Datatilsynet - 20/02006
|Datatilsynet - 20/02006|
Article 17 of Directive 95/46/EC
Article 6 of Directive 95/46/EC
Article 7 of Directive 95/46/EC
§ 11 (1)(c) Personopplysningsloven 2000
§ 13-12 Tolloven
§ 2-11 Personopplysningsforskriften
§ 2-14 Personopplysningsforskriften
§ 8 Personopplysningsloven 2000
§ 33 Personopplysningsloven 2018
|National Case Number/Name:||20/02006|
|European Case Law Identifier:||n/a|
|Original Source:||Datatilsynet (in NO)|
Datatilsynet holds that the Norwegian Customs Authority processed personal data from the Automatic Numberplate Recognition (ANPR) database without a legal basis, as it processed data not that was not connected to cross-border traffic. The case was decided under the national implementation of 95/46/EC.
English Summary[edit | edit source]
Facts[edit | edit source]
The investigation started after the DPA was notified of a personal data breach from the Customs Authority regarding several issues concerning the use of the ANPR system.
The ANPR database is a shared database, also used by the Norwegian Public Roads Administration. After an internal evaluation of the use of this database and the legal basis for the processing of the data, the Customs Authority sent a data breach notification to the DPA.
The basis for this notification was the uncertainty of the wording of the law and whether it only applied to the border crossing, or if it also concerned traffic to and from the border.
Dispute[edit | edit source]
The dispute of the case was whether tolloven § 13-12 "grensekryssende trafikk" ("cross-border traffic"), read in conjunction with the preparatory works, limited the use of the ANPR system to the actual border crossing, or if internal, domestic traffic to and from the border was also covered by the law.
In addition, the question was whether the Customs Authority could process personal data from the shared database of cameras which the Public Roads Administration was the controller of.
Holding[edit | edit source]
The DPA held that the preparatory works' use of "border control" and "cross-border traffic" was synonymous, and that an expansion of the term to also cover internal domestic traffic would be in contravention to the principle of legality.
The DPA held that the Customs Authority and the Public Road Administration were controllers for different processing operations with regards to the database. Highlighting that while it is a shared database, and some of the tasks laid out by law concerning surveillance of traffic overlapped between the Customs Authority and the Public Roads Administration, the two authorities were controllers for different parts of the database. The national law, tolloven § 13-12, did not grant the Customs Authority any legal basis for processing data from the part of the database where the Public Roads Administration was the controller.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
THE CUSTOMS DIRECTORATE PO Box 2103 Vika 0125 OSLO Their reference Our reference Date 18 / 27245-4 20 / 02006-1 (18/01144) / KBK 01.09.2020 Partial reversal of decisions on infringement fines - Directorate of Customs 1 Introduction Reference is made to received notification of breach of personal data security (non-conformance notification) from the Norwegian Customs Directorate on 29 June 2018, the Danish Data Protection Agency's notification of infringement fines on 11 March 2019, the Norwegian Customs Directorate's comments of 16 April 2019 on the Data Inspectorate's notification, the Data Inspectorate's decision on infringement fee of 2 July 2019 and the Directorate of Customs' appeal of 31 August 2019. In the decision on the infringement fee of 2 July 2019, the Data Inspectorate added the following offense superficial: "The report of a breach of personal data security has revealed circumstances that constitute possible violations of the Personal Data Act 2000 §§ 11 and 8, the Personal Data Regulations 2000 §§ 2-11 and 2-14. • The Customs Act § 13-12 only authorizes the storage of personal data from the agency's own ANPR- camera for cross-border traffic. On January 1, 2017, there was a breach the personal data security that resulted in the Directorate of Customs also receiving access to, and stored personal information from the Norwegian Public Roads Administration's ANPR camera, which is not located for cross-border traffic monitoring. For these ANPR the cameras lacked the Customs Directorate's basis for processing the Personal Data Act 2000 § 8. Without such a basis for processing, the processing will be illegal. • Storing information from the ANPR cameras to the Norwegian Public Roads Administration is a violation the Personal Data Act 2000 § 11 first paragraph letter c, where it is stated: «Den data controllers shall ensure that the personal data processed - - c) not later used for purposes incompatible with the original purpose the collection, without the data subject's consent ». • Lack of technical and organizational measures that ensure satisfactory information security with regard to confidentiality constitutes a possible breach the Personal Data Regulations §§ 2-11 and 2-14. The ANPR database used by both Postal address: Office address: Telephone: Fax: Org.nr: Website: PO Box 458 Sentrum Tollbugt 3 22 39 69 00 22 42 23 50 974 761 467 www.datatilsynet.no 0105 OSLO The Norwegian Customs Directorate and the Norwegian Public Roads Administration have not had satisfactory access control. This has meant that people have had unauthorized access for a long time personal data where confidentiality is required. " The legal basis for making the decisions is the Personal Data Act 2018 § 26, cf. § 33, cf. Personal Data Act 2000 § 46. On the basis of the Directorate of Customs' complaint, the Data Inspectorate finds reason to partially change ours decision on infringement fee, cf. the Public Administration Act § 33 second paragraph, in that it is not imposed emphasis on reported deviations about lack of access control as this appears in section no. 5, bullet point three in the Data Inspectorate's letter of 2 July 2019. All matters related to this are thus removed of the document. The Data Inspectorate's assessment is that this is a breach of personal data security, but as such in this context is not necessary to respond to. There were several users in the Customs had access to stored information than provided in the preparatory work for the Customs Act § 13-12. Everyone however, these had an official need for the information, and no misuse has been established the information. The Data Inspectorate sees that this has been handled satisfactorily by the agency and chooses therefore not to pursue this part of the case further. The Data Inspectorate has as a result of this adjusted the infringement fee to DKK 400,000. The reported breach of personal data security (deviation) was related to the sign recognition system ANPR, and consisted of several factors, of which point 1 is covered by this decision. 