Datatilsynet (Norway) - 22/03622: Difference between revisions

Latest revision as of 08:41, 31 May 2023

Datatilsynet - 22/03622

Authority:	Datatilsynet (Norway)
Jurisdiction:	Norway
Relevant Law:	Article 5(1)(c) GDPR Article 6(3) GDPR Article 58(2)(f) GDPR Statistikkloven (The Statistics Act, in English) Statistikkloven (The Statistics Act)
Type:	Investigation
Outcome:	Violation Found
Started:	01.05.2022
Decided:	26.04.2023
Published:	02.05.2023
Fine:	n/a
Parties:	n/a
National Case Number/Name:	22/03622
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Norwegian Norwegian
Original Source:	Datatilsynet (press release) (in NO) Datatilsynet (the Norwegian DPA) (in NO)
Initial Contributor:	Rie Aleksandra Walle

The Norwegian DPA imposed a ban on the national statistical institute's planned real-time mass-processing of nearly all purchase data in the country, including linkage to bank accounts and birth dates, for the purpose of providing official statistics.

English Summary

Facts

In May 2022, the Norwegian DPA was approached by a grocery chain and a payment transaction provider regarding an instruction the former had received from the national statistical institute Statistics Norway (SSB), to submit purchase data ("bongdata" in Norwegian) to them. The DPA had also received several complaints and inquiries from private parties regarding this matter, and in June they asked SSB, by letter, to clarify. Following their reply, the DPA and SSB had a meeting in August.

The various interactions clarified that SSB had instructed the main grocery chains in Norway (Rema 1000, NorgesGruppen, Coop and Bunnpris, accounting for about 99% of the Norwegian grocery market) to start submitting purchase data ("bongdata" in Norwegian) to them on a regular basis, including:

name of item
price per item* total amount of the receipt
payment method
amount per payment method
start and end time of the purchase
ID of returns
ID for terminated purchase
ID of offers/discounts

The data would be reported directly from the point of sale systems so that SSB would receive the data continuously. Purchased items would be classified into product groups and consumers would be classified by size and type of household, income, level of education and country region. This would be contingent on a connection to transactional data/bank account number and then birth date.

The purchase data do not in themselves contain any personal data. The intention is, however, to connect these with transactional data which then makes it possible to relate the data to an individual person. SSB will link these to transaction data quickly after continuously receiving them, and thus the DPA finds that it is correct to view the purchase data as personal data from the point of collection, and references Recital 26 GDPR. Because of this, the DPA assessed the interference the collection of purchase data represents.

SSB's claimed legal basis for the processing was the Norwegian Statistics Act § 10 Duty to provide information, which states that "any person must provide the data that are necessary to develop, produce or disseminate official statistics if so ordered by Statistics Norway". The purpose of the intended processing was to develop, produce and disseminate official statistics as per the Statistics Act, and SSB considered the processing to be necessary. During the investigation, SSB shared two data protection impact assessments (DPIA) with the DPA, one dated 27 January 2021 and the other from the period October 2021 to June 2022.

Holding

From the first DPIA, the DPA highlighted the fact that information about nearly all grocery purchases for the entire population of Norway would be collected, stored indefinitely, without allowing the data subjects to exercise their rights (because of exceptions in the national regulations). The DPA noted that SSB would receive extensive data more or less in real-time and with a high degree of accuracy, about every individual's grocery shopping, including where, how and what they purchased, for any purchase made at stores covering 99% of the Norwegian market (unless they paid by cash).

The DPA makes an interesting discussion on the right to respect for a private life under the European Convention on Human Rights (ECHR). This right is adopted in Norwegian law, both through ECHR and the Constitution § 102. When public authorities collect and store personal data, this is in itself interfering with privacy. The DPA emphasizes that in a democratic society, legal certainty is a central foundation and a principle in a democracy is that the state does not inferfere with citizens' private life without a basis in law (the principle of legality, as anchored in the Constitution § 113). The requirements for this basis in law increases with the severity of the interference. So even if SSB has a general basis in law for creating statistics, the interference in privacy in this particular case is so great that the DPA finds it cannot be justified with this only.

SSB tried to claim that the DPA was wrong in identifying them as "the state", to which the DPA responds that SSB is a public authority, funded over the National Budget, and despite being an independent authority clearly a part of the Norwegian state.

On 29 November 2022, the DPA notified SSB of their intention to ban the planned processing. SSB then submitted their comments and a legal consideration by a law firm, in January 2023. This did not, however, affect the DPA's intention to ban the processing.

The DPA found that SSB's assessments are inadequate and their impression is that SSB has an insufficient understanding of the concept of personal data protection, privacy as a fundamental right and the value of adequate privacy. The DPA viewed that collection and storage of personal data by public authorities is an intrusion in in itself which must form the basis for the assessment of any interference with privacy.

Consequently, the DPA held that SSB did not have a sufficient supplementary legal basis as per Article 6(3) GDPR to process the transaction personal data ("bongdata" in Norwegian) as intended, and based on Article 58(2)(f) GDPR imposed a ban on the processing.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

STATISTICAL CENTRAL BUREAU
PO Box 2633 St. Hanshaugen
0131 OSLO

Your reference Our reference Date
22/993 22/03622-15 26.04.2023

Decision on banning the processing of personal data

The Norwegian Data Protection Authority refers to our control case related to Statistics Norway's decision on
obligation to provide information in the form of handover of bank data for four grocery players.

In its decisions, Statistics Norway (hereafter Statistics Norway) has ordered the four players to transfer
bank data for the customers' goods transactions. The four players are NorgesGruppen ASA, Coop

Norge AS, Rema 1000 AS and Bunnpriskjeden.

1. Resolution
Pursuant to the Personal Protection Regulation article 58 no. 2 letter f, the Norwegian Data Protection Authority has today decided

the following decision:

The Norwegian Data Protection Authority prohibits the processing of bank data on the basis of a decision on

obligation to provide information determined by Statistics Norway. There is no sufficient supplementary legal provision
basis for the processing, cf. the personal data protection regulation article 6 no. 3.

2. The proceedings

The Norwegian Data Protection Authority became aware of the case through inquiries from NorgesGruppen ASA and
the payment intermediary Nets Branch Norway in May 2022.

The Norwegian Data Protection Authority has also received several complaints and inquiries from private individuals in this matter.

We sent a demand for an explanation to Statistics Norway on 02.06.2022. Statistics Norway answered our questions in a letter by
13/06/2022.

On 29 August 2022, a meeting was held between the Norwegian Data Protection Authority and Statistics Norway on the occasion of the case. The meeting
was reported. Draft minutes were sent to Statistics Norway on 01.09.2022, and Statistics Norway agreed
comments on the minutes on 07/09/2022. The final report was sent to Statistics Norway on 21 September 2022.

Postal address: Office address: Telephone: Organization number: Website:
PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
0105 OSLO 0191 OSLODatatilsynet has also received a copy of correspondence relating to NorgesGruppen ASA and
Coop Norge AS' complains about Statistics Norway's decision on the release of bin data. As far as we know,
the complaints are still being processed by the Ministry of Finance as the complaints body.

In a letter dated 29 November 2022, we notified Statistics Norway of a decision to ban the processing of
personal data in the form of bank data. Statistics Norway has commented on the notice in a letter dated
23.01.2023, attached a legal assessment from Advokatfirmaet Schjødt AS. We have incorporated

the comments in the decision where it is considered relevant.

3. More details about SSB's planned processing of bong data
3.1 Statistics Norway's decision on the obligation to provide information
In the decisions on the obligation to provide information to the grocery operators, Statistics Norway states that bank data from
the grocery trade is considered to be of great use for the production of official statistics which are
important to society. Statistics Norway will produce statistics on consumption in Norwegian households and new

statistics on diet.

Furthermore, it appears from the decisions that the data will be used to investigate the consumer price index
and the merchandise trade statistics can have bong data as a data basis.

Statistics Norway will also test and develop new methods to ensure even greater confidentiality in
statistics production.

The voucher data will include, among other things:
• product name
• price per item
• total amount on receipt

• method of payment
• amount per payment method
• start and end time for trading
• identifier on return

• identifier of completed trade
• identifier of the sale/offer

Any customer loyalty numbers must not be reported.

The voucher data must be reported as streamed data from the cash register systems, so that Statistics Norway receives it
the data continuously.

NorgesGruppen ASA and Coop Norge AS have appealed against the decisions on the obligation to provide information. SSB
has maintained its decisions and forwarded the complaints to the Ministry of Finance on 04.10.2022
for complaint processing.

23.2 Statistics Norway's reports to the Norwegian Data Protection Authority
3.2.1 Statement of purpose
In the statement from Statistics Norway dated 13 June 2022, it appears that Statistics Norway considers development, preparation and
dissemination of official statistics as one processing purpose, as the tasks are set out in
the Statistics Act.

This interpretation appears from the legislative preparations, Prop. 72 LS (2018-2019), in the notes to

the purpose provision in § 1 and to § 17 on SSB's tasks. Here is development, preparation and
dissemination of official statistics referred to as one main purpose and one main task. Also in
NOU 2018: 7 New Act on Official Statistics and Statistics Norway appears in point 10.4
that: "Method development is an integral part of the work of producing statistics".

Statistics Norway points out, however, that the assessment of necessity and the result of concrete data minimization will
could turn out differently depending on whether the purpose is development or preparation of current

statistics.

In the letter of 23 January 2023, it appears that Statistics Norway has nevertheless assessed the overall data need under
one (development, preparation and dissemination of official consumption and dietary statistics) and added
up to one data collection instead of collecting several almost identical, parallel data sets.
The background is that Statistics Norway believes that there is one purpose with several statistical products and
associated development work.

3.2.2 Assessment of the privacy intervention
In the letter of 23 January 2023, it appears that Statistics Norway believes that the privacy intervention is proportionate and
justified based on the purpose of the processing, the limited collection period and
the measures that have been established to reduce the privacy disadvantages. Statistics Norway has placed a decisive emphasis on
the purpose of the processing and the measures implemented.

Statistics Norway also points out that it was the data protection commissioner who recommended revising the decision
disclosure obligation time-limited to the period 2022 – 2023. An important part of the methodological work in
the two-year period is described as the assessment and concretization of data-minimizing measures
both before and after the collection, without compromising the quality of the statistical products
is reduced. Relevant measures can be periodic data collection, various forms of selection and
storage limitations.

3.2.3 Quality requirements
In the letter of 23 January 2023, Statistics Norway refers to the quality requirements in Section 5 of the Statistics Act, which correspond to
the requirements of European Parliament and Council Regulation (EU) 223/2009. Compliance with
the quality requirements require data of a certain content and scope.

Section 5 of the Statistics Act states, among other things, that statistics must be "relevant, accurate, up-to-date,

punctual, accessible and clear, comparable and coherent'.

Statistics Norway points to bong data as an example of a data source that has great potential to increase
the quality of several statistics.

33.2.4 Consumption statistics
Statistics Norway has explained what it wants to achieve by using bong data to produce
consumption statistics.

According to Statistics Norway, bong data will improve the quality of consumption statistics. The voucher data will be linked
to self-reported purchases (on the basis of consent), and it will be possible to correct for measurement errors
in the self-report. The comparison will provide a basis for supplementing the statistics

improved uncertainty estimates.

The production of statistics will also be made more efficient by classifying grocery purchases
automatic. The methods for automatic classification have been developed with test voucher data from 2018.
This has an impact on the quality of the statistics, but it will also have a great impact on
the resource use that goes into preparing the statistics. Furthermore, the statistics above
grocery consumption is broken down at far more levels than has been possible in the past.

In addition, Statistics Norway will be able to gain valuable knowledge about the strengths and weaknesses of the various data sources,
so that one can further develop the methods for estimating uncertainty and adjusting for biases.
This is one of several possible analyses, which may in turn provide a basis for data minimization in the future
statistics production.

3.2.5 Dietary statistics

Since the beginning of 2020, Statistics Norway has investigated the possibilities for preparing new diet statistics
based on information about which foodstuffs the Norwegian population buys from the largest
the players in the grocery market. The work has been carried out in close collaboration with, among others
The Norwegian Directorate of Health and the large grocery chains.

Statistics Norway plans to publish official diet statistics based on information on sales

food from grocery chains and information on the nutritional content of food obtained from others
sources, based on test voucher data from 2018. From 2023, the diet statistics will be further developed with
new bong data and information from other data sources, including information on households
from registers SSB already uses in other statistical production.

Access to all information that the grocery chains can supply (so-called full count) is as of today
crucial for Statistics Norway to be able to produce dietary statistics. Complete data will provide

basis for development work that may lead to future data minimization. This work will
could not be done without obtaining data on all purchases, where one looks at occurrences in and
variations between smaller groups. Statistics Norway also considers it necessary to use a full count for
to observe basic statistical principles such as quality awareness, cost-effectiveness,
relevance, accuracy and reliability.

3.3 Summary of the meeting between the Norwegian Data Protection Authority and Statistics Norway

In the meeting held in August 2022, Statistics Norway explained its mandate: Develop, prepare and
disseminate official statistics. Furthermore, Statistics Norway explained that they, through political guidance and
assignment letter, is required to look for and use new data sources as a basis for statistics, i
in addition to developing new methods for statistics production.

4SSB explained its work with consumption statistics, that is, statistics on what the country's
households spend money on. The last survey was carried out in 2012. Statistics Norway has had problems
with obtaining acceptable data quality as the survey has been based on volunteers
reporting, with a significant task burden for the participants and high drop-out rates. Furthermore, have
The Norwegian Directorate of Health expressed a need for dietary statistics as a basis for public health work,
and Statistics Norway has an established collaboration with the grocery chains to develop a data base.

Barcode data is already collected today from, among other things, grocery chains for use in
the consumer price index (CPI), but in an aggregated format. Furthermore, Statistics Norway has received bank data and
bank transaction data in a development project where it was investigated whether bank data can be used for
the desired purpose – consumption and diet statistics. Parallel to the collection of new
bongdata, Statistics Norway will collect data through self-reports, where consumers, among other things,
can scan receipts.

SSB described in more detail the planned processing of bong data internally at SSB. The goods which
are purchased will be classified into product groups. Furthermore, consumers will be classified according to
household size/type (about 10 groups in total) and other background variables, such as
household income (grouped), level of education and region/region. This presupposes a
link to transaction data/account number and then national ID number.

All use of information, including linking bank data to bank transaction data and

account number, is done with pseudonymous data, so that the individual receipt cannot be linked
directly against an individual. The receipts as they are received are stored in the system as raw data, that is
that is, without the link to the individuals who have made the purchases. Systems for
access management has been established, and access to raw data is strictly regulated. In principle it is
however, it is possible to make the connection again at a later time.

For the further processing of the bank data internally at Statistics Norway, the individual transaction will therefore
be aggregated at household group level. As the treatment is now planned and
presented, you will not be able to follow an individual household over time - only
household groups. Statistics Norway focuses on removing the data you do not need as early as possible
in the process. A statutory confidentiality requirement applies to the publication of official statistics,
that is to say that individuals/households should neither directly nor indirectly be able to
are identified.

Statistics Norway plans an evaluation of the solution in 2023, where, among other things, the level of detail of the data,
frequency and extent will be assessed.

