Personvernnemnda (Norway) - 2018-14 (15/01355)

From GDPRhub
PVN - 2018-14 (15/01355)
Courts logo1.png
Court: Personvernnemnda (Norway)
Jurisdiction: Norway
Relevant Law: Article 4(11) GDPR
Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Article 7 GDPR
Article 7(4) GDPR
Article 9 GDPR
Article 9(2)(a) GDPR
Article 85 GDPR
European Convention on Human Rights Article 10
European Convention on Human Rights Article 8
Grunnloven (The Constitution of the Kingdom of Norway) § 100
Personopplysningsloven (Personal Data Act) § 3
Decided: 21.01.2019
Published: 21.01.2019
Parties: Legelisten.no AS
National Case Number/Name: 2018-14 (15/01355)
European Case Law Identifier:
Appeal from: Datatilsynet (Norway)
15/01355
Appeal to: Appealed - Confirmed
Norges Høyesterett (Norway)
HR-2021-2403-A
Original Language(s): Norwegian
Original Source: Personvernnemnda (Privacy Appeals Board) (in Norwegian)
Initial Contributor: Rie Aleksandra Walle

The Norwegian Privacy Appeals Board partly overturned a decision from the DPA regarding the processing of personal data on the website Legelisten. Importantly, the Board held that Legelisten had legal grounds for processing the personal data of healthcare personnel and rejected the DPA's decision to provide them with an opt-out. The decision was then taken to the lower courts in Norway, before the Supreme Court ultimately upheld the Board's decision in 2021.

English Summary

Facts

In 2017, the Norwegian DPA Datatilsynet found that a company "Legelisten", running an anonymous review website of healthcare personnel, lacked a legal basis for processing and instructed them to allow said personnel to opt out of being listed and reviewed, in addition to several other instructions.

Both the initial complainant and Legelisten responded to the DPA's decision with complaints. The DPA considered both complaints, but did not find any grounds to change their decision. Consequently, the case was submitted to the Norwegian Privacy Appeals Board, who considered comments from the initial complainant, Legelisten, the Norwegian Consumer Council, and the DPA.

The Board focused their assessment on the lawfulness of processing of personal data on the website Legelisten.no. First, they considered the applicable law, as the GDPR had entered into force since the initial complaints dating back to 2012. They found that the GDPR would indeed apply.

Holding

The Board reviewed several aspects relating to the case in question, summarised below.

Controller responsibility

The Board agreed with the DPA's finding that Legelisten is the controller for all processing of personal data related to their site (as listed above), for both users and the healthcare personnel, because they in all these instances determine how the personal data will be processed (the purpose) and the means (technical platform, layout, which processors to use).

The relationship to freedom of speach and processing for journalistic purposes

The Board agreed with the DPA's finding that there were no exemptions or derogations for processing carried out for journalistic purposes in this case.

Legal grounds for processing personal data about the users

The DPA found that Legelisten lacked a legal basis for processing contact information (email address) of users submitting reviews, because they could not rely on consent as this was not found to have been provided voluntarily.

The Board agreed that email addresses will often reveal the identity of a person and is, as such, personal data, and that information related to visits to or contact with specialist healthcare personnel, will reveal special category personal data and thus requires a legal ground for processing as per Article 9(2) GDPR, in addition to Article 6(1). However, the Board were split in their view of consent being a valid legal basis for processing in this specific case. The majority disagreed with the DPA and found that Legelisten could rely on consent for processing contact information of users, because they provided sufficient sufficient information in their terms and privacy notice, and required users to provide their consent through a clear affirmative act. The Board's decision here effectively reverted the DPA's initial decision item 8.

Legal grounds for processing personal data about healthcare personnel

Processing of personal data about healthcare personnel on Legelisten relates to two categories: objective vs. subjective personal data. The Board noted that the relevant legal basis in both cases is Article 6(1)(f), legitimate interest, and made a thorough assessment relating to the three-part test (the purpose test, the necessity test and the balancing test).

The Board first assessed the legal basis relating to the users' subjective reviews of healthcare personnel. In the balancing test, the Board were split in their views. First, the majority found that the subjective expressions of the individual patient in principle are expressions protected by the right of freedom of speech, cf. the Norwegian Constitution § 100 and the European Convention on Human Rights Article 10, and that most healthcare personnel on Legelisten can be seen as public figures, cf. the Article 29 Data Protection Working Party guidelines 225, number 2: «Does the data subject play a role in public life? Is the data subject a public figure?».

Next, the majority emphasised that patients' subjective reviews of their experiences with healthcare personnel is of public interest and Legelisten's services contributes to safeguarding important consumer interests. Hence, they concluded that a general right to opt out of being reviewed on the website, would reduce the value of Legelisten as a source of information on the quality of health-related services in Norway. They pointed to the almost immediate reservation requests from about 20% of general practicioners following the DPA's decision.

In conclusion, the majority of the Board held that the various legitimate interests of Legelisten outweighed the rights and freedoms of the healthcare personnel, that the processing of their personal data is necessary for the purpose and, consequently, lawful as per Article 6(1)(f).

For the objective personal data, an unanimous Board agreed that Legelisten had a legitimate interest in processing these.

The Board's decision

  1. Legelisten is the controller for all personal data published on their website.
  2. Legelisten's publishing of reviews of healthcare personnel is not subject to the exemptions or derogations for processing carried out for journalistic purposes.
  3. Legelisten has legal grounds for processing user contact information, cf. Article 6(1)(a), cf. Article 9(2)(a).
  4. Legelisten is not instructed to publish the identity of the users submitting reviews of healthcare personnel.
  5. Legelisten has legal grounds for collecting and publishing subjective reviews of healthcare personnel, cf. Article 6(1)(f), and does not have to provide healthcare personnel with the right to opt out.
  6. Legelisten has legal grounds for collecting and publishing objective personal data of healthcare personnel, cf. Article 6(1)(f), and does not have to provide healthcare personnel with the right to opt out.

Comment

Complaints against Legelisten started in 2012 and went through several rounds both at the Norwegian DPA and the Privacy Appeals Board (Personvernnemda), before going to the Norwegian courts and, ultimately, the Supreme Court.

The initial cases were assessed against the former Personal Data Act of 2000, however since the case continued into 2018 (and later), after the GDPR had taken effect, everything above is referenced with GDPR Articles. Consequently, the DPA's decision item 8 was removed entirely, as the introduction of the GDPR removed the requirement for a license from the DPA to process special category personal data.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Decision of the Privacy Board 21 January 2019 (Mari Bø Haugstad, Bjørnar Borvik, Line Coll, Hans Marius Graasvold, Gisle Hannemyr, Hans Marius Tessem, Heidi Talsethagen)

