Datatilsynet (Norway) - 22/03622: Difference between revisions

From GDPRhub
No edit summary
Line 81: Line 81:


The various interactions clarified that SSB had instructed the main grocery chains in Norway (Rema 1000, NorgesGruppen, Coop and Bunnpris, accounting for about 99% of the Norwegian grocery market) to start submitting purchase transaction data ("bongdata" in Norwegian) to them on a regular basis, including:
The various interactions clarified that SSB had instructed the main grocery chains in Norway (Rema 1000, NorgesGruppen, Coop and Bunnpris, accounting for about 99% of the Norwegian grocery market) to start submitting purchase transaction data ("bongdata" in Norwegian) to them on a regular basis, including:
name of item
 
price per item
* name of item
total amount of the receipt
* price per item
payment method
* total amount of the receipt
amount per payment method
* payment method
start and end time of the purchase
* amount per payment method
ID of returns
* start and end time of the purchase
ID for terminated purchase
* ID of returns
ID of offers/discounts
* ID for terminated purchase
* ID of offers/discounts


The data would be reported directly from their point of sale systems so that SSB would receive the data continuously. Purchased items would be classified into product groups and consumers would be classified by size and type of household, income, level of education and country region. This would be contingent on a connection to transactional data/bank account number and then birth date.
The data would be reported directly from their point of sale systems so that SSB would receive the data continuously. Purchased items would be classified into product groups and consumers would be classified by size and type of household, income, level of education and country region. This would be contingent on a connection to transactional data/bank account number and then birth date.


SSB's legal basis for the processing is the Statistics Act § 10 Duty to provide information, which states that "any person must provide the data that are necessary to develop, produce or disseminate official statistics if so ordered by Statistics Norway". The purpose of the intended processing is to develop, produce and disseminate official statistics as per the Statistics Act, and SSB considers the processing to be necessary.
SSB's legal basis for the processing is the [https://www.ssb.no/en/omssb/ssbs-virksomhet/styringsdokumenter/statistikkloven/_/attachment/inline/15f00d0d-322a-4b96-bfcb-a0159f76e2c2:165eaa37f1aae978f2a570066c4ad86830ae2094/Statistikklov_ENGELSK_red29des2020.pdf Statistics Act] § 10 ''Duty to provide information'', which states that "any person must provide the data that are necessary to develop, produce or disseminate official statistics if so ordered by Statistics Norway". The purpose of the intended processing is to develop, produce and disseminate official statistics as per the Statistics Act, and SSB considers the processing to be ''necessary''.


During the investigation, SSB shared two data protection impact assessments (DPIA) with the DPA, one dated 27 January 2021 and the other from the period October 2021 to June 2022.
During the investigation, SSB shared two data protection impact assessments (DPIA) with the DPA, one dated 27 January 2021 and the other from the period October 2021 to June 2022.
Line 102: Line 103:
The DPA also notes that SSB's assessments are inadequate and their impression is that SSB has an insufficient understanding of the concept of personal data protection, privacy as a fundamental right and the value of adequate privacy.
The DPA also notes that SSB's assessments are inadequate and their impression is that SSB has an insufficient understanding of the concept of personal data protection, privacy as a fundamental right and the value of adequate privacy.


Based on Article 58(2)(f), the DPA held that Statistics Norway does not have a sufficient supplementary legal basis as per Article 6(3) to process the personal data as intended, and consequently imposed a ban on the processing.
Based on [[Article 58(2)(f)]], the DPA held that Statistics Norway does not have a sufficient supplementary legal basis as per [[Article 6 GDPR|Article 6(3)]] to process the personal data as intended, and consequently imposed a ban on the processing.


Statistics Norway has three weeks (until 19 December 2022) to provide comments to the DPA before they make their final decision.
Statistics Norway has three weeks (until 19 December 2022) to provide comments to the DPA before they make their final decision.

Revision as of 08:33, 1 December 2022

Datatilsynet - 22/03622
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(c) GDPR
Article 6(3) GDPR
Article 58(2)(f) GDPR
Statistikkloven (The Statistics Act, in English)
Statistikkloven (The Statistics Act)
Type: Investigation
Outcome: Violation Found
Started: 01.05.2022
Decided: 28.11.2022
Published: 30.11.2022
Fine: n/a
Parties: Statistisk sentralbyrå (Statistics Norway)
National Case Number/Name: 22/03622
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Norwegian
Original Source: Datatilsynet (the Norwegian DPA) (in NO)
Datatilsynet (the Norwegian DPA) (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA has notified the national statistical institute of an intention to ban their planned real-time mass-processing of nearly all purchase transactions in the country, including linkage to bank accounts and birth dates, for the purpose of providing official statistics.

English Summary

Facts

In May 2022, the Norwegian DPA Datatilsynet was approached by a grocery chain and a payment transaction provider regarding an instruction the former had received from Statistics Norway (SSB), the national statistical institute, to submit purchase transaction data to them. The DPA had also received several complaints and inquiries from private parties regarding this matter, and in June they asked SSB, by letter, to clarify. Following their reply, the parties had a meeting in August.

The various interactions clarified that SSB had instructed the main grocery chains in Norway (Rema 1000, NorgesGruppen, Coop and Bunnpris, accounting for about 99% of the Norwegian grocery market) to start submitting purchase transaction data ("bongdata" in Norwegian) to them on a regular basis, including:

  • name of item
  • price per item
  • total amount of the receipt
  • payment method
  • amount per payment method
  • start and end time of the purchase
  • ID of returns
  • ID for terminated purchase
  • ID of offers/discounts

The data would be reported directly from their point of sale systems so that SSB would receive the data continuously. Purchased items would be classified into product groups and consumers would be classified by size and type of household, income, level of education and country region. This would be contingent on a connection to transactional data/bank account number and then birth date.

SSB's legal basis for the processing is the Statistics Act § 10 Duty to provide information, which states that "any person must provide the data that are necessary to develop, produce or disseminate official statistics if so ordered by Statistics Norway". The purpose of the intended processing is to develop, produce and disseminate official statistics as per the Statistics Act, and SSB considers the processing to be necessary.

