PVN - PVN-2024-03

From GDPRhub
PVN - PVN-2024-03
Courts logo1.png
Court: Personvernnemnda (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1) GDPR
Article 14(1)(d) GDPR
Article 14(1)(f) GDPR
Article 58(2) GDPR
Decided: 27.08.2024
Published:
Parties: Human-Etisk Forbund (the Norwegian Humanist Association )
the Church of Norway
National Case Number/Name: PVN-2024-03
European Case Law Identifier:
Appeal from: Datatilsynet (Norway)
20/01772-25
Appeal to: Unknown
Original Language(s): Norwegian
Original Source: Personvernnemnda (Norway) (in Norwegian)
Initial Contributor: wp

The Data Protection Board dismissed a data subject’s appeal against the DPA’s decision to reprimand the Church of Norway. The Appeals Board held that the data subject had no right to appeal against corrective measures they consider too lenient.

English Summary

Facts

The Church of Norway had access to birth certificates of children. Some data subjects discovered that they or their children were listed as member of the Church of Norway. Although the state church system was abolished, and there was no legal basis for access to confidential information from the National Population Register, the data were processed by the Church of Norway.

The data subjects lodged a complaint with the Norwegian DPA (Datatilsynet). In parallel, a Norwegian NGO, the Norwegian Humanist Association (Human-Etisk Forbund) filed similar complaints on behalf of five of its members.

The DPA reprimanded the Church of Norway for a violation of Article 6(1) GDPR, Article 14(1)(d) GDPR, Article 14(2)(f) GDPR in conjunction with Article 12(1) GDPR. The DPA found the Church of Norway accessed and processed birth certificates for members' children from the National Population Register without a legal basis. Additionally, the Church of Norway didn’t provide its members with easy accessible information about the processing taking place.

The data subject, including the ones represented by the Norwegian Humanist Association, appealed against the DPA decision with the Data Protection Board (Personvernnemnda). The data subjects stood on a position that the reprimand issued against the Church or Norway was inadequate and more severe correction measures needed to be applied by the DPA.

Holding

The Data Protection Board dismissed the appeal.

The aim of the appeal was to contest the measures applied by the DPA in reaction to the GDPR violation. However, the Board found no need to reconsider the appropriateness of the measure imposed by the DPA. The Privacy Appeals Board emphasised that the DPA’s choice of reaction towards a violation of the GDPR was not supposed to be influenced by data subject’s expectation of “revenge”. Hence, the data subject had no interest in the outcome of the case after the DPA's correction measure brought the processing into compliance with the GDPR.

In addition, the Board mentioned that the data subject, who felt they suffered damage due to violation of the GDPR, are entitled to claim damages before the court.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