Table of contents
1 Introduction
The case concerns the question of whether the processing of personal data on the website Legelisten.no is in line with the Personal Data Act. The tribunal discusses and decides who is to be regarded as the data controller, whether the processing falls under the exception in the Personal Data Act 2018 § 3 (processing of personal data for purely journalistic purposes), whether there is a processing basis for collecting users' e-mail addresses and whether there is a processing basis for processing personal data about health personnel on the website, both objective factual information and subjective assessments given by the users. The tribunal also assesses whether the users who enter assessments on the site should be allowed to be anonymous externally.
2. Fact
The company Legelisten.no AS (hereinafter Legelisten) launched the website Legelisten.no in May 2012. Legelisten.no is a commercial website with a comprehensive overview of all the country's GPs, with their names, contact information, gender and age, as follows from the overview above GPs at helsenorge.no (the public health portal). In the summer of 2013, the Medical List was expanded to cover dentists. In 2014 and 2015, specialist doctors and chiropractors were included, and video doctors in 2018.
In addition to the mentioned factual information, the Medical List contains an overview of the users' assessments of the individual therapist with a free text field where reviews are given, and a rating scale of up to five stars in the categories «overall assessment», «availability», «trust and communication» and «service ». Anyone can post reviews of a therapist on the website, but according to the website's own guidelines, reviews should only be given by the therapist's patient. The assessments are published anonymously, and are linked to a named therapist.
The doctor's list states that the purpose of the service is for users to read about the various medical services before choosing a therapist. The medical list further states that all posts on the website are read and approved before publication via a moderator function. The doctor's list states on its website that this is "[f] or to ensure the quality of assessments and ensure that they are in line with our terms and guidelines […]"
According to the Medical List, the website has approx. 2 million unique users every year. Nearly 12,000 health professionals are registered on the website, including 4,800 GPs, who make up the largest group. The medical list has stated that 67,000 assessments have been published since the start in 2013 and that 14,000 assessments have been rejected for publication in the same period.
In accordance with the website's terms and conditions, the company reserves the "right to remove or fail to publish reviews in its sole discretion and without justification". Furthermore, the following is stated about the submission of assessments:
"When you submit an assessment, you vouch for all the content of the assessment. Furthermore, you guarantee that the assessment is based on your own experiences, and that you do not pretend to be a different person than you are.
You are solely responsible for the content of the reviews you submit. The company does not allow assessments such as:
are racist, pornographic or otherwise illegal and / or offensive
contains personal injury, defamation, libel or is likely to harm other persons or businesses
infringes intellectual property or other rights, including but not limited to copyright, trademark and patent rights, or trade secrets
contains trade secrets and confidential information
contains specific allegations of incorrect treatment, misdiagnosis or lack of acute / vital treatment
An assessment must contain a justification for your views or a description of your experience, and must not only contain single words such as "bad" or "recommended". Rogue assessments and assessments with limited or no information value for the users of the service may be rejected.
An assessment must be based on experience with the therapist in a medical context, where you have sought health care yourself.
We encourage you to avoid sharing information about your own health in reviews you write about health professionals. "
The doctor's list also offers a payment service where users of the website can find out if health personnel have received administrative reactions from the Norwegian Board of Health Supervision. The service also contains an automated solution for ordering access to the associated case documents from the Norwegian Board of Health. The payment service means that the user can also choose to receive a notification when a health service provider receives new assessments or when a GP gets a free place on their list, and when the doctor last opened for new patients outside the waiting list. As of December 2018, the payment service cost NOK 95 for three months (one-time payment). The doctor list also offers "tailor-made advertising packages" for GPs who want more patients.
As the service is currently set up, healthcare professionals do not have any general reservation access against being registered and assessed on the website. The medical list practices a reservation scheme where health personnel can request to make a reservation if compelling reasons so require. In the event of such inquiries, the Medical List carries out a specific balancing of interests. The medical list has stated that, before this case, they had received just under 50 requests for reservations, of which 11 of these were granted. After the Data Inspectorate made its decision with an order to introduce a scheme with general reservation rights, the Medical List has received a request for a reservation from approx. 1,100 health personnel, most of whom are GPs.
3. Proceedings
Dentist A originally contacted the Norwegian Data Protection Authority on 10 July 2015 because she had received negative publicity on the Medical List. She stated that the processing of personal data lacked a processing basis in the Personal Data Act 2000 § 8 letter f, and demanded, among other things, own personal data deleted from the page. The Data Inspectorate assessed whether A could demand that negative assessments about herself be deleted on the website and rejected her request in a decision on 6 October 2016. A appealed the decision to the Privacy Board, which on 1 November 2016 sent the case back to the Data Inspectorate for new substantive processing. The tribunal was of the opinion that the Data Inspectorate had not taken a position on A's principal demand to have all personal information about himself deleted from the Medical List.
The Data Inspectorate resumed processing of the case. It appears from the case documents that the Data Inspectorate, in the period they have worked on the case, has been contacted by several doctors and other health personnel who feel their privacy has been violated through the established service. The Data Inspectorate has also had a meeting and dialogue with the Norwegian Medical Association, which is very skeptical of the website and, among other things, has pointed out the danger that the website will be a public gap, more than a real aid for patients looking for a new GP. The Norwegian Data Protection Authority has also received various inquiries from users of the service who are positive about the service and want it to be continued. The Consumer Council has, on its own initiative, submitted a statement of the consumer considerations they believe are relevant to the case. The memorandum has also been published on the Consumer Council's website and the Consumer Council's arguments are presented in brief below.
On 8 November 2017, the Data Inspectorate issued a decision ordering various conditions that may have been met for the processing to be in accordance with the law: The decision has the following 10 points:
Legelisten.no AS is ordered to facilitate that health personnel can reserve themselves from being assessed on Legelisten.no and that assessments are displayed on the website, as the treatment otherwise has no basis for treatment.
Legelisten.no AS is required to lay down deletion rules that ensure that information that health personnel have had their authorization, license or specialist approval revoked is deleted no later than five years after any new authorization, license or specialist approval has been granted, as the treatment otherwise has no basis for treatment.
Legelisten.no AS is ordered to lay down deletion rules that ensure that information that health personnel have had their right to requisition revoked is deleted no later than two years after any new requisition right has been granted, as the treatment otherwise has no basis for treatment.
Legelisten.no AS is required to lay down deletion rules that ensure that information that health personnel's authorization, license, specialist approval or requisition right has been restricted is deleted no later than two years after the restrictions have been lifted, as the treatment otherwise has no basis for treatment.
Legelisten.no AS is ordered to lay down deletion rules that ensure that information that health personnel have been issued warnings from the Norwegian Board of Health Supervision is deleted no later than two years after the warning was given, as the treatment otherwise has no basis for treatment.
Legelisten.no AS is required to ensure that information about health personnel's authorization, license, specialist approval and requisition law is correct and up to date.
Legelisten.no AS is ordered to ensure that information about former health personnel who no longer practice the profession is removed, as this treatment is not relevant for the purpose.
Legelisten.no AS is ordered to cease processing sensitive personal data by requesting or storing the e-mail address of patients who have submitted an assessment of health personnel in the specialist health service, as the treatment lacks a basis for treatment.
Legelisten.no AS is not granted a dispensation from the licensing obligation pursuant to the Personal Data Act § 33 third paragraph, as the relevant processing of sensitive personal data lacks a processing basis.
Legelisten.no AS is required to provide information in accordance with the Personal Data Act § 20 to all health personnel whose personal data the company processes, unless it is clear that the health personnel already know the information the notification must contain.
On 21 November 2017, the Medical Council requested the Norwegian Data Protection Authority to order the orders in the decision to be postponed. On 27 November 2017, the Norwegian Data Protection Authority granted deferred implementation of the order in section 1 of the decision, but not for the other sections.
A submitted a timely appeal against the Data Inspectorate's decision on 4 December 2017. The Medical List also submitted a timely appeal against the decision on 15 January 2018, after postponing the appeal deadline, and at the same time requested a postponed implementation of the orders in decision points 8 and 9. The Data Inspectorate rejected the request.
The Consumer Council submitted, on its own initiative, an assessment of relevant consumer considerations in the case in a letter on 26 January 2018.
The Data Inspectorate assessed both complaints, but found no basis for changing its decision. The case was submitted to the Privacy Board, which received the case on 26 June 2018. Both Legelisten and A have submitted comments on the Data Inspectorate's submission letter.
The medical list submitted a new request for deferred implementation of the orders in points 8 and 9 of the decision to the Privacy Board. The request for deferred implementation was received in the tribunal case number PVN-2018-20. In a decision of 10 September 2018, the tribunal granted deferred implementation in line with the petition submitted.
The case was then dealt with in the board's meetings on 12 November and 10 December 2018, and 21 January 2019. The Privacy Board had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik (deputy chair), Hans Marius Graasvold, Line Coll, Gisle Hannemyr, Hans Marius Tessem and Heidi Talsethagen. Ellen Økland Blinkenberg did not participate due to incapacity. The committee's secretary, Anette Klem Funderud, was also present.
4. A's statements in brief
The Privacy Board is asked to make a decision that health personnel can reserve themselves against all mention on the Medical List, also of personnel.
She disagrees with the Data Inspectorate's assessment that objective personal information can be published on
Legelisten. She also disagrees with the Medical List's statement that the website's legitimate interest is based on the public's interests in the choice of health personnel. The doctor's interest must be regarded as purely financial, because the list aims at earnings in the form of advertisements and the like. This is clear from the website. Such an interest cannot weigh heavily in the balance of interests. The interest in privacy must weigh heavier.
Healthcare professionals have a clear interest in where their personal details are reproduced, and therefore have a clear right to refuse reproduction on Internet sites that they do not wish to help legitimize. It must be irrelevant whether the information is available elsewhere. It must be up to the individual health personnel to choose where they want their personalities mentioned. If health personnel make reservations against assessments, it must not be the case that this, together with personnel, gives the impression that something negative is attached to the person in question. It will easily appear this way, and also therefore health professionals must have the right to a complete reservation.
The assessments reproduced on the Medical List are given by persons who remain anonymous. The Norwegian Data Protection Authority has stated that "in this case, we note that anonymous assessments are negative for the privacy of the doctor, but positive for the privacy and freedom of expression of the patients". It is not acceptable to post anonymous user reviews on a website. It should be a clear principle that the person who submits an assessment is allowed to provide it with his or her own name. The principle of freedom of expression should be accompanied by a principle of responsibility for expression. This will also have a limiting effect on many of the statements that are included on websites and which for most people appear to be repulsive in form and content.
5. The doctor's list's in brief
The Medical List's processing of personal data is covered by the exemption for journalistic purposes and is protected by the Personal Data Act 2000 § 7. The Medical List can thus not be imposed obligations under the Act as the Data Inspectorate has based its decision. This is the reason why all orders have been appealed. If the tribunal concludes that the Medical List is not protected in accordance with the Personal Data Act 2000 § 7, the Medical List will comply with the Data Inspectorate's decisions sections 2-7 and 10. In that case, it is decision points 1, 8 and 9 that are appealed.
The Data Inspectorate's decision is based on a misunderstanding of the legal issues raised by the case. The Norwegian Data Protection Authority has also based its assessment on incorrect facts. In addition, the Medical List finds that the Norwegian Data Protection Authority has not acted neutrally in this case.
5.1 Responsible for processing
The doctor's list is responsible for processing the objective information collected about health personnel, information about administrative reactions against health personnel from the Norwegian Board of Health Supervision and information about the users who leave assessments.
The medical list is not responsible for the treatment of the subjective assessments of health personnel that the users themselves post on the website, but must be regarded as data processors for these subjective assessments.
5.2 The exception for journalistic purposes
The Medical List's assessment service is covered by the journalist exemption in the Personal Data Act 2000 § 7 and thus protected by the freedom of information and expression.
The Norwegian Data Protection Authority has too narrow an understanding of which statements / information fall under the journalist exemption. Statements on health services must be regarded as specially protected, cf. the decision of the European Court of Human Rights (ECHR) 02/08/2000, Bergens Tidende and others v. Norway, section 51.
The Data Inspectorate apparently distinguishes between the user's statement (the original statement) and the Medical List's statement. The Norwegian Data Protection Authority believes that the user's expression is in principle protected by freedom of expression, while the Medical List's dissemination is not. There is no evidence in the preparatory work or in case law for such an understanding of the law. The decisive factor is whether the statement as such is protected.
The doctor's list is a communication platform and disseminates (in moderated form) users' statements. In this sense, the Medical List does not differ from other media that convey readers '/ users' opinions, such as reader posts and comment fields in online newspapers. Reader contributions undoubtedly fall under the Personal Data Act § 7, cf. NOU 2009: 1 page 107.
Collecting and presenting user experiences in a socially important area such as health must be considered a journalistic activity. There can be no requirement for the information to appear in a socially or system-critical context. Positive reviews also fall within the term.
The mentions on the Medical List can serve as a barometer of how the health service is perceived, and the information can be used by the media or as a basis for academic work. A large part of the Medical List's societal benefits take place at the local level. The assessments are part of a local debate that is taking place in all Norwegian municipalities, and the Medical List provides insight into the primary health care service, which is necessary to make politicians responsible for ensuring that citizens have satisfactory health care services accountable.
If the users are not allowed to convey the statements through the Medical List, this entails an interference with the users' freedom of expression. And anyway; if the Medical List is prohibited from disseminating the assessments, this entails an interference with the Medical List's freedom of expression. Dissemination of other people's expressions is also protected by freedom of expression.
It is not clear what the Data Inspectorate includes in the requirement that the processing must "exclusively" be for journalistic purposes. In Case C-73/07, Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and Satamedia Oy, the European Court of Justice has interpreted journalistic purposes broadly.
The medical list has no other interest in the operation of the service than to facilitate sober and factual dissemination of information about health personnel. The medical list also has a commercial interest in the service providing returns to owners and jobs to the employees, as well as the media, artists and authors who normally have financial earnings as the ultimate goal of their business.