3.4 The cost-benefit assessment
Section 10 fifth subsection of the Statistics Act requires that Statistics Norway conduct a cost-benefit assessment before they
decides to adopt an order on the obligation to provide information.

5SSB has published the cost-benefit assessment on its website. We will summarize them below
the parts of the assessment that relate to consequences for data subjects' privacy.

Statistics Norway states in its assessment that bong data from the grocery chains does not contain

personal data in itself. Through links to other sources, bongdata will still be able to
be linked to a person. By connecting a bong to a payment transaction (a payment by bank card),
purchases of goods can be linked to individuals and households via data from the Norwegian Tax Agency and the National Register of Citizens.
The connection to a person will be possible for more than 70% of the vouchers.

Statistics Norway considers that the bong data acquires the character of being sensitive personal data when they

linked to an individual and a household. It is emphasized that the bong data are distinctive both on
because of the large amount of data and because the information is not already available in public
register. In addition, Statistics Norway will receive the data in near real time and with a high degree of detail. They connected
the data will include information about where and when the individual has shopped for groceries, and that
detailed information will appear about which goods and quantity of goods you have bought.

This applies to all purchases from the four grocery operators that are not paid in cash.
The players together cover 99% of the market.

Statistics Norway recognizes that the individual consumer cannot be expected to be aware that Statistics Norway wants to
use the electronic tracks from current purchases, and forward these with
personally identifiable data, to create statistics. Statistics Norway states that it is therefore important that

the bong data is treated with extra care, and Statistics Norway will implement extra measures to
safeguard privacy and information security.

The privacy deficiencies must be remedied through the general security measures that apply to everyone
processing of statistical information. Statistics Norway must ensure confidentiality in all dissemination of

statistics. Furthermore, SSB's employees and contractors are subject to a duty of confidentiality, and SSB must
implement measures to achieve a satisfactory level of security. This includes, among other things
to ensure adequate access management, logging and subsequent control as well as regular
risk and vulnerability analyzes and threat simulations.

Statistics Norway will pseudonymise the personal data upon receipt, and aggregations of data adapted

the individual statistical needs will be an important measure. An important part of the investigative work will
be aimed at the development of new methods for data minimization and promoting privacy
production processes when processing this type of data.

Furthermore, the information shall only be used for statistical purposes within the framework of

the Statistics Act. According to Statistics Norway, statistical use is generally a purpose that has a low
privacy risk.

In its assessment of whether the information is necessary and relevant, cf. the principle of
data minimisation, Statistics Norway states that different forms of selection of bong data could probably have been
sufficient for some of the relevant statistical purposes. Daily reporting of bong data on

2
rema-1000-norgesgruppen-coop-and-bottom-price

However, product level 6 will also enable many forms of development work, both for new ones
statistical products and methods for processing this type of data. This work will not be
possible with sample surveys, aggregations or less frequent data deliveries.

Statistics Norway assesses that there are no conditions in the bong data that indicate limitations in
secondary use.

3.5 The assessment of privacy consequences
The Norwegian Data Protection Authority has received two assessments of privacy consequences (DPIA) from Statistics Norway, one
dated 27.01.2021 and the other from the period October 2021 to June 2022.

The first assessment relates to the completed development project where testing has been carried out
out the use of bong data, while the second assessment concerns the planned treatment.
The Norwegian Data Protection Authority nevertheless considers several of the assessments in the privacy impact assessment to be dated

27.01.2021 as relevant for the planned use of bong data.

On page 4 of the assessment from 27.01.2021, it is explained why a need has been identified
for such a privacy impact assessment:

"Data from the grocery chains contains detailed information about which products are
purchased, location and time. Bank transaction data includes all purchases with

debit cards, of all types, in addition to the location and time of transaction. In that these two
sources are linked to bank account and bank account owner, it will be possible to do
compilations so that we can link individuals to both time, place and what these are
buyer of goods and services. The potential to be able to make such connections suggests that
the data is considered to contain personally identifiable and sensitive information, and they
must be dealt with accordingly".

Furthermore, it appears on page 6 et seq. that information will be collected on virtually everyone
grocery purchases for the entire Norwegian population, and the data must be stored permanently. The
registered persons cannot exercise their rights either, as exceptions to these have been made
the rights in the regulations.

As regards how the processing will be perceived from the data subject's point of view, it appears

the following on pages 10 and 11:

“The data described in this DPIA contains directly identifiable
personal data. It must be assumed that the registered person experiences this as intrusive and
basically offensive.

We are talking about large amounts of data that apply to information that does not exist in it

public records. This means that those to whom the information applies are neither prepared
or have an expectation that this information will be collected and processed by one
public authority. However, the data subject is aware that the information
is registered and is available to the grocery chains.

7 In our opinion, the privacy disadvantage consists of perceived discomfort when a public
authority sits on this type of information which is perceived by many to belong to it
private sphere. Correspondingly, it can be experienced as a disadvantage for traders, among others
otherwise based on competitive assessments. The privacy disadvantage
increases when the information is compiled with other sources. Receipt data for
persons are planned to be linked with account holder information from the tax authorities and
transaction data from banks, as well as the household register.

The disadvantages described above are partially remedied by general security measures that apply to everyone
processing of statistical information in Statistics Norway. In addition, SSB's special
security measures that have been established for this data in particular. It is also emphasized that the purpose
is the development of statistics, that the processing is regulated in the Statistics Act, and that
information about the individual registered shall not be processed separately'.

3.6 Legal assessment from Statistics Norway
Statistics Norway has sent an undated assessment prepared by Advokatfirmaet Schjødt AS at
lawyers Eva Jarbekk and Inge Kristian Brodersen, with the heading "The principle pages
when collecting detailed information about individual citizens - the relationship with the Constitution and the ECHR
and the requirement for proportionality'. The assessment states, among other things, the following:

"Even if the statutory power of attorney in section 10 of the Statistics Act is not considered to

be contrary to basic human rights, the specific use of
the authority is assessed in each individual case. Statistics Norway believes that legally regulated purpose/use
limitation and the data minimization measures that have been implemented to a sufficient extent
reduces the inconvenience for the individual, so that the treatment is considered not to be in breach
with Section 102 of the Constitution or Article 8 of the ECHR. Special reference is made here to the fact that
Bong data is not at any time stored or processed with personal identifiers

characteristic, that bong data is only handled aggregated at group level (in reality a two-
dimensional aggregation in that bong data is aggregated on different product groups and
collated with households aggregated to different socio-social groups). The result
of the link are anonymous statistics”.

According to this, Statistics Norway believes that the established data minimization and security measures i
sufficiently takes care of both the grocery chains and the customers. SSB still wants to

to further develop new methods and tools that can further reduce the privacy disadvantage.

4. Relevant legal rules
The Norwegian Data Protection Authority monitors compliance with the privacy regulations, cf.
Article 57 of the regulation and § 20 of the Personal Data Act.

Below, we will explain the legal rules that we believe are relevant in the present case.

84.2 The right to privacy
4.2.1 Privacy as a human right
Everyone has the right to protection of their privacy. This is a right protected by the European
the Human Rights Convention (ECHR) as well as a constitutional right. A central part of the dish
to privacy is the right to protection of one's personal data.

The ECHR has been made Norwegian law through the Human Rights Act of 1999. In the ECHR article 8 no. 1
it appears that "[e]veryone has the right to respect for his private life and family life, his home and his
correspondence".

Furthermore, Article 8 no. 2 of the ECHR states that interventions in citizens' privacy must be "in accordance with

the law". The intervention must be necessary in a democratic society for reasons of importance
societal interests.

The right to privacy is recognized as a central human right by being taken into
Section 102 of the Constitution, where it is stated, among other things, that "[e]veryone has the right to respect for his
privacy and family life, one's home and one's communication" and that "[t]he state authorities shall
ensure protection of personal integrity".

As regards the relationship between the human right to privacy and the privacy regulations,
we also refer to the preparations for the Personal Information Act, Prop. 56 LS (2017-2018), point 6.4.
Here it appears on page 34:

"In its practice, the EMD has assumed that public authorities' storage of

personal data that is linked to private life within the meaning of the provision constitutes a
intervention in the court pursuant to ECHR article 8 no. 1, see Amann v. Switzerland 16.2.2000 [ECHR-
1995-27798] paragraph 65 and S. and Marper v. Great Britain 4.12.2008 [EMD-2004-
30562] section 67”.

That public authorities' collection and storage of personal data is an intervention in itself

itself is therefore indisputable and must be the basis for the assessment of any privacy intervention.

4.2.2 The principle of legality
In a democratic society, legal certainty is a central foundation. It is a fundamental
principle in a democracy that the state does not interfere with citizens without authority. This is called
the principle of legality and is anchored in § 113 of the Constitution, which specifies that "[t]he authorities'

intervention against the individual must have a basis in law". As mentioned above, the ECHR also states article
8 no. 2 that interventions in citizens' privacy require sufficient authority. Such protection in the form of
legal protection against arbitrary and unpredictable interventions is an important guarantee of legal certainty.

The requirement for the clarity of the law is tightened in line with the size of the intervention. The most serious
the interventions must be based on law rather than regulations or administrative decisions. In case of significant

intervention in the citizens' legal sphere, it must be clear from the wording of the law that the intervention is covered
of the relevant statutory provision. Enshrining privacy intrusions in the legal text itself creates

2In the personal protection regulation, this is expressed through article 6 no. 3, see point 4.6 below.

9 greater predictability for the general public, and laws are adopted through a thorough democratic process
process where trade-offs between the individual's privacy and the state's need for processing of
personal information must be done.

In Section 113 of the Constitution, there is a further requirement that there must be intervention towards the citizens
necessary to fulfill legitimate purposes. This means that an intervention in privacy must have
a useful value for society.

The requirements for legal regulation are also evident from our human rights obligations according to Den
the international convention on civil and political rights (SP), which has been made Norwegian law
through the Human Rights Act from 1999. In Norwegian law, it is assumed that national legislation
is in line with our international obligations in the area of human rights.

4.3 The principle of data minimization

The basic principles for processing personal data are set out in
Article 5 of the Personal Data Protection Regulation. Particularly central to this case is the principle of
data minimization.

The principle of data minimization appears in the personal data protection regulation article 5 no. 1 letter c,
according to which personal data must be "adequate, relevant and limited to what is
necessary for the purposes for which they are processed”.

According to the principle of data minimization, it is not sufficient that it is practical or desirable to
process personal data; the processing must be necessary for the purpose to be achieved.
The requirement of necessity will naturally become more stringent the greater the invasion of privacy.

The principle of data minimization also includes an overarching assumption that the processing of

personal data contributes to achieving a specific purpose. The purpose description will be that
natural starting point for assessments of the utility value of a treatment. The more
the more invasive the measure, the greater the requirements for the purpose description and a documented
usefulness of the measure.

4.4 The concept of personal data
The term personal data is defined in the Personal Data Protection Regulation Article 4 No. 1 as

"any information about an identified or identifiable natural person (the
registered"); an identifiable natural person is a person who directly or indirectly can
is identified, in particular by means of an identifier, e.g. a name, a
identification number, location information, an online identifier or one or more
elements that are specific to said natural person's physical, physiological, genetic,
mental, economic, cultural or social identity".

Paragraph 26 of the regulation states:

"When determining whether a natural person is identifiable, everyone should be taken into account
means that it can reasonably be thought that the data controller or another

10 person can use to identify the person concerned directly or indirectly, e.g.
designation. To determine whether funds can reasonably be expected to be used to
identify the natural person, all objective factors should be taken into account, e.g.
the cost of and the time necessary to make the identification, when it is taken
taking into account the technology available at the time of processing, as well as the
technological development".

4.5 Legal basis
4.5.1 The Personal Data Protection Regulation
Any processing of personal data must have a legal basis to be legal.
The Personal Protection Regulation Article 6 No. 1 provides an exhaustive overview of which legal
grounds (authorities) that may be the basis for processing personal data - and
thus an intervention in privacy.

Article 6 no. 1 letter c (fulfilment of a legal obligation) and e (exercise of public
authority or performance of a task in the public interest) are the most relevant
the provisions for the cases where public authorities intervene in citizens' privacy.

When applying the above-mentioned authorities, there must be an additional authority in national law
or in EU law that imposes duties or tasks on public authorities.
This follows from Article 6 No. 3 of the Personal Protection Ordinance and is described as supplementary

legal basis.

4.5.2 The Statistics Act
Statistics Norway's tasks and area of authority are regulated in the Statistics Act with regulations. SSB access
to order other businesses to hand over information for statistical purposes is regulated in
Section 10 of the Statistics Act. The provision reads:

"1) Anyone must, without being hindered by the duty of confidentiality and by order from Statistics Norway
provide information that is necessary for the development, preparation or dissemination of
official statistics. The duty applies to information about the person obliged to provide information and others
information over which the person obliged to provide information has the right to dispose of it. A deadline can be set
to provide information. Confidentiality as mentioned in the Criminal Procedure Act § 119 first and
second paragraph and the Disputes Act section 22-5 first paragraph precede the obligation to provide information according to the first

dot.

(2) Statistics Norway can issue regulations on the obligation to provide information and order
obligation to provide information in individual cases.

(3) Information can be refused to be disclosed in accordance with the first paragraph when an exception is required for reasons
to national defense and security interests or police crime-fighting

business.

(4) Statistics Norway may determine the manner in which the information is to be provided and
which documentation must be included. No remuneration can be required for this
costs of fulfilling the obligation to provide information.

11 (5) Before Statistics Norway decides to impose an obligation to provide information, there must be a
assessment of the usefulness of receiving the information, weighed against the costs for it
subject to disclosure and how invasive the treatment is considered to be for it
the information applies. The assessment must be made public.

(6) The Ministry may issue regulations on the obligation to provide information pursuant to this provision,

among other things about limitations in the obligation to provide information".

In the preparations for the Statistics Act, Prop. 72 LS (2018-2019), the relationship with the Constitution and
ECHR and the right to privacy discussed. It appears in point 5.1.4.8 on pages 41 and 42:

"The special regulation in the Personal Data Protection Regulation on the processing of personal data to
among other things, statistical purposes, see below, indicate that this type of treatment is considered

as minimally invasive.

Article 5 of the Personal Data Protection Regulation deals with the principles for the processing of
personal data. It follows from article 5 no. 1 letter b that further processing of
personal data for archival, research or statistical purposes in accordance with
article 89 no. 1, shall be considered compatible with the collection purpose. Furthermore, it follows
of recital 50 that the data controller does not need a new legal basis

to further process personal data for compatible purposes. The Personal Data Protection Regulation
Article 5 no. 1 letter c establishes the principle of data minimization, which implies that
personal data must be adequate, relevant and limited to what is
necessary for the purposes for which they are processed. The ministry indicates that
the personal data to be provided according to the proposal are relevant and necessary for that
Statistics Norway must be able to develop, prepare or disseminate statistics as it pleases

be covered by the national statistics programme.
(…)
Statistics Norway's collection of personal data will also constitute an intervention in
the right to privacy according to Section 102 of the Constitution and Article 8 of the ECHR. The processing is then only
permitted if it has sufficient authority, pursues a legitimate purpose and is
proportionately. For a general discussion of these requirements, reference is made to Prop. 56 LS
(2017–2018) point 6.4. As it appears there, Section 102 of the Constitution has clear similarities

with Article 8 of the ECHR, and must be interpreted in the light of this, cf. Rt-2015-93. It is not
evidence that Section 102 of the Constitution sets stricter requirements than Article 8 of the ECHR
legal basis for processing personal data. Statistics Norway can follow
The proposal collects a large amount of personal data. According to the Ministry's assessment
is this necessary for the agency to be able to fulfill its societal task of developing,
prepare and disseminate official statistics. This is a legitimate purpose. Statistically
centralbyrå must process the information in a reassuring manner and only for them

the purposes mentioned in the bill § 10. Further processing of information is
discussed in chapters 6 and 7.2. The ministry also refers to the discussion in chapter 4 of statistical
confidentiality, non-disclosure and information security. On this background consider
the ministry the proposal for a statutory provision as proportionate.