During the investigation, SSB shared two data protection impact assessments (DPIA) with the DPA, one dated 27 January 2021 and the other from the period October 2021 to June 2022.

Holding

From the first DPIA, the DPA highlights a section describing that information about nearly all grocery purchases for the entire population of Norway would be collected, stored indefinitely, without allowing the data subjects to exercise their rights (because of exceptions in the national regulations). The DPA notes that SSB would receive extensive data more or less in real-time and with a high degree of accuracy, about every individual's grocery shopping, including where, how and what they purchased, for any purchase made at stores covering 99% of the Norwegian market (unless they paid by cash).

The DPA also notes that SSB's assessments are inadequate and their impression is that SSB has an insufficient understanding of the concept of personal data protection, privacy as a fundamental right and the value of adequate privacy.

Based on Article 58(2)(f), the DPA held that Statistics Norway does not have a sufficient supplementary legal basis as per Article 6(3) to process the personal data as intended, and consequently imposed a ban on the processing.

Statistics Norway has three weeks (until 19 December 2022) to provide comments to the DPA before they make their final decision.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

STATISTICAL CENTRAL BUREAU
PO Box 2633 St. Hanshaugen

0131 OSLO








Your reference Our reference Date
                        22/03622-10 28.11.2022



Notice of decision on banning the processing of personal data


The Norwegian Data Protection Authority refers to previous contact and correspondence in connection with our control case
linked to Statistics Norway's decision on the obligation to provide information in the form of handing over bank data
for four grocery players.


Statistics Norway (hereafter Statistics Norway) has ordered the players to transfer the bank data for the customers
commodity transactions. The four players are NorgesGruppen ASA, Coop Norge AS, Rema 1000 AS
and the Bottom Price Chain.


 1. The proceedings
The Norwegian Data Protection Authority became aware of the case through inquiries from NorgesGruppen ASA and

the payment intermediary Nets Branch Norway in May 2022.

The Norwegian Data Protection Authority has also received several complaints and inquiries from private parties in this matter.


We sent a demand for an explanation to Statistics Norway on 02.06.2022. Statistics Norway answered our questions in a letter by
13/06/2022.


On 29 August 2022, a meeting was held between the Norwegian Data Protection Authority and Statistics Norway on the occasion of the case. The meeting
was reported. Draft minutes were sent to Statistics Norway on 01.09.2022, and Statistics Norway agreed
comments on the minutes on 07/09/2022. The final report was sent to Statistics Norway on 21 September 2022.


The Norwegian Data Protection Authority has also received copies of correspondence relating to NorgesGruppen ASA and
Coop Norge AS' complains about Statistics Norway's decision on the release of bin data. As far as we know,
the complaints are being processed by the Ministry of Finance as the complaints body.


 2. Notice of decision
Pursuant to the personal data protection regulation, article 58 no. 2 letter f, the Norwegian Data Protection Authority notifies the following

decision:




Postal address: Office address: Telephone: Org. no: Website:
PO Box 458 SentrumTrelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
0105 OSLO 0191 OSLO The Norwegian Data Protection Authority bans the processing of Bong data on the basis of a decision on
        obligation to provide information determined by Statistics Norway. There is no sufficient supplementary legal provision
        basis for the processing, cf. the personal data protection regulation article 6 no. 3.

 3. More details about SSB's planned processing of bong data
3.1 The decisions on the obligation to provide information
In the decisions on the obligation to provide information to the grocery operators, Statistics Norway states that bank data from

the grocery trade is considered to be of great use for the production of official statistics which are
important to society. Statistics Norway will produce statistics on consumption in Norwegian households and new
statistics on diet.

Furthermore, the data will be used to investigate the consumer price index and merchandise trade statistics
can have bong data as a data base.


Statistics Norway will also test and develop new methods to ensure even greater confidentiality in
statistics production.

The voucher data will include, among other things:
     product name
     price per item

     total amount on receipt
     method of payment
     amount per payment method
     start and end time for trading

     identifier on return
     identifier of completed trade
     identifier of the sale/offer

Any customer loyalty numbers must not be reported.


The voucher data must be reported as streamed data from the cash register systems, so that Statistics Norway receives it
the data continuously.

NorgesGruppen ASA and Coop Norge AS have appealed against the decisions on the obligation to provide information. SSB
has maintained its decisions and forwarded the complaints to the Ministry of Finance on 04.10.2022
for complaint processing.


3.2 Statistics Norway's report to the Norwegian Data Protection Authority
3.2.1 Statement of purpose
In the statement dated 13 June 2022, it appears that Statistics Norway considers the development, preparation and
dissemination of official statistics as one processing purpose, as the tasks are set out in
the Statistics Act.

This interpretation appears from the legislative preparations, Prop. 72 LS (2018-2019), in the notes to

the purpose provision in § 1 and to § 17 on SSB's tasks. Here is development, preparation and
dissemination of official statistics referred to as one main purpose and one main task. Also in



                                                                                               2NOU 2018: 7 New Act on Official Statistics and Statistics Norway is stated in point 10.4
that: "Method development is an integral part of the work of producing statistics".

Statistics Norway nevertheless points out that the assessment of necessity and the result of concrete data minimization
will be able to turn out differently depending on whether the purpose is development or preparation of current
statistics.


3.2.2 Consumption statistics
Statistics Norway has explained what it wants to achieve by using bong data to produce
consumption statistics.

Voucher data will improve the quality of consumption statistics. The voucher data will be connected
self-reported purchases (on the basis of consent), and it will be possible to correct for measurement errors in
the self-report. The comparison will provide a basis for supplementing the statistics with

improved uncertainty estimates.

The production of statistics will also be made more efficient by classifying grocery purchases
automatic. The methods for automatic classification have been developed with test voucher data from 2018.
This has an impact on the quality of the statistics, but it will also have a great impact on
the use of resources to prepare the statistics. Furthermore, the statistics on grocery consumption can
broken down on far more levels than has been possible in the past.