Reference is made to the tribunal's previous practice, including PVN-2005-03 and PVN-2010-11. In both cases, the tribunal concluded that the statements were protected by freedom of expression. The purpose of the later change in the law in 2012 was to make a «certain» change in practice in relation to what the Privacy Board had expressed in PVN-2010-11, see Prop.47 L (2011-2012) section 4.6. In reality, however, the content of the exception is the same, see Bjarne Kvam, Is the Data Inspectorate's interpretation of the law too restrictive, Law and Justice 2012 pages 45-56.
The statements that the legislature wanted to bring to life at the time of the amendment were statements that were close to the harassing and indefensible. This case concerns sober value assessments of health professionals' exercise of their role as professionals. Such statements are protected.
If the Privacy Board concludes that the Medical List is not covered by the journalist exemption for freedom of expression, it entails a narrowing of previous practice. There is no basis for this after the draft legislation.
Legal theory substantiates that material published on websites is usually covered by the journalist exemption, see Wille Johansen et al., Personal Data Act commentary edition, Universitetsforlaget 2001, page 92.
It follows from EMD practice according to the European Convention on Human Rights, Article 10 of the ECHR and Article 8 that the balancing shall be carried out as a balance test, where the opposing rights shall be given «equal respect», cf. EMD case 39954/08 Axel Springer AG v Germany 2012, premise 87. The Norwegian Data Protection Authority has not made any specific assessment of the information published on the Medical List against the freedom of expression in assessing whether the journalist exemption applies. The view that assessments of health personnel are value assessments that enjoy strong protection during freedom of expression is absent. The same applies to the debate about the public health service, which is at the core area of what is protected by freedom of expression.
With regard to the balance between the freedom of expression of users, which is protected by the Constitution § 100, and the health personnel's privacy, reference is made to Rt. 2014 page 152 (ambulance driver) premises 104 and 106.
How health professionals perform their medical work is clearly a socially important topic. Comparison of health services is to the highest degree content of a journalistic nature and is of general interest. Firstly, health professionals take care of the basic need for health care in the entire population. Secondly, it should as far as possible be up to the individual to decide which health services they want to receive, as well as who they want to receive these from. Thirdly, the feedback can in many cases be seen as a contribution to the general debate about how the GP scheme works. Fourthly, doctors are entrusted with important tasks related to the management of welfare benefits. Fifth, the health personnel themselves are recipients of relatively significant funds from the public sector in the form of subsidy and reimbursement schemes.
Consideration for the health personnel's privacy shall be given weight, but may not be overweighted as long as the information published about the professional health personnel's professional practice is mainly sober and factual.
5.3 Processing basis for processing personal data about the users of the website
The users who submit assessments on the website provide an e-mail address to the Medical List. This is not sensitive personal information. An email address in itself is not sensitive. The possible sensitivity lies in the link between the natural person, e-mail address and the fact that a patient has visited the specialist health service.
The Medical List does not agree with the Norwegian Data Protection Authority that the core of the Medical List's service is to be a «platform for anonymous statements». The core of the Medical List, on the other hand, is to be a «platform for quality-assured, moderated, assessments». If the platform does not moderate and quality assure received reviews, the website will quickly be littered with junk and false reviews and thus lose its value to users. In moderating assessments, it is crucial to have contact information for the submitter. Without contact information for the submitter, the necessary moderation will not be possible and the Medical List will not be able to publish the submitted assessment.
The medical list has a basis for processing for storing contact information from the farms, cf. the Personal Data Act 2000 § 9 letter a «consent» or d «the registered person has voluntarily made the information generally known». Proposition 43 of the Privacy Ordinance supports that the Play List has valid consent. Email address is required for the service and therefore consent is valid. With regard to the Personal Data Act 2000 § 9 letter d, the preparatory work for the law mentions as an example that a person posts information about health on their own website. It is completely voluntary to post information, and there is no obligation to submit assessments on the Medical List.
Reference is also made to other platforms in other EEA states that require identity in order to publish assessments.
5.4 Processing basis for processing personal data about health personnel on the website
5.4.1 Comments on the actual basis The Data Inspectorate bases its decision on
It is not correct, as the Data Inspectorate has assumed, that subjective assessments involve a significant interference with health personnel's privacy. Until February 2017, the Medical List had only received around 50 inquiries about reservations, even though 12,000 doctors are registered on the site. Such a modest number of reservation requirements substantiate that the privacy disadvantages are not particularly prominent. The medical list also has a reservation scheme where health personnel with compelling reasons can be granted a reservation after an individual assessment.
There is no evidence to claim that the website is used to slander doctors, as the Data Inspectorate assumes. Most reviews are positive. Negative assessments must be considered well-founded. It is otherwise difficult to understand the distinction related to whether the statement is presented on the Medical List or other channels, and that the argumentative value should be perceived differently.
The Norwegian Data Protection Authority apparently emphasizes that the professional integrity of health personnel is at stake if the Medical List is allowed to publish subjective assessments. The medical list believes that safeguarding the professional integrity of health personnel is not a relevant consideration under the Personal Data Act, and in any case is not a consideration that can be given particularly heavy weight.
The Norwegian Data Protection Authority has placed too much emphasis on privacy disadvantages that have not been documented, which is assumed to be due to a campaign-oriented influx from the health personnel's interest organizations and in particular the Norwegian Medical Association. The recent involvement of health professionals is believed to be more an expression of loyalty between health professionals, than an expression of real privacy disadvantages. In addition, it seems to be justified in economic considerations.
The Norwegian Data Protection Authority has assumed that the information value of the assessments on the website is limited. It is not correct. The assessments on the Medical List can say something about the professional competence of health personnel. Research shows that there is a connection between patient assessments and the quality of health services. There are no other services where patients can form an impression of healthcare professionals. The medical list has approx. 2 million unique users a year. Furthermore, there are probably between 100,000 and 300,000 Norwegians who use the service every year when they need to find a new GP. That says something about the information value.
It has not been documented that false assessments have been published, although this cannot be ruled out. Web users are accustomed to reading subjective reviews online and are able to assess the value of the information.
In its decision, the Data Inspectorate has assumed that they do not have "the impression that 'all' doctors will now make reservations." Following the Data Inspectorate's decision, the Medical List has received over 1,100 requests for reservations, most of them from GPs. There are about 4,800 GPs in Norway and approx. 20% of these have thus reserved themselves in the short time that has passed. There is no reason to believe that the number of reservations will stop here. The value of the service has already been sharply reduced and the Medical List must, if the decision is upheld, assess whether there is a basis for further operation.
5.4.2 Comments on the legal issues raised by the case
The Medical List maintains that the Personal Data Act 2000 § 8 d ("perform a task of public interest") is a relevant basis for treatment in addition to § 8 f ("legitimate interest").
The Data Inspectorate's balancing of interests pursuant to section 8 f is disputed and it is difficult to see which fact the Data Inspectorate has taken as a basis. The medical list acknowledges that the balance must to some extent be discretionary, but believes that there is a basis for making a quantitative analysis related to the balance of interests.
In January 2018, the medical list prepared such a quantitative balance of interests. The analysis is based on the number of people who benefit from the service, how much benefit they achieve, the number of people who experience inconveniences in connection with the service and how much inconvenience is inflicted. The sizes are quantified and compared. The analysis shows that the advantages of the website clearly outweigh the disadvantages and that society's legitimate interest is many times greater than the privacy disadvantage inflicted on doctors or other health professionals. This suggests that the site has a processing basis in the Personal Data Act 2000 § 8 letter f.
The medical list maintains that statements on the website are covered by the journalist exemption. Nevertheless, if the Privacy Board finds that the Personal Data Act 2000 § 8 f applies, reference is made to the arguments that have been put forward regarding the journalist exemption, which also apply in the balancing of interests according to § 8 f.
The main rule is that freedom of expression takes precedence in those cases where the information is in the public interest - and it is the information that is published on the Medical List. Health personnel are authorized, GPs are authorized by the municipalities to run GP services, most doctors are financed by the public sector to take care of the population's health, doctors have socially important tasks and patients are normally in a vulnerable position.
There is no basis for derogating from the main rule in this case, mainly for the following reasons:
Healthcare professionals have a role to play in public life.
The statements apply to the practice of their professions and do not concern private / family matters.
The statements are factual, sober and relevant.
Article 29 of the Article 29 Working Party's Guide WP 225 (Article 29 Data Protection Working Party, 14 / EN WP 225) states on page 13 that members of the regulated professions have a role in public life. The Medical List shares the Article 29 Working Party's assessment that the threshold for the publicity that persons in public life must endure is higher than the threshold for persons who cannot be considered to play any role in public life.
The different categories of health personnel listed on the Medical List play a different role in public life and the assessment may be different for GPs, specialists, dentists and private chiropractors and psychologists. The element of public funding, public authority and the central gatekeeper function that GPs have, indicates that at least these have a role in public life. Society has a great interest in information about how such health personnel exercise their role and manage their responsibilities.
If the Privacy Board concludes that a reservation scheme is required, this must only include health personnel who to a small or no degree can be considered to have a role in public life, otherwise the interference with freedom of expression becomes too great. The right of reservation, as the Data Inspectorate has ordered, can potentially interfere with the freedom of expression of several million users. The medical list disagrees that the right of reservation has only limited consequences for the individual's free formation of opinion.
The Data Inspectorate's decision constitutes illegal prior censorship, cf. section 100 of the Constitution, because it interferes with the Danish Medical Association's freedom to disseminate statements from patients. In any case, a general right of reservation goes further than what is necessary under section 100 of the Constitution and Article 10 of the ECHR. The Data Inspectorate's decision is intended to protect a minority, but a general right of reservation goes further than that. An arrangement where each individual statement is considered removed after a balance will fully safeguard the balance between the conflicting human rights. That the balancing in a specific case can be difficult, or that it can be difficult to formulate the criteria for such balancing, is not in itself an argument for making a decision that is more intrusive than necessary.
The Data Inspectorate's decision goes beyond what can be justified on the basis of privacy considerations and is therefore disproportionate. From a legal point of view, the decision does not pass the necessity test that must be carried out both in accordance with Norwegian internal rules and in accordance with the ECHR. A scheme where the health personnel can subsequently demand an assessment removed after a balance between privacy and freedom of expression will fully safeguard the balance between the opposing human rights.
The medical list has also facilitated the possibility for health personnel to respond to any criticism. The Data Inspectorate believes that this can not fully minimize the privacy disadvantages because the assessments are anonymous, because the duty of confidentiality sets limits, because it is difficult to defend oneself and because it requires the individual to spend time writing answers. However, the privacy disadvantages cannot be fully minimized. Together with the existing reservation access when compelling reasons so require, the privacy disadvantages have been reduced to an acceptable level.
Similar websites have been created in Denmark, Sweden, Germany, respectively,
Great Britain, Austria, Slovenia, Poland and Ireland. In these countries, websites corresponding to the Medical List without reservation rights are permitted. Relevant authorities' assessments can be given different weight, but there is no basis for assuming that the Data Inspectorate's assessment of the case is more thorough than similar assessments in other countries.
The Swedish Data Inspectorate has stated that this type of site is protected by the Swedish rules for freedom of expression. In Germany, the United Kingdom and Slovenia, such websites are considered to have a basis for processing in provisions corresponding to the Personal Data Act 2000 § 8 letter f without the right of reservation. In Austria, it was considered that a national rule on the unconditional right of reservation was contrary to freedom of expression. In Poland and Ireland, similar services operate legally without reservation access.
Other companies have already taken over the market for the Medical List's market in Norway. The biggest competitor is Google, which operates in the Norwegian market and allows patients to write reviews about a very large number of healthcare professionals, including the dentist who has complained to the Norwegian Data Protection Authority. As far as the Medical List is aware, healthcare professionals have no opportunity to reserve themselves from being assessed on Google's service.
If the Privacy Board finds that a reservation scheme is required, this must be introduced at the same time for all players in the Norwegian market, including Google and yelp.no.
6. Consumer considerations
The Consumer Council has, on its own initiative, submitted a statement of the consumer considerations that, in their view, apply in the case. The main points of view in the Consumer Council's statement are reproduced here:
The Consumer Council supports the Data Inspectorate's assessment that the Medical List has a legitimate interest in processing subjective personal data about health personnel, and that the processing is necessary to safeguard this interest. The Consumer Council further believes that the Medical List has a basis for treatment for treating subjective assessments of health personnel without the introduction of a general reservation access and that there are legitimate interests that exceed considerations of doctors' privacy.
There is currently little information of information value related to each individual doctor's office and each individual doctor on helsenorge.no. The information is mainly limited to the doctor's gender and age, whether the doctor is part of a community and whether the doctor's office is adapted for people with reduced mobility. In our view, this information is not sufficient to cover consumers' needs for information on GPs.
As of today, the list of doctors is the only measure in Norway that gives consumers the opportunity to orientate themselves and to obtain relevant information about GPs. The Consumer Council believes that there is a strong public interest in the dissemination of such information. The doctor's list is the only measure that meets patients' desire for a feedback service, which was one of the main findings in the Consumer Council's Patient Survey from 2016.
Subjective assessments from users are of great importance for consumers to be able to make an informed choice of GP. The service's visitor numbers and popularity testify that medical reviews are valuable to consumers. The Consumer Council, like the Norwegian health authorities, considers the right to choose its own GP to be important, and believes that such assessments will be of benefit to consumers when choosing or changing GPs.
Descriptions of how patients experienced being met by the doctor are of great importance for assessing the quality of the health service. The Consumer Council believes that this type of statement deserves strong protection and also believes that the publication of such assessments can contribute to increasing the quality of GPs' health services.
The Consumer Council is of the opinion that the Norwegian Medical Association and individual doctors' emphasis on how consumers may conceivably use the website for reasons not worthy of protection (revenge, private relationships, disagreements) is given too much weight. The Consumer Council does not exclude that junk or unreasonable statements may occur and agrees that statements of this kind are not covered by the protection of expression. Here, the Medical List has an editorial responsibility to ensure that junk statements are not published.
