavaScript command (a tag), which was specified by Google, into the source code of the Website. While the page is loading in the browser of the visitor, the JavaScript code is now loaded from the servers of Google and executed locally in the visitor’s browser. A cookie, under the domain of the website operator, is set by this JavaScript code. Among other elements, a permanent unique identifier is set in the cookie value. This unique identifier is generated and managed by Google. Telenor, however, can read the value. On the basis of the HAR data, the following data was processed when the complainant visited the Website: • Unique identifier(s) that identifies the browser/device used to visit the Website, as well as a unique identifier that identifies the Website operator, in other words the Google Analytics account ID of the Website operator, • Address and HTML title of the Website, • Information on browser, operating system, screen resolution, language settings, as well as the time and date the Website was accessed by the complainant, • The complainant’s IP address. As regards IP addresses, it is worth noting that the anonymisation process is carried out on Google’s servers. In other words, the IP address is sent to Google before it is anonymised. The CJEU has al15ady ruled that IP addresses in most circumstances are to be considered as personal data. In our view, IP addresses still qualify as personal data even though the means of identifiability lie in third entities. Additionally, IP addresses can be combined with further elements in order to make the data subject identifiable. As these unique identifiers are set with the specific purpose to differentiate individuals, where differentiation was not possible before, they contribute to making the individual identifiable. In this regard, we note the findings of the Austrian SA in a similar case, also referring to a decision by the European Data Protection Supervisor, that these Google Analytics identifiers in principle qualify as personal data.16 15 16See judgments C-597/19 and C-582/14. See page 27 of the decision in question, available on https://noyb.eu/sites/default/files/2022- 04/Bescheid%20geschw%C3%A4rzt.pdf, last accessed 13 June 2023. 15Even if unique identifiers per se would not make individuals identifiable, they can also be combined with further elements. In this case and as already mentioned, the IP address and cookie identifiers were combined with, inter alia, the address of the specific website the complainant visited, the time and date of the website visit, as well as metadata about the browser and operating system. While the latter may appear seemingly innocuous, the combination of settings and parameters of the browser and the operating system may sometimes be sufficiently unique to lead to so-called device fingerprinting. Therefore, both you and Google have several elements that combined can enable you to single out visitors, including the complainant, on the Website where Google Analytics was implemented. The GDPR does not require the controller or processor to know the name or physical address of the visitor – it suffices that it would be possible to identify an individual, also relying on additional data from other sources. As illustrated by Recital 26, the singling out of individuals may be sufficient to make them identifiable. Additionally, the complainant was logged into their Google account at the time the Website was visited. As shown by Google’s statement, the implementation of Google Analytics on a website enables Google to receive information that a specific Google account has visited that website. Even though Google states that certain settings must be enabled in order for them to process such information, it must be noted that the definition of personal data is based on whether it is technically possible to identify an individual, not whether a party chooses to do so in practice. In our understanding, tweaking the relevant settings would affect the latter aspect, but not necessarily the former. Furthermore, the fact that you consider Google your data processor and have entered into a data processing agreement with them in the context of your use of Google Analytics, would also seem to indicate that the contracting parties are of the opinion that personal data is being processed. Taking all of this into account, as a result, we find that the data in question is to be regarded as personal data within the meaning of Article 4(1) GDPR. 5.7 Whether a transfer of personal data to the U.S. has taken place In your response to our advance notification of a reprimand, you state that personal data in clear text was not transferred to the U.S. for processing in Google Analytics. You had implemented the IP anonymisation feature in Google Analytics. When applying this feature, the IP address will be transmitted to the Google server closest to the Website visitor for IP anonymisation and subsequent return of the cookie ID. The IP anonymisation process occurs in the memory of the server and results in an instantaneous deletion of the IP address. Google has confirmed that it is not possible for any public authority to gain access to the IP address prior to the IP anonymisation process. 