In addition, Statistics Norway will be able to gain valuable knowledge about the strengths and weaknesses of the various data sources,
so that one can further develop the methods for estimating uncertainty and adjusting for biases.
This is one of several possible analyses, which may in turn provide a basis for data minimization in the future
statistics production.

3.2.3 Dietary statistics

Since the beginning of 2020, Statistics Norway has investigated the possibilities for preparing new diet statistics
based on information about which foodstuffs the Norwegian population buys from the largest
the players in the grocery market. The work has been carried out in close collaboration with, among others
The Norwegian Directorate of Health and the large grocery chains.

Statistics Norway plans to publish official diet statistics based on information on sales

food from grocery chains and information on the nutritional content of food obtained from others
sources, based on test voucher data from 2018. From 2023, the diet statistics will be further developed with
new bong data and information from other data sources, including information on households
from registers SSB already uses in other statistical production.

Access to all information that the grocery chains can supply (so-called full count) is as of today
crucial for Statistics Norway to be able to produce dietary statistics. Complete data will provide

basis for development work that may lead to future data minimization. This work will
could not be done without obtaining data on all purchases, where one looks at occurrences in and
variations between smaller groups. Statistics Norway also considers it necessary to use a full count for
to observe basic statistical principles such as quality awareness, cost-effectiveness,
relevance, accuracy and reliability.




                                                                                                  33.3 Summary of the meeting between the Norwegian Data Protection Authority and Statistics Norway
In the meeting, Statistics Norway explained its mandate, which is to develop, prepare and disseminate official
statistics. Through political guidelines and assignment letters, Statistics Norway is required to look for and adopt
new data sources as a basis for statistics, in addition to developing new methods for
statistics production.

Statistics Norway explained their work with consumption statistics, that is, statistics on what the country's

households spend money on. The last survey was carried out in 2012. Statistics Norway has had problems
with obtaining acceptable data quality as the survey has been based on volunteers
reporting, with a significant task burden for the participants and high drop-out rates. Furthermore, have
The Norwegian Directorate of Health expressed a need for dietary statistics as a basis for public health work,
and Statistics Norway has an established collaboration with the grocery chains to develop a data basis.

Barcode data is already collected today from, among other things, grocery chains for use in

the consumer price index (CPI), but in an aggregated format. Furthermore, Statistics Norway has received bank data and
bank transaction data in a development project where it was investigated whether bank data can be used for
the desired purpose – consumption and diet statistics. In parallel with the collection of new
bongdata, Statistics Norway will collect data through self-reports, where consumers, among other things,
can scan receipts.

SSB explained in more detail the planned processing of bong data internally at SSB. The goods which

are purchased will be classified into product groups. Furthermore, consumers will be classified according to
household size/type (about 10 groups in total) and other background variables, such as
household income (grouped), level of education and region/region. This presupposes a
link to transaction data/account number and then national ID number.

All use of information, including linking bank data to bank transaction data and
account number, is done with pseudonymous data, so that the individual receipt cannot be linked

directly against an individual. The receipts as they are received are stored in the system as raw data, that is
that is, without the link to the individuals who have made the purchases. Systems for
access management has been established, and access to raw data is strictly regulated. In principle it is
however, it is possible to make the connection again at a later time.

For the further processing of the bank data internally at Statistics Norway, the individual transaction will therefore

be aggregated at household group level. As the treatment is now planned and
presented, you will not be able to follow an individual household over time - only
household groups. Statistics Norway focuses on removing the data you do not need as early as possible
in the process. A statutory confidentiality requirement applies to the publication of official statistics,
that is to say that individuals/households should neither directly nor indirectly be able to
are identified.


Statistics Norway plans an evaluation of the solution in 2023, where, among other things, the level of detail of the data,
frequency and extent will be assessed.







                                                                                                 43.4 The cost-benefit assessment
Section 10 fifth subsection of the Statistics Act requires that Statistics Norway conduct a cost-benefit assessment before they
decides to adopt an order on the obligation to provide information.

                                                            1
Statistics Norway has published the cost-benefit assessment on its website. We will summarize them below
the parts of the assessment that are linked to consequences for data subjects' privacy.

Statistics Norway states that bank data from grocery chains does not contain personal information in itself.
Through links to other sources, bong data can still be linked to a person. By connecting
a voucher for a payment transaction (a payment by bank card), purchases of goods can be linked

person and household via data from the Swedish Tax Agency and the National Register of Citizens. The link to person will
could be done for more than 70% of the bonds.

Statistics Norway considers that the bong data acquires the character of being sensitive personal data when they
linked to an individual and a household. It is emphasized that the bong data are distinctive both on

because of the large amount of data and because the information is not already available in public
register. In addition, Statistics Norway will receive the data in near real time and with a high degree of detail. They connected
the data will include information about where and when the individual has shopped for groceries, and that
detailed information will appear about which goods and quantity of goods you have bought.
This applies to all purchases from the four grocery operators that are not paid in cash.
The players together cover 99% of the market.


The individual consumer cannot be expected to be aware that Statistics Norway will use the electronic ones
the traces from ongoing purchases, and forward these with personally identifiable data, to create
statistics. Statistics Norway states that it is therefore important that the bong data is processed extra
caution, and Statistics Norway will implement extra measures to safeguard privacy and

information security.

The privacy deficiencies must be remedied through the general security measures that apply to everyone
processing of statistical information. Statistics Norway must ensure confidentiality in all dissemination of
statistics, is subject to a duty of confidentiality and must implement measures to achieve a satisfactory
security level. This includes, among other things, ensuring adequate access management, logging

and subsequent control as well as regular risk and vulnerability analyzes and
threat simulations.

Statistics Norway will pseudonymise the personal data upon receipt, and aggregations of data adapted
the individual statistical needs will be an important measure. An important part of the investigative work will

be aimed at the development of new methods for data minimization and promoting privacy
production processes when processing this type of data.

Furthermore, the information shall only be used for statistical purposes within the framework of
the Statistics Act. According to Statistics Norway, statistical use is generally a purpose that has a low
privacy risk.