The Consumer Council's experience with similar services shows that consumers have a great understanding of what such "assessment sites" are, and that there are strengths and weaknesses with such services.
In its decision, the Data Inspectorate emphasizes that individual doctors say the fear of poor assessments makes them less equipped to fulfill their social mission, which can sometimes be to reject sick leave, reject questions about certain types of medication and referrals to specialist / expensive examinations. The Norwegian Data Protection Authority also seems to conclude that the absence of consumer assessments will alleviate doctors' uncertainty.
The Consumer Council cannot see that this is the right solution for doctors who feel discomfort by being responsible for their medical assessments. The Consumer Council cannot see that this is different for doctors than for other occupational groups.
The Data Inspectorate's order on reservation access is justified in consideration of the privacy of the individual doctor. In the Consumer Council's view, the legitimate interest in communicating consumers 'subjective assessments exceeds the consideration for doctors' privacy to such an extent that it does not require a reservation access.
The Consumer Council believes that consideration for privacy is taken into account when using other privacy-promoting measures, such as the Medical List's editorial treatment of consumers' subjective assessments. Considerations for doctors' privacy are stretched too far if the order for reservation access is upheld.
7. The main points in the Data Inspectorate's assessment
7.1 Responsible for processing
The data controller is defined as the person who determines the purpose of and the aids for the processing of personal data, cf. the Personal Data Act 2000 § 2 no. 4.
With regard to users' assessments of health personnel, the Data Inspectorate assumes that it is the Medical List that has set the framework for the form and content of the assessments, including the choice of technical solutions, layout and data processors to be used. The users' utterances are used to achieve the purposes defined by the Medical List. As the Medical List has determined the purpose of the processing of the information and which aids are used in the processing, the Medical List is to be regarded as responsible for the processing of all of the information categories.
7.2 The exception for journalistic purposes
The Personal Data Act 2000 basically requires that the data controller must have a processing basis for publishing personal data on the Internet, cf. the Personal Data Act § 11 a, cf. §§ 8 and 9. This does not apply if the personal data is processed exclusively for artistic, literary or journalistic purposes, cf. The Personal Data Act 2000 § 7. The provision is intended to protect the media, companies and individuals' contribution to the public debate and to disseminate news. The exception in § 7 applies regardless of the type of medium used by the data controller or the data controller's profession.
The law requires that the purpose is "exclusively" artistic, literary or journalistic. This does not prevent a newspaper or the like from having commercial interests related to its activities, cf. the European Court of Justice's case C-73/07, Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and Satamedia Oy, section 59. In addition, the word "exclusively" implies that there can be no self-interest in publishing other than the artistic, literary or journalistic.
It is the person responsible for the treatment and the nature of the statement that is decisive. How others want to use the information is not relevant. Individuals can also process personal data for journalistic purposes. It is not a sufficient or necessary condition that the treatment represents an opinion-forming statement, cf. No. 92 (19981999) page 107 and Prop. 47 L (20112012) chapter 4.6.
The Supreme Court has ruled that the debate on the health service may be of public interest, cf. Rt. 2014 p. 152 (ambulance driver), which dealt with the issue of hidden racism in the health care system. The case differs from the present case. The medical list can by far be compared with a quantitative user survey which, for example, is carried out in a customer group, a sample of the population or the like. In this survey, the entire population is invited to participate, and the results are published for the common good of society. The user assessments are about how health personnel meet patients, how they refer to further treatment, whether the patient feels heard, whether the health secretaries are accommodating and the like. The Norwegian Data Protection Authority believes that the assessments do not appear in a socially or system-critical context, to put the health service under debate or in connection with a current case. The same applies to the reactions from the Norwegian Board of Health Supervision, they are not used in a journalistic context, for example as part of a debate about shortcomings in the health service or whether the reactions work as intended. On the other hand, the purpose of the statements (both the assessments and the reactions) seems to be, as the Medical Association has also stated, to enable patients to better choose health personnel. Rating sites that evaluate products and services cannot, in the Authority's assessment, therefore be said to process personal data solely for journalistic purposes.
The German and British statements to which the Medical List has referred have also not regarded this type of website as protected according to their equivalent to § 7.
The assessments in PVN-2017-06 are not relevant to the assessments in this case.
The dissemination of information provided by the Medical List, subjective assessments of all service providers in a market, are not exclusively of a journalistic nature, cf. the Personal Data Act 2000 § 7.
7.3 Processing basis for processing personal data about the users of the website
The personal information about the users who submit assessments of health personnel is sensitive personal information, cf. the Personal Data Act 2000 § 2.
Everyone who submits assessments must provide an e-mail address. Email addresses often contain names or are linked to the identity of individuals in other ways, for example by using the email address when registering on social media. In cases where health personnel in the specialist health service are assessed, the fact that you have visited the doctor in question may in itself say something about your state of health.
If the e-mail addresses are deleted, the link disappears. Alternatively, the assessments can be removed. Deleting email addresses is the least intrusive way to ensure that sensitive personal information is no longer processed.
The processing of sensitive personal data must have a basis for processing both in the Personal Data Act 2000 §§ 8 and 9. The medical list believes that the processing has a basis for consent. A consent must be voluntary, informed and express in order to be valid, cf. the Personal Data Act 2000 § 2 no. 7.
The requirement for voluntariness is that the person is free to choose whether he or she wants to provide the personal data without any negative consequences if consent is not given, cf. Article 29 Group, Opinion 15/2011 on the definition of consent (WP 187), page 12-13. In this case, users are asked for an email address when submitting reviews by healthcare professionals. It is not optional to enter the e-mail address, and if the user does not want to leave an e-mail address, he or she can not leave comments either. Providing an e-mail address is thus a condition of the service, and if you do not accept this, you will be banned from the service.
This does not prevent the comment fields of the online newspapers and the like from requiring an e-mail address in these cases. 8 letter f. If the individual chooses to provide sensitive personal information, this is based on consent.
The doctor's list believes that an e-mail address is required for the agreement, and therefore the consent is valid. Such an understanding of Article 7 (4) of the GDPR is deficient. If the information is necessary to fulfill the agreement, this has a separate basis for processing in Article 6, first paragraph, letter b. Here, personal information is requested that is not necessary to fulfill the agreement.
The Privacy Ordinance, paragraph 43, refers to Article 7 (4). This rule does not make an exception to the requirements for consent, but sets additional requirements. The rule states that if consent is set as a condition for using a service and the relevant personal data is not necessary for the implementation of the agreement, there is a presumption that the consent is not valid. According to the Norwegian Data Protection Authority, it is precisely this rule, which also expresses applicable law, that is the reason why the Medical Lists' consent is not valid. Users will be banned from the part of the service that involves submitting reviews if they do not provide an e-mail address. At the same time, the personal data is not necessary to implement the agreement. The Article 29 Working Party has taken the view that the condition "necessary to fulfill the said agreement" must be interpreted strictly and that the personal data required must be genuinely necessary to provide the core of the service (here: platform for anonymous statements). What is stated in the terms of the agreement is therefore not in itself decisive. The Article 29 Working Party also clearly states that the information must be necessary for the performance of the contract in ordinary cases, not for further actions where the terms of the agreement are violated, cf. Opinion 06/201 on the nation of legitimate interests of the data controller under Article 7 of Directive 95/46 / EC, pp. 16-17.
It is quite clear that email addresses are not strictly necessary for the service in this case. There is no real freedom of choice. Consent is therefore not voluntary. The relevant processing of personal data is not based on the user's consent. The Data Inspectorate also notes that consent is not «informed» either.
Other processing bases in the Personal Data Act 2000 § 8 do not apply either. Since the processing of the relevant personal data lacks a basis in the Personal Data Act 2000 § 8, it is not necessary to discuss whether the processing has a processing basis in the Personal Data Act 2000 § 9.
The medical list's processing of sensitive personal data that takes place by the service requesting or storing the e-mail address of patients who provide assessments of health personnel in the specialist health service, lacks a basis for processing and must therefore cease. Sensitive personal information already collected in this way must be deleted.
Dentist A has questioned that the assessments appear to be anonymous on the website. A therefore asks the Data Inspectorate to consider whether it should be permitted at all to enter anonymous user assessments on a website. The Data Inspectorate sees the disadvantages A addresses. On the other hand, many people will probably be reluctant to submit assessments by name, even in cases where the assessments are factual and well-founded, for fear that it will damage the relationship with the health personnel. Since the Data Inspectorate is not given legislative competence, we can not decide whether this is generally law or not and also anonymous statements can enjoy protection of freedom of expression. The Data Inspectorate is of the opinion that each data controller should make an assessment of whether users can express themselves anonymously on their platform, and the Data Inspectorate's role is to review the website as it is. In this case, we note that anonymous assessments are negative for the privacy of the doctor, but positive for the privacy and freedom of expression of patients.
7.4 Processing basis for processing personal data about health personnel on the website
The Norwegian Data Protection Authority has assessed whether there is a basis for processing pursuant to the Personal Data Act § 8 letter f both for the group of objective personal data and for subjective personal data (assessments) of health personnel.
With regard to the objective personal data (such as name, gender, age, date of authorization, place of work, etc.), the Norwegian Data Protection Authority believes that the Medical List has a legitimate interest in processing this. The interests are legal and real, and the processing is considered necessary to safeguard the legitimate interest in question. The data subjects' privacy interest is not considered to take precedence over the legitimate interest that the Medical List safeguards. The Norwegian Data Protection Authority points out, among other things, that the objective information is also available elsewhere, including on helsenorge.no. This availability plays into the balance of interests. Although it may be perceived as unpleasant for some, it is limited how intrusive it is for health professionals that already public information is republished on the Medical List.
With regard to the processing of the subjective personal information about health personnel from users of the website, the Data Inspectorate has concluded that the Medical List does not have a basis for processing as the service appears today, without introducing a general reservation access to subjective assessments. This assessment is explained in more detail below.
7.4.1 The Privacy Disadvantages
The assessments on the Medical List express how individuals perform their profession and meet patients. This is personal information, and information about professional practice and personality traits enjoys a certain protection under the law. In cases of control in working life, for example, the employees' reactions to and feelings about the measure will be important factors in the assessments of whether the measure can be implemented. If health professionals feel that their privacy is threatened by the fact that individuals are free to write assessments about them without a name, then it should weigh heavily in the assessment. The Norwegian Data Protection Authority has received several inquiries from health personnel who find it very uncomfortable to be assessed on the website.
It is difficult to quantify privacy disadvantages, and the number of inquiries is a poor measure of how large the privacy consequences are. The Norwegian Data Protection Authority has also not based the decision solely on individual stories, but it must be assumed that the inquiries from various doctors point to real issues.
The rating page on the Medical List differs from other rating pages because health professionals have a special role in society. Health personnel have the task of providing proper health care. If a doctor refuses to prescribe medication, does not give a sick note or refers to a specialist, the decision may be unpopular, but professionally correct. Healthcare professionals' privacy is therefore more vulnerable in that they are required to make decisions that may lead to unfavorable assessments on the website. It will not necessarily be possible to discover which assessments are due to conflict, because the assessments may appear to be factual. Due to the duty of confidentiality, health professionals have little opportunity to defend themselves against the coverage on the website, which also distinguishes this occupational group from many others. It is also not possible to verify whether the assessments on the Medical List come from actual patients. Doctors are ranked in relation to each other based on purely subjective and non-testable criteria, which also affects privacy. All health professionals are awarded stars, which very quickly give a superficial look at the person's abilities or personality traits. If the health personnel have few assessments, this can give a relatively skewed picture of the person in question. The uncertain quality of the assessments represents a privacy disadvantage.
The information is also easily accessible on the Medical List, and it appears when Google searches for the person's name. The assessments and personal characteristics can therefore have major consequences for the health personnel's reputation and reputation.
There are examples of the Medical List having allowed reservations if there are compelling reasons. The Danish Data Protection Agency does not see how this scheme can work in practice. Anyone can tell credible stories about mental health problems or bullying of children, which in reality can open up a great many reservations. The doctor's list requires that the allegations are further substantiated and substantiated because too many reservations can affect the site's commercial operation. There will therefore be a certain threshold for reservation, and it is unfortunate if the Medical List is to be a judge of what is "true enough".
The Norwegian Data Protection Authority does not trust that the Medical Association's assessment of "weighty" will always give a satisfactory result in practice. It is not always possible to distinguish false assessments by their content. It means that a group of health professionals will still not be heard.
As regards the distinction between the Medical List and statements on online forums and social media, this is due to the fact that the Medical List compiles and systematises information. On the one hand, this is positive for freedom of information because several assessments are gathered in one place. On the other hand, compilation and systematization mean that a larger amount of personal data is processed and that the interference with privacy can thus be greater.
7.4.2 Opposing interests
The privacy disadvantages must be weighed against the legitimate interests of the Medical List and of third parties to whom the information is disclosed.
The doctor's list facilitates patients' opportunity to choose between healthcare professionals and offer a better basis for comparison. The doctor's list facilitates a systematic exchange of experiences. This takes into account the considerations behind free choice of doctor and treatment and makes the choice more real. In addition, it contributes to a freer exchange of opinions and increased flow of information and gives patients a mouthpiece, which is a consideration that freedom of expression is meant to safeguard. The processing of personal data that takes place in connection with the Medical List thus benefits more people and appears to be of public benefit. The doctor's interest in processing and disclosing this personal information is therefore in principle of great importance.
The medical list also has a commercial interest next door. The site has revenue and currently employs two full-time employees. Commercial interests are also legitimate interests, but they will not weigh as heavily in a balance of interests. It is the consideration of free flow of information and exchange of opinions that makes the publication of statements on the Medical List in the first place weigh heavily in the balance of interests.
The medical list has referred to research that shows a connection between patient assessments and the quality of health care. Whether the assessments reflect the health services, however, depends on the health personnel having received a sufficient number of assessments so that overall trends are shown and uncertainties are mitigated.
