Personvernnemnda (Norway) - PVN-2021-03

From GDPRhub
Personvernnemnda - PVN-2021-03
LogoNO Personvernnemnda.png
Authority: Personvernnemnda (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1)(f) GDPR
Article 13 GDPR
Article 21 GDPR
Article 24 GDPR
§§2-3 Forskrift om arbeidsgivers innsyn i e-postkasse og annet elektronisk lagret materiale
Type: Complaint
Outcome: Partly Upheld
Decided: 22.06.2021
Published: 22.06.2021
Fine: NOK 250,000 NOK
Parties: Excempt from public disclosure
National Case Number/Name: PVN-2021-03
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Norwegian Privacy Appeals Board (Personvernnemnda) (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian Privacy Appeals Board (Personvernnemnda) reduced an administrative fine from approximately €38,300 (NOK 400,000) to €23,950 (NOK 250,000) due to the DPA's long case processing time.

English Summary[edit | edit source]

Facts[edit | edit source]

This case is an appeal of the decision DT-20/02178 by the Norwegian DPA (Datatilsynet), in which it imposed a fine of NOK 400,000 (approx. €38,300).

The controller argued that the size of the administrative fine imposed, was too high and therefore appealed the decision with the DPA. The DPA reviewed their decision, but upheld it.

The case was therefore was submitted to the Privacy Appeals Board (Personvernnemnda) for consideration.

Holding[edit | edit source]

Personvernnemnda decided that the amount of the fine was correctly assessed by the DPA. However, they reduced it from NOK 400,000 (approx. €38,300) to NOK 250,000 (approx. €23,950) because of the long time it took the DPA to process the case. It took almost 16 months for the DPA to send the notices of orders and fines after all facts of the case were essentially clarified. According to the Personvernnemnda this processing time could generally be justified by the fact that the authortiy has limited resources. However, this did not apply here as the case was neither factually nor legally particularly complex. Personvernnemnda also noted that the fact that the DPA apologised for the long processing time was not sufficient compensation.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.


    
                  
    The Data Inspectorate's reference: The Data Inspectorate's reference: 20 / 02178-10 The Privacy Board's decision 22 June 2021 (Mari Bø Haugstad, Bjørnar Borvik, Line Coll, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem, Morten Goodwin)

The case concerns a complaint about the Data Inspectorate's imposition of an infringement fee of NOK 400,000 for having monitored an employee's e-mail box without a legal basis, cf. the Privacy Ordinance Article 6 No. 1 letter f, for failure to assess protests, cf. , cf. Article 13.

Background to the case

On 22 March 2019, the Norwegian Data Protection Authority received a complaint from A regarding illegal access and forwarding of e-mails to her employer, X AS.

The Data Inspectorate requested the employer's report, which was given in a letter on 24 May 2019. The employer reported on its forwarding of e-mails from A's e-mail box and stated that the access was justified under the e-mail regulations § 2 first paragraph letter a. The employer acknowledged that the case processing had not been in line with the e-mail regulations § 3.

The Norwegian Data Protection Authority notified the employer on 21 September 2020 that the Authority would make such a decision:

«1. Pursuant to the Privacy Ordinance, Article 58 no. 2 letter i is imposed [X AS], org.nr. […], To pay an infringement fee to the Treasury of NOK 400,000 for having monitored the complainant's e-mail box without a legal basis, cf. the Privacy Ordinance Article 6 No. 1 letter f, for failure to assess protests, cf. Article 21, and for lack of information, cf. Article 13.

2. Pursuant to Article 58 (2) (d) of the Privacy Ordinance, [X AS] is ordered to rectify its internal control and its written routines for access to employees' e-mail boxes, cf. Article 24 of the Privacy Ordinance, as this is deficient. "

The employer submitted its comments on the notification on 23 October 2020. The employer acknowledged that the forwarding of e-mails in the period 18 February to 25 March 2019 was in breach of the e-mail regulations § 2, and that the company lacked a processing basis in the Privacy Ordinance Article 6 no. 1 letter f. The employer also acknowledged non-compliance with the duty to provide information, cf. Article 13 of the regulation, cf. section 3 of the e-mail regulations.