1
 https://www.ssb.no/omssb/ssbs-versiktom/kost-nyttevuderning/leveranse-av-bongdata-fra-dagligvarekjedene-
rema-1000-norgesgruppen-coop-and-bottom-price



                                                                                                 5 In its assessment of whether the information is necessary and relevant, cf. the principle of
data minimisation, Statistics Norway states that different forms of selection of bong data could probably have been
sufficient for some of the relevant statistical purposes. Daily reporting of bong data on
However, product level will also enable many forms of development work, both for new ones
statistical products and methods for processing this type of data. This work will not be
possible with sample surveys, aggregations or less frequent data deliveries.


Statistics Norway assesses that there are no conditions in the bong data that indicate limitations in
secondary use.

3.5 The assessment of privacy consequences
The Norwegian Data Protection Authority has received two assessments of privacy consequences (DPIA) from Statistics Norway, one
dated 27.01.2021 and the other from the period October 2021 to June 2022.


The first assessment relates to the completed development project where testing has been carried out
out the use of bong data, while the second assessment concerns the planned treatment. We
nevertheless considers several of the assessments in the privacy impact assessment dated 27.01.2021
as relevant to the planned use of bong data.

On page 4 of the assessment from 27.01.2021, it is explained why a need has been identified
for such a privacy impact assessment:


        "Data from the grocery chains contains detailed information about which products are
        purchased, location and time. Bank transaction data includes all purchases with
        debit cards, of all types, in addition to the location and time of transaction. In that these two
        sources are linked to bank account and bank account owner, it will be possible to do
        compilations so that we can link individuals to both time, place and what these are
        buyer of goods and services. The potential to be able to make such connections suggests that

        the data is considered to contain personally identifiable and sensitive information, and they
        must be dealt with accordingly".

Furthermore, it appears on page 6 et seq. that information will be collected on virtually everyone
grocery purchases for the entire Norwegian population, and the data must be stored permanently. The
registered persons cannot exercise their rights either, as exceptions to these have been made

the rights in the regulations.

As regards how the processing will be perceived from the data subject's point of view, it appears
the following on pages 10 and 11:

        “The data described in this DPIA contains directly identifiable
        personal data. It must be assumed that the registered person experiences this as intrusive and

        basically offensive.

        We are talking about large amounts of data that apply to information that does not exist in it
        public records. This means that those to whom the information applies are neither prepared
        or have an expectation that this information will be collected and processed by one




                                                                                               6 public authority. However, the data subject is aware that the information
        is registered and is available to the grocery chains.

        In our opinion, the privacy disadvantage consists of perceived discomfort when a public
        authority sits on this type of information which is perceived by many to belong to it
        private sphere. Correspondingly, it can be experienced as a disadvantage for traders, among others
        otherwise based on competitive assessments. The privacy disadvantage

        increases when the information is compiled with other sources. Receipt data for
        persons are planned to be linked with account holder information from the tax authorities and
        transaction data from banks, as well as the household register.

        The disadvantages described above are partially remedied by general security measures that apply to everyone
        processing of statistical information in Statistics Norway. In addition, SSB's special
        security measures that have been established for this data in particular. It is also emphasized that the purpose

        is the development of statistics, that the processing is regulated in the Statistics Act, and that
        information about the individual registered shall not be processed separately'.

3.6 Legal assessment from Statistics Norway
Statistics Norway has sent an undated assessment with the heading "The principle aspects of
collection of detailed information on individual citizens – the relationship with the Constitution and ECHR and
the requirement of proportionality'. The assessment states, among other things, the following:


        "Even if the statutory power of attorney in section 10 of the Statistics Act is not considered to
        be contrary to basic human rights, the specific use of
        the authority is assessed in each individual case. Statistics Norway believes that legally regulated purpose/use
        limitation and the data minimization measures that have been implemented to a sufficient extent
        reduces the inconvenience for the individual, so that the treatment is considered not to be in breach
        with Section 102 of the Constitution or Article 8 of the ECHR. Special reference is made here to the fact that

        Bong data is not at any time stored or processed with personal identifiers
        characteristic, that bong data is only handled aggregated at group level (in reality a two-
        dimensional aggregation in that bong data is aggregated on different product groups and
        collated with households aggregated to different socio-social groups). The result
        of the link are anonymous statistics”.


Statistics Norway believes that the established data minimization and security measures are sufficient
takes care of both the grocery chains and the customers. Statistics Norway still wants to develop further
new methods and tools that can further reduce the privacy disadvantage.

 4 Relevant legal rules
The Norwegian Data Protection Authority monitors compliance with the privacy regulations, cf.
Article 57 of the regulation and § 20 of the Personal Data Act.


Below, we will explain the legal rules that we believe are relevant in the present case.







                                                                                                74.1 The right to privacy
4.1.1 Privacy as a human right
Everyone has the right to protection of their privacy. This is a right protected by the European
the Human Rights Convention (ECHR) as well as a constitutional right. A central part of the dish
to privacy is the right to protection of one's personal data.

The ECHR has been made Norwegian law through the Human Rights Act of 1999. In the ECHR article 8 no. 1

it appears that "[e]veryone has the right to respect for his private life and family life, his home and his
correspondence".

Furthermore, Article 8 no. 2 of the ECHR states that interventions in citizens' privacy must be "in accordance with
the law". The intervention must be necessary in a democratic society for reasons of importance
societal interests.


The right to privacy is recognized as a central human right by being taken into
Section 102 of the Constitution, where it is stated, among other things, that "[e]veryone has the right to respect for his
privacy and family life, one's home and one's communication" and that "[t]he state authorities shall
ensure protection of personal integrity".

As regards the relationship between the human right to privacy and the privacy regulations,
we also refer to the preparations for the Personal Information Act, Prop. 56 LS (2017-2018), point 6.4.