1) Personal data from fixed and mobile cameras from traffic has been processed which cannot be characterized as cross-border, and therefore cannot be treated according to Customs Act § 13-12. ANPR is an English abbreviation for Automatic Numberplate Recognition. In the law of 21. December 2007 no. 119 on customs and movement of goods (the Customs Act) this is referred to as «Sign recognition system», see section 13-12 of the Act. ANPR is an aid that has been used the road authorities, the Customs and the police, and more. The Directorate of Customs and the Norwegian Public Roads Administration have stored information from the ANPR cameras in a common database. The Directorate of Customs has legal authority to process information from cross-border traffic, related to customs purposes, and is responsible for processing these. These are collected in a separate database. The Norwegian Public Roads Administration can process information for traffic control, and is responsible for processing it. The Norwegian Customs Directorate has monitored 70.4 million crossings, where the number of affected persons is estimated to 7-8 million. Deviation no. 1 has been confirmed closed in the statement of 19 October 2018. The Norwegian Data Protection Authority has reviewed the comments to the Norwegian Customs Directorate and made the necessary changes in the decision and its reasons. In the feedback, the Directorate of Customs states that the directorate still has delegated competence for control of annual fee, use of marked mineral oil, 2status change for van, and temporary use of foreign registered vehicle, and that The Customs' authority under the Road Traffic Act has remained unchanged. The Data Inspectorate has noticed this. Similarly, the Norwegian Data Protection Authority has noticed some disagreement within the Norwegian Customs Directorate as to whether the agency had a sufficient processing basis for the use of all personal data in the ANPR the database. In the Data Inspectorate's view, it is worrying that the Norwegian Customs did not stop the project, and clarified the basis for the decision, before proceeding. The Norwegian Data Protection Authority has noted that the Directorate of Customs was of the opinion that it was sufficient legal basis for storing information both from cameras at the border (and that this included the Norwegian Public Roads Administration's cameras at Svinesund) and from the Norwegian Public Roads Administration's cameras that were located domestically. Finally, the Norwegian Customs Directorate corrects the number of passes from 80 million passes to 70.4 millions. The Norwegian Data Protection Authority has also noted the other input that has come from The Directorate of Customs, but can not see that they have an impact on whether an infringement fine should be imposed, or the size of this. 2 The offense The report of a breach of personal data security has revealed conditions that make it possible violation of the Personal Data Act 2000 § 8. Section 13-12 of the Customs Act states: «(1) When planning, targeting and carrying out inspections can the customs authorities collect, store, compile and use necessary personal information, including health information, cf. the Privacy Ordinance article 9 No. 1, and information as mentioned in the Privacy Ordinance Article 10. For the same purpose can cross-border traffic on the road and ferry terminals with foreign traffic is monitored by the customs authorities using a sign recognition system. " It is further stated in § 13-12 no. 3 last sentence: «Information obtained by sign recognition system, may be stored for up to six months after the information is obtained. " • The Customs Act § 13-12 authorizes the storage of personal data from ANPR cameras for cross-border traffic. On January 1, 2017, there was a breach personal data security in that the Norwegian Customs Directorate stored personal data from The Norwegian Public Roads Administration's ANPR camera. For these ANPR cameras were missing Directorate of Customs processing basis pursuant to the Personal Data Act 2000 § 8. Without such treatment basis, the treatment will be illegal. 3 Notification of decision on infringement fine It is the time of action that must be taken into account when a decision is made infringement fee due to illegal processing of personal data, cf. Act of 15 June 2018 no. 38 on the processing of personal data § 33 (Personal Data Act 2018). IN 3this case is the time of action before the law enters into force on 20 July 2018. It follows then of the Personal Data Act § 33 that this case shall be assessed in accordance with Act of 14 April 2000 no. 31 on the processing of personal data (Personal Data Act 2000). Pursuant to the Personal Data Act § 26 second paragraph, cf. the Privacy Ordinance article 58 no. 2 letter i), cf. article 83, the Data Inspectorate makes the following decision on infringement fines: 1. The Customs Directorate is imposed pursuant to Article 58 of the Privacy Ordinance, cf. the Personal Data Act 2000 § 46, first paragraph, cf. § 11 first paragraph, cf. § 8, to pay a violation fee to the Treasury of 400,000 - four hundred thousand - to have processed personal data without a basis for processing, cf. the Personal Data Act § 8. It follows from the Personal Data Act 2018 § 33 first paragraph second sentence that the legislation at the time of the decision shall be taken into account when this leads to a more favorable result for the person in charge. An assessment of the conditions that have occurred in accordance with the Personal Data Act 2018 would probably have resulted in an infringement fee higher than NOK 400,000. We refer to the Privacy Ordinance art. 83 no. 5, which stipulates that an infringement fine may be imposed up to 20 million euros, if the offense involves a violation of the fundamentals the principles for the processing of personal data in art. 5, 6, 7 and 9, cf. also the Personal Data Act 2018 § 26 second paragraph. The condition in the Personal Data Act 2018 § 33 The second sentence of the first paragraph is thus not fulfilled. 4 The actual conditions It is the deviation report of 29 June 2018 (18 / 01144-1) that forms the basis for our understanding of the actual pages of the case. However, we also refer to the non-conformance report from the Norwegian Public Roads Administration 28 June 2018 (18 / 01133-1), as this includes the same thematic issues. The discrepancy arose as a consequence of the Customs Act § 13-12 being amended so that «information obtained by sign recognition system, can be stored up to six months after the information has been obtained ». The Norwegian Customs Directorate considered this extension of the storage period so that everyone information from the ANPR cameras that were in the joint database with the Norwegian Public Roads Administration was covered by the provision, ie also information from the ANPR camera where the Norwegian Public Roads Administration was responsible for processing. In addition, reference can be made to the deviation report from the Norwegian Public Roads Administration on 25 January 2017 (17/00100). Here it is stated that personal information from the Norwegian Public Roads Administration's ANPR cameras became stored at the Norwegian Customs Directorate for 6 months without legal authority. Internally in the Directorate of Customs, there was one some disagreement as to whether the Directorate of Customs had a basis for processing information from the Norwegian Public Roads Administration's ANPR camera. Reference is made to this in the Directorate of Customs' report and point 5. 