Datatilsynet (Norway) - 20/02006

From GDPRhub
Datatilsynet - 20/02006
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law:
Article 17 of Directive 95/46/EC
Article 6 of Directive 95/46/EC
Article 7 of Directive 95/46/EC
§ 11 (1)(c) Personopplysningsloven 2000
§ 13-12 Tolloven
§ 2-11 Personopplysningsforskriften
§ 2-14 Personopplysningsforskriften
§ 8 Personopplysningsloven 2000
§ 33 Personopplysningsloven 2018
Type: Investigation
Outcome: Violation Found
Started:
Decided: 01.09.2020
Published: 20.11.2020
Fine: 400000 NOK
Parties: Norwegian Customs
Norwegian Customs
National Case Number/Name: 20/02006
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: n/a

Datatilsynet holds that the Norwegian Customs Authority processed personal data from the Automatic Numberplate Recognition (ANPR) database without a legal basis, as it processed data not that was not connected to cross-border traffic. The case was decided under the national implementation of 95/46/EC.

English Summary

Facts

The investigation started after the DPA was notified of a personal data breach from the Customs Authority regarding several issues concerning the use of the ANPR system.

The ANPR database is a shared database, also used by the Norwegian Public Roads Administration. After an internal evaluation of the use of this database and the legal basis for the processing of the data, the Customs Authority sent a data breach notification to the DPA.

The basis for this notification was the uncertainty of the wording of the law and whether it only applied to the border crossing, or if it also concerned traffic to and from the border.

Dispute

The dispute of the case was whether tolloven § 13-12 "grensekryssende trafikk" ("cross-border traffic"), read in conjunction with the preparatory works, limited the use of the ANPR system to the actual border crossing, or if internal, domestic traffic to and from the border was also covered by the law.

In addition, the question was whether the Customs Authority could process personal data from the shared database of cameras which the Public Roads Administration was the controller of.

Holding

The DPA held that the preparatory works' use of "border control" and "cross-border traffic" was synonymous, and that an expansion of the term to also cover internal domestic traffic would be in contravention to the principle of legality.

The DPA held that the Customs Authority and the Public Road Administration were controllers for different processing operations with regards to the database. Highlighting that while it is a shared database, and some of the tasks laid out by law concerning surveillance of traffic overlapped between the Customs Authority and the Public Roads Administration, the two authorities were controllers for different parts of the database. The national law, tolloven § 13-12, did not grant the Customs Authority any legal basis for processing data from the part of the database where the Public Roads Administration was the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

 THE CUSTOMS DIRECTORATE
 PO Box 2103 Vika

 0125 OSLO






Their reference Our reference Date
18 / 27245-4 20 / 02006-1 (18/01144) / KBK 01.09.2020



Partial reversal of decisions on infringement fines - Directorate of Customs


1 Introduction
Reference is made to received notification of breach of personal data security (non-conformance notification)

from the Norwegian Customs Directorate on 29 June 2018, the Danish Data Protection Agency's notification of infringement fines on 11 March
2019, the Norwegian Customs Directorate's comments of 16 April 2019 on the Data Inspectorate's notification, the Data Inspectorate's
decision on infringement fee of 2 July 2019 and the Directorate of Customs' appeal of 31 August 2019.


In the decision on the infringement fee of 2 July 2019, the Data Inspectorate added the following offense
superficial:


"The report of a breach of personal data security has revealed circumstances that constitute
possible violations of the Personal Data Act 2000 §§ 11 and 8, the Personal Data Regulations 2000
§§ 2-11 and 2-14.


    • The Customs Act § 13-12 only authorizes the storage of personal data from the agency's own ANPR-
        camera for cross-border traffic. On January 1, 2017, there was a breach

        the personal data security that resulted in the Directorate of Customs also receiving
        access to, and stored personal information from the Norwegian Public Roads Administration's ANPR camera, which
        is not located for cross-border traffic monitoring. For these ANPR
        the cameras lacked the Customs Directorate's basis for processing

        the Personal Data Act 2000 § 8. Without such a basis for processing, the processing will
        be illegal.


    • Storing information from the ANPR cameras to the Norwegian Public Roads Administration is a violation
        the Personal Data Act 2000 § 11 first paragraph letter c, where it is stated: «Den
        data controllers shall ensure that the personal data processed - - c)

        not later used for purposes incompatible with the original purpose
        the collection, without the data subject's consent ».


    • Lack of technical and organizational measures that ensure satisfactory
        information security with regard to confidentiality constitutes a possible breach

        the Personal Data Regulations §§ 2-11 and 2-14. The ANPR database used by both

Postal address: Office address: Telephone: Fax: Org.nr: Website:
PO Box 458 Sentrum Tollbugt 3 22 39 69 00 22 42 23 50 974 761 467 www.datatilsynet.no
0105 OSLO The Norwegian Customs Directorate and the Norwegian Public Roads Administration have not had satisfactory access control.
        This has meant that people have had unauthorized access for a long time
        personal data where confidentiality is required. "

The legal basis for making the decisions is the Personal Data Act 2018 § 26, cf. § 33, cf.
Personal Data Act 2000 § 46.


On the basis of the Directorate of Customs' complaint, the Data Inspectorate finds reason to partially change ours
decision on infringement fee, cf. the Public Administration Act § 33 second paragraph, in that it is not imposed
emphasis on reported deviations about lack of access control as this appears in section no. 5,
bullet point three in the Data Inspectorate's letter of 2 July 2019. All matters related to this are thus removed
of the document.