16You further state that for visitors within the EEA, the IP address is not transferred to the U.S., as the IP Addresses of European visitors are pseudonymised through the IP anonymisation in the memory of Google servers located in Europe. The IP address of EEA visitors is thus not exported out of the EEA, only the cookie ID. As regards Website visitors from outside the EEA, you state that you will be a data exporter under Chapter V GDPR in situations where the IP address is transferred for IP anonymisation to another third country, i.e. when the closest server location to the visitor is in a third country. Furthermore, you state that, as a result of the Google Analytics network being hosted within the U.S., data elements such as cookie ID, website visited, operating system, device type and screen resolution will be exported to and processed within the U.S. You are responsible under Chapter V GDPR for the export of these data elements. We find that there is no dispute surrounding the fact that all data processed in Google Analytics eventually ends up in the U.S. – some data in clear text, and other pseudonymised. We further agree that the IP addresses of EEA visitors are most likely truncated on a European server before the cookie ID is transferred to the U.S. However, the Website has many visitors from different third countries. When a visitor from a third country closer to a non-EEA data centre visited the Website, they are never connected to a European server, but are connected to a Google server in a third country instead. As 18 such, the IP address of the visitor is transferred to a third country before it can be anonymised. Pursuant to Article 3(1) GDPR, the Regulation “applies to the processing of personal data in the context of the activities of an establishment of a controller (…) in the Union, regardless of whether the processing takes place in the Union or not.” This means that the GDPR applies regardless of where the data subject is located. 19 In any case, as explained above, there are several data categories which in themselves or in combination constitute personal data, including the visitor’s unique identifier (cookie ID), the time of the visit and metadata about the browser and operating system. Even if IP addresses are disregarded, we find that the totality of the data transferred still constitute personal data. Against this background, we find that personal data was transferred to the U.S. through the use of Google Analytics on the Website. 5.8 Whether the transfer of personal data infringed Article 44 et seqq. GDPR In your response to our advance notification, you state that Telenor had a valid legal basis for transfer, that the data was not at risk for authority requests under FISA 702, that the transferred data were trivial in nature and would not have entailed an infringement of the 17Annex 1from Telenor: «Telenor.com | Besøk topp 50 land | Februar 2023». 18https://support.google.com/analytics/answer/11598602, last visited 14 June 2023. 19See also EDPB Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), available on https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article- 3-version_en, which on p. 10 states the following: “However, geographical location is not important for the purposes of Article 3(1) with regard to the place in which processing is carried out, or with regard to the location of the data subjects in question.” 17fundamental rights of the individual if accessed by the authorities, but rather a mere interference. As the processing activities took place within the U.S., Telenor and Google had entered into the SCCs for processors as the legal basis for transfer of personal data to the U.S. Under the SCC, Telenor acted as data exporter and Google acted as data importer. You disagree with our advance notification, where we held that the use of SCCs generally will not be sufficient for transfer of personal data to an organisation in the U.S. subject to FISA 702. You further maintain that Telenor and Google had implemented adequate supplementary measures to protect the data. You state that although Google has been subject to access requests in general, this is not a relevant prior instance of requests for access. Furthermore, Google has confirmed publicly that during the 15-year period during which Google Analytics has been available, Google had, as of 19 January 2022, not received a single FISA request for such data. You therefore contend that FISA 702 did not apply to Google Analytics in practice. Google LLC, as a data importer in the U.S., classifies as an electronic communications service provider within the meaning of 50 U.S. Code § 1881(b)(4). Google is therefore subject to surveillance by U.S. intelligence agencies pursuant to FISA 702, and is therefore obliged to provide the U.S. government with personal data when FISA 702 is invoked. In Schrems II, the CJEU held that the U.S. surveillance programs based on FISA 702, E.O. 12333 and Presidential Policy Directive 28 do not meet the minimum requirements laid down in EU law in accordance with the principle of proportionality. This means that the monitoring programs based on those provisions cannot be considered to be limited to what is strictly necessary. In other words, the CJEU found that the level of protection of personal