5 The Directorate of Customs' comments on the facts of the case This item is quoted from the Directorate of Customs' letter of 16 April 2019 for the items that is related to the assessment of the legal basis in the Customs Act § 13-12. 4Under section 2.2 of the above-mentioned letter, the Directorate of Customs explains the situation that it was internal disagreement in the assessment of whether the Directorate of Customs had a basis for processing to obtain personal information from the Norwegian Public Roads Administration's ANPR camera: It says here: «We have chosen to give a detailed description of the internal handling in the period 3. January 2018 and until the deviation report was sent on 29 June 2018. This is because In the notification of infringement fines, the Norwegian Data Protection Authority has chosen to mention an internal e-mail of 3. January 2018 and partly based on this concludes that the agency has not taken them necessary steps and therefore have acted klande1verdig in a way that is designated as grossly negligent on the verge of intentional. In September 2017, the director of customs decided to establish a privacy project that would map the agency's processing of personal data, and settle the status of the agency compliance with the privacy regulations. The privacy project started in November 2017 and had a close dialogue with the line on implementation. This led to two employees January 3, 2018 sent an email (not a note) to management with heading «Re. ANPR »who asked questions about the basis of treatment. We would like point out that it was a management initiative that led to the question being raised. The e-mail was sent to the section leader, who sent it to him the same day department director, with a proposal to have a meeting between the project and the lawyers who sent the email. The email of January 3, 2018 reads: «In connection with this work, we have [reference to the privacy project] has been made aware that the Customs collects and stores information from everyone The Norwegian Public Roads Administration's cameras for 6 months. Parts of this treatment are probably unauthorized. We therefore recommend that such treatment be stopped and that it assess whether the Data Inspectorate should be notified. We also recommend that you take into account the legal basis for the processing of information in the further the development of ANPR ». The department director considered that a more detailed account of it was necessary the legal basis before there was a basis for concluding whether the treatment was unauthorized. It is emphasized that the e-mail mentions that there were only parts of the treatment as probably was unauthorized. The ANPR project 2r financed with earmarked funds, approved by the Storting above the state budget. Further assignments have been given by the Ministry of Finance throughout The award letter for 2016. All enterprises are in accordance with the Financial Regulations in the state § 4 3 required to ensure sufficient management information and a sound basis for decision-making. As explained in section 3.1 is the legal situation and the collaboration with The Norwegian Public Roads Administration complex. It was not then, nor is it now, obvious that 1Datatilsynet's notification of infringement fee item 6 b) last paragraph, last two sentences 2Prop. 1 S (2015-2016) 3Regulations for financial management in the state within the state adopted on 12 December 2003, § 4 Basic management principles, letter c) The legal basis was not sufficient for the ongoing treatment, and the nor did the post provide any justification for this. The project itself believed that the treatment was in line with the legal basis. To act immediately on the e-mail, without further assessments, must be considered to be in conflict with the requirements of the financial regulations sound decision basis. At this time (January 2018), the department director had delegated the project owner responsibility for the ANPR project to the subject director. In the period 3 January 2018 to 11 January 2018, the department director, project owner and section leader discussed how the issue needed to be addressed further. In that the project seemed to have deviated assessments from the department's lawyers, and because it is the project that possesses factual knowledge of how the sign recognition system is used, it was considered important to involve the project in the work and establish an understanding of why it was important to address the issue. In addition, there was a history with communication challenges between the project and the legal team that we wanted to improve through involvement and collaboration. A meeting was held between the department director and the project manager on 11 January 2018. Department director asked the project to design an order for legal assessment «The basis (need) for us to have access to SVV's cameras and legal basis for data processing ». In an e-mail from the department director to the project manager on 24 January 2018, it sent a reminder on the order, where it was specified that it had to contain one assessment of «1) whether we have authority to access SVV's cameras, 2) whether the legal basis covers storage of information from SVV's cameras for 6 months, and 3) if we has the authority to publish information from ANPR to Statistics Norway ». It was clarified that this hastet. On 29 January 2018, the department director received an e-mail from the project manager stating confirmed that the order would be executed. Attached to the email was a note of 12 pages with the project's own assessment of the treatment basis, and their conclusion that it was adequate for practice. The department director responded to this email 4. February 2018 that it was requested that the order be sent to the legal team and not to the department director. On 8 February 2018, a new order was sent from department director for the project that a DPIA also had to be implemented (privacy impact assessment). On 15 February 2018, a mandate was sent for a legal assessment of 5 pages from project manager to project owner and department director, where it i.a. was recommended to set up a broad-based working group to carry out an investigation. Project owner and department director answered project manager in e- poster 14 February 2018 that it did not seem necessary to have such a «heavy rig at work ”which the establishment of a separate working group would entail, and that it therefore there was no need for a separate mandate for the work. It was specified that the focus should be to answer the three questions, that the project should share its assessment with legal team and that the project had to make itself available to contribute to the work. It was too specified that «if the lawyers in the work come across other relevant questions regarding. privacy, we must also bring these to the surface - the assignment must therefore not be interpreted restrictive, but as a minimum ». 