The Data Inspectorate's assessment is that this is a breach of personal data security, but as such
in this context is not necessary to respond to. There were several users in the Customs
had access to stored information than provided in the preparatory work for the Customs Act § 13-12. Everyone
however, these had an official need for the information, and no misuse has been established
the information. The Data Inspectorate sees that this has been handled satisfactorily by the agency and chooses
therefore not to pursue this part of the case further. The Data Inspectorate has as a result of this

adjusted the infringement fee to DKK 400,000.

The reported breach of personal data security (deviation) was related to
the sign recognition system ANPR, and consisted of several factors, of which point 1 is covered by this
decision.

    1) Personal data from fixed and mobile cameras from traffic has been processed

        which cannot be characterized as cross-border, and therefore cannot be treated according to
        Customs Act § 13-12.

ANPR is an English abbreviation for Automatic Numberplate Recognition. In the law of 21.
December 2007 no. 119 on customs and movement of goods (the Customs Act) this is referred to as
«Sign recognition system», see section 13-12 of the Act. ANPR is an aid that has been used

the road authorities, the Customs and the police, and more. The Directorate of Customs and the Norwegian Public Roads Administration have
stored information from the ANPR cameras in a common database. The Directorate of Customs has
legal authority to process information from cross-border traffic, related to customs purposes, and
is responsible for processing these. These are collected in a separate database. The Norwegian Public Roads Administration can
process information for traffic control, and is responsible for processing it.

The Norwegian Customs Directorate has monitored 70.4 million crossings, where the number of affected persons is estimated

to 7-8 million.

Deviation no. 1 has been confirmed closed in the statement of 19 October 2018.

The Norwegian Data Protection Authority has reviewed the comments to the Norwegian Customs Directorate and made the necessary changes in
the decision and its reasons. In the feedback, the Directorate of Customs states that the directorate
still has delegated competence for control of annual fee, use of marked mineral oil,




                                                                                                 2status change for van, and temporary use of foreign registered vehicle, and that
The Customs' authority under the Road Traffic Act has remained unchanged. The Data Inspectorate has noticed

this.

Similarly, the Norwegian Data Protection Authority has noticed some disagreement within the Norwegian Customs Directorate as to whether
the agency had a sufficient processing basis for the use of all personal data in the ANPR
the database. In the Data Inspectorate's view, it is worrying that the Norwegian Customs did not stop
the project, and clarified the basis for the decision, before proceeding.


The Norwegian Data Protection Authority has noted that the Directorate of Customs was of the opinion that it was sufficient
legal basis for storing information both from cameras at the border (and that this
included the Norwegian Public Roads Administration's cameras at Svinesund) and from the Norwegian Public Roads Administration's
cameras that were located domestically.

Finally, the Norwegian Customs Directorate corrects the number of passes from 80 million passes to 70.4
millions. The Norwegian Data Protection Authority has also noted the other input that has come from
The Directorate of Customs, but can not see that they have an impact on whether an infringement fine should be imposed,

or the size of this.

2 The offense
The report of a breach of personal data security has revealed conditions that make it possible
violation of the Personal Data Act 2000 § 8.


Section 13-12 of the Customs Act states:

        «(1) When planning, targeting and carrying out inspections can
        the customs authorities collect, store, compile and use necessary
        personal information, including health information, cf. the Privacy Ordinance article
        9 No. 1, and information as mentioned in the Privacy Ordinance Article 10. For the same
        purpose can cross-border traffic on the road and ferry terminals with foreign
        traffic is monitored by the customs authorities using a sign recognition system. "


It is further stated in § 13-12 no. 3 last sentence: «Information obtained by
sign recognition system, may be stored for up to six months after the information is obtained. "

    • The Customs Act § 13-12 authorizes the storage of personal data from ANPR cameras for
        cross-border traffic. On January 1, 2017, there was a breach
        personal data security in that the Norwegian Customs Directorate stored personal data from

        The Norwegian Public Roads Administration's ANPR camera. For these ANPR cameras were missing
        Directorate of Customs processing basis pursuant to the Personal Data Act 2000 § 8. Without
        such treatment basis, the treatment will be illegal.

3 Notification of decision on infringement fine

It is the time of action that must be taken into account when a decision is made
infringement fee due to illegal processing of personal data, cf. Act of 15 June
2018 no. 38 on the processing of personal data § 33 (Personal Data Act 2018). IN



                                                                                              3this case is the time of action before the law enters into force on 20 July 2018. It follows then
of the Personal Data Act § 33 that this case shall be assessed in accordance with Act of 14 April 2000 no. 31

on the processing of personal data (Personal Data Act 2000).

Pursuant to the Personal Data Act § 26 second paragraph, cf. the Privacy Ordinance article
58 no. 2 letter i), cf. article 83, the Data Inspectorate makes the following decision on infringement fines:

1. The Customs Directorate is imposed pursuant to Article 58 of the Privacy Ordinance, cf.
     the Personal Data Act 2000 § 46, first paragraph, cf. § 11 first paragraph, cf. § 8, to pay a

     violation fee to the Treasury of 400,000 - four hundred thousand - to have
     processed personal data without a basis for processing, cf. the Personal Data Act § 8.

It follows from the Personal Data Act 2018 § 33 first paragraph second sentence that the legislation
at the time of the decision shall be taken into account when this leads to a more favorable result for
the person in charge. An assessment of the conditions that have occurred in accordance with the Personal Data Act 2018
would probably have resulted in an infringement fee higher than NOK 400,000. We refer to
the Privacy Ordinance art. 83 no. 5, which stipulates that an infringement fine may be imposed

up to 20 million euros, if the offense involves a violation of the fundamentals
the principles for the processing of personal data in art. 5, 6, 7 and 9, cf. also
the Personal Data Act 2018 § 26 second paragraph. The condition in the Personal Data Act 2018 § 33
The second sentence of the first paragraph is thus not fulfilled.


