Datatilsynet - 20/02058 - Smittestopp

From GDPRhub
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(a) GDPR; Article 5(1)(c) GDPR; Article 15 GDPR
Type: Investigation
Outcome: Violation Found
Decided: 12.06.2020
Published: 15.06.2020
Fine: None
Parties: n/a
National Case Number/Name: 20/02058 - Smittestopp
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: n/a

Datatilsynet issued the controller Folkehelseinstituttet (the Institute of Public Health) a temporary ban on the processing of personal data by the covid-19 tracking app “Smittestopp”. Datatilsynet found a breach of the principle of data minimization, the right of access and the principle of transparency, pursuant to Articles 5(1)(a), 5(1)(c) and 15.

English Summary

Facts

The temporary ban stems from Datatilsynet’s decision to inspect the tracking app “Smittestopp”. Datatilsynet had earlier commented on the lack of an analysis of the risks and vulnerabilities connected to the use of the app. Datatilsynet decided to evaluate the app after receiving the Institute of Public Health’s answers to an order to provide information, which concerned the usefulness of the app and whether the interference with users’ privacy was proportionate.

Unlike many other apps, Smittestopp uses location data (to track movement) in addition to Bluetooth (to track whom users were in contact with). The personal data is first stored locally, but approximately once an hour it is sent to an Azure server located in Ireland. If it could not connect to the server, the app would keep trying to send the data for seven days. The data was stored centrally for a maximum of 30 days. It was later planned that the data should be stored for a maximum of ten days.

The uploaded personal data was used for two purposes: tracking and limiting the spread of covid-19, and research and analysis on aggregated and anonymised data.

Notification of covid-19 infections was only implemented in three (test) municipalities. A way to analyse, aggregate and anonymise the data was not in place at the time of the decision.

Users could not choose whether to share their data for one purpose or for both.

Dispute

The question for Datatilsynet was whether the way the app was implemented and processed data was in line with the legal requirements under the GDPR, mainly data minimization.

Holding

Datatilsynet highlighted that the app is a major interference with users’ privacy, even during the threat of a pandemic, which means that the processing of personal data has to be necessary and proportionate. Part of this evaluation considered the social benefit of the app. According to the latest numbers, around 50-550 people in Norway were/are infected – approximately 0.01 % of the population. Existing measures seem to work well in containing the spread of the virus.

Datatilsynet highlighted that the privacy impact happened at the time of collection, regardless of whether the measures to anonymise, aggregate and use the data for research purposes were implemented, as the personal data is collected for these purposes. It further stressed that, as a controller, the Public Health Institute is responsible for clarifying which personal data is used for what purpose, and that the Public Health Institute needs to establish that it is necessary to process each specific (category of) personal data for the specific purpose.

Even if the measures to anonymise the information are not implemented, the Public Health Institute should have a better overview of which information was necessary to achieve the different purposes of tracking and anonymization.

Datatilsynet also highlighted that, in the eyes of the DPA, Bluetooth technology is sufficient to achieve the aim of tracking and notifying users of covid-19 infection. It added that the Public Health Institute had not satisfactorily explained why GPS location data was strictly necessary. In addition, users should have the option to have their data used for only one purpose and not the other, if they so wanted.

Datatilsynet concluded that Smittestopp did not limit its data collection to what is necessary to fulfil the purpose of the app. As such, Datatilsynet found the app to be in breach of the data minimization principle found in Article 5(1)(c) GDPR.

The Public Health Institute did not have a good solution for dealing with subject access requests. In addition, deleting uploaded data from the app also deleted information about who had accessed the personal data. Datatilsynet highlighted that both were a breach of the data subject’s right of access under Article 15 GDPR, and thus also a breach of the principle of openness pursuant to Article 5(1)(a) GDPR.

Datatilsynet stressed that by issuing a temporary ban it would have the opportunity to evaluate whether the users' privacy was sufficiently protected when the Public Health Institute wanted to resume processing. Datatilsynet highlighted that, in its view, the Public Health Institute would need to document more thoroughly that the processing was proportionate and necessary, or change the implementation.

Datatilsynet emphasized that it was not finished reviewing the security of the app.

Comment

The Institute of Public Health could have processed personal data until the deadline on 23.06.2020. Instead, it chose to stop the processing operations on 15.06.2020 and deleted the collected data on 16.06.2020.


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.