The Norwegian Privacy Board's decision on 27 August 2024 (Mari Bø Haugstad, Bjørnar Borvik, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem, Morten Goodwin, Malin Tønseth)
The case concerns a complaint from the Human-Ethical Association, on behalf of five of its members, as well as similar complaints from three individuals who are not members of the Human-Ethical Association; A, B and C. The complaint concerns the Norwegian Data Protection Authority's decision on 28 June 2023, where the Norwegian Data Protection Authority rejected a complaint about the Danish Norwegian Data Protection Authority's decision to reprimand the Church of Norway for breaching the privacy regulation.
Background of the case
The Church Act's automatic affiliation scheme for children in the Church of Norway was repealed when the new Religious Communities Act came into force on 1 January 2021. The new Religious Communities Act replaced both the Church Act and the Act on Faith Communities and many other things. In the draft law, Prop. 130 L (2018-2019) p. 141, it follows:
"Since the law no longer provides rules that children automatically belong to the Church of Norway as long as one or both parents are members, there will not be a statutory requirement for relatives to be included in the register, cf. also the notes to the individual provisions in the proposed law § 17.”
Before the new Religious Communities Act came into force on 1 January 2021, it followed from § 3 no. 2 of the Church Act that children are considered to belong to the Church of Norway if one of the parents is a member. Children who were considered to belong to the Church of Norway became members of this when they were baptized. If the child turned 18 without being baptised, that person was no longer considered to belong to the Church of Norway, cf. § 3 no. 5. Persons who were considered to belong to or were members of the Church of Norway were registered in The Church of Norway's central membership register, cf. § 3 no. 10. Rules on the keeping of the register were given by the Church Meeting, and the Church Council is responsible for processing the central membership register, cf. regulations on the Church of Norway's membership register § 4.
In the past, the Church of Norway has received digital birth notifications directly from the National Register of Citizens. Linked to the membership information registered on parents, the Church of Norway could thus enter relatives into the church's membership register based on this information. In the National Register Act, which entered into force on 1 October 2017, information about kinship is subject to a duty of confidentiality, cf. Section 9-1 of the National Register Act, and can only be disclosed to public and private enterprises that are authorized by law to obtain this information, cf. Section 10- 2. The Church of Norway was authorized to receive the birth notifications in the transitional arrangement in the National Register Act Section 13-1 until 1 October 2018, but after this did not have any such legal authority.
The Human-Ethical Association and the individual complainants (hereinafter the complainants) v/lawyer Kristian Foss approached the Data Protection Authority on 28 February 2020 and complained about the processing of minors' personal data in the Church of Norway. They stated that they or their children were still listed as belonging to the Church of Norway, despite the fact that the state church system had been abolished, the new National Register Act had entered into force and the authority for access to confidential information from the National Register had ceased. This also applied to one child born after 1 October 2018.
On 12 August 2020, the Norwegian Data Protection Authority asked the Church of Norway to explain the case. The Church of Norway gave such an explanation on 2 September 2020. The Norwegian Data Protection Authority asked for further explanations on 16 December 2020 and 21 April 2021. The Church of Norway answered the inquiries on 22 January and 11 May 2021.
The Norwegian Data Protection Authority notified the Church of Norway on 23 June 2021 that the Norwegian Data Protection Authority would make a decision on reprimands for violations of the Personal Protection Regulation article 6 no. 1 and article 14 no. 1 letter d and no. 2 letter f, cf. article 12 no. 1. also sent a letter to the Church of Norway on the same day pointing out the duty related to the processing of personal data.
Both the Church of Norway and the complainants responded to the notice on 1 July and 7 September 2021, respectively. The Church of Norway apologized for the breaches of the regulation and took note of the supervisory authority's notified decision on reprimand. The complainants stated that the reaction "reprimand" was too mild.
The Norwegian Data Protection Authority made the following decision on 9 January 2023, cf. the Personal Protection Regulation article 58 no. 2 letter b:
"The Norwegian Data Protection Authority hereby adopts a decision on reprimand against the Church of Norway at the Church Council, 818 066 872, for:
Violation of the personal data protection regulation article 6 no. 1, by obtaining birth notices for members' children from the National Register from 1 October to 14 November 2018, and by continuing to store the personal data collected through the birth notices, without a valid legal basis.
Violation of the personal protection regulation article 14 no. 1 letter d and no. 2 letter f, cf. article 12 no. 1, by not providing easily accessible information to the registered about the collection of birth notices for members' children from the National Register."
The Norwegian Data Protection Authority clarified in the decision that a reprimand is an administrative reaction with the purpose of highlighting criticism of the mentioned breaches of the rules, and that such a reprimand can be weighted when assessing infringement fees for subsequent similar breaches of the regulations, cf. the Personal Protection Regulation article 83 no. 2 letter i The Authority stated that the decision could be appealed by the Church of Norway.
The Norwegian Data Protection Authority forwarded the decision to the Human-Ethical Association on 9 January 2023. In the accompanying letter, the Norwegian Data Protection Authority writes that it considered the breaches to be serious, but did not find it necessary to react with an infringement fee against the Church of Norway.
