Datatilsynet (Norway) - 17/01281

From GDPRhub
Datatilsynet - 17/01281
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1)(f) GDPR
Article 58(2)(b) GDPR
Type: Other
Outcome: n/a
Started:
Decided: 16.09.2020
Published: 16.09.2020
Fine: None
Parties: Datatilsynet
Privacy Appeals Board
Community missionary organization (anonymized)
National Case Number/Name: 17/01281
European Case Law Identifier: n/a
Appeal: Appealed - Overturned
Original Language(s): Norwegian
Original Source: Personvernnemda (in NO) (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian Privacy Appeals Board (Personvernrådet) overturned the Norwegian DPA's (Datatilsynet) decision to reprimand a local missionary organization's use of private camera surveillance footage under Article (6)(1)(f).

English Summary

Facts

The Norwegian DPA (Datatilsynet) had issued a reprimand to a local missionary organization for what the DPA said was unlawful use of private camera surveillance footage (i.e. lacking legal grounds for processing under Article (6)(1)(f)). The Norwegian Privacy Appeals Board (Personvernrådet) overturned this decision, as they concluded that the missionary organization had indeed legal grounds as per Article (6)(1)(f) to process the personal data in question.

The case revolved around neighbours A and B, who had a conflict. B had installed camera surveillance on her property and some footage revealed A's seemingly harassing behaviour towards B. B shared this footage with C, a deputy member of the board of a local missionary organization, where A was a board member. C further involved D, the chairman of the organization. Based on the footage they'd viewed, C and D questioned if A was suited to be a member of the board. They presented the footage to A and her husband (whom A had requested to be there), and following some discussions, A withdrew from the board. A then submitted a complaint to the DPA, for what she felt was unjust and unlawful processing of her personal data in the surveillance footage.

The question here was consequently: did the missionary organization have legal grounds to process the footage, based on Article (6)(1)(f)?

The DPA held that they didn't, after their review of the three necessary elements of legitimate interest: 1) First, the DPA concluded the missionary organization had a legitimate interest to process the personal data. 2) Second, the DPA held, however, that the processing was *not* necessary to achieve this interest, and therefore, 3) the balancing test should go in favor of the data subject (in this case "A"). Thus, the DPA concluded that the conditions for relying on Article (6)(1)(f) was not fulfilled.

On the contrary, the Norwegian Privacy Appeals Board considered that the second condition of legitimate interest was indeed fulfilled, as it was deemed necessary to view the footage. In addition, they considered that there were little harm to A, as the footage was only viewed by C, D, A herself and her husband (on her request).

Dispute

Was the DPA's conclusion to reprimand the missionary organization for lack of legal grounds, correct?

Holding

The Norwegian Privacy Appeals Board (Personvernrådet) held that the missionary organization had legal grounds under Article (6)(1)(f) to process the personal data in question.

Comment

In this case, 6 out of 7 members of the Norwegian Privacy Appeals Board (Personvernrådet), agreed to overturning the DPA's decision, while the last member argued in favor of the DPA's decision.

Further Resources

Share blogs or news articles here!