6On the basis of the preliminary findings of the privacy project, the director of customs in the same period initiated a meeting with the Norwegian Data Protection Authority. The director of customs wanted to inform about the preliminary findings in the survey that the privacy project had initiated. The meeting was held on 9 February 2018 and the agency informed that it would be undertaken extensive work to establish adequate management and control for compliance with the Privacy Ordinance. This work is still in full swing. A meeting was held between the ANPR project and the legal team on 15 February 2018, as a start to further work. From 15 February 2018, it was the legal team who was responsible for continuing the work, and they submitted the report on 23 May 2018. The legal team has had a fairly independent role in the department, and to a large extent itself assessed priority and progress on their tasks - based on assessments of whom the client is, the materiality of the assignments, whether the tasks are urgent, the assignments scope etc. Legal team had at this time several assignments from The Ministry of Finance has a high priority and was under great pressure on the resource side. Two employees had left ila. 2017, of which one new recruited employee was to be trained in the same period and the second position remained vacant until December 2018. The management realizes that the work with the legal assessment in the current case should have been given clearer priority so that progress was faster, and that the work should have been followed up more closely. Given that it was the legal team that reported the issue in January 2018, it was assumed that the legal team itself made good assessments of this was precarious to deal with or not. Given also that the ANPR project had made a 12 sides assessment that the legal basis stood was the management of the opinion that it could be that the legal team in their work considered that the case in the spring of 2018 stood different from the email of January 3, 2018 suggested. The legal assessment submitted to the department director on 23 May 2018 was very difficult short, and it remained to carry out several assessments related to the cameras' specifics location and use. From the conclusion is hit: «We recommend that a concrete is taken assessment of which cameras monitor cross-border traffic, and that collection and storage from other cameras is stopped immediately and that already obtained information is deleted ». Management had expected that these assessments were already done, given that the project and the legal team were asked to cooperate, but it had to further assessments are made. For information, on 20 March 2018, organizational changes were made to the ANPR the project; department director entered the project ownership role and the project got a new one Project Manager. On 28 May 2018, the ANPR project was commissioned to make the specific assessment of which cameras monitor cross-border traffic, and which can not be said to do it. The project manager confirmed early on 29 May 2018 that the assignment had been received. Same Today, the department director informed the agency's privacy representative about the case, and about the need to conduct an assessment of the cameras' location and use. IN the period 29 May 2018 until the non-conformance report was sent on 29 June 2018, it was completed 7 further assessments; including which measures were to be implemented and how these could be implemented technically. In the same period was also top management and the Norwegian Public Roads Administration informed, meetings were held with both The Ministry of Finance, the Norwegian Data Protection Authority and the Privacy Ombudsman, and a draft deviation report was formulated. Access to those of the Norwegian Public Roads Administration's cameras that are not considered to capture cross-border activity (all cameras located other than on Svinesund) was deactivated on 22 June 2018, ie before the deviation report was formally sent through Altinn. The Customs has closed all non-conformities mentioned in the non-conformance report, even if questions related to the legal basis is still not finally clarified ». In the same letter, the Directorate of Customs explained the legal basis in the Customs Act § 13-12 following: "As stated in the introduction, it is a key question whether it exists legal basis for processing personal data from cameras that are not located on the border. The Norwegian Data Protection Authority has assumed that the basis for processing is regulated of the Customs Act § 13-12 which limits the use of the sign recognition system to «Cross-border traffic on the road». The Data Inspectorate considers that cameras placed places other than the border fall outside this legal basis and that the Customs Service consequently has processed personal data in violation of the processing basis. The Norwegian Data Protection Authority links the discussion of the deviation to the cameras owned by the Norwegian Public Roads Administration.4 The Customs Act § 13-12 first paragraph last sentence says nothing explicitly about where the surveillance can take place or who owns the camera, but what traffic that can be monitored (cross-border traffic). The decisive thing seems to be about the individual camera is placed in place that allows it to capture such traffic. It is specified in this context that the legal provision for the storage of information from sign-reading camera (Customs Act § 13-12 third paragraph) is general, but covers cross-border traffic when read together with the first paragraph. Ownership of the camera is consequently not decisive. The customs service still has access to information from three camera locations owned by the Norwegian Public Roads Administration and located at Svinesund. This is completely in line with the legal basis. Information from here can also be stored according to Section 13-12, third paragraph, of the Customs Act, with access only for the Customs' defined user groups. This understanding is not considered disputed and is used as a basis in the following. The decisive factor is whether the camera captures "cross-border traffic" according to Customs Act § 13-12, or if the treatment is covered by another treatment basis. It is not considered disputed that the Customs Service has authority in the Customs Act § 13-12 to collect and store information from the camera located at the border. 