Here it appears on page 34:

        "In its practice, the EMD has assumed that public authorities' storage of
        personal data that is linked to private life within the meaning of the provision constitutes a
        intervention in the court pursuant to ECHR article 8 no. 1, see Amann v. Switzerland 16.2.2000 [ECHR-
        1995-27798] paragraph 65 and S. and Marper v. Great Britain 4.12.2008 [EMD-2004-
        30562] section 67”.


That states' collection and storage of personal data is an intervention in itself must be recognized
reason when assessing privacy intrusions.

4.1.2 The principle of legality
In a legally secure and democratic society, it is crucial that the state does not intervene

the citizens without authorization. This is called the principle of legality and is anchored in Section 113 of the Constitution,
which specifies that "[t]he intervention of the authorities towards the individual must have a basis in law". As
mentioned above, ECHR Article 8 no. 2 also states that interference with citizens' privacy requires
sufficient authority. Such protection against arbitrary and unpredictable interventions is an important one
guarantee of legal certainty.

The requirement for the clarity of the law is tightened in line with the size of the intervention. The most serious

the interventions must be based on law rather than regulations or administrative decisions. In case of significant
intervention in the citizens' legal sphere, it must be clear from the wording of the law that the intervention is covered
of the relevant statutory provision. Enshrining privacy intrusions in the legal text itself creates
greater predictability for the general public, and laws are adopted through a thorough democratic process





                                                                                                8process where trade-offs between the individual's privacy and the state's need for treatment of
personal information must be done.

In Section 113 of the Constitution, there is a further requirement that there must be intervention towards the citizens
necessary to fulfill legitimate purposes. This means that an intervention in privacy must have
a useful value for society.


The requirements for legal regulation are also evident from our human rights obligations according to Den
the international convention on civil and political rights (SP), which has been made Norwegian law
through the Human Rights Act from 1999. In Norwegian law, it is assumed that national legislation
is in line with our international obligations in the area of human rights.

4.2 The principle of data minimization
The basic principles for processing personal data are set out in

Article 5 of the Personal Data Protection Regulation. Particularly central to this case is the principle of
data minimization.

The principle of data minimization appears in the personal data protection regulation article 5 no. 1 letter c,
according to which personal data must be "adequate, relevant and limited to what is
necessary for the purposes for which they are processed”.


According to the principle of data minimisation, it is not sufficient that it is practical or desirable to
process personal data; the processing must be necessary for the purpose to be achieved.
The requirement of necessity will naturally become more stringent the greater the invasion of privacy.

The principle of data minimization also includes an overarching assumption that the processing of
personal data contributes to achieving a specific purpose. The purpose description will be that
natural starting point for assessments of the utility value of a treatment. The more

the more invasive the measure, the greater the requirements for the purpose description and a documented
usefulness of the measure.

4.3 Legal basis
4.3.1 The Personal Data Protection Regulation
Any processing of personal data must have a legal basis to be legal.

The Personal Protection Regulation Article 6 No. 1 provides an exhaustive overview of which legal
grounds (authorities) that may be the basis for processing personal data - and
thus an intervention in privacy.

Article 6 no. 1 letter c (fulfilment of a legal obligation) and e (exercise of public
authority or performance of a task in the public interest) are the most relevant
the provisions for the cases where public authorities intervene in citizens' privacy.


When applying the above-mentioned authorities, there must be an additional authority in national law
or in EU law that imposes duties or tasks on public authorities.
This follows from Article 6 No. 3 of the Personal Protection Ordinance and is described as supplementary
legal basis.




                                                                                                94.3.2 Statistics Act
Statistics Norway's tasks and area of authority are regulated in the Statistics Act with regulations. SSB access
to order other businesses to hand over information for statistical purposes is regulated in
Section 10 of the Statistics Act. The provision reads:

        "1) Anyone must, without being hindered by the duty of confidentiality and by order from Statistics Norway
        provide information that is necessary for the development, preparation or dissemination of

        official statistics. The duty applies to information about the person obliged to provide information and others
        information over which the person obliged to provide information has the right to dispose of it. A deadline can be set
        to provide information. Confidentiality as mentioned in the Criminal Procedure Act § 119 first and
        second paragraph and the Disputes Act section 22-5 first paragraph precede the obligation to provide information according to the first
        dot.

        (2) Statistics Norway can issue regulations on the obligation to provide information and order

        obligation to provide information in individual cases.

        (3) Information can be refused to be disclosed in accordance with the first paragraph when an exception is required for reasons
        to national defense and security interests or police crime-fighting
        business.

        (4) Statistics Norway may determine the manner in which the information is to be provided and

        which documentation must be included. No remuneration can be required for this
        costs of fulfilling the obligation to provide information.

        (5) Before Statistics Norway decides to impose an obligation to provide information, there must be a
        assessment of the usefulness of receiving the information, weighed against the costs for it
        subject to disclosure and how invasive the treatment is considered to be for it
        the information applies. The assessment must be made public.


        (6) The Ministry may issue regulations on the obligation to provide information pursuant to this provision,
        among other things about limitations in the duty to provide information".

In the preparations for the Statistics Act, Prop. 72 LS (2018-2019), the relationship with the Constitution and
ECHR and the right to privacy discussed. It appears in point 5.1.4.8 on page 42:


        "Statistics Norway's collection of personal data will also constitute an intervention in
        the right to privacy according to Section 102 of the Constitution and Article 8 of the ECHR. The processing is then only
        permitted if it has sufficient authority, pursues a legitimate purpose and is
        proportionately. For a general discussion of these requirements, reference is made to Prop. 56 LS
        (2017–2018) point 6.4. As it appears there, Section 102 of the Constitution has clear similarities
        with Article 8 of the ECHR, and must be interpreted in the light of this, cf. Rt-2015-93. It is not

        evidence that Section 102 of the Constitution sets stricter requirements than Article 8 of the ECHR
        legal basis for processing personal data. Statistics Norway can follow
        The proposal collects a large amount of personal data. According to the Ministry's assessment
        is this necessary for the agency to be able to fulfill its societal task of developing,
        prepare and disseminate official statistics. This is a legitimate purpose. Statistically




                                                                                                10 Central Agency must process the information in a reassuring manner and only for them
        the purposes mentioned in the bill § 10. Further processing of information is
        discussed in chapters 6 and 7.2. The ministry also refers to the discussion in chapter 4 of statistical
        confidentiality, non-disclosure and information security. On this background consider
        the ministry the proposal for a statutory provision as proportionate.