4 The actual conditions
It is the deviation report of 29 June 2018 (18 / 01144-1) that forms the basis for our understanding
of the actual pages of the case. However, we also refer to the non-conformance report from the Norwegian Public Roads Administration
28 June 2018 (18 / 01133-1), as this includes the same thematic issues.

The discrepancy arose as a consequence of the Customs Act § 13-12 being amended so that «information
obtained by sign recognition system, can be stored up to six months after the information

has been obtained ». The Norwegian Customs Directorate considered this extension of the storage period so that everyone
information from the ANPR cameras that were in the joint database with the Norwegian Public Roads Administration was
covered by the provision, ie also information from the ANPR camera where the Norwegian Public Roads Administration
was responsible for processing.

In addition, reference can be made to the deviation report from the Norwegian Public Roads Administration on 25 January 2017 (17/00100).
Here it is stated that personal information from the Norwegian Public Roads Administration's ANPR cameras became
stored at the Norwegian Customs Directorate for 6 months without legal authority. Internally in the Directorate of Customs, there was one

some disagreement as to whether the Directorate of Customs had a basis for processing information
from the Norwegian Public Roads Administration's ANPR camera. Reference is made to this in the Directorate of Customs' report
and point 5.

5 The Directorate of Customs' comments on the facts of the case
This item is quoted from the Directorate of Customs' letter of 16 April 2019 for the items that

is related to the assessment of the legal basis in the Customs Act § 13-12.





                                                                                                4Under section 2.2 of the above-mentioned letter, the Directorate of Customs explains the situation that it was internal
disagreement in the assessment of whether the Directorate of Customs had a basis for processing to obtain
personal information from the Norwegian Public Roads Administration's ANPR camera: It says here:


        «We have chosen to give a detailed description of the internal handling in the period 3.
        January 2018 and until the deviation report was sent on 29 June 2018. This is because
        In the notification of infringement fines, the Norwegian Data Protection Authority has chosen to mention an internal e-mail of 3.
        January 2018 and partly based on this concludes that the agency has not taken them

        necessary steps and therefore have acted klande1verdig in a way that is designated
        as grossly negligent on the verge of intentional.

        In September 2017, the director of customs decided to establish a privacy project that would

        map the agency's processing of personal data, and settle the status of the agency
        compliance with the privacy regulations. The privacy project started in November
        2017 and had a close dialogue with the line on implementation. This led to two
        employees January 3, 2018 sent an email (not a note) to management with

        heading «Re. ANPR »who asked questions about the basis of treatment. We would like
        point out that it was a management initiative that led to the question being raised.

        The e-mail was sent to the section leader, who sent it to him the same day

        department director, with a proposal to have a meeting between the project and the lawyers who
        sent the email. The email of January 3, 2018 reads:

                «In connection with this work, we have [reference to the privacy project]

                has been made aware that the Customs collects and stores information from everyone
                The Norwegian Public Roads Administration's cameras for 6 months. Parts of this treatment are
                probably unauthorized. We therefore recommend that such treatment be stopped and that it
                assess whether the Data Inspectorate should be notified. We also recommend that you take into account

                the legal basis for the processing of information in the further
                the development of ANPR ».

        The department director considered that a more detailed account of it was necessary

        the legal basis before there was a basis for concluding whether the treatment was
        unauthorized. It is emphasized that the e-mail mentions that there were only parts of the treatment as
        probably was unauthorized.


        The ANPR project 2r financed with earmarked funds, approved by the Storting above
        the state budget. Further assignments have been given by the Ministry of Finance throughout
        The award letter for 2016. All enterprises are in accordance with the Financial Regulations in the state § 4 3
        required to ensure sufficient management information and a sound basis for decision-making.

        As explained in section 3.1 is the legal situation and the collaboration with
        The Norwegian Public Roads Administration complex. It was not then, nor is it now, obvious that


1Datatilsynet's notification of infringement fee item 6 b) last paragraph, last two sentences
2Prop. 1 S (2015-2016)
3Regulations for financial management in the state within the state adopted on 12 December 2003, § 4 Basic management principles, letter c)




                                                                                                      The legal basis was not sufficient for the ongoing treatment, and the
nor did the post provide any justification for this. The project itself believed that
the treatment was in line with the legal basis. To act immediately on the e-mail,
without further assessments, must be considered to be in conflict with the requirements of the financial regulations
sound decision basis.

At this time (January 2018), the department director had delegated

the project owner responsibility for the ANPR project to the subject director. In the period 3 January 2018
to 11 January 2018, the department director, project owner and section leader discussed how
the issue needed to be addressed further. In that the project seemed to have deviated
assessments from the department's lawyers, and because it is the project that possesses
factual knowledge of how the sign recognition system is used, it was considered
important to involve the project in the work and establish an understanding of why it was
important to address the issue. In addition, there was a history with

communication challenges between the project and the legal team that we wanted to improve
through involvement and collaboration.

A meeting was held between the department director and the project manager on 11 January
2018. Department director asked the project to design an order for legal assessment
«The basis (need) for us to have access to SVV's cameras and legal basis for
data processing ». In an e-mail from the department director to the project manager on 24 January 2018,

it sent a reminder on the order, where it was specified that it had to contain one
assessment of «1) whether we have authority to access SVV's cameras, 2) whether
the legal basis covers storage of information from SVV's cameras for 6 months, and 3) if we
has the authority to publish information from ANPR to Statistics Norway ». It was clarified that this
hastet.