The Norwegian Data Protection Authority has processed the case in accordance with the Privacy Ordinance, which became part of Norwegian law from 20 July 2018, ie approximately 20 months after the alleged breach of A's privacy took place. Questions are asked about the Authority's choice of law. In the decision, the Norwegian Data Protection Authority errs in its assessment of the regulations. The audit first concludes that the mission assembly had a legitimate interest in obtaining the information, but then states that the purpose could have been achieved in a less intrusive way than by obtaining and storing the footage from the private camera surveillance. There is a mutual contradiction between the sentences. In any case, the rules of error of law are invoked. D and C acted in good faith, with the best intentions for all parties and were not aware that the actions could be in violation of applicable Norwegian law. A view of the matter in brief B sent the private film footage to D and C after B had moved from the home. She made false allegations about A, which D and C adopted. D and C then used the film footage against her and questioned her suitability to sit on the board and threatened to show the film clips to the rest of the board. She was pushed out of the board in the mission meeting by the board chairman and deputy, who came to her door. She felt compelled to watch the footage that D and C brought. The showing of the footage to her and her husband constituted the unlawful disclosure of her personal information. A himself brought the matter before the board, which the minutes from the board meeting on 4 September 2017 confirm. A and her husband know that the footage was shown to others and spread throughout the local community, something she holds C, D and the missionary assembly accountable for. D also used the content of the footage against her in a meeting with the top leaders of the mission organization, without the films being shown. D and C present the case in a completely different way, and the attempt to embellish what they have done is offensive, intrusive and destructive. She and her husband were squeezed out of a Christian community and community and are considering moving, even though they have lived at X all their lives. They experience being put in a public gauntlet in the small community where everyone knows everyone. After this, she experiences that life is ruined. The Data Inspectorate's assessment A reprimand is a corrective measure The Data Inspectorate has the authority to decide in accordance with the Privacy Ordinance Article 58 no. 2 letter b. The reprimand given in this case is to be regarded as an individual decision that gives the parties a right of appeal under the Public Administration Act. The collection, storage and deletion of the five film recordings took place before the Privacy Ordinance entered into force on 20 July 2018. The case will be assessed in accordance with the Privacy Ordinance as this was valid at the time of decision on 19 March 2020, and this case is not a decision on infringement fees. This presumably follows from the transitional rules in the Personal Data Act 2018 § 33, cf. the Privacy Board's decision PVN-2018-14. This also has support in the preparatory work for a new Personal Data Act. Collecting and storing film clips in which individuals are depicted constitutes a processing of personal data, cf. the Privacy Ordinance, Article 4, No. 2. The Data Inspectorate assumes that D and C acted as chairman of the board and board member, respectively, on behalf of the mission assembly in the case, as the purpose was to assess the complainant's suitability to sit on the board. The mission meeting is therefore responsible for processing, cf. Article 4 (7) of the Privacy Ordinance. It is further assumed that the films have not been distributed to anyone other than D and C, and that they have only been shown to A and her husband during one of the meetings between the four. The relevant basis for processing in this case is the Privacy Ordinance, Article 6 (1) (f), which stipulates that an undertaking may process personal data if this is necessary to safeguard a legitimate interest that outweighs the interests of the individual's privacy. The question is whether the missionary assembly had a legal basis for processing under the Privacy Ordinance, Article 6, paragraph 1, letter f, when they obtained and stored the clips from B's private camera surveillance. The first condition that must be met for processing to be lawful is that the missionary assembly had a "legitimate interest" in processing the information. The mission assembly has reported that the clips were used for the purpose of assessing A's suitability for his position on the board. Board positions presuppose trust in the organization in question, and it will be an important interest for companies to be able to obtain relevant personal information in order to assess the suitability of board members. The missionary assembly thus had a "legitimate interest" in obtaining the information. The next condition is whether the relevant processing of the complainant's personal data was "necessary" to achieve the purpose. The mission assembly obtained and stored clips from private surveillance cameras that, among other things, depict A in a difficult situation characterized by a long-term neighbor conflict. The film clips were then referred to complainants once on 20 November 2016. The content of the films was then discussed between the representatives of the mission assembly and A during a meeting later in the day on 20 November, and