data when transferring personal data to the U.S. is not essentially equivalent to that guaranteed in the EU. As pointed out by Telenor, it is important to distinguish between interferences with, and infringements of, fundamental rights. Laws on governmental access which do not meet the requirements of proportionality and necessity constitute infringements by definition, and the CJEU found that U.S. surveillance laws fall within this category. As an exception from this, we have stated in our public-facing guidance that transferring personal data that are publicly available to third countries without supplementary measures may possibly not constitute an infringement. This is clearly not relevant in this case, as the personal data in question are not publicly available. Worth noting is that neither the wording of Chapter V GDPR, the Schrems II judgment, nor the practice of other EEA data protection authorities permit a so-called ‘risk-based approach’ under which data can be transferred without supplementary measures if they are not likely to be intercepted (for example if the controller believes that the data are not ‘interesting’ to third 20Schrems II judgment, para. 184. 18country authorities) or if the consequences of interception are perceived by the controller as being small (for example due to the perceived nature of the data). Furthermore, the CJEU points out that when transferring personal data on the basis of SCCs, in order to ensure that the level of protection is not undermined, it is necessary to also examine the third country’s legal system with regard to access by third country authorities. 21 Where problematic legislation on governmental access prevails, it is necessary to adopt 22 supplementary measures in addition to the SCCs to uphold the level of protection. For transfers of personal data to the U.S., it is clear that problematic legislation prevails over the SCCs, and thus supplementary measures are required unless an exception applies. However, the EDPB has since the Schrems II judgment stated that if there is no reason to believe that the problematic legislation in question applies in practice, adopting supplementary measures is not necessary. Though this ‘permittance’ was formulated by the EDPB after Telenor stopped using Google Analytics, Telenor should be able to benefit from it if the conditions are met. Concomitantly, the EDPB has specified what is required in this situation and emphasised that controllers remain accountable for their assessments: You will need to have demonstrated and documented through your assessment, where appropriate in collaboration with the importer, that the law is not interpreted and/or applied in practice so as to cover your transferred data and importer, also taking into account the experience of other actors operating within the same sector and/or related to similar transferred personal data and the additional sources of information 23 described further below. Furthermore, the EDPB has stated as follows: You must however note that the absence of prior instances of requests received by the importer can never be considered, by itself, as a decisive factor on the effectiveness of the Article 46 GDPR transfer tool that allows the transfer to proceed without supplementary measures. 24 It is important to note the fundamental difference between situations where there is no reason to believe that personal data are in practice covered by problematic legislation (in Norwegian: ingen grunn til å tro at loven i praksis får anvendelse), and situations where personal data are in fact within scope of the legislation, but there is no reason to believe that authorities will utilise the access they are granted under that legislation (in Norwegian: ingen grunn til å tro 21Ibid., para 104. 22Ibid., para. 133. 23EDPB recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, para 43.3, available on https://edpb.europa.eu/our-work-tools/our- documents/recommendations/recommendations-012020-measures-supplement-transfer_en, 24Ibid., para. 47. 19at loven i praksis vil bli anvendt). Only the former fulfils the criteria set out in the EDPB guidelines, while Telenor’s arguments appear to be tied to the latter. To be clear, the wording of FISA 702 indicates that the personal data in this case are within scope of the problematic legislation. Telenor has failed to demonstrate and document that FISA 702 is not interpreted and/or applied in practice so as to cover that personal data, and Telenor has not documented that it has examined the experience of other actors operating within the same sector and/or consulted the sources of information described by the EDPB. Telenor’s assertion that Google has not historically received access requests regarding Google Analytics data is in itself not sufficient. Therefore, the question at hand is whether the SCCs were supplemented by appropriate measures to prevent U.S. intelligence services processing personal data of visitors to the Website beyond what is necessary in a democratic society. The EDPB Recommendations explain and exemplify which supplementary measures are considered by EEA supervisory authorities to be appropriate in this regard. In general, technical measures that prevent personal data being made available to the data