On 29 January 2018, the department director received an e-mail from the project manager stating
confirmed that the order would be executed. Attached to the email was a note of 12
pages with the project's own assessment of the treatment basis, and their conclusion
that it was adequate for practice. The department director responded to this email 4.
February 2018 that it was requested that the order be sent to the legal team and not
to the department director. On 8 February 2018, a new order was sent from
department director for the project that a DPIA also had to be implemented

(privacy impact assessment). On 15 February 2018, a mandate was sent
for a legal assessment of 5 pages from project manager to project owner and department director,
where it i.a. was recommended to set up a broad-based working group to
carry out an investigation. Project owner and department director answered project manager in e-
poster 14 February 2018 that it did not seem necessary to have such a «heavy rig
at work ”which the establishment of a separate working group would entail, and that it therefore
there was no need for a separate mandate for the work. It was specified that the focus should

be to answer the three questions, that the project should share its assessment with legal
team and that the project had to make itself available to contribute to the work. It was too
specified that «if the lawyers in the work come across other relevant questions regarding.
privacy, we must also bring these to the surface - the assignment must therefore not be interpreted
restrictive, but as a minimum ».




                                                                                         6On the basis of the preliminary findings of the privacy project, the director of customs in
the same period initiated a meeting with the Norwegian Data Protection Authority. The director of customs wanted to
inform about the preliminary findings in the survey that the privacy project had
initiated. The meeting was held on 9 February 2018 and the agency informed that it would
be undertaken extensive work to establish adequate management and control for
compliance with the Privacy Ordinance. This work is still in full swing.


A meeting was held between the ANPR project and the legal team on 15 February
2018, as a start to further work. From 15 February 2018, it was the legal team
who was responsible for continuing the work, and they submitted the report on 23 May 2018.
The legal team has had a fairly independent role in the department, and to a large extent itself
assessed priority and progress on their tasks - based on assessments of whom
the client is, the materiality of the assignments, whether the tasks are urgent, the assignments

scope etc. Legal team had at this time several assignments from
The Ministry of Finance has a high priority and was under great pressure on the resource side. Two
employees had left ila. 2017, of which one new recruited employee was to be trained in
the same period and the second position remained vacant until December 2018.
The management realizes that the work with the legal assessment in the current case should have been
given clearer priority so that progress was faster, and that the work should have been
followed up more closely. Given that it was the legal team that reported the issue in

January 2018, it was assumed that the legal team itself made good assessments of this
was precarious to deal with or not. Given also that the ANPR project had made a 12
sides assessment that the legal basis stood was the management of the opinion that
it could be that the legal team in their work considered that the case in the spring of 2018 stood
different from the email of January 3, 2018 suggested.


The legal assessment submitted to the department director on 23 May 2018 was very difficult
short, and it remained to carry out several assessments related to the cameras' specifics
location and use. From the conclusion is hit: «We recommend that a concrete is taken
assessment of which cameras monitor cross-border traffic, and that collection
and storage from other cameras is stopped immediately and that already obtained
information is deleted ». Management had expected that these assessments were already
done, given that the project and the legal team were asked to cooperate, but it had to

further assessments are made.

For information, on 20 March 2018, organizational changes were made to the ANPR
the project; department director entered the project ownership role and the project got a new one
Project Manager.

On 28 May 2018, the ANPR project was commissioned to make the specific assessment of

which cameras monitor cross-border traffic, and which can not be said to
do it. The project manager confirmed early on 29 May 2018 that the assignment had been received. Same
Today, the department director informed the agency's privacy representative about the case, and about the need
to conduct an assessment of the cameras' location and use. IN
the period 29 May 2018 until the non-conformance report was sent on 29 June 2018, it was completed




                                                                                         7 further assessments; including which measures were to be implemented and
        how these could be implemented technically. In the same period was also
        top management and the Norwegian Public Roads Administration informed, meetings were held with both
        The Ministry of Finance, the Norwegian Data Protection Authority and the Privacy Ombudsman, and a draft deviation report

        was formulated. Access to those of the Norwegian Public Roads Administration's cameras that are not considered to
        capture cross-border activity (all cameras located other than on
        Svinesund) was deactivated on 22 June 2018, ie before the deviation report was formally sent
        through Altinn.

        The Customs has closed all non-conformities mentioned in the non-conformance report, even if questions

        related to the legal basis is still not finally clarified ».

In the same letter, the Directorate of Customs explained the legal basis in the Customs Act § 13-12
following:


        "As stated in the introduction, it is a key question whether it exists
        legal basis for processing personal data from cameras that are not
        located on the border. The Norwegian Data Protection Authority has assumed that the basis for processing is regulated
        of the Customs Act § 13-12 which limits the use of the sign recognition system to
        «Cross-border traffic on the road». The Data Inspectorate considers that cameras placed
        places other than the border fall outside this legal basis and that the Customs Service consequently

        has processed personal data in violation of the processing basis.

        The Norwegian Data Protection Authority links the discussion of the deviation to the cameras owned by the Norwegian Public Roads Administration.4
        The Customs Act § 13-12 first paragraph last sentence says nothing explicitly about where
        the surveillance can take place or who owns the camera, but what traffic that

        can be monitored (cross-border traffic). The decisive thing seems to be about the individual
        camera is placed in place that allows it to capture such traffic. It is specified in
        this context that the legal provision for the storage of information from
        sign-reading camera (Customs Act § 13-12 third paragraph) is general, but covers
        cross-border traffic when read together with the first paragraph. Ownership of the camera is
        consequently not decisive. The customs service still has access to information from three

        camera locations owned by the Norwegian Public Roads Administration and located at Svinesund. This
        is completely in line with the legal basis. Information from here can also be stored according to
        Section 13-12, third paragraph, of the Customs Act, with access only for the Customs' defined user groups.
        This understanding is not considered disputed and is used as a basis in the following.