then at the meeting on 12 December 2016 which ended with A withdrawing from the board. The Data Inspectorate believes that the mission assembly could have achieved its purpose in a less intrusive way than by obtaining and storing the recordings. The film clips originate from private camera surveillance without connection to the mission assembly's activities, and A therefore had no reasonable expectation that the mission assembly would process this personal information about her. The information is of such a private nature that it would have been sufficient to document the content in writing, and then discuss this with C before any consideration by the board. The mission meeting's collection and storage of the film clips therefore constituted a more intrusive processing of personal data than was necessary to assess A's suitability. Regardless of whether the requirement of necessity is met or not, the consideration of the complainant's privacy will outweigh the company's need to collect and store the recordings due to their private nature, cf. Article 6 no. Letter f (balancing of interests). There is no "mutual contradiction" in the Authority's assessment, as the Mission Assembly claims. The conditions for a valid basis for processing pursuant to Article 6 (1) (f) of the Privacy Ordinance are not met. The Missionary Assembly cannot be heard with its allegation of error of law. On the basis that the information has now been deleted and the conduct from the mission board has ceased, the Data Inspectorate finds it most appropriate to issue a reprimand to the mission meeting, cf. the Privacy Ordinance Article 58 no. 2 letter b. The Privacy Board's assessment The collection, storage and deletion of the five film recordings took place before the Privacy Ordinance entered into force on 20 July 2018 and the Mission Assembly has stated that the case shall be processed in accordance with the Personal Data Act as it stood at the time of action. The Personal Data Act 2018 has transitional rules in § 33. It follows from this provision that the rules on the processing of personal data that applied at the time of action shall be used as a basis when a decision on infringement fees is made, unless the legislation at the time of the decision leads to a more favorable result for the data controller. . In this case, there is no question of imposing an infringement fee, and it then presupposes from the Personal Data Act 2018 § 33 that it is the law, as it reads at the time of decision, that shall be the basis for the Privacy Board's decision. This is also discussed in the preparatory work for the Personal Data Act 2018, Prop. 56 LS (2017-2018) page 196, where the Ministry states, among other things, the following: "There will be a number of cases pending before the supervisory authority and the Privacy Board at the time of the entry into force of the new Personal Data Act. The regulation does not contain any transitional provisions that regulate the processing of such cases. The starting point will be that decisions by the Data Inspectorate and the Privacy Board will have to be made on the basis of the substantive rules in force at any given time ». For the sake of clarity, it is noted that when it came to receiving, storing and using recordings from camera surveillance, this was under the 2000 Act regulated by § 8 letter f. The same substantive rules are now given in the Privacy Ordinance Article 6 No. 1 letter f. Like the Data Inspectorate, the tribunal assumes that the mission assembly is responsible for the use and storage of the private camera footage they received from B and which contained footage of A, cf. the Privacy Ordinance, Article 4, No. 2 and No. 7. As the tribunal understands the fact was not the actual collection of camera footage initiated by the missionary assembly. B itself initiated the disclosure of its camera recordings and is thus responsible for the processing of personal data that it represents. The processing of personal data that the disclosure of the camera footage entails does not form part of this case. The tribunal assumes that D and C acted on behalf of the missionary assembly and also had the authority to do so by virtue of their positions on the board. The tribunal refers to the Data Inspectorate's justification which is accepted. The next question is what a "reprimand", cf. Article 58 (2) (b) of the Privacy Ordinance, is to be regarded as, from a legal point of view. If the reprimand is to give the mission assembly the right to appeal, the reprimand must be regarded as an individual decision, cf. the Personal Data Act § 22 second paragraph, cf. the Public Administration Act § 2. Individual decisions are defined in the Public Administration Act § 2, first paragraph, letters a and b. After letter a, a decision is «a decision made in the exercise of public authority and which in general or specifically determines the rights or obligations of private persons». The question is therefore whether a decision ("reprimand") from the Data Inspectorate where it is established that there has been a violation of the Personal Data Act, but no order is imposed or an infringement fee is imposed, partly because the illegal processing has ceased, is a reaction that determines rights and duties for the data controller. In Prop. 62 L (2015-2016) «Amendments to the Public Administration Act, etc. (administrative sanctions, etc.) »section 15.5.1, the Ministry of Justice discusses formal warnings: «Some administrative bodies have the authority to issue formal warnings on the basis of an explicit law or regulation. Such warnings are referred