12 According to the ministry's assessment, the proposal meets the requirements of Section 102 of the Constitution and
Article 8 of the ECHR".

4.6 Requirements for the supplementary legal basis
Article 6 no. 3 of the Personal Protection Regulation contains several additional requirements
the legal basis. The supplementary legal basis – whether it is a legal authority, a
regulation or an administrative decision – must therefore meet certain criteria.

According to Article 6 No. 3, it must be clearly stated that the processing of personal data is
necessary to carry out a publicly beneficial task or exercise public authority.

Furthermore, it is required that the supplementary legal basis must "meet an objective in the public interest
interest and stand in a reasonable relationship to the legitimate aim sought to be achieved". It is laid
i.e. up to a proportionality assessment, to which the intervention in privacy must be in relation to

the social good that is achieved.

The preamble to the Personal Data Protection Regulation in many cases provides guidance for the specifics
the provisions of the regulation, including Article 6 No. 3.

Although a supplementary legal basis does not have to be in the form of a law, it appears from
recital 41 that the legal basis should be "clear and precise". It further states that

the application of the legal basis should be predictable for citizens.

The requirements for the supplementary legal basis are discussed by the Ministry of Justice and Emergency Preparedness in
the preparations for the Personal Data Act, Prop. 56 LS (2017-2018). Section 6.3.2 states:

"It follows from recital 41 that "when this regulation refers to a legal

basis or a legislative measure, this does not necessarily require one
regulatory act adopted by a parliament'. In the ministry's view, it must be added
reason that in any case statutory and regulatory provisions may constitute supplementary
legal basis. The Ministry assumes that also decisions made in accordance with law or regulations
are covered, as there is also a legal or regulatory basis in these cases".

However, this is nuanced in the following:

"If the processing of personal data constitutes an intrusion into the right to privacy
according to Section 102 of the Constitution or Article 8 of the ECHR, it may however be necessary
a more specific legal basis for the processing than the wording of the regulation can
indicate. It also follows expressly from recital 41 that there should be a legal basis
"clear and precise, and its application should be predictable to persons who
covered by it, in accordance with the case law of the Court of Justice of the European Union

(the "Court") and the European Court of Human Rights. In other words, must
the regulation's requirement for a supplementary legal basis for the processing is interpreted and applied
in line with the human rights requirements for a legal basis for interference with the right to
privacy. This means that a closer assessment of the legal basis must be made
and the treatment, where, among other things, emphasis must be placed on how invasive

13 the treatment is. Depending on the circumstances, the outcome of such an assessment may be that
a more specific basis than what might appear to be the minimum requirements is required
the wording of the regulation".

In point 6.4 of the preparatory work it also appears:

"At the same time, there is no doubt that the regulation's general rules, possibly i

combination with a supplementary legal basis that only meets the minimum requirements
according to the wording in Article 6 no. 3, will not always provide a sufficiently specific legal basis
or necessary guarantees in line with the Constitution and the ECHR. It will then be necessary to
design more specific legal bases and additional guarantees in national law, and that will i
in many cases be necessary with express authority in special legislation.
In other words, the regulation must be interpreted and applied in light of the Constitution and the ECHR.

(...) The requirements in the Constitution and the ECHR on the legal basis for invasion of privacy can
in the circumstances imply that the supplementary legal basis must contain such
more specific provisions that Article 6 nos. 2 and 3 allow for. What is required of
the supplementary legal basis, cannot be answered in general, but must be decided according to one
concrete assessment".

The European Court of Justice states the following in case C-175/20 in section 83:

"In this regard, it is nevertheless noted that the legislation which forms
basis for the processing, in order to fulfill the requirement of proportionality, such as Article 5,
item 1, letter c) (…) is an expression of (…), must lay down clear and precise rules, where
regulates the scope and application of the measure in question, and which
lays down minimum requirements, so that the persons whose personal data are affected prevail

over sufficient guarantees, which make it possible to effectively protect this information
against the risk of abuse. This legislation must be legally binding in national law
and in particular state, under what circumstances and on what conditions that may
a measure is adopted on the processing of such information, whereby it is ensured,
that the intervention is limited to what is strictly necessary'.

For Norway as an EEA member, the practice of the EU Court is not directly binding. Legal practice

from the European Court of Justice will still have significance in the area of privacy as it is a
basic assumption that the rules of the Personal Data Protection Regulation are understood and practiced equally throughout
EU/EEA.

5. The Norwegian Data Protection Authority's sanctioning authority
The Norwegian Data Protection Authority's authority to impose administrative sanctions is regulated in the privacy
the regulation, article 58. Article 58 no. 2 states which corrective measures the supervisory authority can take

adopt.

The relevant parts of the provision read:

14 «2. Each supervisory authority shall have the authority to decide on the following corrective measures
measures:
a. issue warnings to a data controller or data processor that they
the planned processing activities are likely to be in breach of the provisions of

this regulation, (…)
d. instruct the controller or data processor to ensure that
the processing activities take place in accordance with the provisions of this regulation
and, if relevant, in a specific manner and within a specific deadline, (…)
f. introduce a temporary or permanent restriction of, including a ban on,
treatment".

6. The Norwegian Data Protection Authority's assessment
6.1 Assessment of the size of the privacy intrusion
If privacy is to be encroached upon, it is a requirement according to both our human rights laws
obligations under the ECHR, the Constitution and the privacy regulations that a thorough investigation is carried out

assessment of the proportionality of the measure that constitutes the intervention. The disadvantages of
citizens in that personal information about them is collected must be weighed against that of the authorities
need for personally identifiable data to provide citizen services and carry out their duties.

We emphasize again that an invasion of privacy already occurs during the actual collection of
personal data and not until the data is further processed. The European one

In the cases Amann v. Switzerland (case 1995-27798) and S. and
Marper v. United Kingdom (Case 2004-30562) clearly established that states intervene against
the citizens already when collecting personal data as such. 3

In the response to the notice of decision and in dialogue with us, Statistics Norway has stated that the Norwegian Data Protection Authority is wrong when

we refer to SSB as "the state". In addition, we would like to note that Statistics Norway is a public authority,
financed through the state budget. Although SSB is an independent body, SSB is still a part
of the state apparatus. In our view, there is no doubt that Statistics Norway falls under the term "the state",
although that term may be imprecise. In any case, the use of the term "the state" has not had
significance for our assessments in the case.

The Norwegian Data Protection Authority recognizes the societal benefit of consumption and diet statistics. For example
dietary statistics are the basis for national public health work. We see that data with the same
quality that cannot be obtained from other sources, for example the consumers themselves. Statistics on a
area like this is undoubtedly a legitimate and socially beneficial purpose.

We have also noticed that SSB has good internal routines and systems for fast
pseudonymisation and aggregation of data, strict internal access management, etc. SSB is good
equipped to also handle bong data in a reassuring manner internally.

Statistics Norway has stated that an important consideration behind the collection of bong data is development work that can
lead to quality improvement and future data minimization through more precise data extraction, etc.

3 See also ECJ cases C-293/12 and C‑594/12, https://eur-lex.europa.eu/legal-
content/en/TXT/?uri=CELEX:62012CJ0293.

15As we understand it, however, the utility value of the development work will be unknown at the time
when the data is collected. We cannot therefore attach decisive importance to the objective of
future data minimization.

Bong data in itself does not contain any personal data, but the bong data must be linked
transaction data, which makes it possible to link the information to an individual.
The connection takes place with relatively simple means for SSB and within a short time after they
The continuously streamed data is received at SSB. The Danish Data Protection Authority is therefore of the opinion that
the right thing is to consider the bong data as personal data already from the time
the collection takes place, cf. point 26 of the Personal Data Protection Ordinance. In all cases will

the bank data will be personal data as soon as the link to transaction data has been made internally
at SSB.

It is thus the intervention of the collection of bong data that must be assessed in this case.

The planned collection of bong data for statistics involves the processing of enormous amounts
amounts of transactional data about a significant part of the population. It is also a brand new one
form of data collection by the authorities from private actors. SSB as public
authorities will gain completely new knowledge about which grocery purchases a large majority of Norwegians make
the population does in real time. The citizens cannot be said to have any expectation that a
public authorities will receive information about which groceries they buy from a completely private company

prosecutor. Statistics Norway also points out that the average citizen will not be able to predict that the state will collect
information about their purchases of groceries.

The individual data subjects have no real opportunity to oppose the collection of
personal data, except through trading with cash and avoiding the big ones

the grocery players. Nor do those registered receive targeted and individual information that
the collection takes place, as public authorities can typically make use of the data
the exceptions from the obligation to provide information according to the personal protection regulations. 4

It is therefore of less importance for our assessment of the size of the privacy intervention that
Statistics Norway's mandate is the production, dissemination and development of statistics, which in itself is not

linked to individuals. Whether the intervention is proportionate based on, among other things
purpose considerations, is another consideration.

The relationship with Section 102 of the Constitution and Article 8 of the ECHR is affected in the preparations for the Statistics Act.
The Ministry of Finance's assessment here is that section 10 of the Statistics Act in itself is not contrary to

the requirements of Section 102 of the Constitution and Article 8 of the ECHR and that statistics must generally be considered small
interfering with privacy. At the same time, the ministry also emphasizes that the individual interventions in
privacy must be proportionate to the social good that is achieved.

The Norwegian Data Protection Authority believes that there are weaknesses in the specific privacy impact assessments which
Statistics Norway has carried out. In the description of the privacy intervention seen from the point of view of the data subjects, refers

4 See the Personal Data Protection Ordinance, Article 14 No. 5 letter c. We do not go into the assessment of whether this specific
the collection is "expressly provided for in Union law or the national law of the Member States".

16SSB to a "perceived discomfort". This may indicate a lack of understanding of
the concept of privacy, privacy as a fundamental right and the value of good
privacy. Privacy as a societal value is a matter of trust and values. The assessments of
which personal data it is necessary for a public authority to process must therefore
considered in a broader perspective. Information security and other remedial measures are important
measures, but they do not reduce the size of the privacy intervention itself; the
the fundamental breach of privacy is the same regardless of how Statistics Norway handles the data

further. We also refer here to the fact that the intervention in privacy is already taking place
collection of personal data, cf. the decisions of the European Court of Justice and the European Court of Human Rights mentioned above.

As a data protection authority, we also believe that the Ministry of Finance's conclusion in the preparatory work
to the Statistics Act stating that processing for statistical purposes should generally be considered to be small
invasive is too unvarnished. The data collection that forms the basis for the preparation of
statistics can constitute a significant intrusion into data subjects' privacy. Although the end result

are anonymous statistics, large amounts of personal data could be processed by a government
body (SSB) in the process.

In this case, the dietary statistics are requested by the health authorities, and
The consumption statistics will be of much better quality if bong data is used. The statistics must
is based, among other things, on information about which grocery purchases individual individuals make, such as
Statistics Norway will get through bank data combined with transaction data.

As stated above, this is a completely new data collection from private actors, and there is agreement
that citizens cannot expect or anticipate that a public authority will do this
the type of data collection.

Although Statistics Norway has good internal processes and measures for pseudonymisation and screening of

personal data, and the data must be quickly aggregated, the underlying raw data
(voucher data and transaction data) remain available at Statistics Norway for at least a two-year period. The
means that the intervention persists, even if the statistical product is anonymous and only pseudonymous
data is used in the development work.

The Norwegian Data Protection Authority is of the clear opinion that the privacy intrusion when collecting Bong data is
very large. It must be questioned whether it is necessary for Statistics Norway to collect these

the data to carry out its social mission. We believe that the intervention cannot be considered as
proportional if the purpose can be achieved in a sufficiently good way through others,
less invasive means.

An important factor in this specific weighing will be the achievement of SSB's objectives. The Norwegian Data Protection Authority
believes that, after a concrete assessment of the proportionality of the privacy intervention, one must
accept that not all statistical purposes can be fully achieved. In such cases it is necessary to

accept that data must be collected from other sources with the consequence that the statistics get a
lower level of precision and quality.

In this matter, we believe that Statistics Norway's mandate to utilize new, digital sources to prepare and
developing statistics on the one hand, and the encroachment on privacy on the other, is i

17 conflict. Privacy is not an absolute right, but there is still an outer limit to which
interference with privacy that can be accepted.

In a case like this, the right to privacy is primarily about trust in the public sector
Norway, and less about the fear of misuse of personal data. In our view, the core of
the assessment of the privacy intervention in this case what is necessary for the public
authorities to know about the individual citizen.

Public authorities have enormous amounts of data about citizens through various
socio-economic registers and health registers. Through social security numbers, this data can be linked
up against each other. The result of such connections is something more than just the sum of the individual parts
the information; it can give a more or less complete picture of a single individual's life from
cradle to grave.

Public Norway has exclusively a mandate and authority that is linked to good
purposes and objectives, be it crime fighting, public health, good
welfare services or other. In many cases, it is absolutely essential to treat
personal data to perform public tasks. The Norwegian Data Protection Authority believes that it is still possible
limit on which data public authorities can process about individuals, even there
the purpose is good. It is at the core of the Norwegian Data Protection Authority's tasks as a supervisory authority to assess
where this boundary is to be drawn.

A serious, long-term consequence of disproportionately large intrusions into privacy can be
weakened trust in public authorities and lower willingness to share data with the public; it
the so-called cooling effect. Ultimately, this can affect the view of Norway as
democratic society. We would like to point out that both the Norwegian Data Protection Authority and Statistics Norway have received many negatives
reactions from individuals in this case.

6.2 Statement of purpose and data minimization
In the cost-benefit assessment, Statistics Norway has made an assessment of whether bong data are necessary and
relevant information for the purposes, cf. the principle of data minimisation. Here SSB states that
different forms of selection of bong data probably could have been sufficient for some of them
relevant statistical purposes. When it comes to development work, however, will not
sample surveys, aggregations or less frequent data deliveries are sufficient.

Statistics Norway has therefore itself pointed out that the assessment of necessity will be different for the different people
the purposes.

Furthermore, statistics production and method development are two different processes, although
statistical production is based on methods that have been developed using the basic data.

In our view, this illustrates the weaknesses of the necessity assessment that has been carried out.
The need for complete bong data for development purposes plays into the assessment that SSB
considers the collection necessary - also for the purpose of producing statistics.

