Datatilsynet (Norway) - 21/00045-5

From GDPRhub
Datatilsynet (Norway) - PVN-2021-06 (Datatilsynet 21/00045)
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 15(1) GDPR
Article 55 GDPR
Type: Complaint
Outcome: Rejected
Decided: 22.06.2021
Published: 22.06.2021
Fine: None
Parties: n/a
National Case Number/Name: PVN-2021-06 (Datatilsynet 21/00045)
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Privacy Appeals Board (Personvernrådet) (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian Privacy Appeals Board rejected a complaint where a data subject asked the DPA to require Microsoft to uncover the identity (via IP addresses used at login) of alleged hackers of their Hotmail account.

English Summary[edit | edit source]

Facts[edit | edit source]

After reviewing their Microsoft Hotmail account login activity, a data subject believed that the account had been hacked as the list of IP addresses showed unlawful logins and email activity. The data subject asked Microsoft support for help to identify these IP addresses, both in terms of the IP "owner" and the login location. Microsoft rejected the request.

The data subject then required assistance of the Norwegian DPA, based on GDPR rights. The DPA denied the request as per Article 55 GDPR, stating that the GDPR does not apply to his situation. In this regard, the DPA noted that IP addresses may be personal data as per Article 4(1) GDPR and that the data subject indeed has a right to obtain these from Microsoft - however only as far as it concerns his own personal data. According to Article 15(1) GDPR where a data subject's access right pertains to their personal data, not the personal data of someone else. Consequently, the DPA stated that they are not competent to instruct Microsoft to hand over this information.

The data subject lodged a complaint to the DPA about their decision, however, the DPA upheld their decision and it was (as per Norwegian law) referred to the Privacy Appeals Board.

Holding[edit | edit source]

The Privacy Appeals Board agreed with the DPA and rejected the data subject's complaint. The Privacy Appeals Board noted that regardless of the data subject's claim, it's not Microsoft who has the list of IP addresses matched with identity, but internet providers (for limited time). Further, they note that it's usually difficult to determine the location of an IP address, especially if someone uses a mobile phone and VPN (Virtual Private Network).