        The decisive factor is whether the camera captures "cross-border traffic" according to Customs Act § 13-12,
        or if the treatment is covered by another treatment basis. It is not considered
        disputed that the Customs Service has authority in the Customs Act § 13-12 to collect and store
        information from the camera located at the border.






4Talked either as «The Norwegian Public Roads Administration's cameras» or «ANPR cameras where the Norwegian Public Roads Administration is responsible for processing».



                                                                                              8 The theme from here will consequently be whether there is a treatment basis for the camera as
        are located elsewhere in the customs area than at the border. The legal situation here is more

        unclear.

        The customs service has several tasks (and legal basis) related to vehicle control.


        The customs service may, as part of the goods transport control, control any means of transport
        and any person on his way to or from the border. This follows from the Customs Act § 1-5
        (customs authorities' control of the movement of goods) cf. §§ 13-1 and 13-3 first paragraph letter

        a) «The customs authorities may stop and investigate any other [than vessels, aircraft]
        means of transport en route to or from the customs border ». This
        the access to control applies in general, without the need for concrete suspicion. Customs

        can also carry out inspections at unloading and loading places, customs warehouses and several others
        areas and means of transport in the customs area when it is to bring about a commodity
        is or is sought to be evaded from the control of the customs authorities. 5


        The customs service also has other control tasks related to vehicles, authorized in
        the Road Traffic Act 6 § 36 third paragraph, the Tax Administration Act 7 § 10-8 and
        the Tax Payment Act § 14-11 third paragraph. These give the authority to “at any time without

        notice check motor vehicles to ensure that provisions for annual fee for
        motor vehicle… is complied with », as well as to revoke identification and vehicle card when using
        vehicles will be banned due to lack of periodic vehicle inspection, lack of

        re-registration, when the vehicle is not in proper condition or the load is not sufficient
        secured, and to carry out signage when there is a ban on use associated with
        non-payment of insurance and fees. Pursuant to the Road Traffic Act § 10 is
        The customs service delegated authority to control and impose a ban on the use of

        violation of provisions on requirements for tread depth in tires and the obligation to bring
        chains.


        As mentioned, the Customs Act § 13-12, first paragraph, last sentence says nothing explicitly about where
        the monitoring can take place, but which traffic can be monitored («border crossing
        traffic"). The crucial thing seems to be whether the individual camera is placed in a place like
        allows it to capture such traffic. Cameras located domestically also capture

        traffic coming from or going to the border. The wording of the provision, the purpose and
        the connection with the Customs' other control powers, especially the connection with
        Section 13-3, first paragraph, letter b) of the Customs Act, which discusses control access to any

        means of transport which are «en route to or from the border» are therefore not necessarily available
        prevents the Customs from processing information from cameras located elsewhere
        than at the border crossings (or in close proximity to these).




5
 The Customs Act § 13-1 first paragraph letters a) to d), § 13-2 and § 13-3 first paragraph letters a) to d).
6LOV-1965-06-18-4
7LOV-2018-12-20-110
8LOV-2018-12-20-106
9FOR-2002-03-11-236




                                                                                                   9 If the Customs Act § 13-12 should not provide a legal basis for processing
       personal data from ANPR cameras in areas other than the border
       not without further ado that the Customs Service has no basis for treatment. The customs service has a legal basis

       to exercise authority throughout the customs territory. Particularly relevant in this context is
       the provision in the Customs Act § 13-3 (1) letters a and b. The customs authorities are given great freedom
       to take the measures deemed necessary to carry out this inspection, cf.
       Customs Act § 13-3 (2). Whether the Customs Service has a legal basis for such monitoring therefore depends
       on a specific assessment of whether the measure is considered «necessary for the implementation of

       control of means of transport », cf. the Customs Act § 13-3 (2), cf. § 13-3 (1) letter b.
       can therefore be argued that the customs authorities have the authority to process
       personal data from cameras in places in the customs area where means of transport to or
       from the border normally passes, even if these places are not located by themselves
       border crossings.


       The customs service may therefore have a basis for processing also for the processing of
       personal information from sign-reading cameras outside the border crossings.

       However, the preparatory work 10 for the legislative amendment in 2017 indicates that the system was intended
                                                                                           11
       deployed in connection with the border crossings. Also the Storting's allocation for 2016
       for further roll-out of the system is linked to the physical boundary, as well as ferry terminals
       with foreign traffic. The same is stated in the Allocation Letter to the Customs Service for 2016
       which in section 4.2.2 mentions that electronic presence must be established 'by all
       road border crossings ».


       Although the Customs may also have a basis for processing the use of
       sign recognition system located domestically, there are, as shown, several factors that speak for
       that such use is intended for purposes and limitations other than the border control tasks.
       However, the Customs Service has a legal basis under the Road Traffic Act,

       the Tax Administration Act and the Tax Payment Act, which form the basis for
       camera surveillance according to the purpose of these provisions. In that case, have
       the treatments had the same or very similar purpose as for the Norwegian Public Roads Administration's use.
       There are then arguments that there is no conflict of purpose related to the acquisition,
       but for the use of the information and storage of it.


       It is relevant to consider the framework for the use of mobile cameras. It has not been
       disputed that the Customs can use mobile cameras both for control tasks after
       the Customs Act § 13-12 and according to the Road Traffic Act, the Tax Administration Act and
       the Tax Payment Act, but then in line with these purposes and the framework that applies after
                                                      12
       the general rules of the privacy regulations.






10Prop. 1 LS (2016-2017)
11 Prop. 1 S (2015-2016)
12 The Personal Data Act and the Privacy Ordinance, depending on the time of the choice of law



                                                                                           10 13
        In the consultation note for the amendment to the Customs Act § 13-12, the use of the mobile phones was made
        the cameras briefly discussed in connection with the expansion of storage access;

               «The provision will also cover the possible use of mobile camera devices for

               collection of similar information of the cross-border traffic, but
               not if such devices are used in other areas and for purposes other than
               border control. In such cases, collection, treatment and storage will follow them
               general provisions of the Personal Data Act ».