18 Against this background, it appears clear to the Norwegian Data Protection Authority that the production/dissemination of statistics
and development work must be defined as different processing purposes in the Personal Data Protection Regulation
understanding.

Nor can we see that Statistics Norway has assessed the dietary statistics and the consumption statistics separately.
These are different forms of statistics that have different purposes, underlying considerations and
societal functions. As a result, the necessity assessment will be able to beat

also different for the two forms of statistics.

The Danish Data Protection Authority has chosen not to go into further detail in the assessment of the necessity of the bong data
the purposes. In this supervisory case, we have chosen to concentrate on the assessment of that
supplementary legal basis for the collection of bong data, cf. point 6.3 below. It may
nevertheless there is a need to make a thorough assessment of necessity at a later stage.

6.3 The supplementary legal basis
Through Section 10 of the Statistics Act, Statistics Norway has been given almost a blank authorization to make decisions or
adopt regulations on the obligation to provide information. Section 10 of the Statistics Act is thus a framework provision
which presupposes that the detailed access to process personal data is determined in a
other legal basis. Statistics Norway's processing of personal data must nevertheless be in line with
the privacy regulations.

In the preparations for the Personal Data Act, Prop. 56 LS (2017-2018), it appears that a
administrative decisions can constitute a supplementary legal basis in the personal data protection regulation
understanding. Whether an administrative decision is considered a sufficiently clear and predictable legal one
basis must, however, be assessed concretely.

In this case, Statistics Norway has decided to obtain enormous amounts of information about Norwegians

consumers' grocery purchases. The Norwegian Data Protection Authority believes that the privacy intrusion by the decisions is
considerably larger than what Statistics Norway seems to have assumed. That the collection of bong data is done
for statistical purposes is of secondary importance in this assessment as the intervention itself i
privacy already occurs at the time of data collection.

As we assume that the breach of privacy when collecting bong data is very large,
this sets stricter requirements for the supplementary legal basis, cf. the Personal Data Protection Ordinance

article 6 no. 3.

Section 10 of the Statistics Act stipulates that Statistics Norway itself shall carry out the cost-benefit assessment and determine
individual decisions, possibly adopting regulations, on the obligation to provide information.

From what we know, it is unusual for such an extensive collection and processing of
personal data to which this case applies is based on administrative decisions as supplementary

legal basis.

For comparison, we will refer to the system established for medical and healthcare professionals
research projects. In medical and healthcare research, decisions on exemption from
confidentiality and/or ethical approval decisions are the basis for the processing. In these

In the 19 cases, the assessment of whether data should be used for research is added to an external one
third party (respectively the Norwegian Directorate of Health and the regional committees for medical and
health research ethics, REK) and not to the institution responsible for the research.

Medical and healthcare research usually involves handling large amounts of health data and
other personal data. The third-party assessment is considered a guarantee for safeguarding
the research participants' rights and interests. The regional ethics committees can for

for example, set conditions for the collection, storage and use of data.

It appears in the letter of 23 January 2023 that Statistics Norway considers this comparison to be a
external considerations. Statistics Norway points out that the Storting has adopted the Statistics Act without it
is set up for an external third-party assessment and that this type of arrangement is therefore not possible
is given weight in the case.

We nevertheless believe that extensive processing of personal data pursuant to
administrative decisions are so unusual that the comparison above is not irrelevant to ours
assessment. As there is no external third-party assessment, and the Statistics Act §
10, which sets the framework, is so broadly designed, the Norwegian Data Protection Authority's control function will be the same
more important.

A natural consequence of SSB's purpose and social mission is that they must facilitate for

performance of the tasks assigned to them in the best possible way. Statistics Norway's operations are also regulated
partly of strategic guidance nationally and internationally. In highly invasive treatments
of personal data, it is therefore particularly important that the privacy impact assessment which
is the basis for the processing of personal data is good.

As mentioned in point 6.1, we believe that the assessments made by Statistics Norway in connection with collection

of bong data are lacking. As a consequence, the process harmonises towards Statistics Norway's decision
on the obligation to provide information does not meet the requirements of the privacy regulations. The ratings that
is settled against the principle of data minimization in the personal protection regulation article 5 no. 1
letter c and the principle of purpose limitation in letter b are not good enough in our view.
This means that it is not possible to make a fully sound proportionality assessment, like this
the privacy regulation article 6 no. 3 requires.

For Statistics Norway's operations, Statistics Norway alone can assess and decide that data should be collected. Any actor,
private as well as public, may be required to hand over personal data on a large scale.
Decisions on the obligation to provide information can be appealed to the Ministry of Finance, but we consider that such
complaint handling has a different function than an external third-party assessment at a business
with purposes other than just the preparation and development of statistics.

The Norwegian Data Protection Authority has assumed that the invasion of privacy when collecting Bong data is very serious

large. We believe that an administrative decision made by Statistics Norway pursuant to section 10 of the Statistics Act does not
is a sufficiently clear and predictable legal basis for such extensive processing.
Statistics Norway's decision also does not provide sufficient guarantees for those registered for such an intervention
processing such as collection of bong data. We believe that this view has support in

20 wording of the Personal Data Protection Ordinance, the preparations for the Personal Data Act and case law from
ECtHR and the European Court of Justice.

The Norwegian Data Protection Authority is therefore of the opinion that Statistics Norway's decision on the obligation to provide information to
the grocery operators do not meet the requirements of the supplementary legal basis i
the personal protection regulation article 6 no. 3.

6.4 Conclusion: Decision on banning the processing of personal data
The Norwegian Data Protection Authority has come to the conclusion that Statistics Norway's decision on the obligation to provide information to the grocery operators
NorgesGruppen ASA, Coop Norge AS, Rema 1000 AS and Bunnpriskjeden, comprised of
authority in Section 10 of the Statistics Act, does not meet the requirements for a supplementary legal basis i
the personal protection regulation article 6 no. 3.

We have therefore decided to adopt a ban on the processing of personal data in the form of

bong data, cf. the personal data protection regulation article 58 no. 2 letter f.

7. Right of appeal
This decision can be appealed within three weeks after you have received this letter, cf.
Sections 28 and 29 of the Administration Act. A possible complaint is sent to the Norwegian Data Protection Authority.

If we uphold our decision, the case will be sent to the Norwegian Personal Protection Board for

complaint processing, cf. Personal Data Act § 22.

With best regards

Line Coll
director
Susan Lie
legal professional director

The document is electronically approved and therefore has no handwritten signatures