        According to the ministry's assessment, the proposal meets the requirements of Section 102 of the Constitution and

        Article 8 of the ECHR".

Furthermore, it is stated in point 6.2.4.7 on pages 61 and 62:

        "If disclosure would constitute an intrusion into the right to privacy pursuant to Section 102 of the Constitution
        and Article 8 of the ECHR, it must nevertheless be assessed whether more specific ones are necessary
        legal or regulatory provisions and/or guarantees to fulfill the Constitution and

        ECHR's requirements for a legal basis for invasion of privacy.
        (…)
        The special regulation on the processing of personal data in the Personal Data Protection Ordinance to
        among other things, research purposes and statistical purposes indicate that this type of treatment
        considered to be minimally invasive'.

4.4 Requirements for the supplementary legal basis

Article 6 no. 3 of the Personal Protection Regulation contains several additional requirements
the legal basis. The supplementary legal basis – whether it is a legal authority, a
regulation or an administrative decision – must therefore meet certain criteria.

According to Article 6 No. 3, it must be clearly stated that the processing of personal data is
necessary to carry out a publicly beneficial task or exercise public authority.


Furthermore, it is required that the supplementary legal basis must "meet an objective in the public interest
interest and stand in a reasonable relationship to the legitimate aim sought to be achieved". It is laid
i.e. up to a proportionality assessment, in which the intervention in privacy must be in relation to
the social good that is achieved.

The preamble to the Personal Data Protection Regulation in many cases provides guidance for the specifics

the provisions of the regulation, including Article 6 No. 3.

Although a supplementary legal basis does not have to be in the form of a law, it appears from
recital 41 that the legal basis should be "clear and precise". It further states that
the application of the legal basis should be predictable for citizens.

The requirements for the supplementary legal basis are discussed by the Ministry of Justice and Emergency Preparedness in

the preparations for the Personal Data Act, Prop. 56 LS (2017-2018). Section 6.3.2 states:

        "It follows from recital 41 that "when this regulation refers to a legal
        basis or a legislative measure, this does not necessarily require one
        regulatory act adopted by a parliament'. In the ministry's view, it must be added




                                                                                                11 reason that in any case statutory and regulatory provisions may constitute supplementary
        legal basis. The Ministry assumes that also decisions made in accordance with law or regulations
        are covered, as there is also a legal or regulatory basis in these cases".

However, this is nuanced in the following:

        "If the processing of personal data constitutes an intrusion into the right to privacy

        according to Section 102 of the Constitution or Article 8 of the ECHR, it may however be necessary
        a more specific legal basis for the processing than the wording of the regulation can
        indicate. It also follows expressly from recital 41 that there should be a legal basis
        "clear and precise, and its application should be predictable to persons who
        covered by it, in accordance with the case law of the Court of Justice of the European Union
        (the "Court") and the European Court of Human Rights. In other words, must
        the regulation's requirement for a supplementary legal basis for the processing is interpreted and applied

        in line with the human rights requirements for a legal basis for interference with the right to
        privacy. This means that a closer assessment of the legal basis must be made
        and the treatment, where, among other things, emphasis must be placed on how invasive
        the treatment is. Depending on the circumstances, the outcome of such an assessment may be that
        a more specific basis than what might appear to be the minimum requirements is required
        the wording of the regulation".


In point 6.4 of the preparatory work it also appears:

        "At the same time, there is no doubt that the regulation's general rules, possibly i
        combination with a supplementary legal basis that only meets the minimum requirements
        according to the wording in Article 6 no. 3, will not always provide a sufficiently specific legal basis
        or necessary guarantees in line with the Constitution and the ECHR. It will then be necessary to
        design more specific legal bases and additional guarantees in national law, and that will i

        in many cases be necessary with express authority in special legislation.
        In other words, the regulation must be interpreted and applied in light of the Constitution and the ECHR.

        (…) The requirements in the Constitution and the ECHR on the legal basis for invasion of privacy can
        in the circumstances imply that the supplementary legal basis must contain such
        more specific provisions that Article 6 nos. 2 and 3 allow for. What is required of

        the supplementary legal basis, cannot be answered in general, but must be decided according to one
        concrete assessment".

The European Court of Justice states the following in case C-175/20 in section 83:

        "In this regard, it is nevertheless noted that the legislation which forms
        basis for the processing, in order to fulfill the requirement of proportionality, such as Article 5,

        item 1, letter c) (…) is an expression of (…), must lay down clear and precise rules, where
        regulates the scope and application of the measure in question, and which
        lays down minimum requirements, so that the persons whose personal data are affected prevail
        over sufficient guarantees, which make it possible to effectively protect this information
        against the risk of abuse. This legislation must be legally binding in national law




                                                                                                12 and in particular state, under what circumstances and under what conditions that can
        a measure is adopted on the processing of such information, whereby it is ensured,
        that the intervention is limited to what is strictly necessary'.


For Norway as an EEA member, the practice of the EU Court is not directly binding. Legal practice
from the European Court of Justice will still have significance in the area of privacy as it is a
basic assumption that the rules of the Personal Data Protection Regulation are understood and practiced equally throughout
EU/EEA.

 5. The Norwegian Data Protection Authority's sanctioning authority

The Norwegian Data Protection Authority's authority to impose administrative sanctions is regulated in the privacy
the regulation, article 58. Article 58 no. 2 states which corrective measures the supervisory authority can take
adopt.

The relevant parts of the provision read:


        "2. Each supervisory authority shall have the authority to decide on the following corrective measures
        measures:
           a. issue warnings to a data controller or data processor that they
              the planned processing activities are likely to be in breach of the provisions of
              this regulation, (…)

           d. instruct the controller or data processor to ensure that
              the processing activities take place in accordance with the provisions of this regulation
              and, if relevant, in a specific manner and within a specific deadline, (…)
           f. introduce a temporary or permanent restriction of, including a ban on,
              treatment".