importer in clear text would be required here. Though it has been argued that supplementary measures are in place, it is clear that those measures do not prevent Google from having clear text access to at least some of the personal data in question, such as the combination of the visitor’s unique identifier (cookie ID), the time of the visit and metadata about the browser and operating system, again noting that the scope of personal data in this case is wider than just the IP addresses. On this background, we find that the transfer of personal data infringed Article 44 GDPR. 5.9 Conclusion Based on the above, we find that personal data of visitors to the Website was processed in the context of Google Analytics, that those personal data were transferred to the U.S., and that this transfer infringed Chapter V GDPR. 6. Corrective measure The complainant requests us to impose a ban or suspension of data flows from Telenor to Google in the U.S., as well as impose an effective, proportionate and dissuasive administrative fine against you. Seeing as your use of Google Analytics was discontinued on 15 January 2021, there is no reason to impose a ban or suspension of data flows from Telenor to Google in the U.S. We have, however, considered whether we should exercise any other corrective powers. Taking into account all elements of the case, we find a reprimand to be an adequate and proportionate corrective measure. Pursuant to Article 58(2)(b), a reprimand is a corrective measure that SAs can issue to a controller or processor where processing operations have 20infringed the GDPR. The purpose of reprimands is to indicate criticism towards the identified infringements. In your response to our advance notification, you claim that the issuance of a reprimand requires a clear preponderance of probability, as a reprimand is to be considered as punishment under the European Convention of Human Rights (“ECHR”) Article 6. You base this on the assumption that a reprimand is a “final statement of guilt” for breaching Chapter V GDPR, similar to formal warnings under the Norwegian Public Administration Act. You state that this threshold is not met in the present case. As the case currently stands, also taking as a basis the additional information you provided in your response to our advance notification, we find that there is a clear preponderance of probability that personal data, including the Website visitor’s unique identifier (cookie ID), the time of the visit and metadata about the browser and operating system, was transferred to the U.S. without sufficient supplementary measures where such supplementary measures were required. In any case, we reject that a reprimand pursuant to Article 58(2)(b) is to be considered as punishment under the ECHR Article 6. The European Court of Human Rights (“ECtHR”) has interpreted the notion of ‘criminal charge’ for the purposes of Article 6 ECHR in several of its judgments, most notably in the 26 Engel Case. In that judgment, the ECtHR set out three criteria for the determination of whether a charge is ‘criminal’, namely: 1. the classification of the charge in national law; 2. the nature of the offence; and 3. the degree of severity of the penalty. 27 28 The ECtHR further elaborated on what constitutes a ‘criminal charge’ in the Öztürk Case, where it concluded that a penalty was criminal inter alia because it was punitive and intended to be deterrent.29 Applied to the present case, it is clear that a reprimand is not classified as a criminal law penalty under Norwegian law. As for the degree of severity of the reprimand, it has little impact on the controller and no tangible repercussions. A reprimand cannot be considered to be a measure of any considerable severity, and it is not of a punitive nature. 25 26Norwegian: “Formelle advarsler”. Case of Engel and Others v. the Netherlands (Application no. 5100/71; 5101/71; 5102/71; 5354/72; 5370/72) 27Ibid., para. 82. 28Case of Öztürk v. Germany (Application no. 8544/79) 29Ibid., para. 53. 30In this regard, it is worth noting Recital 148 GDPR, which states that a reprimand may be issued in case of a minor infringement. 21Also worth noting is that under the GDPR, only administrative fines are intended to be dissuasive, pursuant to Article 83(1), in contrast to reprimands and the other corrective measures listed in Article 58(2). As for Telenor’s representations regarding formal warnings, we note that formal warnings are not listed in the Norwegian Public Administration Act Chapter IX among the administrative sanctions that constitute a ‘criminal charge’ in the sense of the ECHR. 7. Right of appeal As this decision has been adopted pursuant to Article 56 and Chapter VII GDPR, the present decision may be appealed before Oslo District Court (“Oslo tingrett”) in accordance with Article 78(1) GDPR, Article 25 of the Norwegian Data Protection Act, and Article 4-4(4) of the Norwegian Dispute Act. 31 Yours sincerely Jørgen Skorstad Director, law Trine Smedbold Legal Adviser This letter has electronic approval and is therefore not signed Copy: noyb – European Center for Digital Rights 31 Act of 17 June 2005 no. 90 relating to mediation and procedure in civil disputes (Lov om mekling og rettergang i sivile tvister (tvisteloven)). 22