        In Prop. 1 LS (2016-2017) chapter 13.5.3 it is specified that


               «The customs service's use of mobile sign recognition units is covered in principle
               not of the proposal, but formally they will be included if used in places
               covered by the proposal. Normally these devices are used elsewhere and occasionally
               purposes other than control of the movement of goods in and out of the country ».


        It is a weakness that the preparatory work for the Customs Act § 13-12 and the background documentation
        for the transfer of tasks from the Customs and Excise Department to the Tax Administration (as discussed in
        the factual description under point 2.1) only to a very limited extent mentions the use of
        the sign recognition system for the control tasks related to the car taxes and those
        the control tasks that the Customs Service performs on the basis of the Road Traffic Act. The access to

        The Norwegian Public Roads Administration's domestic cameras were established at a time when the Customs
        was responsible for and carried out tax inspections to a large extent, also domestically.
        Establishment of a clear legal basis for using sign-reading cameras for these
        the tasks were in reality only barely mentioned during the preparation and consultation of the Customs Act §
        13-12. There is reason to believe that the reason for this modest mention was that the hearing in

        coincided with the transfer of tasks to the Tax Administration and is still clear
        which of the two agencies was to carry out the physical checks in practice.

        However, it must still be possible to claim that there is a basis for treatment in order to
        use sign-reading cameras domestically to carry out checks after
        the Road Traffic Act, the Tax Administration Act and the Tax Payment Act, provided that they

        general requirements for processing are met (including that the information is not stored,
        access control is limited and that there is no compilation of the information as
        is contrary to the purpose behind the collection). There are also grounds for claiming that
        Domestically placed cameras can capture cross-border traffic, and that it can therefore
        there is also a basis for processing the use of information from such cameras

        control of the movement of goods. As mentioned, this is connected with an assessment of that
        The customs service has the opportunity to carry out physical checks elsewhere than at the border,
        as stated in the Customs Act §§ 13-3 first paragraph letter b) cf. 13-1 first paragraph letter
        a), b) and c).

        The Norwegian Customs Directorate emphasizes that there are uncertainties regarding the scope of

        the legal basis which implies that we should change the use of the sign recognition system


13Consultation note - extended retention period for information from the Customs Service's sign recognition system (ANPR) Case no. 16/23 22.06.2016



                                                                                             11 to the question was clarified. This decision was made precisely because the Customs wants
        to safeguard privacy and create clear predictability for the treatment of
        personal information provided by the agency. The agency could have come to a different conclusion.
        In that case, the issue would be different. The assessment of that
        the basis for treatment must be understood in the historical context and the conclusion is after

        our view is not entirely obvious.

        The agency has obtained external expertise to assist in this assessment, and will submit
        further comments when this work is completed. If the Data Inspectorate chooses to grasp
        decision before this work is completed, we ask that the uncertainty appears in the decision,
        by emphasizing that there is not a sufficiently clear basis for treatment for
        the practice that has been established.


        The Data Inspectorate claims that all passages are registered and stored in the ANPR system, as well
        those not subject to control. We must emphasize that this is in line with
        the legal basis in the Customs Act § 13-12. The reason for storage access was precisely
        that the Customs should be able to make analyzes of the cross-border traffic in order to
        target controls better. Reference is made to Prop. 1 LS (2016-2017) where it appears

        clearly why and how the Customs should use the stored information; to
        find frequency of entrances and exits, compliance with other vehicles and location
        and time of traffic that deviates from the expected normal flow, assess how the traffic
        affected by control activity etc. It would therefore be pointless to store information
        only on controlled vehicles. We can not see what relevance it has for this case that
        The Norwegian Public Roads Administration can only store information about inspected cars with defects. This

        affects other systems and legal basis than the sign recognition system. "

6 The Data Inspectorate's assessment of the offense


6.1 Treatment responsibility
We assume that the Norwegian Customs is responsible for processing
personal information that is done using the ANPR cameras in the border control. We have
further assumed that the Norwegian Public Roads Administration will be responsible for processing
personal information in ANPR cameras used for other control of vehicles, e.g. if it
has completed compulsory EU control, paid tolls, etc.


6.2 «Cross-border traffic»
Section 13-12 of the Customs Act states that «[for] the same purpose, cross-border traffic may
the highway and ferry terminals with foreign traffic are monitored by the customs authorities during use
of sign recognition system. In prop.1 LS (2016-2017) this is discussed under section 13.1 where

«[The] Ministry proposes to legislate the right to store information from the Customs Service
sign recognition system (ANPR), and that the retention period for information obtained is extended
from one hour to six months. The proposal will help strengthen border control.




14Datatilsynet's notification of infringement fee item 2 «Use of ANPR in the Norwegian Customs Directorate», first paragraph on page 3, last sentence



                                                                                              It is further stated in section 13.5.1 that the scheme is extended to include monitoring of all
border crossings on the road and all ferry terminals.

Finally, the above proposition states that «[t] he proposals for changes and expansion of
The customs authorities' control documents, etc. and several sanction options promoted in this
the proposition, is part of the work to strengthen the Customs' border control », see section 13.2
last paragraph.


The Norwegian Data Protection Authority understands "border control" in the proposition as synonymous with the term
«Cross-border traffic». In our view, this is clear from the wording that «cross-border
traffic »cannot extend beyond the pure border crossings. Becomes
the sign recognition system used beyond the pure border controls (at the border), this must
consequently be clearly anchored in the legal basis.