 6. The Norwegian Data Protection Authority's assessment
6.1 Assessment of the size of the privacy intrusion
If privacy is to be encroached upon, it is a requirement according to both our human rights laws
obligations under the ECHR, the Constitution and the privacy regulations that a thorough investigation is carried out
assessment of the proportionality of the measure. The disadvantages to the citizens of that

personal data if they are collected must be weighed against the authority's needs for
personally identifiable data to provide citizen services and carry out their tasks.

We make it clear that an invasion of privacy already occurs during the actual collection of data
personal data and not until the data is further processed. The European one

In the cases Amann v. Switzerland (case 1995-27798) and S. and
Marper v. Great Britain (Case 2004-30562) clearly stated that states intervene against
the citizens already when collecting personal data as such.

The Norwegian Data Protection Authority recognizes the societal benefit of consumption and diet statistics. For example
dietary statistics are the basis for national public health work. We see that data with the same


2
 See also ECJ cases C-293/12 and C‑594/12, https://eur-lex.europa.eu/legal-
content/en/TXT/?uri=CELEX:62012CJ0293.



                                                                                               13quality cannot be obtained from other sources, for example the consumers themselves. We also have
noticed that SSB has good internal routines and systems for rapid pseudonymisation and
aggregation of data, strict internal access management, etc. SSB is well equipped to deal with this as well
bong data in a reassuring manner internally.

Statistics Norway has stated that an important consideration behind the collection of bong data is development work that can
lead to quality improvement and future data minimization through more precise data extraction, etc.

As we understand it, however, the utility value of the development work will be unknown at the time
when the data is collected. We cannot therefore attach decisive importance to the objective of
future data minimization.

The planned collection of bong data for statistics involves the processing of enormous amounts
amounts of transactional data about a significant part of the population. It is also a brand new one
form of data collection by the authorities from private actors. The state will get a brand new one

knowledge about which grocery purchases almost the entire Norwegian population makes in real time.

The individual data subjects have no real opportunity to oppose the collection of
personal data (except through trading with cash and avoiding the big
the grocery players). Nor do those registered receive information that the collection is taking place. As
Statistics Norway itself points out, the average citizen will not be able to predict that the state will collect
information about their purchases of groceries.


It is therefore of less importance for our assessment of the size of the privacy intervention that
Statistics Norway's mandate is the production, dissemination and development of statistics, which in itself is not
linked to individuals.

The relationship with Section 102 of the Constitution and Article 8 of the ECHR is affected in the preparations for the Statistics Act.
The Ministry of Finance's conclusion is that Section 10 of the Statistics Act in itself is not contrary to

the requirements in Section 102 of the Constitution and Article 8 of the ECHR. At the same time, the ministry has indicated that it must
assessed whether more specific statutory or regulatory provisions are necessary and/or
guarantees to fulfill the Constitution's and the ECHR's requirements for a legal basis when this is to be done
invasion of privacy.

The Norwegian Data Protection Authority believes that there are weaknesses in the specific privacy impact assessments which

Statistics Norway has carried out. In the description of the privacy intervention seen from the point of view of the data subjects, refers
SSB to a "perceived discomfort". This may indicate a lack of understanding of
the concept of privacy, privacy as a fundamental right and the value of good
privacy. We also refer here to the fact that the intervention in privacy is already taking place
collection of personal data, cf. the decisions of the European Court of Justice and the European Court of Human Rights mentioned above.

In a case like this, the right to privacy is less about the fear of abuse

personal information than about trust in public Norway. In our view, the core of
the assessment of the privacy intervention what it is necessary for the state to know about the individual
citizen.






                                                                                              14Public authorities have enormous amounts of data about citizens through various
socio-economic registers and health registers. Through social security numbers, this data can be linked
up against each other. The result of such connections is something more than just the sum of the individual parts
the information; it can give a more or less complete picture of a single individual's life from
cradle to grave.

Public Norway has exclusively a mandate and authority that is linked to good

purposes and objectives, be it crime fighting, public health, good
welfare services or other. In many cases, it is absolutely essential to treat
personal data to perform public tasks. In this case, the dietary statistics
requested by the health authorities, and the consumption statistics will be able to have a much better quality
if bong data is used. There must still be a limit to what data public authorities can access
can process about individuals, even where the purpose is good. It is at the core of the Norwegian Data Protection Authority
tasks as a supervisory authority to assess where this line should be drawn.


We believe that the ministry's conclusion in the preparations for the Statistics Act that processing to
statistical purposes in general should be considered to be of little intervention is too unvarnished. The data collection
which is the basis for the preparation of statistics can constitute a significant intervention in them
data subject's privacy. Even if the end result is anonymous statistics, large numbers will
personal data could be processed by a state body (SSB) in the process.


As stated above, the privacy intrusion when collecting bong data is very large. It must
is questioned as to whether it is necessary for Statistics Norway to collect this data in order to carry out its work
social mission.

The Norwegian Data Protection Authority believes that, after a concrete assessment of the privacy intervention
proportionality, must accept that not all statistical purposes can be fully achieved. It is in
such cases necessary to accept that data must be collected from other sources with it

consequence that the statistics get a poorer level of precision and quality.

6.2 Statement of purpose and data minimization
In the cost-benefit assessment, Statistics Norway has made an assessment of whether bong data are necessary and
relevant information for the purposes, cf. the principle of data minimisation. Here SSB states that
different forms of selection of bong data probably could have been sufficient for some of them

relevant statistical purposes. When it comes to development work, however, will not
sample surveys, aggregations or less frequent data deliveries are sufficient.

Statistics Norway has therefore itself pointed out that the assessment of necessity will be different for the different people
the purposes.

Furthermore, statistics production and method development are two different processes though

statistical production is based on methods that have been developed using the basic data.

In our view, this illustrates the weaknesses of the necessity assessment that has been carried out.
The need for complete bong data for development purposes plays into the assessment that SSB
considers the collection necessary - also for the purpose of producing statistics.




