Personvernnemnda (Norway) - PVN-2023-03

From GDPRhub
Revision as of 10:11, 11 October 2023 by Ar (talk | contribs)
PVN - PVN-2023-03
Courts logo1.png
Court: PVN (Norway)
Jurisdiction: Norway
Relevant Law: Article 55 GDPR
Section 21a of the Norwegian Health Personnel Act
Section 20 of the Norwegian Personal Data Act
Decided: 15.09.2023
Published:
Parties: Datatilsynets
National Case Number/Name: PVN-2023-03
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): Norwegian
Original Source: Personvernnemnda (in Norwegian)
Initial Contributor: ar

The Norwegian Data Protection Board ruled that the transmission of the complainant's health information to a third person during a court proceeding fell outside the scope of the Norwegian Personal Data Act. In fact, their privacy had been sufficiently safeguarded by Norwegian Administration of Justice laws.

English Summary

Facts

During an ongoing dispute at a Norwegian Court of Appeal regarding the award of occupational injury insurance between a complainant and an insurance company (the data controller), the latter forwarded some of the complainant's health information to an external psychiatrist as a private expert. However, in its judgment of 7 January 2022, the Court of Appeal did not find it necessary to give decisive weight to the private expert's assessment and disregarded it.

On 22 November 2021, the Norwegian DPA received an enquiry from a complainant who argued that the data controller's disclosure to the private expert resulted in a breach of the GDPR.

However, on 5 September 2022, the DPA dismissed the complaint because it concerned the processing of personal data that falls outside the scope of the Norwegian Personal Data Act under section 2, second paragraph, letter b, meaning that the DPA did not have any authority on the process, pursuant to Article 55 GDPR and section 20 of the Personal Data Act.

On 26 September 2022, the complainant filed a timely complaint against this decision and on 30 January 2023, the case was submitted to the Norwegian Data Protection Board. Which, on 15 September 2023, considered whether the insurance company's transmission of the case documents containing the complainant's health information to a privately engaged expert, in connection with the processing of a civil case before the Court of Appeal, falls outside the scope of the Norwegian Personal Data Act.

Holding

The Norwegian Data Protection Board noted that the present case fell within an exception of the Norwegian Personal Data Act. Accordingly, the Act shall not apply to cases decided pursuant to Norwegian Administration of Justice laws, such as the Dispute Act, as they provide sufficient safeguards for privacy.

Regarding the complaint, the Norwegian Data Protection Board observed that personal data processing in connection with a case before a court is sufficiently regulated by Norwegian Administration of Justice laws. In fact, during the proceedings before the Court of Appeal, the Court had already ruled that the use of the complainant’s health information had been contrary to section 21a of the Health Personnel Act and that the expert witness's statements should be dismissed as obtained improperly. So there was no need to consider any additional regulation under the data protection legislation.

Furthermore, the Norwegian Data Protection Board stated that the Norwegian Personal Data Act does not regulate what evidence can be presented in court, nor the collection and disclosure of personal data that constitutes evidence in a proceeding. In fact, the rules on access to information and the presentation of evidence in legal proceedings are set out in Norwegian procedural legislation and do not fall within the authority of the DPA and the Norwegian Data Protection Board.

Thus, the Norwegian Data Protection Board agreed with the Norwegian DPA and ruled against the complainant’s objection.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