In the appeal against the decision on 3 February 2023, the complainants argued that the authority should have imposed an infringement fee to highlight the seriousness of the privacy breach.
The Danish Data Protection Authority forwarded the complaint to the Church of Norway on 7 March 2023, which gave its comments on the complaint on 14 March 2023.
The Danish Data Protection Authority rejected the complaint on 28 June 2023 citing that there was no right of appeal, cf. section 28 first paragraph of the Public Administration Act.
After the postponed appeal deadline, the complainants lodged a timely appeal against the rejection decision on 7 September 2023. The Norwegian Data Protection Authority assessed the appeal, but found no basis for changing its decision.
The case was forwarded to the Personal Protection Board on 8 February 2024. The complainants were informed about the case in a letter from the board on 13 November 2023, and were given the opportunity to make comments. The complainants have given comments in a letter on 5 March 2024.
The case was dealt with in the board's meeting on 27 August 2024. The privacy board had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik, Hans Marius Graasvold, Ellen Økland Blinkenberg, Morten Goodwin, Hans Marius Tessem and Malin Tønseth. Investigation leader Anette Klem Funderud was also present.
The Norwegian Data Protection Authority's assessment in brief
It follows from Section 28, first paragraph of the Public Administration Act that a "single decision" can be appealed by a "party" or another with a "legal appeal interest" in the case.
The Norwegian Data Protection Authority's reprimand against the Church of Norway is a "single decision" that the church, in its capacity as "the decision is aimed at", can complain about, which has not been done.
The complainants do not have the right to appeal against the Norwegian Data Protection Authority's imposition of a sanction, as this is not a decision directed at the complainant nor is it decisive for the person concerned's rights and duties, cf. the Administrative Act § 2. In the cases PVN-2020-07 and PVN, the Personal Protection Board has -2020-10 based on the fact that the Norwegian Data Protection Authority's choice of reaction – including failure to impose an infringement fee for established offenses – is not "decisive" for the complainants' "rights and duties", and that this is thus not a "single decision" that the data subjects can appeal.
The Norwegian Data Protection Authority assumes that the complainants are not parties connected to the Data Protection Authority's choice of reaction against the Church of Norway. The Authority then assesses whether the complainants still have a "legal interest in appealing" for this decision.
The Norwegian Data Protection Authority assumes that failure to impose an infringement fee has no legal consequences for the complainants, or clear/direct factual consequences for them. The interest in a stricter reaction is limited to the Church of Norway being punished more severely. Such an interest is not of such a nature that there is a "legal appeal interest". Nor does the statement that an infringement fee to a greater extent than a reprimand will have a preventive effect against future breaches indicate that the complainants have a legal interest in complaining. The effect is too derivative for the complainants, both in terms of topicality and connection, cf. also Bjørn O. Berg, Administrative sanctions 2005, page 93.
The Danish Data Protection Authority concludes that the complainants do not have a "legal interest in making a complaint", cf. Section 28 of the Administrative Procedure Act. The conditions for processing the complaint have not been met, and the Danish Data Protection Authority rejects the complaint.
The complainants' view of the case in brief
The decision of 9 January 2023 on the reprimand against the Church of Norway is a single decision because it is a sanction against the Church of Norway and therefore applies to the Church of Norway's rights and duties, cf. section 2 letter b of the Administration Act.
In addition to the parties to an individual decision having the right to appeal, others with a "legal interest in appeal" have the right to appeal, cf. section 28 first paragraph of the Administration Act. It is not a requirement that the decision is at the same time a single decision vis-à-vis the persons with a legal appeal interest. Then they would have the right to appeal as a party anyway.
The right to appeal, like other specially affected persons, follows a separate track, with its own requirements for connection. The purpose is to expand the circle of people who can complain. Assessing whether the complainants have the right to appeal based on the question of whether the reprimand is a single decision towards the complainants, as the Norwegian Data Protection Authority does, is wrong.
Possibly the misunderstanding stems from the Personal Protection Board's cases in PVN-2020-07 and PVN-2020-10 to which the Data Protection Authority refers. In both cases, the Personal Data Protection Board raises questions about "The Norwegian Data Protection Authority's decision, whether to issue any order or impose any sanction for this breach, is a decision that determines the rights and obligations of the data subject(s) and thus a single decision that the data subject can appeal" , cf. PVN-2020-07. This is a correct question only if the complainants claimed to have the right to complain because they were a party to the case, cf. the Administration Act section 28 first paragraph and section 2 letter b and e. The correct question in our case is a) about the Norwegian Data Protection Authority's decision to reprimand Den norske church is an individual decision for some, and if so, b) whether the complainants have a legal interest in complaining.
Whether you have a legal appeal depends on a concrete overall assessment. The overarching question is whether the decision affects the complainants in a way that makes it reasonable and natural for the person in question to have access to appeal. The norm determines how strong the requirement's topicality and connection to the complainants must be. According to the Supreme Court's practice, sufficient timeliness can also exist in more abstract legal questions where there is a need for legal clarification.