On 7 December 2020, the Norwegian Data Protection Authority made a decision on orders and infringement fines in line with the notice issued.

After the postponed appeal deadline, the employer appealed in time to the Data Inspectorate's decision on 21 January 2021. The appeal only applies to the amount of the infringement fee (point 1 of the decision).

The Data Inspectorate confirmed in an e-mail to the employer on 15 February 2021 that section 2 of the decision is considered fulfilled.

The Data Inspectorate maintained its assessment of the size of the infringement fee and forwarded the case to the Privacy Board on 19 March 2021. The employer was informed of the case in a letter from the board on 23 March 2021, and was given the opportunity to comment. No further comments have been submitted.

The case was considered at the board's meetings on 18 May and 22 June 2021. The Privacy Board had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik (deputy chair), Line Coll, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem and Morten Goodwin . Secretariat leader Anette Klem Funderud was also present.

Fact

A was reported sick from her sales position in X AS on 18 February 2019. At the time she was reported sick, she was in a conflict with her manager, department head B. A informed the relevant manager about the sick leave by SMS the same day and informed that she had activated absence report. The department head did not receive any absence notification when she tested the e-mail address shortly after. She then decided the same day to close A's external access to the employer's server, as well as initiated forwarding of all incoming e-mails from A's e-mail box to the department head's e-mail box. A was not notified. The exclusion and forwarding lasted in the period from 18 February to 25 March 2019. The department manager who received all of A's e-mails picked out company-related e-mails and forwarded private e-mails to A's private e-mail address. In the relevant period, the department head forwarded 26 private e-mails from A's e-mail box in the company to A's private e-mail address.

In an e-mail to the department head on 26 February 2019, A requested that the blocking of her user on the job server and forwarding of her e-mail to the employer cease. On 27 February 2019, the employer replied that the forwarding of incoming e-mails was necessary for the business and thus legal, and that incoming private e-mails would not be read, but placed in a separate folder.

From 25 March 2019, the automatic forwarding of e-mails ceased and the employer submitted an absence assistant with a message to send an e-mail to another e-mail address.

The Data Inspectorate's decision in brief

In its decision, the Data Inspectorate concludes that the employer's automatic forwarding of the contents of the employee's e-mail box lacked a basis for processing in the Privacy Ordinance Article 6 no. 1 letter f. The Authority further concludes that the employer has not complied with its duty to 26 February 2019 protested against the processing, cf. Article 21. Finally, the Authority concludes that the employer has also not complied with its duty to inform the employee that the forwarding of e-mails has started, cf. Article 13.

In addition to imposing an infringement fee for these conditions, the Data Inspectorate instructs the employer to improve its routines for accessing employees' e-mail boxes.

Regarding the imposition and measurement of the size of the fee, which is what is being considered by the tribunal, the Data Inspectorate takes as its point of departure the various elements in the Privacy Ordinance, Article 83 no. 2, letters a to k.

The Norwegian Data Protection Authority points out that the employer has violated four provisions in the Privacy Ordinance. There was no basis for processing in Article 6 for the monitoring of the employee's e-mail box and the forwarding of the e-mail box lasted for five weeks (principle of legality). The employer lacked technical and organizational measures for compliance with the privacy regulations (liability principle, Article 24), did not fulfill the obligation to provide the employee with information (Article 13) and did not consider the employee's protest against the treatment (Article 21).

The cases from the Privacy Board to which the company refers have been processed in accordance with the Personal Data Act 2000, and do not govern the Data Inspectorate's assessment of the amount of the fee pursuant to Article 83 of the Privacy Ordinance.