In our opinion, a discretionary and expansive interpretation of "cross-border traffic" will
conflict with the principle of legality. The number of people affected is large, ie more
millions. The principle of legality shall ensure that important issues of an intrusive nature, such as
restricts the citizens' freedom and changes the rights and obligations of the citizens, shall be dealt with by
The Storting. Protection of citizens is central. A comprehensive legal process will lead to the questions
get a thorough case processing and the various issues related to different rules
will be studied and discussed. Such a process is considered an important part of our legal security. Claim

on the basis of formal law will also prevent arbitrariness and abuse by the administration.

A monitoring of private individuals by the Norwegian Customs Directorate is too strong
remedy and cannot take place without this being clearly enshrined in formal law.



6.3 Does the Customs Act § 13-12 also include collection from external data controllers?
Based on the deviation report from the Norwegian Public Roads Administration of 25 January 2017 and
The Customs Directorate's non-conformance report of 29 June 2018, the Customs Directorate has been aware that
the agency's processing of personal data could be in breach of the Customs Act § 13-12. This
also admits the Directorate of Customs. This indicates that the Directorate of Customs in the period from 1 January
2017 and to deviations were sent The Data Inspectorate has processed personal data without
basis for processing pursuant to the Personal Data Act 2000 § 11 first paragraph letter a, cf. § 8.


Both the Norwegian Customs Directorate and the Norwegian Public Roads Administration collect personal information using
ANPR system. The collections take place for different purposes. . We have assumed that the Customs Directorate
and the Norwegian Public Roads Administration are responsible for processing various processing of personal data,
which happens using different cameras. That the Directorate of Customs and the Norwegian Public Roads Administration have
any joint control tasks under the Road Traffic Act, does not entail any change in this. After
Section 13-12 no. 1 of the Customs Act states that «when planning, targeting and implementing

controls, the customs authorities can collect, store, compile and use necessary
personal data, including health data, cf. the Privacy Ordinance Article 9 no.1
and information as mentioned in the Privacy Regulation Article 10. For the same purpose can
cross-border traffic on the road and ferry terminals with foreign traffic are monitored by
the customs authorities when using the sign recognition system »




                                                                                               13 As the Data Inspectorate sees it, § 13-12 does not provide any legal authority for the Customs Authorities to
process personal data collected from the part of the database where the State
The Norwegian Public Roads Administration is responsible for processing.

After this, we have come to the conclusion that the Directorate of Customs did not have a legal basis to process
personal information from the cameras that did not belong to the Customs.


The Data Inspectorate also points out that in prop. 1 LS section 13.1 Section 7 states that the right to store
the information for six months applies «from the Customs' sign recognition system». The Data Inspectorate
has also noted section 13.5 of the proposition, which applies to extended storage time for information
from the «Customs' sign recognition system». This must, as the Data Inspectorate sees it, be understandable
that the legislature has decided that the provision only applies to the Customs Service's own
camera. The statements as mentioned in the said proposition clearly speak in favor of delimiting the legal entity

treatment.

7 General information on infringement fines
The Data Inspectorate believes it is necessary to respond to the offenses described above. IN

pursuant to the Personal Data Act 2018, cf. section 33, cf. the Personal Data Act 2000 § 46 may
The Data Inspectorate imposes an infringement fee:

        «The Data Inspectorate may impose on anyone who has violated this Act or regulations in
        pursuant to it, to pay a sum of money to the Treasury (infringement fee) of up to
        10 times the basic amount in the National Insurance Scheme. Natural persons can only be imposed
        infringement fee for intentional or negligent infringements. A company can not

        an infringement fee is imposed if the infringement is due to circumstances outside the company
        control.

         When assessing whether an infringement fee should be imposed, and when determining, it should
        particular emphasis is placed on
           a) how seriously the violation has violated the interests protected by law,
           b) the degree of guilt,

           c) about the offender by guidelines, instruction, training, control or
               other measures could have prevented the infringement,
           d) whether the infringement was committed to promote the interests of the infringer,
           e) whether the offender has had or could have obtained an advantage in the infringement,
           f) if there is a repetition,
           g) whether other reactions as a result of the violation are imposed on the violator or
               someone else who has acted on behalf of this, including someone

               individual is punished and
           (h) the financial capacity of the offender. "

The Personal Data Act 2000 § 46 provides in principle instructions for the imposition of
violation fee is based on a discretionary overall assessment, but adds guidance
the exercise of discretion by highlighting factors that should have special weight, taking into account that





                                                                                             The imposition of infringement fines in each individual case shall be effective, proportionate
and deterrent.

The right to impose infringement fines is provided as a means of ensuring effective
compliance with and enforcement of the Personal Data Act. Infringement fee is to be regarded as
punishment under Article 6 of the European Convention on Human Rights, cf. also the Supreme Court
decision in Rt. 2012 page 1556 with further references.


The Norwegian Data Protection Authority therefore assumes that a clear preponderance of probabilities is required
offense in order to impose a fee. The case and the question of imposing
infringement fines are assessed on the basis of this evidentiary requirement.

The Norwegian Data Protection Authority finds it clear that the Norwegian Customs has lacked a basis for processing
processing of the personal data collected and stored regarding the ANPR

the cameras where the Norwegian Public Roads Administration is responsible for processing, cf. the Personal Data Act § 11
first paragraph letter a, cf. § 8.

We have placed particular emphasis on the following aspects in our assessment of whether or not
infringement fines must be imposed:

a) how seriously the violation has violated the interests protected by law

The Personal Data Act 2000 § 11 is the main provision in the Act, and sets basic requirements
the processing of personal data. Lack of treatment basis must be considered as one
serious violation. In this way, reference is also made to the notice sent by the customs authorities' own lawyers
where it is pointed out that the agency lacks a basis for treatment for its treatment of
personal information on the Norwegian Public Roads Administration's ANPR cameras.