4Talked either as «The Norwegian Public Roads Administration's cameras» or «ANPR cameras where the Norwegian Public Roads Administration is responsible for processing». 8 The theme from here will consequently be whether there is a treatment basis for the camera as are located elsewhere in the customs area than at the border. The legal situation here is more unclear. The customs service has several tasks (and legal basis) related to vehicle control. The customs service may, as part of the goods transport control, control any means of transport and any person on his way to or from the border. This follows from the Customs Act § 1-5 (customs authorities' control of the movement of goods) cf. §§ 13-1 and 13-3 first paragraph letter a) «The customs authorities may stop and investigate any other [than vessels, aircraft] means of transport en route to or from the customs border ». This the access to control applies in general, without the need for concrete suspicion. Customs can also carry out inspections at unloading and loading places, customs warehouses and several others areas and means of transport in the customs area when it is to bring about a commodity is or is sought to be evaded from the control of the customs authorities. 5 The customs service also has other control tasks related to vehicles, authorized in the Road Traffic Act 6 § 36 third paragraph, the Tax Administration Act 7 § 10-8 and the Tax Payment Act § 14-11 third paragraph. These give the authority to “at any time without notice check motor vehicles to ensure that provisions for annual fee for motor vehicle… is complied with », as well as to revoke identification and vehicle card when using vehicles will be banned due to lack of periodic vehicle inspection, lack of re-registration, when the vehicle is not in proper condition or the load is not sufficient secured, and to carry out signage when there is a ban on use associated with non-payment of insurance and fees. Pursuant to the Road Traffic Act § 10 is The customs service delegated authority to control and impose a ban on the use of violation of provisions on requirements for tread depth in tires and the obligation to bring chains. As mentioned, the Customs Act § 13-12, first paragraph, last sentence says nothing explicitly about where the monitoring can take place, but which traffic can be monitored («border crossing traffic"). The crucial thing seems to be whether the individual camera is placed in a place like allows it to capture such traffic. Cameras located domestically also capture traffic coming from or going to the border. The wording of the provision, the purpose and the connection with the Customs' other control powers, especially the connection with Section 13-3, first paragraph, letter b) of the Customs Act, which discusses control access to any means of transport which are «en route to or from the border» are therefore not necessarily available prevents the Customs from processing information from cameras located elsewhere than at the border crossings (or in close proximity to these). 5 The Customs Act § 13-1 first paragraph letters a) to d), § 13-2 and § 13-3 first paragraph letters a) to d). 6LOV-1965-06-18-4 7LOV-2018-12-20-110 8LOV-2018-12-20-106 9FOR-2002-03-11-236 9 If the Customs Act § 13-12 should not provide a legal basis for processing personal data from ANPR cameras in areas other than the border not without further ado that the Customs Service has no basis for treatment. The customs service has a legal basis to exercise authority throughout the customs territory. Particularly relevant in this context is the provision in the Customs Act § 13-3 (1) letters a and b. The customs authorities are given great freedom to take the measures deemed necessary to carry out this inspection, cf. Customs Act § 13-3 (2). Whether the Customs Service has a legal basis for such monitoring therefore depends on a specific assessment of whether the measure is considered «necessary for the implementation of control of means of transport », cf. the Customs Act § 13-3 (2), cf. § 13-3 (1) letter b. can therefore be argued that the customs authorities have the authority to process personal data from cameras in places in the customs area where means of transport to or from the border normally passes, even if these places are not located by themselves border crossings. The customs service may therefore have a basis for processing also for the processing of personal information from sign-reading cameras outside the border crossings. However, the preparatory work 10 for the legislative amendment in 2017 indicates that the system was intended 11 deployed in connection with the border crossings. Also the Storting's allocation for 2016 for further roll-out of the system is linked to the physical boundary, as well as ferry terminals with foreign traffic. The same is stated in the Allocation Letter to the Customs Service for 2016 which in section 4.2.2 mentions that electronic presence must be established 'by all road border crossings ». Although the Customs may also have a basis for processing the use of sign recognition system located domestically, there are, as shown, several factors that speak for that such use is intended for purposes and limitations other than the border control tasks. However, the Customs Service has a legal basis under the Road Traffic Act, the Tax Administration Act and the Tax Payment Act, which form the basis for camera surveillance according to the purpose of these provisions. In that case, have the treatments had the same or very similar purpose as for the Norwegian Public Roads Administration's use. There are then arguments that there is no conflict of purpose related to the acquisition, but for the use of the information and storage of it. It is relevant to consider the framework for the use of mobile cameras. It has not been disputed that the Customs can use mobile cameras both for control tasks after the Customs Act § 13-12 and according to the Road Traffic Act, the Tax Administration Act and the Tax Payment Act, but then in line with these purposes and the framework that applies after 12 the general rules of the privacy regulations. 