It is positive for privacy that the Medical List does not allow for accusations of incorrect treatment. At the same time, there is a difference between, for example, assessments of how healthcare professionals meet patients and the information given in the newspaper in Bergens Tidende and others v. Norway, with which the Medical List compares.
7.4.3 Balance of interests between privacy considerations and other considerations
Information of general interest enjoys strong protection, but the societal benefit of the information will vary, among other things depending on the nature of the information. The Medical List provides information that is relevant to the level of health services, but the information is not essential for the level of health services, as the Medical List claims.
Assessments of persons' professional practice are personal data and can be linked to individuals because professional practice is linked to personality traits. The assessments on the Medical List contain personal characteristics. The EMD has assumed that professional activities are also protected by the right to privacy, cf. Niemietz v. Germany (13710/88), section 29. In cases of de-indexing search results in search engines (which is a form of publication on the Internet), However, data supervision in the EU / EEA area has assumed that the consideration of information flow weighs somewhat more heavily when it comes to information about professional practice, cf. also the Article 29 Group's guidelines, WP 225 page 16.
When it comes to the question of whether a doctor holds a role in public life, belonging to a regulated profession is only one aspect of the assessment. In any case, having a role in public life does not mean that one must endure all publicity. There are 163 regulated professions in Norway, not all of which have a role in public life because the profession is regulated by law and requires authorization. The Data Inspectorate has therefore in its assessment not placed decisive emphasis on this consideration.
The medical list has stated that since doctors are professional professionals who receive income from the public sector, they must endure receiving criticism. The Data Inspectorate is unsure whether the source of income alone is a good assessment topic, but agrees that certain professions, in terms of their social mission and management of common services, must withstand criticism and debate. The question in this case, however, is whether doctors, who at times make unpopular decisions, should have to end up in a publicly available and searchable register where anyone can criticize their personal features. The Data Inspectorate finds this question somewhat more dubious.
The medical list has referred to similar services in other countries in support of its view. In a judgment of the Frankfurt Oberlandesgericht, Urteil Az. 16 U 125/11 OLG Frankfurt am Main 8 März 2012 (highest regional court, second highest in German court system), the court considers a site where one can rank doctors according to a similar provision as the Personal Data Act 2000 § 8 letter f. The court concluded that the website interest in publishing both objective and subjective assessments exceeded the consideration of doctors' privacy. As the name of the website has been deleted, the Data Inspectorate has not had the opportunity to compare the page with the Medical List to see if they are similar in format and content. The judgment also does not address all the privacy implications listed in this case. In this case, for example, there are threats, assessments with a motive for revenge and assessments from outside prominent factors, but this has not been assessed in the judgment. The judgment is relevant, but the weight is limited, both since it comes from a German regional court and because it does not take a position on key issues that this case raises.
The statements from Germany, the United Kingdom and Slovenia to which the Medical List has referred do not discuss the factors listed in this case, namely the health professionals' particularly vulnerable role as gatekeepers for medicines, sick leave and referrals and the special effects this may have on individual privacy. No statements have been obtained from the Polish and Irish authorities. The statement from Sweden does not conclude and contains references to special Swedish rules.
The Austrian provision on unconditional reservation rights, regardless of the nature of the treatment, is probably in conflict with freedom of expression. The order on reservation access, on which the Data Inspectorate's decision is based, is based on a specific balance of interests between the Medical List and the interests of the general public and doctors' privacy. This is a different situation.
The doctor's list has also referred to a guidance e-mail from the ICO (the British Data Protection Agency) to the owner of a British website where doctors are evaluated. This is also a relevant legal source factor, but the weight is limited since it is a question of very summary guidance and not a reasoned and binding decision.
The medical list has a strong interest in treating subjective assessments of health personnel, and there are privacy-minimizing measures. Nevertheless, the interest is of limited importance in terms of the doctors' role and responsibilities, the content of the assessments and how some people use the website. For some groups of healthcare professionals, the privacy implications are great. The Data Inspectorate finds in doubt that privacy considerations have not been adequately safeguarded. In principle, this indicates that the processing of subjective personal data is not permitted and must cease.
7.4.4 Privacy promotion measures - reservation access
The medical list has measures that are intended to safeguard privacy, and moderates away assessments that are contrary to the guidelines. The medical list has rejected about 14,000 assessments, while 67,000 assessments have been published. Doctors may request that the assessments about them be removed from the website if very special circumstances so require, but the Authority believes that the right of reservation is limited.
The Data Inspectorate assumes that the moderator function as well as the limited reservation access can not fully minimize the privacy disadvantages. The medical list has also introduced the possibility for doctors to respond to assessments. In a telephone conversation with the Norwegian Data Protection Authority, the Norwegian Medical Association has stated that such a function has limited value because the reports are anonymous and difficult to defend against, and that the duty of confidentiality precludes a response. The Norwegian Medical Association believes that it is difficult to defend itself against subjective assessments, and that the time spent on a response is difficult in an already pressured resource situation.
The solution on the website means that the individual must actively follow the website to defend themselves. This is relevant in a privacy law context because it places great demands on the individual.
The Norwegian Data Protection Authority has concluded that if the Medical List is to have a basis for processing in the Personal Data Act 2000 § 8 letter f, the privacy consequences must be minimized. The right of healthcare professionals to reserve themselves from being assessed on the website can minimize the privacy consequences to a sufficient degree, and considerations of privacy will no longer weigh most heavily.
Information about health personnel will then still be available on the Medical List. The reservation access is only aimed at the possibility of being subject to assessment by individuals. The Data Inspectorate does not want to make greater interventions than necessary, but the Authority cannot see that it will be possible to moderate junk assessments because it is not possible for the Medical List to verify the degree of truth in the assessments.
At its core, the case concerns assessments which, according to their content, may seem legitimate, but where the purpose is unjustified retaliation. This is the reason why the Norwegian Data Protection Authority does not propose a specific assessment of each individual assessment and has also explicitly refrained from ordering the removal of individual assessments, cf. the Privacy Board's case PVN-2016-04. It is the company's processing of personal data as a whole that is the theme. In this connection, the Norwegian Data Protection Authority has emphasized that it will not be feasible for the Medical List to decide what is good enough to require a reservation. The only way to remedy this seems to be a general reservation access. It is worth noting that booking does not remove the disadvantages, since the person wants a "blank page", which can also give a negative impression of the person.
With regard to the decision's proportionality, the large number of reservations the Medical List has received shows that the service will be affected by the decision. The doctor list has received over 1,000 reservations. On the other hand, approx. 12,000 health personnel listed on the site. The Data Inspectorate is still very uncertain whether all doctors will make reservations. As we have previously pointed out, it is an advantage to be on the side for health professionals with positive assessments, and the Medical List itself has pointed out that the vast majority of assessments on the Medical List are positive. Reserving can also be a disadvantage, as mentioned above, because it may look like you have something to hide. In any case, the company's earnings appear to be based at least in part on services that will not be directly affected by decision point 1. The medical list will be able to continue its operations, but within the framework of a reservation access. The medical list may also consider developing its service further in order to disseminate information about health personnel in other ways than through subjective assessments from individuals.
The Data Inspectorate thus believes that the service has no basis for processing the dissemination of assessments without health personnel being given the opportunity to make reservations. If other companies later enter the market from abroad, the Data Inspectorate will be able to participate in enforcing the privacy rules according to the consistency mechanism in the Privacy Ordinance.
The reservation scheme only needs to apply to the actual assessments as mentioned above, the Medical List has a basis for treatment in order to publish objective facts about health personnel.
The Medical List believes that a reservation scheme will distort competition because the Data Inspectorate in other EU / EEA countries has not made the same assessment as the Data Inspectorate. Actors from other countries in the EEA can thus in theory offer the same service without corresponding restrictions. This is a relevant argument because the Privacy Directive is intended to ensure equal protection, but also free movement of personal data throughout the EEA, and therefore the rules in the Personal Data Act must at least to some extent be interpreted harmoniously with how relevant bodies in the other countries view the provisions. However, the Data Inspectorate cannot see that other data inspections or courts have made an equally thorough assessment as those in this case, and several of the key aspects of the case have not even been touched on in the few cases mentioned by the Medical List. There is therefore no reason to change the conclusion for reasons of harmonization.
A general reservation access will protect the minority who find it very stressful to be assessed on the Internet or who feel a strong pressure to appease their patients.
The Data Inspectorate believes that such an interference with freedom of expression can be defended against section 100 of the Constitution and that the interventions are authorized by law. The Authority believes that the restrictions contained in the decision are necessary to protect the rights of individuals. The interventions are proportionate and the interventions in freedom of expression can be defended against Article 10 of the ECHR.
The Data Inspectorate's decision does not set any limits on which statements can be made, and therefore does not constitute prior censorship, cf. the prohibition in the Constitution § 100 fourth paragraph.
8. The Privacy Board's assessment
The case concerns the question of whether the processing of personal data that takes place on the website Legelisten.no is legal processing of personal data.
8.1 Choice of law
The tribunal will first say something about which law will apply.
The Norwegian Data Protection Authority has assessed the case in accordance with the Personal Data Act 2000, before submitting it to the Privacy Board in June 2018.
New law on the processing of personal data (Personal Data Act 2018) entered into force on 20 July 2018. It follows from the Personal Data Act 2018 § 1 that European Parliament and Council Regulation (EU) 679/2016 of 27 April 2016 on the protection of natural persons in connection with processing of personal data and on the free exchange of such data as well as on the repeal of Directive 95/46 / EC (GDPR or the regulation), applies as Norwegian law from 20 July 2018. From the same date, the Personal Data Act 2000 has been repealed.
The Personal Data Act 2018 has transitional rules in § 33. It follows from this provision that the rules on the processing of personal data that applied at the time of action shall be used as a basis when a decision on infringement fees is made, unless the legislation at the time of the decision leads to a more favorable result. persons responsible for processing, cf. the prohibition in section 97 of the Constitution against laws being given retroactive effect. In this case, there is no question of imposing an infringement fee, and it then presupposes from the Personal Data Act 2018 § 33 that it is the law, as it reads at the time of decision, that shall form the basis for the Privacy Board's decision.
This is also discussed in the preparatory work for the Personal Data Act 2018, Prop. 56 LS (2017-2018) page 196, where the Ministry states, among other things:
"There will be a number of cases pending before the supervisory authority and the Privacy Board at the time of the entry into force of the new Personal Data Act [2018]. The regulation does not contain any transitional provisions that regulate the processing of such cases. The starting point will be that decisions by the Data Inspectorate and the Privacy Board will have to be made on the basis of the substantive rules in force at any given time ».
Even if the case arose before the new law came into force and the Data Inspectorate assessed the case according to the Personal Data Act 2000, the tribunal must therefore process the case according to the Personal Data Act 2018.
The question for the tribunal will then be whether the Medical List processes personal data in line with the provisions that follow from the Personal Data Act 2018 and GDPR. This means that section 9 of the Data Inspectorate's decision that the Medical List is not granted a dispensation from the licensing obligation pursuant to the Personal Data Act 2000 § 33 third paragraph, lapses, as the licensing scheme is repealed in the Personal Data Act 2018. The question for the board is about the processing of personal data. .no is legal in accordance with the Personal Data Act 2018.
8.2 Responsible for processing
The tribunal will first decide who is responsible for processing personal data processed by the Medical List.
Article 4 (7) of the GDPR defines "data controller" as follows:
«Fysisk a natural or legal person, a public authority, an institution or any other body which alone or together with others determines the purpose of the processing of personal data and the means to be used […]»
This is in accordance with how the data controller was defined in accordance with the Personal Data Act 2000 § 2 first paragraph no. 4 and the new law does not entail any changes to the definition.
The doctor's list processes several forms of personal information: objective personal information (such as name, gender, age, date of authorization, place of work, as well as information on administrative reactions to health personnel from the Norwegian Board of Health), subjective personal information (assessments of health personnel), and information about users.
There is no doubt that the Medical List is responsible for processing the objective information collected about health personnel, including information about administrative reactions against health personnel from the Norwegian Board of Health Supervision, and information about users who leave assessments. However, the doctor's list denies that they are responsible for the treatment of the subjective assessments that the users themselves post on the website. The Medical List states that for this information they must be regarded as data processors, ie that they process the personal data on behalf of the private individuals who use the website who are themselves responsible for processing, cf. GDPR article 4 no. 8.
The tribunal agrees with the Norwegian Data Protection Authority that the Medical List is responsible for processing all the information that is collected, published and otherwise processed in connection with the service that the Medical List offers. It is the Medical List that has determined the purpose of the processing of the information and which aids are to be used in the treatment by setting up the technical solution for the online service, deciding which types of health personnel are to be covered and deciding what type of information is available. As a reason why it is the Medical List that determines the purpose of the processing of the information, it is sufficient to refer to the service's own website. It appears from the front page of the website that the Medical List:
"Helps you find good doctors. Read other patients' assessments and share your own experiences ».
Furthermore, the description «About us» states the following:
"Our goal is to be the place people go to when they want to find a new GP, specialist, dentist, chiropractor and eventually also other types of health professionals."
The tribunal agrees with the Norwegian Data Protection Authority that also with regard to users' subjective assessments of health personnel, the Medical List has set the framework for the form and content of the assessments, and the statements on the page are used to achieve the purposes defined by the Medical List. The Medical List has a moderating role and assesses whether the posts are in line with the guidelines, and it is the Medical List that, in accordance with the guidelines, can unilaterally decide whether the assessments are to be published or not. There is therefore no reason to view the processing responsibility for this information differently than for the other information on the website.
8.3 The exception for journalistic purposes in the Personal Data Act 2018 § 3
The next question is whether the processing of personal data on the website Legelisten.no falls under the so-called journalist exemption in the Personal Data Act 2018 § 3. If the processing of personal data that takes place on the website is covered by this provision, the Data Inspectorate does not have the competence to issue such an order. it is explained in the introduction.