The Privacy Board's decision 15 September 2023 (Mari Bø Haugstad, Bjørnar Borvik, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem, Morten Goodwin, Malin Tønseth)
The case concerns a complaint from A against the Norwegian Data Protection Authority's decision on 5 September 2022, where the Norwegian Data Protection Authority rejected the case citing that it fell outside the scope of the Personal Data Act, cf. Personal Data Act § 2 second paragraph letter b.
Background of the case
On 22 November 2021, the Danish Data Protection Authority received an inquiry from A about what she believed to be illegal processing of her personal data by If Skadeforsikring. In a, at the time, ongoing dispute before the courts regarding the awarding of occupational injury insurance, the insurance company had sent the case's documents (including A's health information) to an external psychiatrist whom the company engaged as a private (not court-appointed) expert. It appears from the pleadings submitted that A also stated in the legal process that the disclosure of A's health information to the privately engaged expert represented a breach of the Personal Data Protection Ordinance. It is not known whether a request was made to suppress evidence and whether the Borgarting Court of Appeal made a decision on this. The Borgarting Court of Appeal held the main hearing in the case in December 2021 and delivered its judgment on 7 January 2022. It appears from the judgment that the court received a statement from the privately engaged expert, but that the court was unable to place decisive weight on his assessment.
The Norwegian Data Protection Authority made the following decision on 5 September 2022:
"The complaint is rejected. In our opinion, the complaint concerns the processing of personal data that falls outside the scope of the personal data protection regulations, cf. the Personal Data Act § 2 second paragraph letter b. The Danish Data Protection Authority thus does not have the competence to process the case according to the Personal Data Protection Regulation Article 55 and the Personal Data Act § 20."
A timely appealed against the decision on 26 September 2022. The Norwegian Data Protection Authority assessed the complaint, but found no basis for changing its decision. The case was forwarded to the Personal Protection Board on 30 January 2023. A was informed about the case in a letter from the board, and was given the opportunity to make comments. A has not given any comments.
The case was dealt with at the board's meeting on 15 September 2023. The privacy board had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik (deputy chair), Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem, Morten Goodwin and Malin Tønseth. Secretariat manager Anette Klem Funderud was also present.
Briefly about the Norwegian Data Protection Authority's decision
The Danish Data Protection Authority assumed that the complaint concerned the processing of personal data that falls outside the scope of the Personal Data Act pursuant to Section 2, second paragraph, letter b of the Personal Data Act, and rejected the complaint.
The Norwegian Data Protection Authority points out that even if the case does not concern the court's processing of personal data, it is a case that was dealt with pursuant to an administration of justice act. The wording in section 2, second paragraph, letter b, is, according to the supervisory authority's assessment, clearly in the direction that the Administration of Justice Act exception applies to all actors who process personal data in connection with legal disputes. The exception to the Legal Services Act applies to "cases" in their entirety, without reference to a limitation that suggests that it is exclusively court proceedings that are covered. The purpose of and considerations behind the rule also suggest that the Administration of Justice Act exception includes the parties' processing activities in connection with the legal dispute.
In this case, it is If, as a party to the case before the court, which disclosed personal data to a private expert engaged in the case. The expert was summoned as a witness in the case and this indicates that the handover took place in the context of the court proceedings and that the exception to the Administration of Justice Act applies, cf. the Personal Information Act § 2 second paragraph letter b.
As's view of the case in brief
The Norwegian Data Protection Authority has competence to process the case, as the present case falls outside the exception in the Personal Data Act § 2 second paragraph letter b.
The scope of the exception in the Personal Data Act § 2 second paragraph letter b is unclear, cf. the preparations for the act, Prop. 56 LS (2017-2018) points 4.4.7 and 4.5.7. The question has not previously been put to the fore, and there is consequently neither case law nor tribunal practice that clarifies the boundary more closely.
The legal process has ended and the consideration behind the exception no longer applies. In the case, it is not a question of cutting off evidence, nor a question of reviewing the court's assessment. In its judgment, the Court of Appeal did not deal with the issue that was raised ahead of the main hearing, as A during the appeal case agreed to the psychiatrist testifying as an expert witness in the case. In its judgment on 7 January 2022, the Court of Appeal disregards the psychiatrist's assessment.
The Borgarting Court of Appeal issued a ruling on 17 January 2021 in another case that touches on a similar theme to the present case, see LB-2021-65580. Borgarting Court of Appeal states:
"As the Court of Appeal has come to the conclusion that the evidence was obtained improperly in violation of the Health Personnel Act § 21 a, it is not necessary for the Court of Appeal to also assess whether the passing on of the information from Protector to Dr. Weisæth and Dr. Nordal is in violation of GDPR.”
The Supreme Court rejected the appeal from the company and the ruling is legally binding.
A requests that the case be processed. Disclosure of sensitive personal data to external experts is common at If. It is therefore important to clarify this question of principle.
The Norwegian Privacy Board's assessment
The Personal Data Act and the Personal Data Protection Regulation apply to fully or partially automated processing of personal data and to non-automated processing of personal data that is or is to be included in a register. The Act and the Ordinance do not apply when otherwise determined by or pursuant to law, cf. Personal Data Act § 2 first paragraph.
The Personal Data Act § 2 second paragraph letter b sets out exceptions from the Personal Data Act's factual scope as follows:
"The Act and the Personal Data Protection Ordinance do not apply
[...]
b) for cases that are dealt with or decided in accordance with the administration of justice laws (the Courts Act, the Criminal Procedure Act, the Disputes Act and the Enforcement Act, etc.)"