to in the legislation mainly as warnings, but other terms are also used, for example «written reprimand» (the Execution of Sentences Act § 40 second paragraph letter a). Such warnings can be divided into two main categories, but there can be smooth transitions between the categories. First, there are provisions where the warning appears as a condition for a (possible) later reaction. Secondly, there are provisions where the warning appears as an independent reaction to offenses. That the warning is intended as a more independent reaction is often apparent from the context in the legislation, and will often be emphasized in the preparatory work for the law » Furthermore, the ministry states: "As mentioned, the term formal warning does not have an unambiguous definition in current legislation. Whether something that is called a warning by the administration or with related terms must be regarded as an individual decision according to the definition in the Public Administration Act § 2 first paragraph letter b, cf. letter a, depends on a closer assessment of the warning's content and effects. As far as one builds on the definition of formal warning that has been used as a basis, the starting point must be that formal warnings are regarded as individual decisions. The Ministry points out in particular that such warnings imply a finding that the law has been violated. Often, there will also be a legal basis for sanctions against the type of offense in question, either in the form of administrative sanctions or penalties. Thus, it could be a significant burden to have a formal warning directed at you. In some cases, the special legislation explicitly decides whether the warning is to be regarded as an individual decision, cf. for example on the one hand the Dog Act § 18 fifth paragraph last sentence (not individual decision) and on the other hand the Health Personnel Act § 56 last paragraph and the Pharmacy Act § 8-4 second paragraph (individual decision). Even if a warning should not be regarded as an individual decision, certain requirements may apply to the case processing. For example, in some cases concerning non-binding statements, the Civil Ombudsman has set certain requirements for adversarial proceedings, see Somb-2008-48. " Article 58 (2) of the Privacy Regulation distinguishes between various "corrective measures". According to letter a, the supervisory authority may issue warnings that a planned processing activity is likely to be in breach of the regulation. According to letter b, the supervisory authority may issue reprimands and in the other letters c - j, authority has been given to issue various orders, as well as the imposition of infringement fines. It is the supervisory authority that in the first instance decides which corrective measure is appropriate, when the supervisory authority finds that personal data has been processed in violation of the regulation. When the Data Inspectorate in this case has concluded that the data controller did not have a processing basis for its use of the received camera recordings, the Data Inspectorate could choose an appropriate response; reprimand or infringement fine. The fact that the reprimand entails a formal finding that the mission assembly has processed personal data illegally, indicates that the reprimand is considered an individual decision so that the mission assembly is given the right to have the basis for the reprimand tried in the appeal body. Previously found violations of the Privacy Ordinance may also be relevant for the imposition of infringement fines for repeated offenses, cf. the Privacy Ordinance Article 83 no. 2 letter e. considered as an individual decision. The burden of a formal reprimand entails and considerations of the legal security of the data controller indicate that the data controller is given the opportunity to appeal against a reprimand issued. This is also supported by the fact that the Data Inspectorate itself has regarded the reprimand as a decision and has provided information to those responsible for processing on the right to appeal. Following this, the tribunal assumes that the Data Inspectorate's reprimand issued to the data controller is an individual decision that gives a right of appeal under the Public Administration Act. The tribunal then proceeds to assess whether the mission assembly's processing of personal data, collected through the use of camera surveillance, has taken place in accordance with the rules in the Privacy Ordinance. Initially, the tribunal notes that the Data Inspectorate refers to the mission assembly's receipt of the camera footage as the collection of personal information. In that case, it will presuppose that the mission assembly is also responsible for processing the collection of the recordings. The tribunal does not consider this an apt description, cf. the tribunal's assessment above where it is assumed that the handover of the recordings was initiated by B. In any case, the mission assembly's storage and use of recordings from camera surveillance, where identifiable individuals are depicted, will be a treatment of personal data, cf. the Privacy Ordinance Article 4 no. 2. For this processing of personal data, the mission assembly is responsible for processing. Article 6 (1) of the Privacy Regulation requires that all processing of personal data has a legal basis for processing. The tribunal agrees with the Norwegian Data Protection Authority that the only possible basis for processing the mission association's processing of personal data in this case is Article 6 no. 1 letter f (necessary to safeguard