The Data Inspectorate points out that the violations took place approx. seven months after the Personal Data Act came into force on 20 July 2018 and the Privacy Ordinance was implemented in Norwegian law. As the regulation was adopted already in 2016, those responsible for processing had the opportunity and time to comply with the new rules. It also follows from long-standing practice from both the Data Inspectorate and the Privacy Board that automatic forwarding of employees' e-mail boxes is illegal, see among others PVN-2015-14, PVN-2016-09, and PVN-2018-16.

The Data Inspectorate will, after a review of the various aspects, impose an infringement fine of NOK 400,000 on X AS. The fee is approx. 0.2% of the company's turnover in 2019. It is in the bottom tier of what the regulation prescribes for the relevant violations.

Following a discretionary assessment, the Authority considers that a fee of this magnitude will be sufficiently effective, be in a reasonable proportion to the infringement and have a deterrent effect, cf. Article 83 no. 1 of the Privacy Ordinance.

In the assessment, the Authority emphasizes that the violations in the case involve continuous monitoring of incoming e-mail to an employee's e-mail box, and that this is a serious encroachment on the employee's privacy and her right to correspond freely. The violations are also a violation of the privacy of third parties who in good faith have sent e-mails to the employee.

In the assessment, the audit further emphasizes the company's finances, and in an aggravating direction that correspondence to a person's e-mail address is at the core of the right to privacy as e-mails may contain information worthy of protection, and that it was the general manager who initiated the illegal forwarding. Article 5 (2) of the Privacy Ordinance presupposes a strong foothold in the management of the data controller. Despite promises not to read private e-mails, the department head opened private e-mail, and took a picture which she sent to A's mobile phone.

The employer's (X AS ') view of the size of the fee in brief

The company accepts that the forwarding from the employee's e-mail box is in violation of the e-mail regulations § 2. The company has only appealed the part of the Data Inspectorate's decision that applies to the size of the infringement fee that is set significantly too high.

The Norwegian Data Protection Authority has erroneously and consistently assumed that the inspection of the e-mail was carried out by the company's general manager. That is not correct. The inspection was carried out by the department manager (Profit Center Manager) at the company's department in Y.

Even if the infringement fee has been imposed independently of subjective guilt, it must be taken into account in determining the size of the fee that forwarding was initiated by an employee in a position subordinate to the general manager of the company.

Of previous relevant practice from the Privacy Board, infringement fines in similar cases are mostly NOK 75,000, cf. PVN-2015-14, PVN -2016-9, PVN-2016-09 and PVN-2018-16.

Although the Privacy Ordinance facilitates the imposition of a higher fee level than that which follows from practice under the Privacy Information Act from 2000, in the company's assessment it is unreasonable and clearly contrary to previous practice when the Data Inspectorate increases the fee in the present case by 533%. to the above practice, from 75,000 kroner to 400,000 kroner.

In determining the fee, it must also be taken into account that it is an individual breach, cf. Article 83, no. 2 letter e, that the company has fully cooperated with the Data Inspectorate to remedy the violation (letter f) and that sensitive personal data is not was affected (letter g).

The single breach is more than 1 ½ years back in time, shortly after the EU's complex privacy regulation was implemented as Norwegian law.

Account must also be taken of the employee's lack of participation in having an absence assistant activated. Had the employee contributed to this, one would have avoided, or largely shortened the period for monitoring the employee's e-mail box.

The degree of guilt on the part of the employer indicates that a possible fee must in any case be set significantly lower than NOK 400,000.

The Privacy Board's assessment

In the case of processing of personal data without a basis for processing, as well as in the event of a breach of the provisions of the Privacy Regulation Articles 13 and 21, to which this case applies, the supervisory authority may, pursuant to Article 83 (5) cf. , in the case of an enterprise, of up to 4% of the total global annual turnover in the preceding financial year, where the highest amount is used. It follows from Article 83 (1) that the supervisory authority, in its assessment, must ensure that the imposition of infringement fines is effective, proportionate and dissuasive.

Both in the assessment of whether a fee is to be charged and in the calculation of the fee, the elements in the Privacy Ordinance Article 83 no. 2 letters a to k shall be taken into account in each individual case.