10Prop. 1 LS (2016-2017) 11 Prop. 1 S (2015-2016) 12 The Personal Data Act and the Privacy Ordinance, depending on the time of the choice of law 10 13 In the consultation note for the amendment to the Customs Act § 13-12, the use of the mobile phones was made the cameras briefly discussed in connection with the expansion of storage access; «The provision will also cover the possible use of mobile camera devices for collection of similar information of the cross-border traffic, but not if such devices are used in other areas and for purposes other than border control. In such cases, collection, treatment and storage will follow them general provisions of the Personal Data Act ». In Prop. 1 LS (2016-2017) chapter 13.5.3 it is specified that «The customs service's use of mobile sign recognition units is covered in principle not of the proposal, but formally they will be included if used in places covered by the proposal. Normally these devices are used elsewhere and occasionally purposes other than control of the movement of goods in and out of the country ». It is a weakness that the preparatory work for the Customs Act § 13-12 and the background documentation for the transfer of tasks from the Customs and Excise Department to the Tax Administration (as discussed in the factual description under point 2.1) only to a very limited extent mentions the use of the sign recognition system for the control tasks related to the car taxes and those the control tasks that the Customs Service performs on the basis of the Road Traffic Act. The access to The Norwegian Public Roads Administration's domestic cameras were established at a time when the Customs was responsible for and carried out tax inspections to a large extent, also domestically. Establishment of a clear legal basis for using sign-reading cameras for these the tasks were in reality only barely mentioned during the preparation and consultation of the Customs Act § 13-12. There is reason to believe that the reason for this modest mention was that the hearing in coincided with the transfer of tasks to the Tax Administration and is still clear which of the two agencies was to carry out the physical checks in practice. However, it must still be possible to claim that there is a basis for treatment in order to use sign-reading cameras domestically to carry out checks after the Road Traffic Act, the Tax Administration Act and the Tax Payment Act, provided that they general requirements for processing are met (including that the information is not stored, access control is limited and that there is no compilation of the information as is contrary to the purpose behind the collection). There are also grounds for claiming that Domestically placed cameras can capture cross-border traffic, and that it can therefore there is also a basis for processing the use of information from such cameras control of the movement of goods. As mentioned, this is connected with an assessment of that The customs service has the opportunity to carry out physical checks elsewhere than at the border, as stated in the Customs Act §§ 13-3 first paragraph letter b) cf. 13-1 first paragraph letter a), b) and c). The Norwegian Customs Directorate emphasizes that there are uncertainties regarding the scope of the legal basis which implies that we should change the use of the sign recognition system 13Consultation note - extended retention period for information from the Customs Service's sign recognition system (ANPR) Case no. 16/23 22.06.2016 11 to the question was clarified. This decision was made precisely because the Customs wants to safeguard privacy and create clear predictability for the treatment of personal information provided by the agency. The agency could have come to a different conclusion. In that case, the issue would be different. The assessment of that the basis for treatment must be understood in the historical context and the conclusion is after our view is not entirely obvious. The agency has obtained external expertise to assist in this assessment, and will submit further comments when this work is completed. If the Data Inspectorate chooses to grasp decision before this work is completed, we ask that the uncertainty appears in the decision, by emphasizing that there is not a sufficiently clear basis for treatment for the practice that has been established. The Data Inspectorate claims that all passages are registered and stored in the ANPR system, as well those not subject to control. We must emphasize that this is in line with the legal basis in the Customs Act § 13-12. The reason for storage access was precisely that the Customs should be able to make analyzes of the cross-border traffic in order to target controls better. Reference is made to Prop. 1 LS (2016-2017) where it appears clearly why and how the Customs should use the stored information; to find frequency of entrances and exits, compliance with other vehicles and location and time of traffic that deviates from the expected normal flow, assess how the traffic affected by control activity etc. It would therefore be pointless to store information only on controlled vehicles. We can not see what relevance it has for this case that The Norwegian Public Roads Administration can only store information about inspected cars with defects. This affects other systems and legal basis than the sign recognition system. " 6 The Data Inspectorate's assessment of the offense 6.1 Treatment responsibility We assume that the Norwegian Customs is responsible for processing personal information that is done using the ANPR cameras in the border control. We have further assumed that the Norwegian Public Roads Administration will be responsible for processing personal information in ANPR cameras used for other control of vehicles, e.g. if it has completed compulsory EU control, paid tolls, etc. 6.2 «Cross-border traffic» Section 13-12 of the Customs Act states that «[for] the same purpose, cross-border traffic may the highway and ferry terminals with foreign traffic are monitored by the customs authorities during use of sign recognition system. In prop.1 LS (2016-2017) this is discussed under section 13.1 where «[The] Ministry proposes to legislate the right to store information from the Customs Service sign recognition system (ANPR), and that the retention period for information obtained is extended from one hour to six months. The proposal will help strengthen border control. 14Datatilsynet's notification of infringement fee item 2 «Use of ANPR in the Norwegian Customs Directorate», first paragraph on page 3, last sentence It is further stated in section 13.5.1 that the scheme is extended to include monitoring of all border crossings on the road and all ferry terminals. Finally, the above proposition states that «[t] he proposals for changes and expansion of The customs authorities' control documents, etc. and several sanction options promoted in this the proposition, is part of the work to strengthen the Customs' border control », see section 13.2 last paragraph. The Norwegian Data Protection Authority understands "border control" in the proposition as synonymous with the term «Cross-border traffic». In our view, this is clear from the wording that «cross-border traffic »cannot extend beyond the pure border crossings. Becomes the sign recognition system used beyond the pure border controls (at the border), this must consequently be clearly anchored in the legal basis. In our opinion, a discretionary and expansive interpretation of "cross-border traffic" will conflict with the principle of legality. The number of people affected is large, ie more millions. The principle of legality shall ensure that important issues of an intrusive nature, such as restricts the citizens' freedom and changes the rights and obligations of the citizens, shall be dealt with by The Storting. Protection