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Decision of the Privacy Board 22 June 2021 (Mari Bø Haugstad, Bjørnar Borvik, Line Coll, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem, Morten Goodwin)
The case concerns an appeal from A against the Data Inspectorate's decision of 23 March 2021 not to provide access to personal information related to IP addresses.
Background to the case
A contacted Microsoft Corporation Support in December 2020 and requested an overview of "login activity" on his Microsoft hotmail account. He was given a list of IP addresses showing logins to his e-mail account in 2019-2020. A believes that there have been unauthorized logins to his e-mail account during this period and asked Microsoft for help in identifying the IP addresses, both who was the "owner" of the IP addresses and the place where the machine used to log in was located . Microsoft Corporation denied A request.
A contacted the Data Inspectorate on 13, 15, 17, 19 and 22 December 2020. He requested the Authority's assistance in obtaining the identity of the person (s) associated with the IP address (es) who have logged in to his Microsoft hotmail account from abroad in 2019-2020. He also wanted information about all activity on the e-mail account during this period to find out if he had been the victim of identity theft and if e-mails had been sent in his name that he was not familiar with.
On 1 February 2021, the Norwegian Data Protection Authority made the following decision to reject the complaint:
"The complaint is rejected because the Data Inspectorate cannot see that the complaint deals with matters regulated by the Privacy Ordinance. The Data Inspectorate therefore does not have the competence to process the case in accordance with the Privacy Ordinance art. 55. »
A submitted a timely appeal against the Data Inspectorate's decision on 8 and 12 February 2021.
The Data Inspectorate assessed the complaint, but found no reason to change its decision. The case was sent to the Privacy Board on March 26, 2021. A was informed of the case in a letter from the board on April 6, 2021, and was given the opportunity to comment. A has in a letter dated 23 April 2021 given his comments.
The case was considered at the tribunal's meeting on 22 June 2021. The Privacy Committee had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik (deputy chair), Line Coll, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem and Morten Goodwin. Secretariat leader Anette Klem Funderud was also present.
The Data Inspectorate's assessment in outline
The Data Inspectorate's task is to control the personal data regulations so that individuals are not violated through the use of information that can be linked to them. It follows from the Personal Data Act and the Privacy Ordinance that it must be a matter of processing personal data in order for the regulations to be applied.
The Norwegian Data Protection Authority stipulates that the data subject has the right to access personal data about himself or herself pursuant to Article 15 no. 1 of the Privacy Ordinance, unless one of the exceptions in the Personal Data Act § 16 first paragraph letters a to f applies.
The Data Inspectorate understands A's complaint so that he wants access to other people's personal information, ie the person (s) who owns the IP address (es) that have been used for what he believes are suspicious logins on his hotmail account. The right to access other people's personal data is not regulated in the Privacy Ordinance or in the Personal Data Act, and the Data Inspectorate therefore has no competence to order Microsoft to disclose this.
A has asked the Authority for assistance in accessing information about activity on his e-mail account. The right of access in Article 15 applies to access to one's own personal data, not other types of data.
The Norwegian Data Protection Authority points out that IP addresses can be regarded as personal data pursuant to Article 4 (1) of the Privacy Ordinance and that A has the right to have these disclosed from Microsoft, as long as it concerns his own personal data. The Norwegian Data Protection Authority assumes that he has received this from Microsoft. The Norwegian Data Protection Authority does not have the competence to require Microsoft to provide A with access to information other than personal information about himself.
The Data Inspectorate rejects A's complaint because the complaint does not concern matters regulated by the Privacy Ordinance. The Norwegian Data Protection Authority therefore does not have the competence to process the case pursuant to Article 55 of the Privacy Ordinance.
A view of the matter in brief
He has received a list from Microsoft Corporation of IP addresses for logins to his e-mail account in 2019-2020 which shows that unknown individuals have logged in to the e-mail account from machines outside Norway. There is one IP address in particular associated with a computer in the Netherlands that A finds suspicious. He has lived and stayed in Norway throughout this period.
Someone has illegally hacked his email account and probably sent emails in his name without his knowledge. This is illegal. Identity theft is punishable. He wants to report the case to the police and possibly file a compensation case and then he needs to know the identity of the people who hacked his e-mail. He wants the Data Inspectorate to find and disclose the identity of the people who own the specified IP addresses and find out what they have done with his e-mail account.
When the Data Inspectorate refuses to disclose this information, the Authority protects these persons against criminal prosecution.
The Privacy Board's assessment
The Privacy Ordinance applies to fully or partially automated processing of personal data, cf. the Personal Data Act § 2. IP addresses will, depending on the circumstances, be regarded as personal data according to the Privacy Ordinance Article 4 No. 1 and Microsoft's processing of the IP addresses used to log in. As e-mail account represents a processing of personal data that is covered by the law and the Privacy Ordinance.
The tribunal assumes that A's complaint to the Norwegian Data Protection Authority concerns two different matters;
1. A wants information about the identity of the persons associated with the various IP addresses that are on the list of logins on his e-mail account where the machine used has been outside Norway, and
2. A wants information about all activity on his e-mail account during the periods when the machine used to log in to his e-mail account is located outside Norway
The tribunal initially notes that it is not the e-mail provider Microsoft Corporation that has information about which persons are associated with the various IP addresses that are registered. It will be the various internet providers who, for a limited period, have an overview of personal information belonging to specific IP addresses. Furthermore, the tribunal notes that it will often be difficult to determine with certainty the location of an IP address, especially if a mobile phone and VPN (Virtual Private Network) are used.
The question for the tribunal is whether the Privacy Ordinance gives A the right to access the identity of the persons behind the IP addresses who have logged in to his e-mail account.
Pursuant to Article 15 (1) of the Privacy Ordinance, the person about whom information is processed, in the Act referred to as "the data subject", has the right of access. The right of access includes confirmation of whether personal data about the person in question is processed, and, if this is the case, access to the personal data and also such information as follows from letter a-h in the provision.
Article 15 of the Privacy Regulation does not give the right to access personal information about other persons. Neither the Personal Data Act nor the Privacy Ordinance gives A the right to receive information from the data controller about which persons can be linked to different IP addresses. It is the police who, if the conditions are otherwise met, will be able to request the disclosure of such information in accordance with the provisions on search in the Criminal Procedure Act, Chapter 15. However, as pointed out above, such an inquiry must be directed to the relevant ISP and not to Microsoft.
A will have the right to access registered activities on his e-mail account and the tribunal assumes that he will be given an overview of activities if he directs an inquiry to Microsoft Corporation. However, it will not involve information about which people are associated with the various activities.
The tribunal agrees with the Norwegian Data Protection Authority that the Privacy Ordinance does not give A the right to demand access and disclosure of other people's personal data, but considers this a material assessment of whether the conditions for access under Article 15 are met - and not grounds for rejection.
Conclusion
A is not entitled to further access under Article 15 of the Privacy Ordinance.
The decision is unanimous.
Oslo, 22 June 2021
Mari Bø Haugstad
Manager