The question in the case is whether the insurance company's transmission of the case documents with A's health information to a privately engaged expert, in connection with the processing of a civil case before the Court of Appeal, falls outside the scope of the Personal Data Act. Subsidiarily, the question has been raised as to whether the assessment will in any case be different after the legal process has ended.
Today's exception to the Administration of Justice Act represents a continuation of a similar exception in the previous personal data regulation § 1-3. In Prop. 56 LS (2017–2018), the ministry refers to the administration of justice act exception as follows in point 4.5.7:
"The department proposes that the law should not apply to cases that are dealt with or decided in accordance with the administration of justice laws (the Courts Act, the Criminal Procedure Act, the Disputes Act and the Enforcement Act, etc.), see the proposed law § 2 second paragraph letter b. This is a continuation of the current personal data regulations § 1-3 , which has identical wording."
During the hearing round, several hearing bodies pointed out that there were ambiguities with the current Administration of Justice Act exception in the Personal Data Regulations, including the Norwegian Data Protection Authority and the Norwegian Lawyers' Association. The Juristforbundet stated that there is a particular need to clarify the scope of the exception for cases dealt with under the Disputes Act. Among other things, the Danish Data Protection Authority pointed out that the provision does not give instructions on which actors are covered by the exception, which the Danish Data Protection Authority thought was problematic because in connection with cases dealt with or decided by the Administration of Justice Acts there may be a number of different data controllers.
The ministry nevertheless maintained the same wording, with the following justification in the legislative preparations section 4.5.7:
The Ministry would also like to note that the provision continues the current law, so that no new questions of interpretation are raised. At the same time, the ministry has taken note of the statements from the consultation bodies, and believes that it may be appropriate to take the provision up for further assessment. Nevertheless, the ministry does not propose any change to the provision in the proposal here, see point 2.3."
The Ministry of Justice and Emergency Preparedness has previously stated that they are considering an investigation related to the scope of the Administration of Justice Act exception. There is no information on when this work is expected to be completed.
The tribunal assumes that the exception for cases dealt with in accordance with the Administration of Justice Acts is justified in the interest of an independent administration of justice, and that privacy is considered safeguarded through the general guarantees of legal security that the Administration of Justice Acts provide, cf. PVN-2022-16. Even though in various drafts of the law there has been a lack of clarity with regard to the scope of the administration of justice act exception, the ministry has expressed in the drafts of the Personal Information Act 2018 that the previous state of law will continue.
In its practice, the Norwegian Data Protection Authority has assumed that the exception also covers the actors' processing of personal data in cases that are processed or decided in accordance with the Administration of Justice Acts. The Norwegian Privacy Board has also taken this as a basis, cf. PVN-2022-16. The tribunal cannot see that there are privacy considerations that require a tightening of this established administrative practice. If the administration of justice law exception should only apply to the courts, and not the actors who are either parties or represent parties in cases before the court, the exception will have no real meaning. The Court does not process any personal data within its jurisdiction that does not necessarily also have to be processed by the parties to the case.
The tribunal, like the Norwegian Data Protection Authority, assumes that the Personal Information Act does not regulate what evidence can be presented in court, nor the collection and disclosure of personal information that constitutes evidence in a case being heard in the courts. The rules on access to information and the presentation of evidence in legal proceedings appear in the procedural legislation. It is outside the authority of the Norwegian Data Protection Authority and the Norwegian Personal Protection Board to regulate this. If a party states that a piece of evidence is illegal, it is – for civil cases – the rules on prohibition of evidence and exemption from evidence in chapter 22 of the Disputes Act that apply. It is the court that decides whether the evidence can be presented and allowed, cf. for example § 22-7 of the Disputes Act, which determines that in special cases the court can refuse the introduction of evidence that has been obtained in an improper manner.
As's reference to LB-2021-65580-1 does not change the tribunal's assessment of this question. On the contrary, the decision illustrates that the processing of personal data in connection with cases before the courts is sufficiently regulated through the Administration of Justice Acts and any other special legislation so that there is no need for additional regulation under privacy legislation. The main case in the decision from the Borgarting Court of Appeal concerned a claim for occupational injury compensation following an accident at work. During the case preparation, a dispute arose as to whether the insurance company could present as evidence statements prepared by expert witnesses appointed by the insurance company. The expert witnesses had relied on health information (medical records, etc.) about the injured party that was in the case. The injured party had expressly refused consent to these expert witnesses having access to and using his health information. The Court of Appeal came to the conclusion that such use of the health information in this case was contrary to the Health Personnel Act § 21 a and that the statements from the expert witnesses and their explanations had been acquired in an inappropriate manner and could be intercepted, cf. the Disputes Act § 22-7. The Court of Appeal did not rule on whether it also suggested a breach of the Personal Data Protection Ordinance, including whether this Act was applied.
The fact that the processing of a case before the court has ended does not entail any changed or new assessment of whether the processing that has taken place during the processing of the case in the court is legal or not.
The tribunal therefore agrees with the interpretation of the administration of justice law exception expressed by the Norwegian Data Protection Authority.
After this, A is not successful in his appeal.
The decision is unanimous.
Conclusion
The Norwegian Data Protection Authority's decision on rejection is upheld.
Oslo, 15 September 2023
Mari Bø Haugstad
Manager