The Personal Data Act 2018 § 3 reads:
"For the processing of personal data solely for journalistic purposes or for the purpose of academic, artistic or literary expression, only the provisions of the Privacy Ordinance Articles 24, 26 28, 29, 32 and 40 to 43 apply, cf. the Privacy Ordinance Chapters VI and VIII and Chapters 6 and 7 in the law here. "
This section originates in Article 85 of the GDPR, which is justified with regard to freedom of expression, as this right is protected by Article 100 of the Constitution, Article 10 of the European Convention on Human Rights (ECHR) and Article 19 of the UN Convention on Civil and Political Rights (SP ). It appears from the preparatory work for the Personal Data Act 2018, Prop. 56 LS (2017-2018), chapter 38.1, that § 3 continues the legal situation that followed from the Personal Data Act 2000 § 7. In Prop. 56 LS (2017-2018), chapter 14.1 reported also legislates in more detail for the term «journalistic purposes»:
"The term 'journalistic purpose' is not limited to professional journalism. The exception includes any processing of personal data for purely journalistic purposes, and it is a specific assessment of the purpose and nature of the processing that is decisive ».
The provision covers everyone who processes personal data, regardless of profession, as long as the processing takes place exclusively for journalistic purposes. The Act applies in the usual way when the processing partly has other purposes, such as advertising for goods and services, cf. Prop. 56 LS (2017-2018), chapter 14.1.
In the EU Privacy Directive 95/46 / EC, the relationship to freedom of expression was regulated in Article 9, and this provision essentially coincides with Article 85 of the GDPR. and 56):
«In order to reconcile those two“ fundamental rights ”for the purposes of the directive, the Member States are required to provide for a number of derogations or limitations in relation to the protection of data and, therefore, in relation to the fundamental right to privacy, specified in Chapters II, IV and VI of the directive. Those derogations must be made solely for journalistic purposes or the purpose of artistic or literary expression, which fall within the scope of the fundamental right to freedom of expression, in so far as it is apparent that they are necessary in order to reconcile the right to privacy with the rules governing freedom of expression.
In order to take into account the importance of the right to freedom of expression in every democratic society, it is necessary, first, to interpret notions relating to that freedom, such as journalism, broadly. Secondly, and in order to achieve a balance between the two fundamental rights, the protection of the fundamental right to privacy requires that the derogations and limitations in relation to the protection of data provided for in the chapters of the directive referred to above must apply only in so far as is strictly necessary. »
The European Court of Justice here directs that the exceptions from the protection of personal data in the directive cannot be more comprehensive than necessary ("necessary") to ensure freedom of expression. In this connection, the tribunal also refers to Prop. 56 LS (2017-2018), chapter 14.2. where it is stated that no exceptions shall be made from the protection of personal data to a greater extent than is necessary for reasons of freedom of expression and information, and that the scope of the exception rule therefore depends on the requirements of the rules on freedom of expression and information, cf. 100 and Article 10 of the ECHR. In other words, the balance between privacy and freedom of expression shall be based on a proportionality assessment. The European Court of Justice further emphasizes that the exceptions from the protection in the directive cannot go beyond strictly necessary ("strictly necessary"), a wording that normally indicates a particularly strict proportionality assessment, and in the context this appears here it is clear that the the personal data protection that is taken into account.
The Tribunal considers that the above-cited statement from the European Court of Justice, even though it applied to Article 9 of the Directive, is also relevant to the interpretation of Article 85 of the GDPR, and the Tribunal assumes that Article 85 of the GDPR also provides guidance on a proportionality assessment. Exceptions from the protection in the regulation can only be made if this is necessary to ensure a sufficient arm's length for freedom of expression. This interpretation is also supported by paragraph 153 of the preamble, which states, among other things:
"Member States should therefore take legislative measures setting out the exemptions and derogations necessary to strike a balance between these fundamental rights. Member States should adopt the said exemptions and exceptions with regard to general principles, data subjects' rights, data controller and processor, transfer of personal data to third countries or international organizations, independent supervisory authorities, cooperation and uniformity, and specific data processing situations. "
It follows from Article 85 of the GDPR that the Member States shall derogate from the provisions of Chapters II, III, IV, V, VI, VII and IX, but this cannot, in the opinion of the Board, be read as an expression that exceptions must be made from all the provisions of these chapters. Paragraph 153 of the preamble presupposes, on the contrary, that there may be variations in the Member States' regulation of this balancing of interests:
"If such exemptions or exceptions vary from one Member State to another, the law of the Member State to which the controller is subject should apply."
This can hardly be interpreted in any other way than that the Member States can to a certain extent choose how they will proceed from a legal point of view to regulate the balance between freedom of expression and the protection of personal data. Skullerud et al., Privacy Ordinance (GDPR): Commentary edition (2018) p. 352 also points out this freedom of choice:
«[…] National adaptations can be made rather" template-wise ", through the establishment of pure exceptions from the regulation»
It is further stated that the regulation does not exist:
«[…] Prevents the establishment of national special regulations that positively regulate this treatment. Such special regulation can contribute to greater predictability and thereby ensure better protection of the various rights ».
The solution in the UK can serve as an example of the latter model. In the Data Protection Act 2018, Schedule 2 ('Exemptions etc from the GDPR') Part 5 ('Exemptions etc based on Article 85 (2) for reasons of freedom of expression and information') section 26 (9) lists a number of provisions in the GDPR that do not apply to the processing of personal data covered by the journalist exemption. However, the exception is limited by section 26 (3):
"The listed GDPR provisions do not apply to the extent that the controller reasonably believes that the application of those provisions would be incompatible with the special purposes."
The publication "Data protection and journalism: a guide for the media", published by the Information Commissioner's Office, points out on page 37 the following about the corresponding exception in the previous Data Protection Act (1998):
«Organizations must also be able to explain why complying with the relevant provision of the DPA is incompatible with the purposes of journalism. In other words, there must be a clear argument that the provision in question presents an obstacle to responsible journalism. You should be able to show it was impossible to both comply with a particular provision and to fulfill your journalistic purpose. Alternatively, you can show that it was unreasonable in the circumstances to comply with a particular provision, by virtue of it being impractical or inappropriate. You must balance the detrimental effect compliance would have on journalism against the detrimental effect non-compliance would have on the rights of the data subject. "
It is in this that the processing of personal data is only exempted from the protection in the GDPR to the extent that it will be incompatible with the journalistic activity that the data subject can assert the rights in the GDPR.
The Privacy Board sees it as the solution chosen by the Norwegian legislature, where the Personal Data Act 2018 § 3 makes exceptions from most of the provisions in the GDPR, makes it very difficult to make the nuanced trade-offs between freedom of expression and personal data protection as both EU practice. the court and the advocacy of the GDPR presupposes that this must be done: If it is first assumed that the processing in question is covered by the exception in § 3, the registered person will largely fall outside the protection that follows from the GDPR. Such a legal situation may be difficult to reconcile with the state's obligations under Article 8 of the ECHR to ensure adequate protection of privacy, including the protection of personal data. For the tribunal, it is important to remember that the consideration for freedom of expression is not only taken care of by the Personal Data Act 2018 § 3, but also a number of other places in the GDPR. Of particular importance in this case is Article 6 of the GDPR, which in paragraph 1, letter f, provides guidance on a balance of interests where freedom of expression may constitute one of several legitimate interests.
As already mentioned above, the European Court of Justice stated in case C-73/07 that the consideration of freedom of expression dictates that the term journalism must be interpreted broadly ("broadly"). However, this did not prevent the Finnish Supreme Court, which had asked the European Court of Justice about the interpretation of Article 9 of the Directive, from concluding that the publication of large amounts of tax information on private individuals was not covered by the Finnish Personal Data Act. The Finnish Administrative Court stated, among other things:
«The term“ processing of personal data for journalistic purposes ”cannot be regarded as covering the largescale publication of the journalistic background file, almost verbatim, as catalogs, albeit split into different parts and sorted by municipality.
Since the disclosure of registered data on such a scale is equivalent to the disclosure of the entire background file kept for journalistic purposes by the company, such disclosure does not represent solely an expression of information, opinions or ideas. As stated above, with a view to reconciling the requirements of freedom of expression with the protection of privacy, the collection of data before publication has been made permissible under section 2 (5) of the Personal Data Act without any requirement of compliance with general conditions set out in section 8 of the Act. By contrast, the processing of personal data collected in the company's background file by publishing it and by rendering it available to the general public to the extent that has been done in the present case, and beyond the scope of the minimum requirements set out in section 2 (5) of the Act, cannot be regarded as compatible with the purpose of the Personal Data Act. »
From the quoted, which is taken from the EMD's judgment in Satakunnan Markkinapörssi OY and Satamedia OY v. Finland from 27 June 2017, Grand Chamber, case 931/13, section 22, page 9, it can be deduced that the Finnish Administrative Court distinguished between collection, storage and other forms of processing of personal data before publication, which were clearly covered by the journalist exemption, and the subsequent processing of the information in the form of publication, which was not covered by the exception. The fact that it was media companies that had published the tax information was not in itself sufficient for the relevant processing of personal data to be covered by the journalist exemption. The ban on such mass publication of tax information was not found to be a violation of the protection of freedom of expression in Article 10 of the ECHR. the other.
The tribunal uses similar considerations as a basis for assessing whether the Medical List is covered by the journalist exemption. As the EMD agreed with the Finnish ruling, which concerned media companies' publication of tax information of approx. 1.2 million named persons, the tribunal finds no reason to assess the journalist exemption for the Medical List's publication of the user assessments on the website in any other way. In contrast to the Finnish judgment, where the accuracy of the information was not questioned, the accuracy of the user assessments regarding health personnel on the Medical List was questioned. The tribunal has also noted that the EMD emphasized that the decision in Finland did not entail a total ban on publishing tax information, and that the court upheld the Finnish decision where it was assumed that mass publication of information to such an extent was not journalism. , but instead the processing of personal data.
The tribunal will also emphasize that it is the law's main rule on processing basis that applies if the processing of personal data is not "exclusively" processed for journalistic purposes, cf. the exemption provision in the Personal Data Act 2018 § 3. The doctor list states that the purpose of the service is that users can read about the various medical services before choosing a therapist. The tribunal has noted that the Medical List, in addition to offering its users to purchase additional services, offers special benefits for healthcare professionals when purchasing a "premium profile", where healthcare professionals pay for better visibility and can highlight a user assessment for marketing purposes. Such processing of personal data also indicates that the journalist exemption does not apply, cf. Prop. 56 LS (2017-2018) chapter 14.1 where it is stated:
"The law therefore applies in the usual way when the processing has partly other purposes, such as advertising for goods and services."
Following this, the Privacy Board has come to the conclusion that section 3 of the Personal Data Act 2018 must be interpreted in line with the guidelines that can be deduced from the case law of the European Court of Justice, including how this has been applied by the Finnish Supreme Administrative Court. The mass publication of patient experiences with doctors made by Legelisten.no is consequently not covered by the journalist exception in the Personal Data Act 2018 § 3.
8.4 Processing basis for processing personal data about the users of the website
The doctor's list collects contact information (e-mail address) from the users who submit assessments of health personnel. The Data Inspectorate has in its decision (item 8) decided that the Medical List's processing of this information must cease because the Medical List has no basis for processing.
The tribunal, like the Data Inspectorate, assumes that an e-mail address will in most cases have a design that makes it possible to identify the person who sent the e-mail. It therefore constitutes personal data. The Norwegian Data Protection Authority has further assumed that personal data fall into special categories of personal data, cf. GDPR article 9 no. 1, cf. article 4 no. 15. The medical list disputes this.
Article 4 (15) reads as follows:
"For the purposes of this Regulation
[…]
15) "health information" means personal information about a physical person's physical or mental health, including the provision of health services, which provides information about his or her state of health. "
The tribunal assumes that information about who your GP or dentist is, or information that you have been to a GP or dentist is not information that "provides information about the person's state of health" in itself, and thus does not fall into particular categories of personal information in Article 9. It is only when the information provides additional information, for example that the doctor you have had contact with is a psychiatrist or cancer specialist, that the information about the contact between the user and the doctor itself also provides information about the user's health and thus included in the category personal data that is subject to regulation in Article 9. Although the information about the state of health is also very limited in such a case, the tribunal assumes that the processing of this personal data must have a processing basis in Article 9 (2) in addition to Article 6 (1).
Both non-sensitive and sensitive personal data (special categories, cf. Article 9) may be processed if the data subject consents to the processing, cf. Article 6 No. 1 letter a and Article 9 No. 2 letter a. In Article 4 No. 11 is consent of the data subject defined as follows:
"[…] Any voluntary, specific, informed and unequivocal expression of will from the data subject where the person in question, by a statement or a clear confirmation, gives his consent to the processing of personal data concerning the person concerned."
It further follows from Article 7 (4):
«In assessing whether a consent has been given voluntarily, the greatest possible consideration shall be given to, among other things, the fulfillment of an agreement, including whether the provision of a service is made conditional on consent to the processing of personal data that is not necessary to fulfill the said agreement. . »
Clause 42 of the GDPR states, among other things:
"The consent shall not be considered voluntary if the data subject does not have a real freedom of choice, or is unable to refuse to give or withdraw a consent without it being to the detriment of the person concerned."
And further in point 43 of the preamble:
"To ensure that a consent is given voluntarily, it should not constitute a valid legal basis for the processing of personal data in a particular case if there is a clear imbalance between the data subject and the data controller, especially if the data controller is a public authority and it is therefore it is unlikely that the consent was given voluntarily with regard to all the circumstances that characterize the particular situation. The consent is assumed not to have been given voluntarily if it is not possible to give separate consent for different treatment activities, even if it is appropriate in the individual case, or if the fulfillment of an agreement, including the provision of a service, depends on the consent, despite that such consent is not necessary to fulfill the agreement. "
The Data Inspectorate has assumed that any consent from users is not voluntary because you are barred from submitting assessments if you refuse to consent, cf. Article 7 no. 4. Furthermore, the Data Inspectorate considers that the consents are in any case neither informed nor express as required by GDPR , so that they must be considered invalid. According to the Data Inspectorate's assessment, this means that the collected e-mail addresses must be deleted.
The Privacy Board has divided into a majority and a minority in assessing whether consent constitutes a valid basis for processing.
The majority of the Privacy Board (Haugstad, Borvik, Graasvold, Coll and Talsethagen) have reached a different result than the Data Inspectorate and believe that the Medical List can be based on consent as a basis for processing and storing e-mail addresses, or other contact information, to the users who leave subjective assessments of health personnel on the Medical List.