Copy to: STATISTICS CENTRAL BYRÅ, Thorleiv Valen

21

@@ Line 10: / Line 10: @@
 |ECLI=
-|Original_Source_Name_1=Datatilsynet (the Norwegian DPA)
+|Original_Source_Name_1=Datatilsynet (press release)
-|Original_Source_Link_1=https://www.datatilsynet.no/contentassets/4153adfb55b6454593b716040172ef33/22_03622-10-varsel-om-vedtak-om-forbud-mot-behandling-av-personopplysninger-336993_252320_0.pdf
+|Original_Source_Link_1=https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2023/forbud-mot-behandling-av-personopplysninger-for-ssb/
 |Original_Source_Language_1=Norwegian
 |Original_Source_Language__Code_1=NO
 |Original_Source_Name_2=Datatilsynet (the Norwegian DPA)
-|Original_Source_Link_2=https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2022/varsel-om-vedtak-om-forbud-til-ssb/
+|Original_Source_Link_2=https://www.datatilsynet.no/contentassets/599d6a3c42bd4c4abb8f658323cf5f77/_-22_03622-15-vedtak-om-forbud-mot-behandling-av-personopplysninger---utlevering-av-bongdata-388818_9_1.pdf
 |Original_Source_Language_2=Norwegian
 |Original_Source_Language__Code_2=NO
@@ Line 26: / Line 26: @@
 |Outcome=Violation Found
 |Date_Started=01.05.2022
-|Date_Decided=28.11.2022
+|Date_Decided=26.04.2023
-|Date_Published=30.11.2022
+|Date_Published=02.05.2023
-|Year=2022
+|Year=2023
 |Fine=
 |Currency=
@@ Line 57: / Line 57: @@
 |National_Law_Link_4=
-|Party_Name_1=Statistisk sentralbyrå (Statistics Norway)
+|Party_Name_1=
-|Party_Link_1=https://www.ssb.no/en/omssb/ssbs-virksomhet
+|Party_Link_1=
 |Party_Name_2=
 |Party_Link_2=
-|Party_Name_3=
-|Party_Link_3=
 |Appeal_To_Body=
@@ Line 70: / Line 68: @@
 |Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Riealeksandra Rie Aleksandra Walle]
 |
 }}
-The Norwegian DPA has notified the national statistical institute of an intention to ban their planned real-time mass-processing of nearly all purchase transactions in the country, including linkage to bank accounts and birth dates, for the purpose of providing official statistics.
+The Norwegian DPA imposed a ban on the national statistical institute's planned real-time mass-processing of nearly all purchase data in the country, including linkage to bank accounts and birth dates, for the purpose of providing official statistics.
 == English Summary ==
 === Facts ===
-In May 2022, the Norwegian DPA Datatilsynet was approached by a grocery chain and a payment transaction provider regarding an instruction the former had received from Statistics Norway (SSB), the national statistical institute, to submit purchase transaction data to them. The DPA had also received several complaints and inquiries from private parties regarding this matter, and in June they asked SSB, by letter, to clarify. Following their reply, the parties had a meeting in August.
+In May 2022, the Norwegian DPA was approached by a grocery chain and a payment transaction provider regarding an instruction the former had received from the national statistical institute Statistics Norway (SSB), to submit purchase data ("bongdata" in Norwegian) to them. The DPA had also received several complaints and inquiries from private parties regarding this matter, and in June they asked SSB, by letter, to clarify. Following their reply, the DPA and SSB had a meeting in August.
-The various interactions clarified that SSB had instructed the main grocery chains in Norway (Rema 1000, NorgesGruppen, Coop and Bunnpris, accounting for about 99% of the Norwegian grocery market) to start submitting purchase transaction data ("bongdata" in Norwegian) to them on a regular basis, including:
+The various interactions clarified that SSB had instructed the main grocery chains in Norway (Rema 1000, NorgesGruppen, Coop and Bunnpris, accounting for about 99% of the Norwegian grocery market) to start submitting purchase data ("bongdata" in Norwegian) to them on a regular basis, including:
 * name of item
-* price per item
+* price per item* total amount of the receipt
-* total amount of the receipt
 * payment method
 * amount per payment method
@@ Line 92: / Line 90: @@
 * ID of offers/discounts
-The data would be reported directly from their point of sale systems so that SSB would receive the data continuously. Purchased items would be classified into product groups and consumers would be classified by size and type of household, income, level of education and country region. This would be contingent on a connection to transactional data/bank account number and then birth date.
+The data would be reported directly from the point of sale systems so that SSB would receive the data continuously. Purchased items would be classified into product groups and consumers would be classified by size and type of household, income, level of education and country region. This would be contingent on a connection to transactional data/bank account number and then birth date.
-SSB's legal basis for the processing is the [https://www.ssb.no/en/omssb/ssbs-virksomhet/styringsdokumenter/statistikkloven/_/attachment/inline/15f00d0d-322a-4b96-bfcb-a0159f76e2c2:165eaa37f1aae978f2a570066c4ad86830ae2094/Statistikklov_ENGELSK_red29des2020.pdf Statistics Act] § 10 ''Duty to provide information'', which states that "any person must provide the data that are necessary to develop, produce or disseminate official statistics if so ordered by Statistics Norway". The purpose of the intended processing is to develop, produce and disseminate official statistics as per the Statistics Act, and SSB considers the processing to be ''necessary''.
+The purchase data do not in themselves contain any personal data. The intention is, however, to connect these with transactional data which then makes it possible to relate the data to an individual person. SSB will link these to transaction data quickly after continuously receiving them, and thus the DPA finds that it is correct to view the purchase data as personal data from the point of collection, and references Recital 26 GDPR. Because of this, the DPA assessed the interference the collection of purchase data represents.
-During the investigation, SSB shared two data protection impact assessments (DPIA) with the DPA, one dated 27 January 2021 and the other from the period October 2021 to June 2022.
+SSB's claimed legal basis for the processing was the Norwegian Statistics Act § 10 Duty to provide information, which states that "any person must provide the data that are necessary to develop, produce or disseminate official statistics if so ordered by Statistics Norway". The purpose of the intended processing was to develop, produce and disseminate official statistics as per the Statistics Act, and SSB considered the processing to be necessary. During the investigation, SSB shared two data protection impact assessments (DPIA) with the DPA, one dated 27 January 2021 and the other from the period October 2021 to June 2022.
 === Holding ===
-From the first DPIA, the DPA highlights a section describing that information about nearly all grocery purchases for the entire population of Norway would be collected, stored indefinitely, without allowing the data subjects to exercise their rights (because of exceptions in the national regulations). The DPA notes that SSB would receive extensive data more or less in real-time and with a high degree of accuracy, about every individual's grocery shopping, including where, how and what they purchased, for any purchase made at stores covering 99% of the Norwegian market (unless they paid by cash).
+From the first DPIA, the DPA highlighted the fact that information about nearly all grocery purchases for the entire population of Norway would be collected, stored indefinitely, without allowing the data subjects to exercise their rights (because of exceptions in the national regulations). The DPA noted that SSB would receive extensive data more or less in real-time and with a high degree of accuracy, about every individual's grocery shopping, including where, how and what they purchased, for any purchase made at stores covering 99% of the Norwegian market (unless they paid by cash).
-The DPA also notes that SSB's assessments are inadequate and their impression is that SSB has an insufficient understanding of the concept of personal data protection, privacy as a fundamental right and the value of adequate privacy.
+The DPA makes an interesting discussion on the right to respect for a private life under the European Convention on Human Rights (ECHR). This right is adopted in Norwegian law, both through ECHR and the Constitution § 102. When public authorities collect and store personal data, this is in ''itself'' interfering with privacy. The DPA emphasizes that in a democratic society, legal certainty is a central foundation and a principle in a democracy is that the state does not inferfere with citizens' private life without a basis in law (the principle of legality, as anchored in the Constitution § 113). The requirements for this basis in law increases with the severity of the interference. So even if SSB has a general basis in law for creating statistics, the interference in privacy in this particular case is so great that the DPA finds it cannot be justified with this only.
-Based on [[Article 58 GDPR#2f|Article 58(2)(f)]], the DPA held that Statistics Norway does not have a sufficient supplementary legal basis as per [[Article 6 GDPR|Article 6(3)]] to process the personal data as intended, and consequently imposed a ban on the processing.
+SSB tried to claim that the DPA was wrong in identifying them as "the state", to which the DPA responds that SSB is a public authority, funded over the National Budget, and despite being an independent authority clearly a part of the Norwegian state.
-Statistics Norway has three weeks (until 19 December 2022) to provide comments to the DPA before they make their final decision.
+On 29 November 2022, the DPA notified SSB of their intention to ban the planned processing. SSB then submitted their comments and a legal consideration by a law firm, in January 2023. This did not, however, affect the DPA's intention to ban the processing.
+The DPA found that SSB's assessments are inadequate and their impression is that SSB has an insufficient understanding of the concept of personal data protection, privacy as a fundamental right and the value of adequate privacy. The DPA viewed that collection and storage of personal data by public authorities is an intrusion in in itself which must form the basis for the assessment of any interference with privacy.
+Consequently, the DPA held that SSB did not have a sufficient supplementary legal basis as per [[Article 6 GDPR|Article 6(3) GDPR]] to process the transaction personal data ("bongdata" in Norwegian) as intended, and based on [[Article 58 GDPR|Article 58(2)(f) GDPR]] imposed a ban on the processing.
 == Comment ==
-''Share your comments here!''
 == Further Resources ==
 ''Share blogs or news articles here!''
@@ Line 119: / Line 119: @@
 STATISTICAL CENTRAL BUREAU
 PO Box 2633 St. Hanshaugen
+OSLO
-OSLO
@@ Line 130: / Line 130: @@
 Your reference Our reference Date
-/03622-10 28.11.2022
+/993 22/03622-15 26.04.2023
+Decision on banning the processing of personal data
+The Norwegian Data Protection Authority refers to our control case related to Statistics Norway's decision on
+obligation to provide information in the form of handover of bank data for four grocery players.
-Notice of decision on banning the processing of personal data
+In its decisions, Statistics Norway (hereafter Statistics Norway) has ordered the four players to transfer
+bank data for the customers' goods transactions. The four players are NorgesGruppen ASA, Coop
+Norge AS, Rema 1000 AS and Bunnpriskjeden.
-The Norwegian Data Protection Authority refers to previous contact and correspondence in connection with our control case
+. Resolution
-linked to Statistics Norway's decision on the obligation to provide information in the form of handing over bank data
+Pursuant to the Personal Protection Regulation article 58 no. 2 letter f, the Norwegian Data Protection Authority has today decided
-for four grocery players.
+the following decision:
-Statistics Norway (hereafter Statistics Norway) has ordered the players to transfer the bank data for the customers
+        The Norwegian Data Protection Authority prohibits the processing of bank data on the basis of a decision on
-commodity transactions. The four players are NorgesGruppen ASA, Coop Norge AS, Rema 1000 AS
-and the Bottom Price Chain.
+        obligation to provide information determined by Statistics Norway. There is no sufficient supplementary legal provision
+        basis for the processing, cf. the personal data protection regulation article 6 no. 3.
+. The proceedings
-. The proceedings
 The Norwegian Data Protection Authority became aware of the case through inquiries from NorgesGruppen ASA and
 the payment intermediary Nets Branch Norway in May 2022.
-The Norwegian Data Protection Authority has also received several complaints and inquiries from private parties in this matter.
+The Norwegian Data Protection Authority has also received several complaints and inquiries from private individuals in this matter.
@@ Line 164: / Line 172: @@
-The Norwegian Data Protection Authority has also received copies of correspondence relating to NorgesGruppen ASA and
-Coop Norge AS' complains about Statistics Norway's decision on the release of bin data. As far as we know,
-the complaints are being processed by the Ministry of Finance as the complaints body.
-. Notice of decision
-Pursuant to the personal data protection regulation, article 58 no. 2 letter f, the Norwegian Data Protection Authority notifies the following
-decision:
+Postal address: Office address: Telephone: Organization number: Website:
+PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
+OSLO 0191 OSLODatatilsynet has also received a copy of correspondence relating to NorgesGruppen ASA and
+Coop Norge AS' complains about Statistics Norway's decision on the release of bin data. As far as we know,
+the complaints are still being processed by the Ministry of Finance as the complaints body.
+In a letter dated 29 November 2022, we notified Statistics Norway of a decision to ban the processing of
+personal data in the form of bank data. Statistics Norway has commented on the notice in a letter dated
+.01.2023, attached a legal assessment from Advokatfirmaet Schjødt AS. We have incorporated
-Postal address: Office address: Telephone: Org. no: Website:
+the comments in the decision where it is considered relevant.
-PO Box 458 SentrumTrelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
-OSLO 0191 OSLO The Norwegian Data Protection Authority bans the processing of Bong data on the basis of a decision on
-        obligation to provide information determined by Statistics Norway. There is no sufficient supplementary legal provision
-        basis for the processing, cf. the personal data protection regulation article 6 no. 3.
 . More details about SSB's planned processing of bong data
-.1 The decisions on the obligation to provide information
+.1 Statistics Norway's decision on the obligation to provide information
 In the decisions on the obligation to provide information to the grocery operators, Statistics Norway states that bank data from
 the grocery trade is considered to be of great use for the production of official statistics which are
 important to society. Statistics Norway will produce statistics on consumption in Norwegian households and new
 statistics on diet.
-Furthermore, the data will be used to investigate the consumer price index and merchandise trade statistics
+Furthermore, it appears from the decisions that the data will be used to investigate the consumer price index
-can have bong data as a data base.
+and the merchandise trade statistics can have bong data as a data basis.
 Statistics Norway will also test and develop new methods to ensure even greater confidentiality in
 statistics production.
 The voucher data will include, among other things:
-      product name
+     • product name
-      price per item
+     • price per item
+    • total amount on receipt
-      total amount on receipt
+     • method of payment
-     method of payment
+     • amount per payment method
-      amount per payment method
+     • start and end time for trading
-      start and end time for trading
+    • identifier on return
-      identifier on return
+     • identifier of completed trade
-     identifier of completed trade
+     • identifier of the sale/offer
-      identifier of the sale/offer
 Any customer loyalty numbers must not be reported.
 The voucher data must be reported as streamed data from the cash register systems, so that Statistics Norway receives it
 the data continuously.
 NorgesGruppen ASA and Coop Norge AS have appealed against the decisions on the obligation to provide information. SSB
@@ Line 222: / Line 227: @@
-.2 Statistics Norway's report to the Norwegian Data Protection Authority
+.2 Statistics Norway's reports to the Norwegian Data Protection Authority
 .2.1 Statement of purpose
-In the statement dated 13 June 2022, it appears that Statistics Norway considers the development, preparation and
+In the statement from Statistics Norway dated 13 June 2022, it appears that Statistics Norway considers development, preparation and
 dissemination of official statistics as one processing purpose, as the tasks are set out in
 the Statistics Act.
@@ Line 232: / Line 244: @@
 the purpose provision in § 1 and to § 17 on SSB's tasks. Here is development, preparation and
 dissemination of official statistics referred to as one main purpose and one main task. Also in
+NOU 2018: 7 New Act on Official Statistics and Statistics Norway appears in point 10.4
+that: "Method development is an integral part of the work of producing statistics".
+Statistics Norway points out, however, that the assessment of necessity and the result of concrete data minimization will
+could turn out differently depending on whether the purpose is development or preparation of current
+statistics.
+In the letter of 23 January 2023, it appears that Statistics Norway has nevertheless assessed the overall data need under
+one (development, preparation and dissemination of official consumption and dietary statistics) and added
+up to one data collection instead of collecting several almost identical, parallel data sets.
+The background is that Statistics Norway believes that there is one purpose with several statistical products and
+associated development work.
+.2.2 Assessment of the privacy intervention
+In the letter of 23 January 2023, it appears that Statistics Norway believes that the privacy intervention is proportionate and
+justified based on the purpose of the processing, the limited collection period and
+the measures that have been established to reduce the privacy disadvantages. Statistics Norway has placed a decisive emphasis on
+the purpose of the processing and the measures implemented.
+Statistics Norway also points out that it was the data protection commissioner who recommended revising the decision
+disclosure obligation time-limited to the period 2022 – 2023. An important part of the methodological work in
+the two-year period is described as the assessment and concretization of data-minimizing measures
+both before and after the collection, without compromising the quality of the statistical products
+is reduced. Relevant measures can be periodic data collection, various forms of selection and
+storage limitations.
+.2.3 Quality requirements
+In the letter of 23 January 2023, Statistics Norway refers to the quality requirements in Section 5 of the Statistics Act, which correspond to
+the requirements of European Parliament and Council Regulation (EU) 223/2009. Compliance with
+the quality requirements require data of a certain content and scope.
+Section 5 of the Statistics Act states, among other things, that statistics must be "relevant, accurate, up-to-date,
+punctual, accessible and clear, comparable and coherent'.
+Statistics Norway points to bong data as an example of a data source that has great potential to increase
+the quality of several statistics.
-NOU 2018: 7 New Act on Official Statistics and Statistics Norway is stated in point 10.4
-that: "Method development is an integral part of the work of producing statistics".
-Statistics Norway nevertheless points out that the assessment of necessity and the result of concrete data minimization
-will be able to turn out differently depending on whether the purpose is development or preparation of current
-statistics.
-.2.2 Consumption statistics
+.2.4 Consumption statistics
 Statistics Norway has explained what it wants to achieve by using bong data to produce
 consumption statistics.
-Voucher data will improve the quality of consumption statistics. The voucher data will be connected
+According to Statistics Norway, bong data will improve the quality of consumption statistics. The voucher data will be linked
-self-reported purchases (on the basis of consent), and it will be possible to correct for measurement errors in
+to self-reported purchases (on the basis of consent), and it will be possible to correct for measurement errors
-the self-report. The comparison will provide a basis for supplementing the statistics with
+in the self-report. The comparison will provide a basis for supplementing the statistics
 improved uncertainty estimates.
@@ Line 256: / Line 303: @@
 automatic. The methods for automatic classification have been developed with test voucher data from 2018.
 This has an impact on the quality of the statistics, but it will also have a great impact on
-the use of resources to prepare the statistics. Furthermore, the statistics on grocery consumption can
+the resource use that goes into preparing the statistics. Furthermore, the statistics above
-broken down on far more levels than has been possible in the past.
+grocery consumption is broken down at far more levels than has been possible in the past.
@@ Line 265: / Line 312: @@
 statistics production.
-.2.3 Dietary statistics
+.2.5 Dietary statistics
 Since the beginning of 2020, Statistics Norway has investigated the possibilities for preparing new diet statistics
@@ Line 288: / Line 335: @@
 relevance, accuracy and reliability.
+.3 Summary of the meeting between the Norwegian Data Protection Authority and Statistics Norway