of citizens is central. A comprehensive legal process will lead to the questions get a thorough case processing and the various issues related to different rules will be studied and discussed. Such a process is considered an important part of our legal security. Claim on the basis of formal law will also prevent arbitrariness and abuse by the administration. A monitoring of private individuals by the Norwegian Customs Directorate is too strong remedy and cannot take place without this being clearly enshrined in formal law. 6.3 Does the Customs Act § 13-12 also include collection from external data controllers? Based on the deviation report from the Norwegian Public Roads Administration of 25 January 2017 and The Customs Directorate's non-conformance report of 29 June 2018, the Customs Directorate has been aware that the agency's processing of personal data could be in breach of the Customs Act § 13-12. This also admits the Directorate of Customs. This indicates that the Directorate of Customs in the period from 1 January 2017 and to deviations were sent The Data Inspectorate has processed personal data without basis for processing pursuant to the Personal Data Act 2000 § 11 first paragraph letter a, cf. § 8. Both the Norwegian Customs Directorate and the Norwegian Public Roads Administration collect personal information using ANPR system. The collections take place for different purposes. . We have assumed that the Customs Directorate and the Norwegian Public Roads Administration are responsible for processing various processing of personal data, which happens using different cameras. That the Directorate of Customs and the Norwegian Public Roads Administration have any joint control tasks under the Road Traffic Act, does not entail any change in this. After Section 13-12 no. 1 of the Customs Act states that «when planning, targeting and implementing controls, the customs authorities can collect, store, compile and use necessary personal data, including health data, cf. the Privacy Ordinance Article 9 no.1 and information as mentioned in the Privacy Regulation Article 10. For the same purpose can cross-border traffic on the road and ferry terminals with foreign traffic are monitored by the customs authorities when using the sign recognition system » 13 As the Data Inspectorate sees it, § 13-12 does not provide any legal authority for the Customs Authorities to process personal data collected from the part of the database where the State The Norwegian Public Roads Administration is responsible for processing. After this, we have come to the conclusion that the Directorate of Customs did not have a legal basis to process personal information from the cameras that did not belong to the Customs. The Data Inspectorate also points out that in prop. 1 LS section 13.1 Section 7 states that the right to store the information for six months applies «from the Customs' sign recognition system». The Data Inspectorate has also noted section 13.5 of the proposition, which applies to extended storage time for information from the «Customs' sign recognition system». This must, as the Data Inspectorate sees it, be understandable that the legislature has decided that the provision only applies to the Customs Service's own camera. The statements as mentioned in the said proposition clearly speak in favor of delimiting the legal entity treatment. 7 General information on infringement fines The Data Inspectorate believes it is necessary to respond to the offenses described above. IN pursuant to the Personal Data Act 2018, cf. section 33, cf. the Personal Data Act 2000 § 46 may The Data Inspectorate imposes an infringement fee: «The Data Inspectorate may impose on anyone who has violated this Act or regulations in pursuant to it, to pay a sum of money to the Treasury (infringement fee) of up to 10 times the basic amount in the National Insurance Scheme. Natural persons can only be imposed infringement fee for intentional or negligent infringements. A company can not an infringement fee is imposed if the infringement is due to circumstances outside the company control. When assessing whether an infringement fee should be imposed, and when determining, it should particular emphasis is placed on a) how seriously the violation has violated the interests protected by law, b) the degree of guilt, c) about the offender by guidelines, instruction, training, control or other measures could have prevented the infringement, d) whether the infringement was committed to promote the interests of the infringer, e) whether the offender has had or could have obtained an advantage in the infringement, f) if there is a repetition, g) whether other reactions as a result of the violation are imposed on the violator or someone else who has acted on behalf of this, including someone individual is punished and (h) the financial capacity of the offender. " The Personal Data Act 2000 § 46 provides in principle instructions for the imposition of violation fee is based on a discretionary overall assessment, but adds guidance the exercise of discretion by highlighting factors that should have special weight, taking into account that The imposition of infringement fines in each individual case shall be effective, proportionate and deterrent. The right to impose infringement fines is provided as a means of ensuring effective compliance with and enforcement of the Personal Data Act. Infringement fee is to be regarded as punishment under Article 6 of the European Convention on Human Rights, cf. also the Supreme Court decision in Rt. 2012 page 1556 with further references. The Norwegian Data Protection Authority therefore assumes that a clear preponderance of probabilities is required offense in order to impose a fee. The case and the question of imposing infringement fines are assessed on the basis of this evidentiary requirement. The Norwegian Data Protection Authority finds it clear that the Norwegian Customs has lacked a basis for processing processing of the personal data collected and stored regarding the ANPR the cameras where the Norwegian Public Roads Administration is responsible for processing, cf. the Personal Data Act § 11 first paragraph letter a, cf. § 8. We have placed particular emphasis on the following aspects in our assessment of whether or not infringement fines must be imposed: a) how seriously the violation has violated the interests protected by law The Personal Data Act 2000 § 11 is the main provision in the Act, and sets basic requirements the processing of personal data. Lack of treatment basis must be considered as one serious violation. In this way, reference is also made to the notice sent by the customs authorities' own lawyers where it is pointed out that the agency lacks a basis for treatment for its treatment of personal information on the Norwegian Public Roads Administration's ANPR cameras. This means that the Directorate of Customs has had knowledge that the agency could have processed personal information beyond what