The majority points out, firstly, that all users can freely read and use the information on the Medical List, without leaving their e-mail address. It is only if the person in question wishes to enter a separate assessment of the health personnel the person in question has been with that the user's e-mail address / contact information is requested. In the tribunal's assessment, it is not natural to regard this as "the provision of a service, [which] is made conditional on consent", cf. Article 7 no. and rates, based on reviews submitted by different users. It is not the possibility to enter assessments that represent the service, but the processing, presentation and publication of the other submitted assessments. All users are free to use the service without submitting assessments by their own health personnel.
The majority will also point out that the Medical List is responsible for the processing of all the personal data published on the website, and is thus subject to various obligations pursuant to GDPR Chapter IV «Processor and data processor». Pursuant to Article 5, paragraph 1, letter d, it is also the responsibility of the data controller to ensure that the information is «correct and, if necessary, up-to-date; any reasonable measures must be taken to ensure that personal data which are inaccurate in the purposes for which they are processed are deleted or corrected without delay. " The medical list has prepared its own guidelines for submitting assessments by health personnel and has reserved a moderator role and an unreserved right to "at its own discretion and without justification to remove or fail to publish assessments". According to the guidelines, assessments by therapists given by therapists at the same clinic, by the therapist himself or by competitors are not accepted. It is also required that the assessments given must be based on own experience and not be submitted on behalf of others. According to the guidelines, no more than one assessment per therapist can be submitted from the same user. It has been reported that the Medical List in some contexts conducts examinations to clarify whether the users who have submitted assessments follow the guidelines. Although it must be assumed that these guidelines are not always followed and that the Medical List does not have a system that makes it possible to detect all cases of discrepancies, a scheme where the submitted assessments were also anonymous to the Medical List will clearly reduce the Doctor's ability to make controls and exercise their moderator role. It is also reasonable to assume that the fact that the user is identified, with for example his e-mail address, can in itself have a regulatory effect on the assessments submitted. The tribunal therefore believes that identifying the persons who submit assessments to the Medical List helps to ensure the quality of the information published on the website.
The next question is whether the consents given by the users meet the law's requirement to be an "informed and unambiguous expression of will", cf. Article 4 no. 11, and is given "explicitly", cf. Article 9, no. either directly or indirectly, health information is also provided).
In Skullerud et al .; The Privacy Ordinance (GDPR) Commentary edition, Universitetsforlaget 2018, page 67, the requirement for explicitness is described as follows:
"An express consent under the Regulation shall be an expression by the data subject that he or she accepts a specific processing of personal data. The consent can be expressed through an affirmative action or a statement that clearly states that the person in question accepts the processing of personal data. There is no requirement for writing. Other ways of giving consent can also satisfy the requirement for explicitness. However, there is reason to remind that it is the data controller who bears the risk that the consent is valid, and who must therefore be able to demonstrate that the registered person has expressly given consent. This can be demanding if consent is given only orally. "
The majority of the tribunal bases this on its assessment.
The Medical List states in its privacy statement that contact information is collected from those who choose to submit assessments of health personnel and that the contact information is used to offer additional services from the Medical List, and is used for the purpose of moderate assessments:
"To ensure the quality of assessments and ensure that they are in line with our terms and guidelines, contact you with information and any questions about your assessment."
In addition, the terms of use state the following:
«Each User can only write one assessment per therapist. Attempts to circumvent this may result in all reviews written by a User being removed. If a User after submitting an assessment of whether a therapist later wishes to update or change the content of the assessment, then a new assessment of the therapist can be written and sent from the same email address that the User used for the original assessment. Upon publication, this new assessment will automatically overwrite and replace the old assessment. "
In the opinion of the majority, the users thereby receive sufficient information about what the information they submit is used for. Furthermore, users give consent in the form of an affirmative action when they submit the requested information to the Medical List. The majority has doubted that this is a valid basis for treatment in the form of consent.
The majority has been concerned that the Medical List must provide clear information to users in connection with obtaining consent. This is especially true in that the Medical List also in some cases processes sensitive personal data. The doctor list must give users access to be able to give a differentiated consent, something the majority has noticed that Legelisten.no now has in the form of check boxes. The fact that the website may have lacked this solution in the past does not mean that the consents submitted are considered invalid, and that the information has consequently been collected illegally. The majority presupposes that such access is also given in the future to be able to give a differentiated consent.
The majority's assessment of this question entails a reversal of the Data Inspectorate's decision, item 8. According to the tribunal's assessment, the Medical List has grounds for requesting and storing contact information about users who submit assessments on the website, cf. GDPR article 6 no. 1 letter a and article 9 No. 2 letter a.
The Privacy Committee's minority (Hannemyr and Tessem) believe that the Medical List has not obtained consent for the processing of users' e-mail addresses in a way that satisfies the consent requirements in the GDPR, and will justify its position in the following.
The Norwegian Data Protection Authority has pointed out the problem in that everyone who submits assessments must provide an e-mail address. Email addresses often contain names or are linked to the identity of individuals in other ways, for example by using the email address when registering on social media. In cases where health personnel in the specialist health service are assessed, the fact that you have visited the doctor in question may in itself say something about your state of health.
Health information belongs to a special category of information, cf. GDPR article. 9, and in this case only consent can be a valid basis for treatment.
The minority believes that the question of consent is about two different issues:
Has a valid consent been obtained for the processing of users' e-mail addresses that the Medical List does today, cf. GDPR Article 4, No. 11, Article 6 No. 1 letter a, Article 7 and Article 9 No. 2 letter a
If current practice is invalid, can the Medical List in the future arrange the collection of users' e-mail addresses for various specified purposes in a way that makes the treatment legal?
The minority will first discuss whether valid (ie voluntary, specific, informed and unambiguous) consent has been obtained for the e-mail addresses already collected:
The Medical List's consent form is designed so that it is not possible to consent to a service (such as being sent newsletters and updates), without at the same time agreeing to the Medical List processing health information for moderation purposes.
This is stated in the facsimile of the consent form below, which in any case gives an error message if the field that allows processing of health information is not ticked.
This is contrary to Article 7 (4) of the GDPR, which states that:
«When assessing whether a consent has been given voluntarily, the greatest possible consideration shall be given to, among other things, whether the fulfillment of an agreement, including the provision of a service, is made conditional on consent to the processing of personal data that is not necessary to fulfill the said agreement. . »
As the minority sees it, the consent form must allow you to check that you want to receive newsletters and updates, without at the same time agreeing to the Medical List processing information related to your health.
In this case, there is even talk of processing sensitive personal data, which makes the error more serious.
In addition, it appears from the privacy statement that Legelisten has posted on its website that Legelisten processes the e-mail address for purposes other than the two that appear on the consent form, such as marketing, and the opportunity to change the content of an assessment.
It appears from point 32 of the preamble that:
"If there are several purposes for the treatment, consent should be given to all."
This also means that the consent that the Medical List has so far obtained via this consent form is invalid.
The medical list has therefore never obtained valid consent for the processing of the users' e-mail addresses, and therefore has no valid basis for processing these. For the minority, it is obvious that personal data that has been registered illegally must be deleted.
The minority will then further discuss whether orders should be issued which, if followed, will make the processing of e-mail information collected from users of the website legal.
As the minority sees it, there is nothing to prevent the Medical List from processing users 'e-mail addresses, provided that the Medical List obtains the consents necessary to process the users' e-mail addresses for the specific purposes that the Medical List has listed in its privacy statement. In practice, this means some linguistic improvements that make the purposes clearer, but primarily that the Medical List changes the consent form so that it is possible to give specific consent for each of the various purposes stated, and that none of these consents is conditional on it also having to be ticked for another consent.
The minority therefore concludes that the Medical List must be given a clear order to change its consent form so that it satisfies the requirements set out in the law.
The tribunal's conclusion is formulated in line with the majority's view.
A joint board then proceeds to assess whether the consideration for the privacy of health personnel who are assessed on the Medical List dictates that anonymous assessments on the website should be prohibited, as A has stated in his complaint. The Norwegian Data Protection Authority has noted that anonymous statements are "negative for the privacy of the doctor, but positive for the privacy and freedom of expression of patients" and has in its decision placed decisive emphasis on the privacy and freedom of expression of users.
The tribunal agrees with the Data Inspectorate's assessment that users who post subjective assessments of health personnel on the website may appear to be anonymous to the health personnel referred to and to other users of the service. Anonymous statements are also covered by freedom of expression. It is probable that a requirement to publish the names of those who post reviews on the site would have a "cooling effect" on negative reviews to such an extent that the site will largely lose its information value. However, it is an important precondition for the protection of these anonymous statements that the data controller is aware of the identity of the statements and has the opportunity to make a certain check that the guidelines set for the statements are followed.
The members Hannemyr and Tessem have the following special remarks to the tribunal's reasoning above: In the members' assessment, access to e-mail addresses does not entail any significant change in the data controller's ability or ability to check that the guidelines set are followed.
After this, A is not upheld in his appeal and the Data Inspectorate's decision is upheld on this point.
8.5 Processing basis for processing personal data about health personnel on the website
Like the Norwegian Data Protection Authority, the tribunal assumes that assessments of health professionals' professional practice published on the Medical List are processing of personal data within the meaning of the regulation, and are covered by the objective scope of the Personal Data Act 2018, cf. section 2 and GDPR article 2.
The personal information about health personnel treated on the Medical List can be divided into an objective and a subjective category. The objective category typically includes name, address, clinic name, qualifications and information on reactions from the Norwegian Board of Health. The subjective category includes the personal assessments that different users choose to post on the website. None of these categories contains special categories of personal data regulated by Article 9 of the GDPR. It is therefore sufficient that there is a basis for processing pursuant to Article 6 of the GDPR.
The tribunal initially notes that the relevant basis for processing pursuant to the Personal Data Act 2018 is Article 6 no. 1 letter f, which corresponds to the Personal Data Act 2000 § 8 letter f.
The Medical Association has stated that there is also a basis for processing pursuant to the Personal Data Act 2000 § 8 letter d, which after the entry into force of a new law is continued in Article 6 no. 1 letter e. Article 6 no. 1 letter e provides a basis for processing necessary to perform a task in the public interest. The use of this basis for processing presupposes, however, that the basis for the processing is laid down in Union law or in national law, cf. Article 6 no. 3. This is not the case for the processing of personal data that takes place on Legelisten.no and the tribunal does not go further. on this option.
Pursuant to Article 6 (1) (f) of the GDPR, personal data may be processed if:
"The processing is necessary for purposes related to the legitimate interests pursued by the controller or a third party, unless the data subject's interests or fundamental rights and freedoms take precedence and require the protection of the information […]."
The provision continues the Personal Data Act 2000 § 8 first paragraph letter f, and provides access to process information on the basis of a balance of interests, cf. Prop. 56 LS (2017-2018) page 32.
The exercise of the right to freedom of expression or freedom of information is a legitimate interest also pursuant to Article 6, paragraph 1, letter f. Freedom of expression is included as one of several considerations in the balancing of interests that must be carried out in accordance with this provision.
GDPR Article 6 No. 1 letter f sets a requirement that the company must have a necessary legitimate interest in the processing of personal data. That the interest is justified means that it must be legal and actually justified in the business, while the condition of necessity means that the purpose can not be achieved in a less privacy-intrusive way.
In addition to meeting the processing basis requirement in Article 6 of the GDPR, the processing of data must also comply with the basic principles of Article 5 of the GDPR for the processing of personal data, including that the processing must take place in a "lawful, fair and transparent" manner. with regard to the data subject, cf. Article 5, paragraph 1 a. The principles in Article 5 are relevant in the interpretation of the rules and the balancing of interests to be carried out in accordance with Article 6, paragraph 1, letter f.
Pursuant to Article 21 (1) of the GDPR, the data subject has the right to protest against the processing of personal data about him or her. The provision reads:
"The data subject shall at all times, for reasons related to the person's special situation, have the right to protest against the processing of personal data about the person, and which is based on Article 6 (1) letter e or f, including profiling on the basis of the said provisions. . The data controller shall no longer process the personal data, unless he or she can demonstrate that there are compelling justifiable reasons for the processing that take precedence over the data subject's interests, rights and freedoms, or to establish, assert or defend legal claims ».
Article 17 of the GDPR regulates the right to deletion. Article 17 (1) (c) states:
«1. The data subject shall have the right to have personal data about himself deleted by the data controller without undue delay, and the data controller shall have a duty to delete personal data without undue delay if one of the following conditions applies:
[…]
(c) the data subject objects to the processing in accordance with Article 21 (1), and there are no more compelling reasons for the processing […] »
Article 17 no. 3 then makes a number of exceptions from the right to deletion, including for the exercise of freedom of expression and information, cf. Article 17 no. 3 letter a. In the preparatory work for the Personal Data Act 2018, Prop. 56 LS (2017-2018) page 65, the ministry states:
«The provision gives the registered person the right to delete personal data on a number of different grounds, cf. Article 17 no. 1 letter a to f. However, the rule is largely related to whether the conditions for processing the personal data are met, and therefore entails first and primarily a clarification and no significant extension of the duty to delete. "
The tribunal will first assess whether the Medical List has a basis for treatment to receive and publish subjective assessments of health personnel from various users, including whether the Medical List should be ordered to facilitate a general reservation access for health personnel who do not want subjective assessments published on the website.
The tribunal will first say something about the privacy disadvantages that apply to the registered health personnel on Legelisten.no.
The assessment of the privacy disadvantages must be seen in connection with the purpose of the treatment. It is then relevant to look at whether the treatment takes place in the interest of the health personnel, or whether the treatment has negative consequences for the health personnel mentioned. Although most assessments on the Medical List are positive (The Medical List itself states that the positive assessments make up 75%), there is no doubt that negative assessments are also published which for various reasons are perceived as burdensome or offensive to the health personnel mentioned. Although the Medical List has introduced a feedback function that gives health personnel the opportunity to make general comments, the statutory duty of confidentiality will often prevent the doctor (or other health personnel) from commenting on the matter. This means that the doctor in reality often has limited opportunities to counter negative assessments. Furthermore, it can be very random who chooses to post reviews and who does not. This means that there is great uncertainty associated with how representative the published assessments are, compared with the assessments of the total group of patients the health personnel in question treat.