The EEA court sets requirements for effective enforcement of the right to appeal. The decision not to impose an infringement fee is a decision that applies to the complainants, cf. the data protection regulation article 78. The complainants are affected by the decision because it stems from illegal processing of their personal data. The connection is emphasized by the fact that the violations would have continued if the complainants had not complained.
The Norwegian Data Protection Authority seems to have made a distinction between the decision that the Church of Norway has committed a breach of privacy and the sanction. However, the sanction is not a separate individual decision separate from the decision on privacy violations, but a consequence of the identified violations. Setting up such a distinction, where the Norwegian Data Protection Authority determines the right of appeal based on the complainant's connection to a single part of the decision (sanction), is not in line with section 34 of the Public Administration Act, which states that the appeal body can examine all sides of a case.
The condition of legal appeal interest is met because:
- Connection and topicality. The connection is obvious: The Church of Norway is reprimanded for violating the complainants' privacy rights as a result of their complaint. Actuality exists because there is a need for clarification of the size and practice of sanctions for effective enforcement of privacy rights in such cases. As mentioned, the Supreme Court also considers more abstract legal issues to be relevant.
- A tangible reaction is the only way the complainants can protect themselves. Due to the nature of the right – protection of integrity – effective legal remedies against the party responsible for the infringement are the only possibility the complainants have in practice to protect themselves. Not only will very few have the resources to sue, the court's ability to review the administration's discretion is also limited.
- The choice of sanction has an impact on the complainants' future privacy rights. The illegal processing of personal data by the complainants has been experienced as a violation of the complainants' exercise of their views on life. A stricter reaction will increase the preventive effect. Thus, it is less likely that a similar invasion of privacy will happen again.
The fact that the breach of privacy affects many people does not mean that each individual has any less connection to the reaction.
A party will never complain about what it considers to be too lenient a decision against itself. If only the party itself has the right to appeal against sanctions, and the Data Protection Authority sets up a practice that is too lenient, the consequence is that this lenient practice will never be reviewed and tightened (by the Personal Data Protection Board). The bias would mean that the Privacy Board could not fulfill its role as a review body for the Data Protection Authority. This would have undermined the control of the Norwegian Data Protection Authority as a supervisory body. In other words, that the complainants have the right to appeal is a prerequisite for the Personal Protection Board to be able to review the Norwegian Data Protection Authority, set the right level for sanctioning practices and thus fulfill its function.
The Norwegian Privacy Board's assessment
Five of the complainants are represented by the Human-Ethical Association. According to the tribunal's assessment, the Human-Ethical Association falls under the type of organization that can be granted the right of representation according to article 80, cf. the regulation's recital 142. The Administrative Act section 12, second paragraph, also allows for the Human-Ethical Association to act as a proxy on behalf of the registered members of the association.
Article 78 no. 1 of the Personal Data Protection Regulation gives every natural or legal person the right to an effective legal remedy against a binding decision "that applies to them" and that has been made by a supervisory authority. It is left to national law to lay down rules on handling the complaint. The Norwegian Personal Data Protection Board's activities are regulated in the Personal Data Act § 22 and regulations on the processing of personal data of 15 June 2018 no. 876 (the Personal Data Regulations) §§ 4 and 5. It is the general procedure rules in the Public Administration Act that apply to the Norwegian Data Protection Authority's and the board's handling of complaints, cf. Prop. 56 LS (2017-2018) clauses 26.5 and 27.5.
Section 28, first paragraph, of the Administration Act states that individual decisions can be appealed by a party or other with a legal interest in the matter. A party is a "person to whom a decision is directed or to whom the case otherwise directly concerns", cf. the Administration Act § 2 letter e. The expression "legal interest in appeal" is not defined in the Act.
In its practice, the Tribunal has assumed that a data subject whose personal data is processed by a data controller is to be considered a party to a case in which the Data Protection Authority assesses whether the data controller has processed the personal data of the data subject in accordance with the law. The Privacy Board has further assumed that the Data Protection Authority's decisions that the data controller's processing of personal data about the data subject is not illegal, is a decision that also applies to the data subject and is decisive for the data subject's rights and obligations and thus a single decision that can be appealed.
In this case, the Norwegian Data Protection Authority has concluded that the Church of Norway has breached the Personal Protection Ordinance Article 6 No. 1 by obtaining birth notices for members' children from the National Register from 1 October to 14 November 2018, and by continuing to store this personal data without a valid legal basis , until all the information was deleted no later than 1 January 2021. The Norwegian Data Protection Authority has also concluded that the Church of Norway has breached the Personal Protection Regulation article 14 no. 1 letter d and no. 2 letter f, cf. article 12 no. 1, by not provide sufficient information to those registered about the collection of birth notices for members' children from the National Register of Citizens. In the decision, the Norwegian Data Protection Authority reprimanded the Norwegian Church for these violations. The registered persons have thus accepted that the Church of Norway has broken the rules in its processing of their personal data. In the Norwegian Data Protection Authority's handling of this question, both the Church of Norway and the registered parties have been considered parties.