According to letter a, emphasis shall be placed on the nature, severity and duration of the infringement. In this case, the violation consisted of illegal access by automatic forwarding of e-mail over a period of five weeks, at the same time as the employee himself was shut out of the server and did not even have access to his own e-mail box. It is explained that the employee also used the e-mail address for private purposes and that the employer forwarded a total of 26 private e-mails in the relevant period.

The tribunal assumes that many of the private e-mails were e-mails from the school to the employee's children, but that they did not deal with information of special categories, cf. Article 9. The absence of such information is nevertheless not decisive, as the employer in advance could not know if the emails contained information of particular category. The tribunal assumes that the employer, at least in some cases, also read the content of the private e-mails. This is confirmed by documents in the case which show that the employer took a picture of the text in a private e-mail and forwarded it as an SMS to the employee. Emphasis is placed in the aggravating direction that the scheme continued even though the employer was aware that the employee also used the e-mail address for private purposes. The same applies to the fact that the scheme continued after the employee protested the treatment, without it appearing anywhere what assessment and balancing of considerations has been made by the employer in that connection, cf. Article 21.

The exclusion of the employee from access to the e-mail box and forwarding of all e-mails that came to her was implemented on the same day as she announced that she was ill. The employee was not notified and was not given the opportunity to comment. No circumstances have been reported that indicate that it was necessary for the employer to inspect immediately. The employer's procedure is in violation of the Act, cf. the Working Environment Act § 9-5 and regulations on the employer's access to e-mail § 3. The questionable procedure is given weight in an aggravating direction when measuring the size of the fee.

The fact that the employee was in a conflict with her manager when she was reported sick, means that the employer's procedure becomes extra reprehensible. No circumstances have been reported that indicate that there was a suspicion of gross breach of the employee's duties. Nor can the tribunal see that there is a basis for criticizing the employee for not having participated sufficiently, cf. the description that the exclusion and forwarding took place almost immediately after the employee reported sick, without her attempting to be involved.

Overall, the tribunal assumes that this is a gross violation of the rules.

There is no doubt that the employer in this case has acted intentionally. The employer is obliged to familiarize himself with the rules that apply in the area and any ignorance of the rules is only excusable if it is careful, cf. the principle in the Penal Code § 26. In this case, there is no careful legal error. This applies regardless of whether the inspection was carried out by a general manager or a department manager.

Following this, the tribunal agrees with the Norwegian Data Protection Authority that an infringement fee shall be imposed, and that a fee in the order of NOK 400,000 in the present case is in any case not too strict.

The tribunal has emphasized that the Privacy Ordinance provides for a higher fee level than that which applied under the Personal Data Act from 2000. Previous practice regarding the level of the fee therefore has limited weight.

The violations took place approx. seven months after the Personal Data Act 2018 came into force and the Privacy Ordinance was implemented in Norwegian law. The tribunal agrees with the Norwegian Data Protection Authority that the data controller has had sufficient time to comply with the new rules.

The latest available accounting figures on www.proff.no show that X AS in 2019 had a turnover of approx. 168,000,000 kroner. The fee of NOK 400,000 amounts to just over 0.2% of the company's turnover in 2019. The tribunal agrees with the Norwegian Data Protection Authority that it is in the lower tier of what the Privacy Ordinance prescribes for breaches of Articles 5, 6, 13 and 21.

The tribunal has nevertheless come to the conclusion that the fee must be reduced due to the Authority's long case processing time.

It is a general and basic principle, both in criminal and administrative law, that cases must be decided within a reasonable time. This principle is expressed in Article 6 (1) of the European Convention on Human Rights (ECHR), which directly applies to criminal sanctions, but which, according to the case law of the European Court of Human Rights (ECHR), also applies to administrative sanctions that can be equated with punishment. It further follows from the Penal Code § 78 letter e that when sentencing in a mitigating direction "it must be taken into account" that "it has been a long time since the offense, or the case processing has taken longer than reasonable based on the nature of the offense, without the offender being charged for this". And the Public Administration Act § 11 a first paragraph imposes on the administrative body a duty to "prepare and decide the case without undue delay". This provision also states that cases must be decided within a reasonable time.

