Datatilsynet (Norway) - 20/02137: Difference between revisions

From GDPRhub

Revision as of 16:08, 26 November 2020

Datatilsynet - Telenor Norge AS
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 32(1) GDPR
Article 33 GDPR
Article 58(2)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 27.05.2020
Fine: None
Parties: n/a
National Case Number/Name: Telenor Norge AS
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: n/a

The Norwegian DPA (Datatilsynet) issued a reprimand against Telenor Norge AS for a failure to implement appropriate personal data security measures in its voicemail box functions, and for failing to notify the Datatilsynet of a personal data breach by Telenor Norge AS.

English Summary

Facts

Telenor Norge AS is largest digital services provider in Norway in the telecommunications and data services sectors.

The Datatilsynet opened a supervisory case based on information that Telenor had detected a security breach in its voicemail box function.

Dispute

Had Telenor Norge violated Article 33 GDPR by failing to notify the Datatilsynet of the data breach? Had Telenor Norge violated Article 32(1) GDPR by failing to implement appropriate technical measures that would ensure an appropriate level of security for its voicemail box functions?


Holding

The Datatilsynet found that Telenor Norge had failed to fulfil its obligations under both Articles 33 and 32(1).

On this basis the Datatilsynet issued a reprimand to Telenor Norge pursuant to Article 58(2)(b) GDPR. Its rationale for issuing a reprimand rather than a fine was based on the Norwegian National Communications Authority already fining Telenor Norge 1.5 million NOK (approximately 139,000€) for the same incident under the Electronic Communications Act.

Comment

Recital 148 GDPR permits the issuing of other penalties such as reprimands alongside administrative fines. However, in the case of issuing reprimands against a service provider, Recital 148 GDPR suggests that this is an appropriate penalty only "in a case of a minor infringement". The questions of appropriate financial thresholds for acts constituting a "minor infringement", or whether the actions by Telenor were considered "minor infringements", were not discussed in this decision.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Notice of reprimand against Telenor Norge AS

We give notice of a decision to reprimand Telenor Norge AS for lack of personal data security in the voicemail function, and for non-conformity reporting to the Data Inspectorate.

For several years, it has been possible to hack mobile responses through "spoofing services" and intercept the messages to about 1.3 million mobile subscribers in Norway.
- We believe that Telenor Norge AS has not implemented adequate security measures to protect the personal information that is disseminated through the voice mail function, says Section Manager Ylva Marrable of the Norwegian Data Inspectorate.

Violation of the Privacy Regulation

This is a prior warning under the Public Administration Act that the Danish Data Protection Agency makes a decision on redress against Telenor Norge AS for:
Infringement of Article 32 (1) of the Privacy Regulation by failing to take appropriate technical and organizational measures to achieve a level of security appropriate to the risk,
Violation of the Privacy Regulation Article 33, for failure to notify the Data Inspectorate of a breach of personal data security.

NKOM has adopted a fee of 1.5 million

The Data Inspectorate opened a supervisory case based on information that Telenor detected a security breach in its voice mailbox function. The breach was discussed through several news articles on digi.no. According to an article published on November 29, 2019, it has been possible for several years to hack mobile responses through "spoofing services" and listen to messages to mobile subscribers in Norway. Read the full article at digi.no.

The National Communications Authority (NKOM) has previously decided on a violation fee of 1.5 million for breach of the Electronic Communications Act, for the same circumstances as the Data Protection Authority has assessed. In order to prevent Telenor Norge AS from being punished twice for the same offense, we give notice of reprimand. A reprimand can be combined with a violation fee according to our regulations.

Should have reported the breach

- We also give notice of reprimands for non-conformity reporting to the Data Inspectorate. We believe that Telenor Norge AS should have reported the security breach to us as soon as they became aware of the vulnerability, ”says Ylva Marrable.

The legal basis for issuing a reprimand is Article 58 (2) (b) of the Privacy Policy.