This means that the Directorate of Customs has had knowledge that the agency could have processed
personal information beyond what the Customs Act authorized. The Data Inspectorate is surprised that the Customs
has not clarified the legal basis before obtaining personal information from the Norwegian Public Roads Administration
its ANPR camera.

In the Data Inspectorate's view, the Customs Act § 13-12 does not provide a legal basis, as such
the Personal Data Act requires, for the Customs authorities to process personal data as

is collected from the part of the database for which the Norwegian Public Roads Administration is responsible for processing.

b) the degree of guilt
Pursuant to section 46 of the Public Administration Act, an administrative sanction may be imposed on an enterprise even if
no individual has shown guilt. This means that the Norwegian Public Roads Administration has an objective
liability. By enterprise is meant i.a. public company.


The Norwegian Data Protection Authority takes a serious view that a control authority such as the Customs does not clarify in advance
the legal basis, before personal information is obtained from the Norwegian Public Roads Administration. All the while
the above proposition in such clear terms announces that extended storage time only includes
The Customs' own sign recognition system must be regarded as grossly negligent.





                                                                                             15Datatilsynet takes a serious view of the fact that the Norwegian Customs Directorate had early knowledge of this without having to
found a satisfactory solution to the problem. When the agency became aware that doubts had been raised
the basis for treatment, the treatment should have been stopped until clarification of this was available.

The Data Inspectorate therefore concludes that there was no basis for processing pursuant to section 8 to
process information from the Norwegian Public Roads Administration's ANPR camera. Lawyers in the Norwegian Customs Directorate
also notified the management in a note of 3 January 2018. By not taking the necessary steps, and

stopped the storage of personal data from the Norwegian Public Roads Administration's ANPR camera, the agency has
acted reprehensibly.

c) about the offender by guidelines, instruction, training, control or other measures
could have prevented the infringement
It is clear that the Directorate of Customs could have prevented the deviation by establishing routines that would
prevented the deletion period of 6 months from including personal data other than them
The Norwegian Customs Directorate was responsible for processing.


d) whether the violation was committed to promote the interests of the violator
It can be stated that the deviation has taken place to promote the Customs Directorate's interests. See point e).

e) whether the infringer has had or could have obtained an advantage in the infringement
It can be stated that the Directorate of Customs has utilized information covered by
the deviation. This applies in particular to the use of the Norwegian Public Roads Administration's ANPR cameras.

The information has been used in the customs authority's control without the agency having
treatment basis for this.

f) whether there is a repetition
No repetition can be found in the case.

g) whether other reactions as a result of the violation are imposed on the violator or anyone else

    who has acted on behalf of this, including whether any individual is punished
It is not stated in the case about such matters.

(h) the financial capacity of the offender
The Norwegian Data Protection Authority has not placed significant emphasis on the Directorate of Customs' financial capacity.

In assessing whether an infringement fee should be imposed, the Norwegian Data Protection Authority places particular emphasis on the fact that

The Directorate of Customs has been aware of the discrepancies at an early stage, and could therefore have adjusted
so that the deviation could have been limited. Processing of personal data from ANPR camera
which the Norwegian Public Roads Administration was responsible for processing should have been stopped from the moment it
Doubts were raised about the scope of the Customs Act § 13-12. The Norwegian Data Protection Authority has also emphasized them
general preventive considerations in the case.


Following this, the Data Inspectorate has come to the conclusion that an infringement fee should be imposed.







                                                                                              168 Amount of the fee
With regard to the size of the fee, the same factors shall apply as when assessing whether the fee
shall be imposed, special weight shall be given. The conditions the Data Inspectorate has pointed out above speak for themselves
fee of a significant size. The fee should be set so high that it also has an effect beyond it
concrete case.


Significant emphasis has been placed on the fact that the Norwegian Customs has monitored 70.4 million crossings, where
the number of affected persons is estimated at 7-8 million, without there being any basis for treatment
the Personal Data Act 2000 § 8 for this. Norwegian citizens have an expectation that it does not
Surveillance methods are used that illegally violate the right to privacy and involve illegal activities
invasion of privacy. Secondly, the Norwegian Customs has made use of images from the ANPR cameras
to the Norwegian Public Roads Administration without a basis for processing pursuant to the Personal Data Act 2000 § 8.

The Norwegian Customs Directorate has had knowledge of the discrepancies without having rectified the situation in time. It must
in particular, it is expected that a public agency is familiar with and relates to the current
privacy legislation, and the ability to quickly correct pointed out discrepancies. Since this has not happened is
it required a severe reaction. The signal effect of this case, they
general preventive considerations, we believe are clear. We want to clarify that such incidents
must not happen and that all public bodies that process personal data must be themselves
conscious of their responsibilities.


In an aggravating direction, we would like to point out that the Directorate of Customs, against better knowledge, has acquired and
made use of the information covered by the discrepancy.

In a mitigating direction, it must be taken into account that the Customs has taken action on its own initiative
the legal problem, and made a reassessment of this.


After an overall assessment of the case and especially with regard to the seriousness of the violation, we have
concluded that an infringement fine of 400,000 is considered correct.


9 Concluding remarks
Right of appeal

This decision can be appealed in accordance with the provisions of the Public Administration Act. Possible complaint
must be submitted to the Norwegian Data Protection Authority by 25 November 2020 after the decision was received. One
any complaint is sent to the Privacy Board for complaint processing. The Data Inspectorate does in it
connection aware of the right of access to the case documents, cf. the Public Administration Act § 18.

The fulfillment deadline is four weeks from the decision was made, cf. the Public Administration Act § 44.