Doctors have an important task in managing society's resources, which means that in many situations they can not comply with a patient's request for, for example, further referral to the specialist health service, to be prescribed a type of medicine or to print a sick note. The doctor is also required to notify the child welfare service in the event of concern about the child's care situation at home, as well as the duty to notify the county doctor if there are health conditions in a patient that indicate, for example, loss of driving license. These examples show that in many situations the doctor has to make unpopular decisions, which in turn can result in negative subjective assessments from patients even if the doctor has made good professional assessments and has performed his social duty in accordance with the law. The tribunal understands that the doctor in such situations may experience negative subjective assessments as unreasonable, incorrect and unfair and it can not be ruled out that such statements may result in the doctor in question being disqualified in favor of another with several positive assessments. Furthermore, the doctor has a duty to provide health care and he or she can not choose difficult or dissatisfied patients.
The question is whether these privacy disadvantages outweigh the legitimate interests pursued by the data controller. The tribunal does not agree with A that the Medical List's interest in processing the information must be regarded as exclusively financial, but assumes, like the Data Inspectorate, that a broad assessment must be made of, among other things, consideration of freedom of expression, consideration of consumer interests, possible competition considerations and other non-profit considerations, weighed against the data subjects' privacy considerations. Commercial and economic interests also constitute legitimate (legal) interests, although the weight of these, in isolation, will often be less measured against privacy.
It follows from the regulation's point 4 that the right to protection of personal data is not an absolute right and that "it must be seen in connection with the function it has in society, and weighed against other fundamental rights in accordance with the principle of proportionality."
In the specific balancing of interests, the tribunal has been divided into a majority and a minority.
The majority (Haugstad, Borvik, Graasvold, Coll and Talsethagen) have come to the conclusion that the various legitimate interests discussed below, together mean that the privacy considerations of the registered must give way and that the processing of personal data that takes place on the Medical List is necessary for the purpose and legally in accordance with Article 6 (1) (f) of the GDPR.
The majority points out that the subjective statements of the individual patient are in principle statements that are protected by the freedom of expression, cf. Article 100 of the Constitution and Article 10 of the ECHR. The freedom to make statements is a fundamental right. The room for maneuver must be large. Both positive and negative statements are basically wanted as a contribution to the public debate.
Furthermore, the majority point out that it is an important, statutory principle within the Norwegian health service that the individual citizen has the right to free choice of health services. If the right to free choice of health services is to be real, it is important that arrangements are also made to exchange experiences about health personnel so that it is possible to make informed choices. Although the information on the website is based on experiences from individual patients and that the registered assessments are therefore not necessarily representative, the majority's assessment is that the website enables more informed choices for users than if it did not contain such assessments.
The information that is published is related to the health professionals' professional practice, not to their private or family life. In the majority's view, this means that the privacy disadvantage is less than if the personal data were of a more sensitive nature, and for example concerned the privacy of the persons.
The majority assumes that at least the main group of health personnel mentioned on the Medical List is to be regarded as public persons (persons who play or have played a role in public life), and who to a greater extent than private individuals must accept that the interest in privacy must give way to the public's interest in finding information about them by name search on the Medical List.
The tribunal refers to the Article 29 group's criteria in guide WP 225 point 2: «Does the data subject play a role in public life? Is the data subject a public figure? ». The guidelines of the Article 29 group are also relevant in accordance with the GDPR, cf. Article 94 of the GDPR, which states in paragraph 2 that:
"References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party [Article 29 Working Party] on the processing of personal data reduced by Article 29 of Directive 95/46 / EC shall be construed as references to the European Privacy Council established by this Regulation. "
In the tribunal's case PVN-2018-07, the tribunal stated:
"There is no clear definition of what a public figure is or who is considered to play a role in public life. The Data Inspectorate mentions as examples of public figures “public officials with senior positions, such as ministers, politicians or directors. […] Well-known business persons or persons in regulated professions such as lawyers, doctors or the like ”, but states that the examples are not exhaustive and that an overall assessment must be made. The tribunal agrees with that assessment. "
In the present case, the majority takes similar considerations into account.
It is pointed out that Article 13 of the Article 29 Working Party's Guide WP 225 states:
«However, by way of illustration, politicians, senior public officials, business-people and members of the (regulated) professions can usually be considered to fulfill a role in public life. There is an argument in favor of the public being able to search for information relevant to their public roles and activities. »
Health personnel mentioned on Legelisten.no hold public authorizations and licenses. These are regulated professions that play a role in public life and many are responsible for managing public welfare benefits. However, there are different categories of healthcare professionals listed on the Medical List, including GPs, contract specialists, specialists, dentists, psychologists and chiropractors. These receive public funding to varying degrees, and to varying degrees have a gatekeeper function when it comes to access to public welfare goods. Although the degree of "public person" varies somewhat for the different groups, the majority have not found reason to assess them differently. All categories safeguard important societal interests related to the population's health, and how they provide their health services is an important societal issue.
The doctor's list's dissemination of subjective user assessments of named health personnel, including how patients experience encounters with health personnel, has, in the majority's view, a general interest and the service contributes to safeguarding important consumer interests. The publication is a relevant source of information about other patients' experiences with healthcare professionals. In the Norwegian market, there are currently no other players that provide such structured and clear user assessments as are on the Medical List. The number of registered health personnel is large, and includes all GPs in Norway. This has an impact on the information value of the assessments. The GP section is the most visited pages, and is also the group of health professionals with the most assessments.
The majority has also emphasized that the mention of health personnel from users is subject to a certain control of the Medical List. The fact that the Medical List carries out such a check of the information that is published contributes to the website not becoming a junk "gaping stick". Such a moderator role obviously does not imply any safeguard against incorrect or frivolous statements. The majority also agrees with the Consumer Council's experience with similar services, which shows that consumers have a great understanding of what such assessment sites are, and that there are strengths and weaknesses with such services.
The majority of the tribunal also believes that this type of subjective assessment from users can contribute to increasing the quality of GPs' health services. Descriptions of how patients experience being met by the doctor are an important factor in assessing the quality of the health service. If poor feedback can help improve the doctor's patient treatment, it's positive. The majority assumes that accessibility, punctuality, communication and trust are important elements in the health service and represent conditions that to a large extent the doctor or other relevant health personnel have the opportunity to influence themselves.
Several doctors and the Norwegian Medical Association have referred to the health personnel's special role in society as "gatekeepers" for a number of "benefits", and that in many contexts they have to make unpopular decisions contrary to a patient's wishes. They have further pointed out that the fear of negative assessments can, in the worst case, influence the health personnel's decision. The majority see that unpopular decisions contrary to patients' wishes can trigger negative assessments on the website, even if the doctor has acted correctly on the basis of a professional assessment. The majority have not found it to be decisive. With regard to the allegation that someone may be influenced to make professionally incorrect decisions for fear of negative publicity, the majority assume that doctors and other health personnel are professionals in their professional practice. The majority expect health professionals, like other professions who also make unpopular decisions, to strive to make their decisions on the basis of good professional judgment without being pressured by their users. Rejection of sick leave and other social security benefits, as well as rejection of requests for medication and expensive examinations by specialists, are part of the medical practice. To the extent that doctors are unable to take care of and follow up this responsibility properly, there are administrative sanction options with the Norwegian Board of Health that are assumed to take care of this. In the majority's view, this cannot justify a general right of reservation.
According to the majority, a general right of reservation will reduce the value of the Medical List as a source of information about certain aspects of the quality of health services in Norway. The development following the Data Inspectorate's decision, where 20% of GPs almost immediately asked to make reservations against assessments on the website, shows that the website's information and usefulness will be significantly reduced if such a general reservation access is introduced. A general reservation access will counteract the consumer considerations outlined above. The majority therefore believes that there is no basis for implementing privacy-promoting measures in the form of a general right of reservation as the Data Inspectorate has assumed. The majority believes that the limited reservation access that is currently practiced based on a specific assessment of whether there are very special circumstances that require a reservation access is sufficient.
After this, the majority assumes that the legitimate interest of the Medical List in communicating the users' subjective statements outweighs the consideration for the health personnel's privacy. The medical list has a basis for treatment for collecting and publishing subjective assessments of health personnel, cf. Article 6 no. 1 letter f, without health personnel being given a general right of reservation.
It is emphasized that the Medical List's legitimate interest in processing this information applies as long as it is correct and relevant for the purpose of the Medical List with its website, cf. in the implementation of the orders that follow from the Data Inspectorate's decisions points 2 to 7 and 10.
The minority (Hannemyr and Tessem) agree that there are several legitimate interests in publishing assessments of health personnel on the website, and can mainly refer to the review the majority has of these considerations above. In the concrete balancing of interests, however, the minority has come to a different result than the majority.
There are significant privacy disadvantages associated with being "assessed" as a person on a public website, where very negative personal characteristics are sometimes associated (examples found by a relatively superficial review: "bad", "insecure", "cold" "not very empathetic"). «Self-centered»). The reviews are not only read by potential customers, but also by children and other family and friends. The physician list discloses all reviews to Google and other search engines (although it is technically possible not to make such disclosure). The fact that the Medical List has chosen not to use privacy-enhancing technology to shield the subjective assessments from disclosure to search engines means that the assessments not only appear on the Medical List, but that they also appear on the search results page when a general Internet search is performed on the person's own name. not related to the person's profession.
Although the Medical List claims that they carry out a quality control of the assessments, the assessments do not appear to be quality-controlled. For example, doctors who publicly express themselves critically about alternative forms of treatment incur particularly many negative assessments. If the quality control of the Medical List had worked better, or privacy-enhancing measures such as refraining from disclosing personal information to Google and other search engines had been used, consumer considerations could have been given heavier weight.
As the minority sees it, however, the assessments published by the Medical List are poorly quality assured, and also lack privacy measures that could have been used. These are factors that suggest that the privacy disadvantages must outweigh the consumer considerations.
The minority believes that the limited reservation access that is currently offered presupposes that doctors who wish to use it must submit a "self-declaration" about very personal matters, including information about their own health, in order for the desire to reserve at all to be assessed by the Medical List. This in itself is a privacy disadvantage. In addition, there is the fact (cf. letter from Legelisten 5 July 2018) that Legelisten in at least two cases on its own initiative has disclosed personal information they have obtained through this self-declaration to third parties, apparently without being aware of the duties incumbent on it persons responsible for processing in connection with extradition. The limited reservation access that the Medical List offers therefore does not remedy the privacy disadvantages that have been mentioned, and has on at least two occasions contributed to enlarging these disadvantages.
The minority therefore agrees with the Data Inspectorate's decision and their justification for remedying the mentioned privacy disadvantages by ordering the Medical List to introduce a general right of reservation.
With regard to the objective personal information, a joint board believes that the Medical List has a legitimate interest in processing this information as long as it is correct and relevant for the purpose of the Medical List with its website, cf. Article 5 letter c and d. its decision points 2 to 7 and 10 given various orders related to the correction and deletion of information, in that, among other things, deletion deadlines have been set for certain types of information. Section 10 also provides orders for information to health personnel that is discussed. The orders shall ensure that the personal information on the website is correct and up-to-date and is not stored longer than is deemed necessary for the purpose. These orders have been accepted by the Medical List and are not a topic for the case in the Privacy Board. The question for the tribunal is whether health personnel who do not wish to be registered on the website can demand that all information about themselves be deleted, as A states in his complaint.
The Privacy Board assumes that the privacy disadvantages associated with the publication of the objective personal information are clearly less than the disadvantages associated with the subjective assessments. A joint committee therefore refers to the majority's review of the Medical List's legitimate interest above with regard to subjective assessments. In the tribunal's assessment, that review indicates that the Medical List has a basis for processing the collection and publication of this information in Article 6, paragraph 1, letter f. A is thus unsuccessful in its appeal.
Items 1 and 2, and 4 and 6 of the resolution are unanimous. Point 3 and point 5 of the decision have been handed down with such a dissent as appears above. Points 3 and 5 entail a reversal of the Data Inspectorate's decision, otherwise the Data Inspectorate's decision is upheld, with the exception that the point on exemption from the licensing obligation has lapsed.
8.6 Decision
The doctor's list is responsible for the processing of all personal information published on the website.
The Medical List's publication of assessments of health personnel on the website is not covered by the exception for the processing of personal data exclusively in journalistic activities, cf. the Personal Data Act § 3.
The medical list has a treatment basis for collecting and storing contact information about the users who submit assessments of health personnel to the website, cf. Article 6 no. 1 letter a and Article 9 no. 2 letter a.
The doctor's list is not required to publish the identities of the users who submit assessments of health personnel to the website.
The medical list has a basis for treatment for collecting and publishing subjective assessments of health personnel, cf. Article 6 no. 1 letter f, without health personnel being given a general right of reservation for such assessments.
The medical list has a basis for processing to collect and publish objective information about health personnel on the website, cf. Article 6 no. 1 letter f, without health personnel being given a general right of reservation for such information.
Oslo, 21 January 2019Mari Bø Haugstad
Manager