a legitimate interest). Article 6 (1) (f) authorizes the processing of information on the basis of a balance of interests. The law's requirement that the processing must be necessary for purposes related to the data controller's legitimate interest, means that the interest safeguarded by the data controller must be legal and actually justified in the business. Both legal, financial and non-material interests may be justified, cf. the Privacy Council's "Guidelines 3/2019 on processing of personal data through video devices", section 18. The necessity condition further entails a requirement that the purpose cannot be achieved in a less privacy-intrusive manner. . The legitimate interest of the data controller shall then be weighed against the interests of the data subject and fundamental rights and freedoms. If these interests are considered to take precedence and demand protection of the personal data, the legitimate interest of the data controller will have to give way. As also pointed out by the Data Inspectorate in the Authority's decision, the Data Inspectorate's, and thus also the Privacy Board's, task is to exercise control in accordance with the Personal Data Act and the ordinance. This means that it is the mission assembly's use of the footage received from the camera surveillance that is being considered in this case, not the conflict between A and B, or the conflict between A and the mission assembly, including whether there was sufficient grounds to ask A to withdraw. the board of the missionary assembly. The tribunal assumes that the purpose of using the sent film footage was to clarify the correctness of the content of the notification the mission assembly had received about harassing behavior on A's part. The mission meeting considered it necessary to investigate the actual circumstances related to the notice in order to assess A's suitability for his position on the board. Board positions presuppose trust in the organization in question, and it is in principle a legitimate interest to obtain and use personal information that can say something about the board members' suitability for the position. In this case, the chairman and a deputy member of the board had been made aware of serious allegations of harassment made by one of the board members of the assembly. It was therefore necessary to investigate these allegations in more detail and the tribunal agrees with the Norwegian Data Protection Authority that the mission assembly therefore had a legitimate interest in clarifying whether the description of the harassing behavior was correct. The question for the tribunal is whether the mission assembly's storage and use of the received film footage was necessary to safeguard this legitimate interest of the mission assembly or whether the consideration of A and her right to privacy takes precedence and requires protection of the information. In this balancing of interests, the tribunal has been divided into a majority and a minority. The majority of the tribunal consisting of the members Haugstad, Borvik, Graasvold, Coll, Blinkenberg and Tessem has come to the conclusion that the mission assembly had a basis for processing in the Privacy Ordinance article 6 no. 1 letter f to store and view the received film footage. In the majority's view, it was a prudent assessment by the head of the mission assembly and deputy board member that they chose to watch the sent footage after receiving notice of harassing behavior from one of the board members. It represents a proper treatment of the notice received that they make sure to clarify whether the recording shows actions that there was reason to record with A. In the majority's opinion, this was a necessary clarification before D and C decided what to do next. with the notice. The majority understands that this was an unpleasant situation for A, but the situation would most likely not have been less unpleasant if she had been presented with completely undocumented accusations. Since the film recording was then only shown to A and her husband (who participated at A's own request), there has been no further dissemination of the information to anyone other than those who were already familiar with the content of the recordings. The breach of privacy this represents for A is therefore considered to be small, which must be given weight for the balance of interests to be made in accordance with Article 6, paragraph 1, letter f. In the majority's view, the mission assembly's storage and use of the received film footage was necessary to safeguard the legitimate interest of the mission assembly and the consideration for A's privacy does not take precedence over a balance of the various interests. As the treatment was, in the majority's view, legal, there is no basis for issuing any reprimand. The tribunal's minority consisting of member Hannemyr agrees with the Norwegian Data Protection Authority that the mission assembly's storage and use of the transmitted camera footage had no basis for processing in the Privacy Ordinance Article 6 no. 1 letter f and thus represented an illegal processing of personal data. The provision in the Privacy Regulation, Article 6 (1) (f), contains three cumulative conditions, all of which must be met in order for the processing of personal data on this basis to be lawful. The processing must be "necessary", the data controller must have a "legitimate interest" in the processing and a final balance of interests must be struck between the data controller's interests and the data subject's "interests or fundamental rights and freedoms". The minority believes