+In the meeting held in August 2022, Statistics Norway explained its mandate: Develop, prepare and
+disseminate official statistics. Furthermore, Statistics Norway explained that they, through political guidance and
+assignment letter, is required to look for and use new data sources as a basis for statistics, i
+in addition to developing new methods for statistics production.
-.3 Summary of the meeting between the Norwegian Data Protection Authority and Statistics Norway
-In the meeting, Statistics Norway explained its mandate, which is to develop, prepare and disseminate official
-statistics. Through political guidelines and assignment letters, Statistics Norway is required to look for and adopt
-new data sources as a basis for statistics, in addition to developing new methods for
-statistics production.
-Statistics Norway explained their work with consumption statistics, that is, statistics on what the country's
+SSB explained its work with consumption statistics, that is, statistics on what the country's
 households spend money on. The last survey was carried out in 2012. Statistics Norway has had problems
 with obtaining acceptable data quality as the survey has been based on volunteers
 reporting, with a significant task burden for the participants and high drop-out rates. Furthermore, have
 The Norwegian Directorate of Health expressed a need for dietary statistics as a basis for public health work,
-and Statistics Norway has an established collaboration with the grocery chains to develop a data basis.
+and Statistics Norway has an established collaboration with the grocery chains to develop a data base.
 Barcode data is already collected today from, among other things, grocery chains for use in
 the consumer price index (CPI), but in an aggregated format. Furthermore, Statistics Norway has received bank data and
 bank transaction data in a development project where it was investigated whether bank data can be used for
-the desired purpose – consumption and diet statistics. In parallel with the collection of new
+the desired purpose – consumption and diet statistics. Parallel to the collection of new
 bongdata, Statistics Norway will collect data through self-reports, where consumers, among other things,
 can scan receipts.
-SSB explained in more detail the planned processing of bong data internally at SSB. The goods which
+SSB described in more detail the planned processing of bong data internally at SSB. The goods which
 are purchased will be classified into product groups. Furthermore, consumers will be classified according to
 household size/type (about 10 groups in total) and other background variables, such as
@@ Line 321: / Line 369: @@
 All use of information, including linking bank data to bank transaction data and
 account number, is done with pseudonymous data, so that the individual receipt cannot be linked
 directly against an individual. The receipts as they are received are stored in the system as raw data, that is
 that is, without the link to the individuals who have made the purchases. Systems for
 access management has been established, and access to raw data is strictly regulated. In principle it is
 however, it is possible to make the connection again at a later time.
 For the further processing of the bank data internally at Statistics Norway, the individual transaction will therefore
 be aggregated at household group level. As the treatment is now planned and
 presented, you will not be able to follow an individual household over time - only
@@ Line 340: / Line 388: @@
 Statistics Norway plans an evaluation of the solution in 2023, where, among other things, the level of detail of the data,
 frequency and extent will be assessed.
+.4 The cost-benefit assessment
+Section 10 fifth subsection of the Statistics Act requires that Statistics Norway conduct a cost-benefit assessment before they
+decides to adopt an order on the obligation to provide information.
@@ Line 347: / Line 401: @@
-.4 The cost-benefit assessment
-Section 10 fifth subsection of the Statistics Act requires that Statistics Norway conduct a cost-benefit assessment before they
-decides to adopt an order on the obligation to provide information.
+SSB has published the cost-benefit assessment on its website. We will summarize them below
-Statistics Norway has published the cost-benefit assessment on its website. We will summarize them below
+the parts of the assessment that relate to consequences for data subjects' privacy.
-the parts of the assessment that are linked to consequences for data subjects' privacy.
-Statistics Norway states that bank data from grocery chains does not contain personal information in itself.
+Statistics Norway states in its assessment that bong data from the grocery chains does not contain
-Through links to other sources, bong data can still be linked to a person. By connecting
-a voucher for a payment transaction (a payment by bank card), purchases of goods can be linked
-person and household via data from the Swedish Tax Agency and the National Register of Citizens. The link to person will
+personal data in itself. Through links to other sources, bongdata will still be able to
-could be done for more than 70% of the bonds.
+be linked to a person. By connecting a bong to a payment transaction (a payment by bank card),
+purchases of goods can be linked to individuals and households via data from the Norwegian Tax Agency and the National Register of Citizens.
+The connection to a person will be possible for more than 70% of the vouchers.
 Statistics Norway considers that the bong data acquires the character of being sensitive personal data when they
 linked to an individual and a household. It is emphasized that the bong data are distinctive both on
 because of the large amount of data and because the information is not already available in public
 register. In addition, Statistics Norway will receive the data in near real time and with a high degree of detail. They connected
 the data will include information about where and when the individual has shopped for groceries, and that
 detailed information will appear about which goods and quantity of goods you have bought.
 This applies to all purchases from the four grocery operators that are not paid in cash.
 The players together cover 99% of the market.
+Statistics Norway recognizes that the individual consumer cannot be expected to be aware that Statistics Norway wants to
+use the electronic tracks from current purchases, and forward these with
+personally identifiable data, to create statistics. Statistics Norway states that it is therefore important that
-The individual consumer cannot be expected to be aware that Statistics Norway will use the electronic ones
+the bong data is treated with extra care, and Statistics Norway will implement extra measures to
-the traces from ongoing purchases, and forward these with personally identifiable data, to create
+safeguard privacy and information security.
-statistics. Statistics Norway states that it is therefore important that the bong data is processed extra
-caution, and Statistics Norway will implement extra measures to safeguard privacy and
-information security.
 The privacy deficiencies must be remedied through the general security measures that apply to everyone
 processing of statistical information. Statistics Norway must ensure confidentiality in all dissemination of
-statistics, is subject to a duty of confidentiality and must implement measures to achieve a satisfactory
-security level. This includes, among other things, ensuring adequate access management, logging
-and subsequent control as well as regular risk and vulnerability analyzes and
+statistics. Furthermore, SSB's employees and contractors are subject to a duty of confidentiality, and SSB must
-threat simulations.
+implement measures to achieve a satisfactory level of security. This includes, among other things
+to ensure adequate access management, logging and subsequent control as well as regular
+risk and vulnerability analyzes and threat simulations.
 Statistics Norway will pseudonymise the personal data upon receipt, and aggregations of data adapted
 the individual statistical needs will be an important measure. An important part of the investigative work will
 be aimed at the development of new methods for data minimization and promoting privacy
 production processes when processing this type of data.
 Furthermore, the information shall only be used for statistical purposes within the framework of
 the Statistics Act. According to Statistics Norway, statistical use is generally a purpose that has a low
 privacy risk.
+In its assessment of whether the information is necessary and relevant, cf. the principle of
+data minimisation, Statistics Norway states that different forms of selection of bong data could probably have been
+sufficient for some of the relevant statistical purposes. Daily reporting of bong data on
- https://www.ssb.no/omssb/ssbs-versiktom/kost-nyttevuderning/leveranse-av-bongdata-fra-dagligvarekjedene-
 rema-1000-norgesgruppen-coop-and-bottom-price
-In its assessment of whether the information is necessary and relevant, cf. the principle of
+                                                                                                However, product level 6 will also enable many forms of development work, both for new ones
-data minimisation, Statistics Norway states that different forms of selection of bong data could probably have been
-sufficient for some of the relevant statistical purposes. Daily reporting of bong data on
-However, product level will also enable many forms of development work, both for new ones
 statistical products and methods for processing this type of data. This work will not be
 possible with sample surveys, aggregations or less frequent data deliveries.
 Statistics Norway assesses that there are no conditions in the bong data that indicate limitations in
 secondary use.
 .5 The assessment of privacy consequences
@@ Line 420: / Line 472: @@
 dated 27.01.2021 and the other from the period October 2021 to June 2022.
+The first assessment relates to the completed development project where testing has been carried out
+out the use of bong data, while the second assessment concerns the planned treatment.
+The Norwegian Data Protection Authority nevertheless considers several of the assessments in the privacy impact assessment to be dated
-The first assessment relates to the completed development project where testing has been carried out
+.01.2021 as relevant for the planned use of bong data.
-out the use of bong data, while the second assessment concerns the planned treatment. We
-nevertheless considers several of the assessments in the privacy impact assessment dated 27.01.2021
-as relevant to the planned use of bong data.
 On page 4 of the assessment from 27.01.2021, it is explained why a need has been identified
 for such a privacy impact assessment:
          "Data from the grocery chains contains detailed information about which products are
          purchased, location and time. Bank transaction data includes all purchases with
          debit cards, of all types, in addition to the location and time of transaction. In that these two
          sources are linked to bank account and bank account owner, it will be possible to do
          compilations so that we can link individuals to both time, place and what these are
          buyer of goods and services. The potential to be able to make such connections suggests that
          the data is considered to contain personally identifiable and sensitive information, and they
          must be dealt with accordingly".
 Furthermore, it appears on page 6 et seq. that information will be collected on virtually everyone
 grocery purchases for the entire Norwegian population, and the data must be stored permanently. The
 registered persons cannot exercise their rights either, as exceptions to these have been made
 the rights in the regulations.
 As regards how the processing will be perceived from the data subject's point of view, it appears
 the following on pages 10 and 11:
          “The data described in this DPIA contains directly identifiable
          personal data. It must be assumed that the registered person experiences this as intrusive and
          basically offensive.
          We are talking about large amounts of data that apply to information that does not exist in it
          public records. This means that those to whom the information applies are neither prepared
          or have an expectation that this information will be collected and processed by one
+        public authority. However, the data subject is aware that the information
+        is registered and is available to the grocery chains.
-public authority. However, the data subject is aware that the information
-        is registered and is available to the grocery chains.
-        In our opinion, the privacy disadvantage consists of perceived discomfort when a public
+In our opinion, the privacy disadvantage consists of perceived discomfort when a public
          authority sits on this type of information which is perceived by many to belong to it
          private sphere. Correspondingly, it can be experienced as a disadvantage for traders, among others
          otherwise based on competitive assessments. The privacy disadvantage
          increases when the information is compiled with other sources. Receipt data for
          persons are planned to be linked with account holder information from the tax authorities and
          transaction data from banks, as well as the household register.
          The disadvantages described above are partially remedied by general security measures that apply to everyone
          processing of statistical information in Statistics Norway. In addition, SSB's special
          security measures that have been established for this data in particular. It is also emphasized that the purpose
          is the development of statistics, that the processing is regulated in the Statistics Act, and that
          information about the individual registered shall not be processed separately'.
 .6 Legal assessment from Statistics Norway
-Statistics Norway has sent an undated assessment with the heading "The principle aspects of
+Statistics Norway has sent an undated assessment prepared by Advokatfirmaet Schjødt AS at
-collection of detailed information on individual citizens – the relationship with the Constitution and ECHR and
+lawyers Eva Jarbekk and Inge Kristian Brodersen, with the heading "The principle pages
-the requirement of proportionality'. The assessment states, among other things, the following:
+when collecting detailed information about individual citizens - the relationship with the Constitution and the ECHR
+and the requirement for proportionality'. The assessment states, among other things, the following:
+        "Even if the statutory power of attorney in section 10 of the Statistics Act is not considered to
-        "Even if the statutory power of attorney in section 10 of the Statistics Act is not considered to
          be contrary to basic human rights, the specific use of
          the authority is assessed in each individual case. Statistics Norway believes that legally regulated purpose/use
@@ Line 492: / Line 545: @@
          reduces the inconvenience for the individual, so that the treatment is considered not to be in breach
          with Section 102 of the Constitution or Article 8 of the ECHR. Special reference is made here to the fact that
+        Bong data is not at any time stored or processed with personal identifiers
-        Bong data is not at any time stored or processed with personal identifiers
          characteristic, that bong data is only handled aggregated at group level (in reality a two-
          dimensional aggregation in that bong data is aggregated on different product groups and
@@ Line 499: / Line 552: @@
          of the link are anonymous statistics”.
+According to this, Statistics Norway believes that the established data minimization and security measures i
+sufficiently takes care of both the grocery chains and the customers. SSB still wants to
-Statistics Norway believes that the established data minimization and security measures are sufficient
+to further develop new methods and tools that can further reduce the privacy disadvantage.
-takes care of both the grocery chains and the customers. Statistics Norway still wants to develop further
-new methods and tools that can further reduce the privacy disadvantage.
-Relevant legal rules
+. Relevant legal rules
 The Norwegian Data Protection Authority monitors compliance with the privacy regulations, cf.
 Article 57 of the regulation and § 20 of the Personal Data Act.
+Below, we will explain the legal rules that we believe are relevant in the present case.
-Below, we will explain the legal rules that we believe are relevant in the present case.
@@ Line 517: / Line 572: @@
-.1 The right to privacy
+.2 The right to privacy
-.1.1 Privacy as a human right
+.2.1 Privacy as a human right
 Everyone has the right to protection of their privacy. This is a right protected by the European
 the Human Rights Convention (ECHR) as well as a constitutional right. A central part of the dish
 to privacy is the right to protection of one's personal data.
 The ECHR has been made Norwegian law through the Human Rights Act of 1999. In the ECHR article 8 no. 1
 it appears that "[e]veryone has the right to respect for his private life and family life, his home and his
 correspondence".
 Furthermore, Article 8 no. 2 of the ECHR states that interventions in citizens' privacy must be "in accordance with
 the law". The intervention must be necessary in a democratic society for reasons of importance
 societal interests.
 The right to privacy is recognized as a central human right by being taken into
@@ Line 537: / Line 592: @@
 privacy and family life, one's home and one's communication" and that "[t]he state authorities shall
 ensure protection of personal integrity".
 As regards the relationship between the human right to privacy and the privacy regulations,
 we also refer to the preparations for the Personal Information Act, Prop. 56 LS (2017-2018), point 6.4.
 Here it appears on page 34:
          "In its practice, the EMD has assumed that public authorities' storage of
          personal data that is linked to private life within the meaning of the provision constitutes a
          intervention in the court pursuant to ECHR article 8 no. 1, see Amann v. Switzerland 16.2.2000 [ECHR-
@@ Line 549: / Line 605: @@
 ] section 67”.
+That public authorities' collection and storage of personal data is an intervention in itself
-That states' collection and storage of personal data is an intervention in itself must be recognized
+itself is therefore indisputable and must be the basis for the assessment of any privacy intervention.
-reason when assessing privacy intrusions.
-.1.2 The principle of legality
+.2.2 The principle of legality
-In a legally secure and democratic society, it is crucial that the state does not intervene
+In a democratic society, legal certainty is a central foundation. It is a fundamental
+principle in a democracy that the state does not interfere with citizens without authority. This is called
+the principle of legality and is anchored in § 113 of the Constitution, which specifies that "[t]he authorities'
-the citizens without authorization. This is called the principle of legality and is anchored in Section 113 of the Constitution,
+intervention against the individual must have a basis in law". As mentioned above, the ECHR also states article
-which specifies that "[t]he intervention of the authorities towards the individual must have a basis in law". As
+no. 2 that interventions in citizens' privacy require sufficient authority. Such protection in the form of
-mentioned above, ECHR Article 8 no. 2 also states that interference with citizens' privacy requires
+legal protection against arbitrary and unpredictable interventions is an important guarantee of legal certainty.
-sufficient authority. Such protection against arbitrary and unpredictable interventions is an important one
-guarantee of legal certainty.
 The requirement for the clarity of the law is tightened in line with the size of the intervention. The most serious
+the interventions must be based on law rather than regulations or administrative decisions. In case of significant
-the interventions must be based on law rather than regulations or administrative decisions. In case of significant
 intervention in the citizens' legal sphere, it must be clear from the wording of the law that the intervention is covered
 of the relevant statutory provision. Enshrining privacy intrusions in the legal text itself creates
-greater predictability for the general public, and laws are adopted through a thorough democratic process
+In the personal protection regulation, this is expressed through article 6 no. 3, see point 4.6 below.
-process where trade-offs between the individual's privacy and the state's need for treatment of
+greater predictability for the general public, and laws are adopted through a thorough democratic process
+process where trade-offs between the individual's privacy and the state's need for processing of
 personal information must be done.
@@ Line 586: / Line 643: @@
 is in line with our international obligations in the area of human rights.
-.2 The principle of data minimization
+.3 The principle of data minimization
 The basic principles for processing personal data are set out in
 Article 5 of the Personal Data Protection Regulation. Particularly central to this case is the principle of
 data minimization.
@@ Line 597: / Line 654: @@
-According to the principle of data minimisation, it is not sufficient that it is practical or desirable to
+According to the principle of data minimization, it is not sufficient that it is practical or desirable to
 process personal data; the processing must be necessary for the purpose to be achieved.
 The requirement of necessity will naturally become more stringent the greater the invasion of privacy.
 The principle of data minimization also includes an overarching assumption that the processing of
 personal data contributes to achieving a specific purpose. The purpose description will be that
 natural starting point for assessments of the utility value of a treatment. The more