Article 83 (2) (a) to (k) of the Privacy Ordinance provides guidance on a whole range of factors that must be included in the assessment of whether to respond with an infringement fee for the infringement, and the same factors are also decisive in determining the amount of the fee. It follows from letter k that emphasis shall be placed on "any other aggravating or mitigating factor in the case". In line with what has been pointed out in the section above, it is clear to the tribunal that long case processing time must be given importance for the sanction issue in cases of violations of the ordinance, and that this aspect must be anchored in letter k.

The tribunal's assessment is that the preparations with a view to deciding this case began with the Authority's requirement for a report on 9 May 2019. In the tribunal's assessment, it must be assumed that the facts of the case were essentially clarified with the company's reply letter 24. May 2019, and the tribunal can also not see that after this time it remained time to make time-consuming legal assessments. The Authority's notification of orders and infringement fines was nevertheless not sent to X AS until 21 September 2020, ie almost 16 months after the Authority had received the reply letter. The long case processing time in the notice is justified by the fact that the audit has limited resources, but since this case is neither actually nor legally particularly complex, the tribunal assumes that the lack of resources has had the consequence that the case processing has been characterized by long periods of inactivity. This is very unfortunate. For the sake of order, the tribunal will note that it has no objections to the case processing time from the notification was sent on 21 September 2020 until the final decision was made on 7 December 2020.

The tribunal has also noted that the audit in the notice to the company has apologized for the long case processing time, but in the tribunal's assessment this is clearly not sufficient as compensation. The case processing time is justified by the audit with limited resources. It is certain convention law that lack of resources is not recognized by the EMD as an excuse, and the tribunal here confines itself to referring to the presentation of the convention law included in NOU 2003: 15 (From fine to improvement: A more nuanced and effective sanction system with less use of punishment) s 102 second column. This must, as the tribunal sees it, apply regardless of whether the long case processing time represents a violation of Article 6 of the ECHR or not.

Following an overall assessment, the tribunal has come to the conclusion that the infringement fee shall be reduced at its discretion by NOK 150,000 due to the long case processing time at the audit.

The Tribunal has noted that the Authority in the notification of 21 September 2020 reviews the elements in Article 83 no. 2 that are relevant to the facts in this case. In this context, the case processing time is not considered. The tribunal is of the opinion that the Authority has a duty to account for its assessment of the significance of the case processing time for the sanction issue. The Tribunal refers here to the Civil Ombudsman's decision of 17 August 2012 in case 2011/2718 (imposition of an infringement fee under the Aquaculture Act), where the Ombudsman states the following:

With regard to the length of the case processing time, I have noticed that the directorate on the first page of the decision of 5 July 2011 regretted that the processing of the case took "disproportionately long time". In the answer here, it appears that the directorate assessed the length of the case processing time when determining the infringement fee, but that this did not have decisive significance. Long case processing time must be given importance during the reaction assessment, see NOU 2003: 15 «From fine to improvement» section 5.7.11 (page 102). With regard to the case processing time that elapsed beyond the period in which the case processing was stopped pending the Ministry's assessment of Grl. § 96, the directorate's assessment should have appeared in the reasons for the decision, cf. § 25. »

The tribunal considers that this statement has general relevance to the requirement for the content of the reasoning in cases where the administration imposes an infringement fee, and the tribunal assumes that the Authority hereafter makes an assessment of the significance of the case processing time for the sanction issue.

X AS is subsequently upheld in part in the appeal.

Conclusion

The Data Inspectorate's decision to impose an infringement fee on X AS is upheld with the change that the fee is set at NOK 250,000.

The decision is unanimous.

Oslo, 22 June 2021

Mari Bø Haugstad

Manager