The Norwegian Data Protection Authority reprimanded the Church of Norway for the breach of privacy, as a corrective measure, cf. the privacy regulation article 58 no. 2 letter b. It is not stated that the decision to reprimand the Church of Norway is a decision that targets the registered or directly applies them, so that they are to be considered parties. The question for the tribunal is whether the complainants have a legal interest in complaining when it comes to the Norwegian Data Protection Authority's choice of reaction against the Church of Norway.
In a number of cases, the Personal Protection Board has come to the conclusion that those registered, who experience that their personal data is being processed illegally, do not have the right to appeal against the Norwegian Data Protection Authority's choice of reaction, see PVN-2019-12, PVN-2020-07 and PVN-2024-01. The tribunal's reasoning has been that the Data Protection Authority's decision on the choice of reaction is not decisive for the rights and obligations of the data subjects, cf. the Administrative Act § 2 first paragraph letter a, or a decision that "targets" them, cf. § 2 first paragraph letter e The question of whether the registered parties may still have a legal interest, without being a party, is not explicitly mentioned.
It follows from Section 28 of the Public Administration Act that those who have a legal interest in appeal without being parties have the right to appeal. The Administration Act does not have its own definition of legal appeal interest. The criterion legal appeal interest is seen in the context of § 1-3 of the Disputes Act on who can bring a civil case before the courts. When someone with a legal interest in appeal makes use of the right of appeal, the person concerned gains status as a party to the appeal case, cf. Administrative Law Committee, NOU 2019:5 pages 379 and 183.
Section 1-3 of the Disputes Act reads:
"(1) Proceedings may be brought before the courts regarding legal claims.
(2) The person bringing the case must demonstrate a real need to have the claim settled against the defendant. This is decided on the basis of an overall assessment of the timeliness of the claim and the parties' connection to it."
The Supreme Court states the following about the understanding of the provision in HR-2021-417-P (Acer) section 121:
"As far as the overall understanding is concerned, I mention the three terms that appear in the wording in terms of key words. First, the subject matter of the lawsuit must be a "legal claim". According to the second paragraph, there is a requirement for "timeliness", which applies to the lawsuit situation - there must be a real need for legal clarification. Finally, there is a requirement of "connection" to the subject matter of the action - the plaintiff must have a need worthy of protection to obtain judgment against the defendant."
The tribunal maintains that a data subject who has been subject to a breach of the data protection regulation has no legal interest in appealing the question of which corrective measures should be imposed on the data controller when the data breach has ceased.
In this case, the complainants have been upheld that the information about them was processed illegally and the illegal processing has ceased. The complainants then no longer have a real need to have the reaction question reassessed. Violation fee according to the Personal Data Act is an administrative sanction that has the character of a penalty according to Article 6 of the ECHR. It is the supervisory authority that assesses the necessity of imposing such a fee, which must be effective, be in a reasonable relationship to the violation and act as a deterrent. The choice of reaction - infringement fee or reprimand - is not justified in terms of "reparation" or "revenge" for the data subject. The complainants' opportunity to protect themselves against breaches of privacy is therefore, in the tribunal's view, adequately safeguarded by their right to complain about the treatment to the supervisory authorities, even if they do not get the right to complain about the determination of the response itself. In the tribunal's view, the data subject does not have a need worthy of protection to have the reaction against the controller tested. This is a relationship between the controller and the supervisory authority.
However, the data subject who has been exposed to a breach of the Personal Data Protection Ordinance may in some cases be entitled to compensation for non-economic damage, cf. Personal Data Act § 30. Such compensation claims from the data subjects are dealt with by the courts and not by the Norwegian Data Protection Authority.
It is correct, as pointed out by the complainants, that the tribunal's interpretation of "legal appeal interest" means that if the Norwegian Data Protection Authority adopts a practice that is too lenient when imposing sanctions, this practice will not be reviewed because the party itself will not complain about this to the tribunal. However, this is not a factor that changes the tribunal's assessment of the legal appeal interest when choosing a response.
The tribunal then agrees with the Norwegian Data Protection Authority that the effect is too derivative for the complainants, both in terms of topicality and connection. The tribunal also agrees with the Norwegian Data Protection Authority's assessment that the statement that an infringement fee to a greater extent than a reprimand will have a preventive effect against future breaches does not indicate that the complainants have a legal interest in complaining.
The complaint about the Norwegian Data Protection Authority's choice of reaction against the Church of Norway for breach of the privacy regulation is rejected.
The decision is unanimous.
Conclusion
The Norwegian Data Protection Authority's decision on rejection is upheld.
Oslo, 27 August 2024
Mari Bø Haugstad
Manager