 the more invasive the measure, the greater the requirements for the purpose description and a documented
 usefulness of the measure.
-.3 Legal basis
+.4 The concept of personal data
-.3.1 The Personal Data Protection Regulation
+The term personal data is defined in the Personal Data Protection Regulation Article 4 No. 1 as
+     "any information about an identified or identifiable natural person (the
+     registered"); an identifiable natural person is a person who directly or indirectly can
+     is identified, in particular by means of an identifier, e.g. a name, a
+     identification number, location information, an online identifier or one or more
+     elements that are specific to said natural person's physical, physiological, genetic,
+     mental, economic, cultural or social identity".
+Paragraph 26 of the regulation states:
+     "When determining whether a natural person is identifiable, everyone should be taken into account
+     means that it can reasonably be thought that the data controller or another
+person can use to identify the person concerned directly or indirectly, e.g.
+     designation. To determine whether funds can reasonably be expected to be used to
+     identify the natural person, all objective factors should be taken into account, e.g.
+     the cost of and the time necessary to make the identification, when it is taken
+     taking into account the technology available at the time of processing, as well as the
+     technological development".
+.5 Legal basis
+.5.1 The Personal Data Protection Regulation
 Any processing of personal data must have a legal basis to be legal.
 The Personal Protection Regulation Article 6 No. 1 provides an exhaustive overview of which legal
 grounds (authorities) that may be the basis for processing personal data - and
 thus an intervention in privacy.
 Article 6 no. 1 letter c (fulfilment of a legal obligation) and e (exercise of public
 authority or performance of a task in the public interest) are the most relevant
 the provisions for the cases where public authorities intervene in citizens' privacy.
 When applying the above-mentioned authorities, there must be an additional authority in national law
 or in EU law that imposes duties or tasks on public authorities.
 This follows from Article 6 No. 3 of the Personal Protection Ordinance and is described as supplementary
 legal basis.
+.5.2 The Statistics Act
-.3.2 Statistics Act
 Statistics Norway's tasks and area of authority are regulated in the Statistics Act with regulations. SSB access
 to order other businesses to hand over information for statistical purposes is regulated in
 Section 10 of the Statistics Act. The provision reads:
          "1) Anyone must, without being hindered by the duty of confidentiality and by order from Statistics Norway
          provide information that is necessary for the development, preparation or dissemination of
          official statistics. The duty applies to information about the person obliged to provide information and others
          information over which the person obliged to provide information has the right to dispose of it. A deadline can be set
          to provide information. Confidentiality as mentioned in the Criminal Procedure Act § 119 first and
          second paragraph and the Disputes Act section 22-5 first paragraph precede the obligation to provide information according to the first
          dot.
          (2) Statistics Norway can issue regulations on the obligation to provide information and order
          obligation to provide information in individual cases.
          (3) Information can be refused to be disclosed in accordance with the first paragraph when an exception is required for reasons
          to national defense and security interests or police crime-fighting
          business.
          (4) Statistics Norway may determine the manner in which the information is to be provided and
          which documentation must be included. No remuneration can be required for this
          costs of fulfilling the obligation to provide information.
-        (5) Before Statistics Norway decides to impose an obligation to provide information, there must be a
+(5) Before Statistics Norway decides to impose an obligation to provide information, there must be a
          assessment of the usefulness of receiving the information, weighed against the costs for it
          subject to disclosure and how invasive the treatment is considered to be for it
          the information applies. The assessment must be made public.
+        (6) The Ministry may issue regulations on the obligation to provide information pursuant to this provision,
-        (6) The Ministry may issue regulations on the obligation to provide information pursuant to this provision,
+         among other things about limitations in the obligation to provide information".
-         among other things about limitations in the duty to provide information".
 In the preparations for the Statistics Act, Prop. 72 LS (2018-2019), the relationship with the Constitution and
-ECHR and the right to privacy discussed. It appears in point 5.1.4.8 on page 42:
+ECHR and the right to privacy discussed. It appears in point 5.1.4.8 on pages 41 and 42:
+        "The special regulation in the Personal Data Protection Regulation on the processing of personal data to
+        among other things, statistical purposes, see below, indicate that this type of treatment is considered
-         "Statistics Norway's collection of personal data will also constitute an intervention in
+         as minimally invasive.
+        Article 5 of the Personal Data Protection Regulation deals with the principles for the processing of
+        personal data. It follows from article 5 no. 1 letter b that further processing of
+        personal data for archival, research or statistical purposes in accordance with
+        article 89 no. 1, shall be considered compatible with the collection purpose. Furthermore, it follows
+        of recital 50 that the data controller does not need a new legal basis
+        to further process personal data for compatible purposes. The Personal Data Protection Regulation
+        Article 5 no. 1 letter c establishes the principle of data minimization, which implies that
+        personal data must be adequate, relevant and limited to what is
+        necessary for the purposes for which they are processed. The ministry indicates that
+        the personal data to be provided according to the proposal are relevant and necessary for that
+        Statistics Norway must be able to develop, prepare or disseminate statistics as it pleases
+        be covered by the national statistics programme.
+        (…)
+        Statistics Norway's collection of personal data will also constitute an intervention in
          the right to privacy according to Section 102 of the Constitution and Article 8 of the ECHR. The processing is then only
          permitted if it has sufficient authority, pursues a legitimate purpose and is
          proportionately. For a general discussion of these requirements, reference is made to Prop. 56 LS
          (2017–2018) point 6.4. As it appears there, Section 102 of the Constitution has clear similarities
          with Article 8 of the ECHR, and must be interpreted in the light of this, cf. Rt-2015-93. It is not
          evidence that Section 102 of the Constitution sets stricter requirements than Article 8 of the ECHR
          legal basis for processing personal data. Statistics Norway can follow
@@ Line 681: / Line 785: @@
          is this necessary for the agency to be able to fulfill its societal task of developing,
          prepare and disseminate official statistics. This is a legitimate purpose. Statistically
+        centralbyrå must process the information in a reassuring manner and only for them
-Central Agency must process the information in a reassuring manner and only for them
          the purposes mentioned in the bill § 10. Further processing of information is
          discussed in chapters 6 and 7.2. The ministry also refers to the discussion in chapter 4 of statistical
@@ Line 691: / Line 792: @@
          the ministry the proposal for a statutory provision as proportionate.
-        According to the ministry's assessment, the proposal meets the requirements of Section 102 of the Constitution and
-        Article 8 of the ECHR".
-Furthermore, it is stated in point 6.2.4.7 on pages 61 and 62:
-        "If disclosure would constitute an intrusion into the right to privacy pursuant to Section 102 of the Constitution
-        and Article 8 of the ECHR, it must nevertheless be assessed whether more specific ones are necessary
-        legal or regulatory provisions and/or guarantees to fulfill the Constitution and
-        ECHR's requirements for a legal basis for invasion of privacy.
+According to the ministry's assessment, the proposal meets the requirements of Section 102 of the Constitution and
-        (…)
+         Article 8 of the ECHR".
-        The special regulation on the processing of personal data in the Personal Data Protection Ordinance to
-         among other things, research purposes and statistical purposes indicate that this type of treatment
-        considered to be minimally invasive'.
-.4 Requirements for the supplementary legal basis
+.6 Requirements for the supplementary legal basis
 Article 6 no. 3 of the Personal Protection Regulation contains several additional requirements
 the legal basis. The supplementary legal basis – whether it is a legal authority, a
 regulation or an administrative decision – must therefore meet certain criteria.
 According to Article 6 No. 3, it must be clearly stated that the processing of personal data is
 necessary to carry out a publicly beneficial task or exercise public authority.
 Furthermore, it is required that the supplementary legal basis must "meet an objective in the public interest
 interest and stand in a reasonable relationship to the legitimate aim sought to be achieved". It is laid
-i.e. up to a proportionality assessment, in which the intervention in privacy must be in relation to
+i.e. up to a proportionality assessment, to which the intervention in privacy must be in relation to
 the social good that is achieved.
 The preamble to the Personal Data Protection Regulation in many cases provides guidance for the specifics
 the provisions of the regulation, including Article 6 No. 3.
 Although a supplementary legal basis does not have to be in the form of a law, it appears from
 recital 41 that the legal basis should be "clear and precise". It further states that
 the application of the legal basis should be predictable for citizens.
 The requirements for the supplementary legal basis are discussed by the Ministry of Justice and Emergency Preparedness in
 the preparations for the Personal Data Act, Prop. 56 LS (2017-2018). Section 6.3.2 states:
          "It follows from recital 41 that "when this regulation refers to a legal
          basis or a legislative measure, this does not necessarily require one
          regulatory act adopted by a parliament'. In the ministry's view, it must be added
+        reason that in any case statutory and regulatory provisions may constitute supplementary
-reason that in any case statutory and regulatory provisions may constitute supplementary
          legal basis. The Ministry assumes that also decisions made in accordance with law or regulations
          are covered, as there is also a legal or regulatory basis in these cases".
 However, this is nuanced in the following:
          "If the processing of personal data constitutes an intrusion into the right to privacy
          according to Section 102 of the Constitution or Article 8 of the ECHR, it may however be necessary
          a more specific legal basis for the processing than the wording of the regulation can
@@ Line 754: / Line 842: @@
          "clear and precise, and its application should be predictable to persons who
          covered by it, in accordance with the case law of the Court of Justice of the European Union
          (the "Court") and the European Court of Human Rights. In other words, must
          the regulation's requirement for a supplementary legal basis for the processing is interpreted and applied
          in line with the human rights requirements for a legal basis for interference with the right to
          privacy. This means that a closer assessment of the legal basis must be made
          and the treatment, where, among other things, emphasis must be placed on how invasive
-        the treatment is. Depending on the circumstances, the outcome of such an assessment may be that
+the treatment is. Depending on the circumstances, the outcome of such an assessment may be that
          a more specific basis than what might appear to be the minimum requirements is required
          the wording of the regulation".
 In point 6.4 of the preparatory work it also appears:
          "At the same time, there is no doubt that the regulation's general rules, possibly i
          combination with a supplementary legal basis that only meets the minimum requirements
          according to the wording in Article 6 no. 3, will not always provide a sufficiently specific legal basis
          or necessary guarantees in line with the Constitution and the ECHR. It will then be necessary to
          design more specific legal bases and additional guarantees in national law, and that will i
          in many cases be necessary with express authority in special legislation.
          In other words, the regulation must be interpreted and applied in light of the Constitution and the ECHR.
-         (…) The requirements in the Constitution and the ECHR on the legal basis for invasion of privacy can
+         (...) The requirements in the Constitution and the ECHR on the legal basis for invasion of privacy can
          in the circumstances imply that the supplementary legal basis must contain such
          more specific provisions that Article 6 nos. 2 and 3 allow for. What is required of
          the supplementary legal basis, cannot be answered in general, but must be decided according to one
          concrete assessment".
 The European Court of Justice states the following in case C-175/20 in section 83:
          "In this regard, it is nevertheless noted that the legislation which forms
          basis for the processing, in order to fulfill the requirement of proportionality, such as Article 5,
          item 1, letter c) (…) is an expression of (…), must lay down clear and precise rules, where
          regulates the scope and application of the measure in question, and which
          lays down minimum requirements, so that the persons whose personal data are affected prevail
          over sufficient guarantees, which make it possible to effectively protect this information
          against the risk of abuse. This legislation must be legally binding in national law
+        and in particular state, under what circumstances and on what conditions that may
-and in particular state, under what circumstances and under what conditions that can
          a measure is adopted on the processing of such information, whereby it is ensured,
          that the intervention is limited to what is strictly necessary'.
+For Norway as an EEA member, the practice of the EU Court is not directly binding. Legal practice
-For Norway as an EEA member, the practice of the EU Court is not directly binding. Legal practice
 from the European Court of Justice will still have significance in the area of privacy as it is a
 basic assumption that the rules of the Personal Data Protection Regulation are understood and practiced equally throughout
 EU/EEA.
 . The Norwegian Data Protection Authority's sanctioning authority
 The Norwegian Data Protection Authority's authority to impose administrative sanctions is regulated in the privacy
 the regulation, article 58. Article 58 no. 2 states which corrective measures the supervisory authority can take
 adopt.
@@ Line 816: / Line 904: @@
-        "2. Each supervisory authority shall have the authority to decide on the following corrective measures
+«2. Each supervisory authority shall have the authority to decide on the following corrective measures
          measures:
             a. issue warnings to a data controller or data processor that they
                the planned processing activities are likely to be in breach of the provisions of
                this regulation, (…)
             d. instruct the controller or data processor to ensure that
                the processing activities take place in accordance with the provisions of this regulation
@@ Line 829: / Line 921: @@
 . The Norwegian Data Protection Authority's assessment
 .1 Assessment of the size of the privacy intrusion
 If privacy is to be encroached upon, it is a requirement according to both our human rights laws
 obligations under the ECHR, the Constitution and the privacy regulations that a thorough investigation is carried out
-assessment of the proportionality of the measure. The disadvantages to the citizens of that
-personal data if they are collected must be weighed against the authority's needs for
+assessment of the proportionality of the measure that constitutes the intervention. The disadvantages of
-personally identifiable data to provide citizen services and carry out their tasks.
+citizens in that personal information about them is collected must be weighed against that of the authorities
+need for personally identifiable data to provide citizen services and carry out their duties.
-We make it clear that an invasion of privacy already occurs during the actual collection of data
+We emphasize again that an invasion of privacy already occurs during the actual collection of
 personal data and not until the data is further processed. The European one
 In the cases Amann v. Switzerland (case 1995-27798) and S. and
-Marper v. Great Britain (Case 2004-30562) clearly stated that states intervene against
+Marper v. United Kingdom (Case 2004-30562) clearly established that states intervene against
-the citizens already when collecting personal data as such.
+the citizens already when collecting personal data as such. 3
+In the response to the notice of decision and in dialogue with us, Statistics Norway has stated that the Norwegian Data Protection Authority is wrong when
+we refer to SSB as "the state". In addition, we would like to note that Statistics Norway is a public authority,
+financed through the state budget. Although SSB is an independent body, SSB is still a part
+of the state apparatus. In our view, there is no doubt that Statistics Norway falls under the term "the state",
+although that term may be imprecise. In any case, the use of the term "the state" has not had
+significance for our assessments in the case.
 The Norwegian Data Protection Authority recognizes the societal benefit of consumption and diet statistics. For example
 dietary statistics are the basis for national public health work. We see that data with the same
+quality that cannot be obtained from other sources, for example the consumers themselves. Statistics on a
+area like this is undoubtedly a legitimate and socially beneficial purpose.
+We have also noticed that SSB has good internal routines and systems for fast
- See also ECJ cases C-293/12 and C‑594/12, https://eur-lex.europa.eu/legal-
+pseudonymisation and aggregation of data, strict internal access management, etc. SSB is good
-content/en/TXT/?uri=CELEX:62012CJ0293.
+equipped to also handle bong data in a reassuring manner internally.
+Statistics Norway has stated that an important consideration behind the collection of bong data is development work that can
+lead to quality improvement and future data minimization through more precise data extraction, etc.
-quality cannot be obtained from other sources, for example the consumers themselves. We also have
+See also ECJ cases C-293/12 and C‑594/12, https://eur-lex.europa.eu/legal-
-noticed that SSB has good internal routines and systems for rapid pseudonymisation and
+content/en/TXT/?uri=CELEX:62012CJ0293.
-aggregation of data, strict internal access management, etc. SSB is well equipped to deal with this as well
-bong data in a reassuring manner internally.
-Statistics Norway has stated that an important consideration behind the collection of bong data is development work that can
-lead to quality improvement and future data minimization through more precise data extraction, etc.
 As we understand it, however, the utility value of the development work will be unknown at the time
 when the data is collected. We cannot therefore attach decisive importance to the objective of
 future data minimization.
+Bong data in itself does not contain any personal data, but the bong data must be linked
+transaction data, which makes it possible to link the information to an individual.
+The connection takes place with relatively simple means for SSB and within a short time after they
+The continuously streamed data is received at SSB. The Danish Data Protection Authority is therefore of the opinion that
+the right thing is to consider the bong data as personal data already from the time
+the collection takes place, cf. point 26 of the Personal Data Protection Ordinance. In all cases will
+the bank data will be personal data as soon as the link to transaction data has been made internally
+at SSB.
+It is thus the intervention of the collection of bong data that must be assessed in this case.
 The planned collection of bong data for statistics involves the processing of enormous amounts
 amounts of transactional data about a significant part of the population. It is also a brand new one
-form of data collection by the authorities from private actors. The state will get a brand new one
+form of data collection by the authorities from private actors. SSB as public
+authorities will gain completely new knowledge about which grocery purchases a large majority of Norwegians make
+the population does in real time. The citizens cannot be said to have any expectation that a
+public authorities will receive information about which groceries they buy from a completely private company
-knowledge about which grocery purchases almost the entire Norwegian population makes in real time.