the Customs Act authorized. The Data Inspectorate is surprised that the Customs has not clarified the legal basis before obtaining personal information from the Norwegian Public Roads Administration its ANPR camera. In the Data Inspectorate's view, the Customs Act § 13-12 does not provide a legal basis, as such the Personal Data Act requires, for the Customs authorities to process personal data as is collected from the part of the database for which the Norwegian Public Roads Administration is responsible for processing. b) the degree of guilt Pursuant to section 46 of the Public Administration Act, an administrative sanction may be imposed on an enterprise even if no individual has shown guilt. This means that the Norwegian Public Roads Administration has an objective liability. By enterprise is meant i.a. public company. The Norwegian Data Protection Authority takes a serious view that a control authority such as the Customs does not clarify in advance the legal basis, before personal information is obtained from the Norwegian Public Roads Administration. All the while the above proposition in such clear terms announces that extended storage time only includes The Customs' own sign recognition system must be regarded as grossly negligent. 15Datatilsynet takes a serious view of the fact that the Norwegian Customs Directorate had early knowledge of this without having to found a satisfactory solution to the problem. When the agency became aware that doubts had been raised the basis for treatment, the treatment should have been stopped until clarification of this was available. The Data Inspectorate therefore concludes that there was no basis for processing pursuant to section 8 to process information from the Norwegian Public Roads Administration's ANPR camera. Lawyers in the Norwegian Customs Directorate also notified the management in a note of 3 January 2018. By not taking the necessary steps, and stopped the storage of personal data from the Norwegian Public Roads Administration's ANPR camera, the agency has acted reprehensibly. c) about the offender by guidelines, instruction, training, control or other measures could have prevented the infringement It is clear that the Directorate of Customs could have prevented the deviation by establishing routines that would prevented the deletion period of 6 months from including personal data other than them The Norwegian Customs Directorate was responsible for processing. d) whether the violation was committed to promote the interests of the violator It can be stated that the deviation has taken place to promote the Customs Directorate's interests. See point e). e) whether the infringer has had or could have obtained an advantage in the infringement It can be stated that the Directorate of Customs has utilized information covered by the deviation. This applies in particular to the use of the Norwegian Public Roads Administration's ANPR cameras. The information has been used in the customs authority's control without the agency having treatment basis for this. f) whether there is a repetition No repetition can be found in the case. g) whether other reactions as a result of the violation are imposed on the violator or anyone else who has acted on behalf of this, including whether any individual is punished It is not stated in the case about such matters. (h) the financial capacity of the offender The Norwegian Data Protection Authority has not placed significant emphasis on the Directorate of Customs' financial capacity. In assessing whether an infringement fee should be imposed, the Norwegian Data Protection Authority places particular emphasis on the fact that The Directorate of Customs has been aware of the discrepancies at an early stage, and could therefore have adjusted so that the deviation could have been limited. Processing of personal data from ANPR camera which the Norwegian Public Roads Administration was responsible for processing should have been stopped from the moment it Doubts were raised about the scope of the Customs Act § 13-12. The Norwegian Data Protection Authority has also emphasized them general preventive considerations in the case. Following this, the Data Inspectorate has come to the conclusion that an infringement fee should be imposed. 168 Amount of the fee With regard to the size of the fee, the same factors shall apply as when assessing whether the fee shall be imposed, special weight shall be given. The conditions the Data Inspectorate has pointed out above speak for themselves fee of a significant size. The fee should be set so high that it also has an effect beyond it concrete case. Significant emphasis has been placed on the fact that the Norwegian Customs has monitored 70.4 million crossings, where the number of affected persons is estimated at 7-8 million, without there being any basis for treatment the Personal Data Act 2000 § 8 for this. Norwegian citizens have an expectation that it does not Surveillance methods are used that illegally violate the right to privacy and involve illegal activities invasion of privacy. Secondly, the Norwegian Customs has made use of images from the ANPR cameras to the Norwegian Public Roads Administration without a basis for processing pursuant to the Personal Data Act 2000 § 8. The Norwegian Customs Directorate has had knowledge of the discrepancies without having rectified the situation in time. It must in particular, it is expected that a public agency is familiar with and relates to the current privacy legislation, and the ability to quickly correct pointed out discrepancies. Since this has not happened is it required a severe reaction. The signal effect of this case, they general preventive considerations, we believe are clear. We want to clarify that such incidents must not happen and that all public bodies that process personal data must be themselves conscious of their responsibilities. In an aggravating direction, we would like to point out that the Directorate of Customs, against better knowledge, has acquired and made use of the information covered by the discrepancy. In a mitigating direction, it must be taken into account that the Customs has taken action on its own initiative the legal problem, and made a reassessment of this. After an overall assessment of the case and especially with regard to the seriousness of the violation, we have concluded that an infringement fine of 400,000 is considered correct. 9 Concluding remarks Right of appeal This decision can be appealed in accordance with the provisions of the Public Administration Act. Possible complaint must be submitted to the Norwegian Data Protection Authority by 25 November 2020 after the decision was received. One any complaint is sent to the Privacy Board for complaint processing. The Data Inspectorate does in it connection aware of the right of access to the case documents, cf. the Public Administration Act § 18. The fulfillment deadline is four weeks from the decision was made, cf. the Public Administration Act § 44.