that the condition of necessity must be understood strictly. The preamble to the Privacy Ordinance, section 39, states that "personal data should be processed only if the purpose of the processing cannot reasonably be fulfilled in another way". This means that the treatment is only necessary if the treatment manager has no other reasonable alternatives. That is not the case here. Such an interpretation of "necessary" corresponds to the principle of data minimization expressed in Article 5 (1) (c) of the Regulation, which states that the processing of personal data shall be "limited to what is necessary for the purposes" for which it is processed ". The wording "necessary" is used here as well, but is supplemented with "limited to" which suggests that treatment is only legal where this is the only way to achieve the purpose. PVN-2015-13 was about a taxi center that recorded telephone conversations between the taxi driver and the taxi center with the aim of preventing inappropriate and harassing calls from the driver to the center. In the assessment of necessity, the tribunal emphasized whether other and less intrusive measures could have been implemented to overcome the problem, and concluded that the treatment was not "necessary". Like the Norwegian Data Protection Authority, the minority believes that the mission assembly could have achieved the same purpose in a less intrusive way than receiving and using the private film footage. They could have requested a written statement of allegations from B and this statement could then have been submitted to A for comment. The film footage should not have been used by anyone other than B, without first being reviewed by A, who may then have consented to being shown to others. The data controller naturally has a vested interest in the fact that the result of the balance of interests that must be made leads to the personal data being processed. If there is no clear framework for how the balancing of interests is to be carried out, the data controller's self-interest may therefore result in personal data being processed to a greater extent or in a more intrusive manner than is lawful. It is therefore important that the framework for balancing interests follows from law, case law and other relevant legal sources. The Article 29 Working Party (Opinion WP 217, p. 30) writes this about the balancing of interests ("legitimate interest" is in English "legitimate interest"): «Finally, it is important to note that unlike the case of the controller's interests, the adjective‘ legitimate ’is not used here to precede the‘ interests ’of the data subjects. This implies a wider scope to the protection of individuals ’interests and rights. Even individuals engaged in illegal activities should not be subject to disproportionate interference with their rights and interests. " It is therefore not a question of a pure balance exercise. Even if the data subject has behaved reprehensibly, this is not in itself a legitimate interest that authorizes overriding of the data subject's rights and interests. With regard to the nature of the personal data, the European Court of Justice has stated that the balance in the balancing of interests depends, among other things, on "the nature of the information in question and its sensitivity to the data subject's private life" (cf. C-131/12). In this case, it was personal information that is of a private and personal nature. The bitter neighborly conflict between A and B had nothing to do with A's board position in the missionary assembly. It also appears that the two parties to the conflict mutually accused each other of harassment. It is impossible for others to know who actually did what and when, but it seems that the mission board gave the documentation in the form of the surveillance videos they received from B a lot of weight when they asked her to resign from the board in the mission assembly. Although the surveillance video was only seen by a few people, the treatment of it apparently led to popular talk and exclusion from the Christian community in the village. This too is a significant disadvantage for A. In the Waste Service judgment (Rt-2013-143, section 60), the Supreme Court stated that “in assessing what disadvantages the personal data has had for A, it must also be considered whether the reuse of the information was within his reasonable expectations of what the information could be used for. to". A had hardly expected that private recordings collected by B's surveillance camera would be used in a process internal to the missionary assembly. The Mission Assembly's use of the recordings also constitutes for this reason a great disadvantage for A. The fact that the mission assembly was not aware that their use of the film footage was illegal under the Privacy Ordinance is not a factor that makes the act excusable in the minority's opinion. The data controllers should familiarize themselves with the rules before choosing to use private surveillance recordings in this way. The Norwegian Data Protection Authority has sanctioned the illegal processing of A's personal data by giving a reprimand, cf. the Privacy Ordinance Article 58 no. 2 letter b. This is a very mild form of reaction. The minority wants the Data Inspectorate's decision to be upheld. The decision is made in line with the majority's view. Decision The Data Inspectorate's decision on reprimand is reversed. The Mission Assembly had a basis for processing in the Privacy Ordinance Article 6 No. 1 letter f to store and view the received film footage.


Oslo, 16 September 2020 Mari Bø Haugstad Manager