+prosecutor. Statistics Norway also points out that the average citizen will not be able to predict that the state will collect
+information about their purchases of groceries.
 The individual data subjects have no real opportunity to oppose the collection of
-personal data (except through trading with cash and avoiding the big
+personal data, except through trading with cash and avoiding the big ones
-the grocery players). Nor do those registered receive information that the collection is taking place. As
-Statistics Norway itself points out, the average citizen will not be able to predict that the state will collect
-information about their purchases of groceries.
+the grocery players. Nor do those registered receive targeted and individual information that
+the collection takes place, as public authorities can typically make use of the data
+the exceptions from the obligation to provide information according to the personal protection regulations. 4
 It is therefore of less importance for our assessment of the size of the privacy intervention that
 Statistics Norway's mandate is the production, dissemination and development of statistics, which in itself is not
-linked to individuals.
+linked to individuals. Whether the intervention is proportionate based on, among other things
+purpose considerations, is another consideration.
 The relationship with Section 102 of the Constitution and Article 8 of the ECHR is affected in the preparations for the Statistics Act.
-The Ministry of Finance's conclusion is that Section 10 of the Statistics Act in itself is not contrary to
+The Ministry of Finance's assessment here is that section 10 of the Statistics Act in itself is not contrary to
-the requirements in Section 102 of the Constitution and Article 8 of the ECHR. At the same time, the ministry has indicated that it must
+the requirements of Section 102 of the Constitution and Article 8 of the ECHR and that statistics must generally be considered small
-assessed whether more specific statutory or regulatory provisions are necessary and/or
+interfering with privacy. At the same time, the ministry also emphasizes that the individual interventions in
-guarantees to fulfill the Constitution's and the ECHR's requirements for a legal basis when this is to be done
+privacy must be proportionate to the social good that is achieved.
-invasion of privacy.
 The Norwegian Data Protection Authority believes that there are weaknesses in the specific privacy impact assessments which
+Statistics Norway has carried out. In the description of the privacy intervention seen from the point of view of the data subjects, refers
+See the Personal Data Protection Ordinance, Article 14 No. 5 letter c. We do not go into the assessment of whether this specific
+the collection is "expressly provided for in Union law or the national law of the Member States".
-Statistics Norway has carried out. In the description of the privacy intervention seen from the point of view of the data subjects, refers
+SSB to a "perceived discomfort". This may indicate a lack of understanding of
-SSB to a "perceived discomfort". This may indicate a lack of understanding of
 the concept of privacy, privacy as a fundamental right and the value of good
-privacy. We also refer here to the fact that the intervention in privacy is already taking place
+privacy. Privacy as a societal value is a matter of trust and values. The assessments of
+which personal data it is necessary for a public authority to process must therefore
+considered in a broader perspective. Information security and other remedial measures are important
+measures, but they do not reduce the size of the privacy intervention itself; the
+the fundamental breach of privacy is the same regardless of how Statistics Norway handles the data
+further. We also refer here to the fact that the intervention in privacy is already taking place
 collection of personal data, cf. the decisions of the European Court of Justice and the European Court of Human Rights mentioned above.
-In a case like this, the right to privacy is less about the fear of abuse
+As a data protection authority, we also believe that the Ministry of Finance's conclusion in the preparatory work
+to the Statistics Act stating that processing for statistical purposes should generally be considered to be small
+invasive is too unvarnished. The data collection that forms the basis for the preparation of
+statistics can constitute a significant intrusion into data subjects' privacy. Although the end result
+are anonymous statistics, large amounts of personal data could be processed by a government
+body (SSB) in the process.
+In this case, the dietary statistics are requested by the health authorities, and
+The consumption statistics will be of much better quality if bong data is used. The statistics must
+is based, among other things, on information about which grocery purchases individual individuals make, such as
+Statistics Norway will get through bank data combined with transaction data.
+As stated above, this is a completely new data collection from private actors, and there is agreement
+that citizens cannot expect or anticipate that a public authority will do this
+the type of data collection.
+Although Statistics Norway has good internal processes and measures for pseudonymisation and screening of
+personal data, and the data must be quickly aggregated, the underlying raw data
+(voucher data and transaction data) remain available at Statistics Norway for at least a two-year period. The
+means that the intervention persists, even if the statistical product is anonymous and only pseudonymous
+data is used in the development work.
+The Norwegian Data Protection Authority is of the clear opinion that the privacy intrusion when collecting Bong data is
+very large. It must be questioned whether it is necessary for Statistics Norway to collect these
+the data to carry out its social mission. We believe that the intervention cannot be considered as
+proportional if the purpose can be achieved in a sufficiently good way through others,
+less invasive means.
-personal information than about trust in public Norway. In our view, the core of
+An important factor in this specific weighing will be the achievement of SSB's objectives. The Norwegian Data Protection Authority
-the assessment of the privacy intervention what it is necessary for the state to know about the individual
+believes that, after a concrete assessment of the proportionality of the privacy intervention, one must
-citizen.
+accept that not all statistical purposes can be fully achieved. In such cases it is necessary to
+accept that data must be collected from other sources with the consequence that the statistics get a
+lower level of precision and quality.
+In this matter, we believe that Statistics Norway's mandate to utilize new, digital sources to prepare and
+developing statistics on the one hand, and the encroachment on privacy on the other, is i
-Public authorities have enormous amounts of data about citizens through various
+conflict. Privacy is not an absolute right, but there is still an outer limit to which
+interference with privacy that can be accepted.
+In a case like this, the right to privacy is primarily about trust in the public sector
+Norway, and less about the fear of misuse of personal data. In our view, the core of
+the assessment of the privacy intervention in this case what is necessary for the public
+authorities to know about the individual citizen.
+Public authorities have enormous amounts of data about citizens through various
 socio-economic registers and health registers. Through social security numbers, this data can be linked
 up against each other. The result of such connections is something more than just the sum of the individual parts
 the information; it can give a more or less complete picture of a single individual's life from
 cradle to grave.
 Public Norway has exclusively a mandate and authority that is linked to good
 purposes and objectives, be it crime fighting, public health, good
 welfare services or other. In many cases, it is absolutely essential to treat
-personal data to perform public tasks. In this case, the dietary statistics
+personal data to perform public tasks. The Norwegian Data Protection Authority believes that it is still possible
-requested by the health authorities, and the consumption statistics will be able to have a much better quality
+limit on which data public authorities can process about individuals, even there
-if bong data is used. There must still be a limit to what data public authorities can access
+the purpose is good. It is at the core of the Norwegian Data Protection Authority's tasks as a supervisory authority to assess
-can process about individuals, even where the purpose is good. It is at the core of the Norwegian Data Protection Authority
+where this boundary is to be drawn.
-tasks as a supervisory authority to assess where this line should be drawn.
-We believe that the ministry's conclusion in the preparations for the Statistics Act that processing to
-statistical purposes in general should be considered to be of little intervention is too unvarnished. The data collection
-which is the basis for the preparation of statistics can constitute a significant intervention in them
-data subject's privacy. Even if the end result is anonymous statistics, large numbers will
-personal data could be processed by a state body (SSB) in the process.
-As stated above, the privacy intrusion when collecting bong data is very large. It must
-is questioned as to whether it is necessary for Statistics Norway to collect this data in order to carry out its work
-social mission.
-The Norwegian Data Protection Authority believes that, after a concrete assessment of the privacy intervention
+A serious, long-term consequence of disproportionately large intrusions into privacy can be
-proportionality, must accept that not all statistical purposes can be fully achieved. It is in
+weakened trust in public authorities and lower willingness to share data with the public; it
-such cases necessary to accept that data must be collected from other sources with it
+the so-called cooling effect. Ultimately, this can affect the view of Norway as
+democratic society. We would like to point out that both the Norwegian Data Protection Authority and Statistics Norway have received many negatives
+reactions from individuals in this case.
-consequence that the statistics get a poorer level of precision and quality.
 .2 Statement of purpose and data minimization
@@ Line 949: / Line 1,116: @@
 relevant information for the purposes, cf. the principle of data minimisation. Here SSB states that
 different forms of selection of bong data probably could have been sufficient for some of them
 relevant statistical purposes. When it comes to development work, however, will not
 sample surveys, aggregations or less frequent data deliveries are sufficient.
 Statistics Norway has therefore itself pointed out that the assessment of necessity will be different for the different people
 the purposes.
-Furthermore, statistics production and method development are two different processes though
+Furthermore, statistics production and method development are two different processes, although
+statistical production is based on methods that have been developed using the basic data.
-statistical production is based on methods that have been developed using the basic data.
 In our view, this illustrates the weaknesses of the necessity assessment that has been carried out.
@@ Line 967: / Line 1,134: @@
-Against this background, it appears clear to the Norwegian Data Protection Authority that the production/dissemination of statistics
+Against this background, it appears clear to the Norwegian Data Protection Authority that the production/dissemination of statistics
 and development work must be defined as different processing purposes in the Personal Data Protection Regulation
 understanding.
 Nor can we see that Statistics Norway has assessed the dietary statistics and the consumption statistics separately.
-These are different forms of statistics that have different underlying considerations and
+These are different forms of statistics that have different purposes, underlying considerations and
 societal functions. As a result, the necessity assessment will be able to beat
@@ Line 987: / Line 1,156: @@
 adopt regulations on the obligation to provide information. Section 10 of the Statistics Act is thus a framework provision
 which presupposes that the detailed access to process personal data is determined in a
-other legal basis. Statistics Norway's processing of personal data must still be in line with
+other legal basis. Statistics Norway's processing of personal data must nevertheless be in line with
 the privacy regulations.
@@ Line 997: / Line 1,166: @@
 In this case, Statistics Norway has decided to obtain enormous amounts of information about Norwegians
-consumers' grocery purchases. The Norwegian Data Protection Authority believes that the privacy intrusion by the decisions is a lot
-greater than what Statistics Norway seems to have assumed. That the collection of bong data is done for
+consumers' grocery purchases. The Norwegian Data Protection Authority believes that the privacy intrusion by the decisions is
-statistical purposes are of secondary importance in this assessment as the intervention itself i
+considerably larger than what Statistics Norway seems to have assumed. That the collection of bong data is done
+for statistical purposes is of secondary importance in this assessment as the intervention itself i
 privacy already occurs at the time of data collection.
@@ Line 1,011: / Line 1,180: @@
 individual decisions, possibly adopting regulations, on the obligation to provide information.
-For comparison, we will highlight the process for approval of medical and
+From what we know, it is unusual for such an extensive collection and processing of
-health research projects. In medical and healthcare research, decisions on
+personal data to which this case applies is based on administrative decisions as supplementary
+legal basis.
+For comparison, we will refer to the system established for medical and healthcare professionals
+research projects. In medical and healthcare research, decisions on exemption from
+confidentiality and/or ethical approval decisions are the basis for the processing. In these
-dispensation from confidentiality and/or ethical approval decisions are the basis for
-the data processing. In these cases, the assessment is whether the data can be used for research
-added an external third party (respectively the Norwegian Directorate of Health and the regional committees for
-medical and healthcare research ethics, REK) and not to the person responsible for the research
-the institution.
+                                                                                                In the 19 cases, the assessment of whether data should be used for research is added to an external one
+third party (respectively the Norwegian Directorate of Health and the regional committees for medical and
+health research ethics, REK) and not to the institution responsible for the research.
-Although medical and healthcare research most often involves handling large quantities
+Medical and healthcare research usually involves handling large amounts of health data and
-health data and other personal data, the third-party assessment is considered a guarantee for
+other personal data. The third-party assessment is considered a guarantee for safeguarding
-safeguarding the research participants' rights and interests. The regional ethics committees
+the research participants' rights and interests. The regional ethics committees can for
-can, for example, set conditions for the collection, storage and use of data.
-Statistics Norway's main purpose is the production, dissemination and development of statistics. A natural
+for example, set conditions for the collection, storage and use of data.
-the consequence of this is that Statistics Norway will facilitate the execution of the tasks assigned to them
-best possible way. Statistics Norway's operations are also partly regulated by strategic guidelines nationally and
+It appears in the letter of 23 January 2023 that Statistics Norway considers this comparison to be a
-internationally. In the case of highly invasive processing of personal data, it is therefore
+external considerations. Statistics Norway points out that the Storting has adopted the Statistics Act without it
-particularly important that the privacy impact assessment that is the basis for a processing of
+is set up for an external third-party assessment and that this type of arrangement is therefore not possible
-personal data is good.
+is given weight in the case.
+We nevertheless believe that extensive processing of personal data pursuant to
+administrative decisions are so unusual that the comparison above is not irrelevant to ours
+assessment. As there is no external third-party assessment, and the Statistics Act §
+, which sets the framework, is so broadly designed, the Norwegian Data Protection Authority's control function will be the same
+more important.
+A natural consequence of SSB's purpose and social mission is that they must facilitate for
+performance of the tasks assigned to them in the best possible way. Statistics Norway's operations are also regulated
+partly of strategic guidance nationally and internationally. In highly invasive treatments
+of personal data, it is therefore particularly important that the privacy impact assessment which
+is the basis for the processing of personal data is good.
 As mentioned in point 6.1, we believe that the assessments made by Statistics Norway in connection with collection
 of bong data are lacking. As a consequence, the process harmonises towards Statistics Norway's decision
 on the obligation to provide information does not meet the requirements of the privacy regulations. The ratings that
 is settled against the principle of data minimization in the personal protection regulation article 5 no. 1
@@ Line 1,044: / Line 1,229: @@
 This means that it is not possible to make a fully sound proportionality assessment, like this
 the privacy regulation article 6 no. 3 requires.
 For Statistics Norway's operations, Statistics Norway alone can assess and decide that data should be collected. Any actor,
 private as well as public, may be required to hand over personal data on a large scale.
 Decisions on the obligation to provide information can be appealed to the Ministry of Finance, but we consider that such
@@ Line 1,052: / Line 1,237: @@
 with purposes other than just the preparation and development of statistics.
-The Norwegian Data Protection Authority assumes that an administrative decision made by Statistics Norway does not provide sufficient information
+The Norwegian Data Protection Authority has assumed that the invasion of privacy when collecting Bong data is very serious
-guarantees for those registered for such intrusive processing as collection of bong data.
+large. We believe that an administrative decision made by Statistics Norway pursuant to section 10 of the Statistics Act does not
+is a sufficiently clear and predictable legal basis for such extensive processing.
+Statistics Norway's decision also does not provide sufficient guarantees for those registered for such an intervention
+processing such as collection of bong data. We believe that this view has support in
-The legal basis is not sufficiently clear, precise and predictable. We believe that this view
-has support in the wording of the Personal Data Protection Ordinance, the preparations for the Personal Data Act and
-case law from the European Court of Justice and the European Court of Justice.
+wording of the Personal Data Protection Ordinance, the preparations for the Personal Data Act and case law from
+ECtHR and the European Court of Justice.
 The Norwegian Data Protection Authority is therefore of the opinion that Statistics Norway's decision on the obligation to provide information to
 the grocery operators do not meet the requirements of the supplementary legal basis i
+the personal protection regulation article 6 no. 3.
-the personal protection regulation article 6 no. 3.
-.4 Conclusion
+.4 Conclusion: Decision on banning the processing of personal data
 The Norwegian Data Protection Authority has come to the conclusion that Statistics Norway's decision on the obligation to provide information to the grocery operators
 NorgesGruppen ASA, Coop Norge AS, Rema 1000 AS and Bunnpriskjeden, comprised of
@@ Line 1,070: / Line 1,262: @@
 the personal protection regulation article 6 no. 3.
+We have therefore decided to adopt a ban on the processing of personal data in the form of
-We have therefore decided to notify Statistics Norway of a decision to ban the processing of
+bong data, cf. the personal data protection regulation article 58 no. 2 letter f.
-personal data in the form of bank data.
+. Right of appeal
+This decision can be appealed within three weeks after you have received this letter, cf.
+Sections 28 and 29 of the Administration Act. A possible complaint is sent to the Norwegian Data Protection Authority.
+If we uphold our decision, the case will be sent to the Norwegian Personal Protection Board for
+complaint processing, cf. Personal Data Act § 22.
+With best regards
-7. Further proceedings
-This letter is an advance notice of a decision to prohibit the processing of
-personal data, cf. section 16 of the Public Administration Act.
-Any comments on this notice must be sent to us no later than three weeks after receipt
-of this letter.
-We assume that the decisions on the obligation to provide information are still under appeal processing at
-The Ministry of Finance and that the collection of bank data has not been initiated. We therefore do not see it
-necessary to set a shorter deadline for feedback.
-If you have any questions, you can contact section manager Camilla Nervik or
-case manager Susanne Lie.
-With best regards
@@ Line 1,102: / Line 1,282: @@
 director
                                                                     Susan Lie
                                                                     legal professional director
@@ Line 1,125: / Line 1,304: @@
 </pre>