                                                                                                15 Against this background, it appears clear to the Norwegian Data Protection Authority that the production/dissemination of statistics
and development work must be defined as different processing purposes in the Personal Data Protection Regulation
understanding.

Nor can we see that Statistics Norway has assessed the dietary statistics and the consumption statistics separately.
These are different forms of statistics that have different underlying considerations and
societal functions. As a result, the necessity assessment will be able to beat

also different for the two forms of statistics.

The Danish Data Protection Authority has chosen not to go into further detail in the assessment of the necessity of the bong data
the purposes. In this supervisory case, we have chosen to concentrate on the assessment of that
supplementary legal basis for the collection of bong data, cf. point 6.3 below. It may
nevertheless there is a need to make a thorough assessment of necessity at a later stage.


6.3 The supplementary legal basis
Through Section 10 of the Statistics Act, Statistics Norway has been given almost a blank authorization to make decisions or
adopt regulations on the obligation to provide information. Section 10 of the Statistics Act is thus a framework provision
which presupposes that the detailed access to process personal data is determined in a
other legal basis. Statistics Norway's processing of personal data must still be in line with
the privacy regulations.


In the preparations for the Personal Data Act, Prop. 56 LS (2017-2018), it appears that a
administrative decisions can constitute a supplementary legal basis in the personal data protection regulation
understanding. Whether an administrative decision is considered a sufficiently clear and predictable legal one
basis must, however, be assessed concretely.

In this case, Statistics Norway has decided to obtain enormous amounts of information about Norwegians
consumers' grocery purchases. The Norwegian Data Protection Authority believes that the privacy intrusion by the decisions is a lot

greater than what Statistics Norway seems to have assumed. That the collection of bong data is done for
statistical purposes are of secondary importance in this assessment as the intervention itself i
privacy already occurs at the time of data collection.

As we assume that the breach of privacy when collecting bong data is very large,
this sets stricter requirements for the supplementary legal basis, cf. the Personal Data Protection Ordinance

article 6 no. 3.

Section 10 of the Statistics Act stipulates that Statistics Norway itself shall carry out the cost-benefit assessment and determine
individual decisions, possibly adopting regulations, on the obligation to provide information.

For comparison, we will highlight the process for approval of medical and
health research projects. In medical and healthcare research, decisions on

dispensation from confidentiality and/or ethical approval decisions are the basis for
the data processing. In these cases, the assessment is whether the data can be used for research
added an external third party (respectively the Norwegian Directorate of Health and the regional committees for
medical and healthcare research ethics, REK) and not to the person responsible for the research
the institution.




                                                                                                16 Although medical and healthcare research most often involves handling large quantities
health data and other personal data, the third-party assessment is considered a guarantee for
safeguarding the research participants' rights and interests. The regional ethics committees
can, for example, set conditions for the collection, storage and use of data.

Statistics Norway's main purpose is the production, dissemination and development of statistics. A natural
the consequence of this is that Statistics Norway will facilitate the execution of the tasks assigned to them

best possible way. Statistics Norway's operations are also partly regulated by strategic guidelines nationally and
internationally. In the case of highly invasive processing of personal data, it is therefore
particularly important that the privacy impact assessment that is the basis for a processing of
personal data is good.

As mentioned in point 6.1, we believe that the assessments made by Statistics Norway in connection with collection
of bong data are lacking. As a consequence, the process harmonises towards Statistics Norway's decision

on the obligation to provide information does not meet the requirements of the privacy regulations. The ratings that
is settled against the principle of data minimization in the personal protection regulation article 5 no. 1
letter c and the principle of purpose limitation in letter b are not good enough in our view.
This means that it is not possible to make a fully sound proportionality assessment, like this
the privacy regulation article 6 no. 3 requires.

For Statistics Norway's operations, Statistics Norway alone can assess and decide that data should be collected. Any actor,

private as well as public, may be required to hand over personal data on a large scale.
Decisions on the obligation to provide information can be appealed to the Ministry of Finance, but we consider that such
complaint handling has a different function than an external third-party assessment at a business
with purposes other than just the preparation and development of statistics.

The Norwegian Data Protection Authority assumes that an administrative decision made by Statistics Norway does not provide sufficient information
guarantees for those registered for such intrusive processing as collection of bong data.

The legal basis is not sufficiently clear, precise and predictable. We believe that this view
has support in the wording of the Personal Data Protection Ordinance, the preparations for the Personal Data Act and
case law from the European Court of Justice and the European Court of Justice.

The Norwegian Data Protection Authority is therefore of the opinion that Statistics Norway's decision on the obligation to provide information to
the grocery operators do not meet the requirements of the supplementary legal basis i

the personal protection regulation article 6 no. 3.

6.4 Conclusion
The Norwegian Data Protection Authority has come to the conclusion that Statistics Norway's decision on the obligation to provide information to the grocery operators
NorgesGruppen ASA, Coop Norge AS, Rema 1000 AS and Bunnpriskjeden, comprised of
authority in Section 10 of the Statistics Act, does not meet the requirements for a supplementary legal basis i
the personal protection regulation article 6 no. 3.


We have therefore decided to notify Statistics Norway of a decision to ban the processing of
personal data in the form of bank data.






                                                                                               17 7. Further proceedings
This letter is an advance notice of a decision to prohibit the processing of
personal data, cf. section 16 of the Public Administration Act.

Any comments on this notice must be sent to us no later than three weeks after receipt
of this letter.


We assume that the decisions on the obligation to provide information are still under appeal processing at
The Ministry of Finance and that the collection of bank data has not been initiated. We therefore do not see it
necessary to set a shorter deadline for feedback.

If you have any questions, you can contact section manager Camilla Nervik or
case manager Susanne Lie.



With best regards


Line Coll
director
                                                                   Susan Lie

                                                                   legal professional director

The document is electronically approved and therefore has no handwritten signatures



Copy to: STATISTICS CENTRAL BYRÅ, Thorleiv Valen

























                                                                                              18