News
Norway: The Norwegian DPA bans the government’s collection of supermarket data for statistical purposes
Statistics Norway (SSB) is a Norwegian government agency that is responsible for development of official statistics for public administration purposes. SSB recently ordered the major Norwegian food supermarket chains to transfer data about all individual purchases to the SSB, through a “live” data transfer, without any specific information being given to the customers. The purpose of the proposed transfer was for SSB to develop two different new statistics: Consumer statistic and dietary statistics. Upon transfer, the purchase data would be linked with payment data supplied by a major Norwegian payment services provider.
The SSB would however only use the data in aggregated form, where each purchase would immediately be pseudonymized and categorized into one of approximately 10 household groups, based on number of persons in the household, total household income, geographic location etc. The raw data on which the aggregated data was based would still be stored by the SSB, and it would therefore be possible to link the purchase data to payment data, thereby enabling the identification of the person behind each individual purchase.
Legal basis for the processing
SSB had found that they had legal basis for the processing in the GDPR Article 6(1)(c) (processing necessary for the compliance with a legal obligation) and in Article 6(1)(e) (processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority). Processing under these articles also requires a basis in union law or member state law, ref. Article 6(3). In this respect, the SSB had invoked a broad provision in the Norwegian statistics act enabling the SSB to request data for statistical purposes. The provision in the statistics act, together with an individual decision made by the SSB to order the supermarkets and the payment service providers to supply the data, was in the opinion of the SSB valid legal grounds for the processing.
SSB had carried out two different data processing impact assessments (DPIAs) and had also carried out the cost-benefit analysis prescribed by the statistics act. In the DPIA, SSB found that the main detrimental effect for the data subjects was the “perceived effect” of a public government being in possession of data which are generally perceived to be part of the private sphere. The SSB found however that these effects could be counteracted by general security measures, and also by the general provision in the statistics act prescribing that individual personal data should not be processed for statistical purposes.
The Data Processing Authority’s findings and decision
The DPA found that the data collection was clearly within the area of the ECHR Article 8 and the right to respect for private and family life. This also means that any interference by a public authority must be prescribed by law, ref. Article 8.2, and that the more severe the privacy effects, the more is required of the legal basis. The DPA further stated that any data processing must be adequate, relevant and limited to what is necessary (data minimization), ref. the GDPR Article 5(1)(c), and that the data minimization requirement is also stricter the more severe the consequences are for the data subjects.
The DPA recognized the public benefit of the statistics, for example could nutritional statistics form the basis for beneficial public health work. The DPA also recognized that the SSB had good internal routines and systems for pseudonymization and aggregation of personal data, good internal access control systems etc.
Although the purchase data at the time of collection was not linked to individual persons, the DPA found that the data should be considered as personal data already from the collection, as it was quite easy to connect the data to individual persons after receiving the payment data. The DPA further found that the processing of this data constitutes processing of an enormous amount of data about private individuals in Norway, and also that this was an entirely new form of data collection from private business enterprises. The data collection was to be done without special information to the data subjects, who had no reason to expect that all data regarding their purchases was to be transferred to the government. The data subjects had no actual means to reserve themselves from this data collection, beyond resorting to paying in cash in the supermarkets, which is very unpractical.
The DPA found that the DPIAs were flawed, as they referred to a “perceived effect” and that this was an indication of the SSB’s failure to recognize the right to privacy as a fundamental right. The DPA found that such data collection could have significant detrimental effects on privacy, and that the total effect of the collection was quite significant.
Regarding the legal basis, the DPA found that the general provisions in the statistics act did not provide an adequately specific legal basis for the processing, particularly since the legal basis was not very clear, also since the statistics act leaves it up to the SSB to decide for itself whether or not the legal basis should be invoked. This situation differs from the corresponding regulation of medical research, where the actual decision as to whether the research project shall be carried out is left up to an independent board who will be able to carry out a neutral assessment, balancing the beneficial effects of the project against negative privacy consequences. Such a neutral balancing of interests is less likely to be carried out when the decision is left up to the public body in whose interest the data is collected. The DPA found that the assessments carried out by the SSB were lacking, particularly in relation to the principles of data minimization and proportionality as required under the GDPR.
In its assessment, the Norwegian DPA referred to case law from the ECHR and the CJEU, i.a. to case C-175/20 paragraph 83, where the CJEU in a decision from February 2022 had found that national law was not sufficiently clear to satisfy the proportionality requirement under the GDPR Article 5(1)(c).
Based on the above, the DPA found that the legal basis for the collection under Norwegian national law was not sufficiently clear, and that the SSB’s request on the supermarket chains was therefore invalid. Consequently, the DPA passed a decision on 26 April 2023 where they imposed a ban on the SSB’s proposed data collection from the supermarkets.
The DPA’s decision has triggered a discussion in Norway as to whether the current legislative practice in Norway of giving public authorities general and unspecified authority to collect personal data is in fact sufficient to ensure the privacy of the citizens of Norway. The decision suggests that such legislation should be more specific and that the Parliament, following a public debate, should take responsibility for the balancing between the public interests sought through the collection and the citizens’ privacy rights.
The DPA’s decision can be appealed to the Privacy Board within three weeks, and the Privacy Board’s decision may in turn be tried by the ordinary courts of Norway. Currently, we do not know whether the SSB has appealed the decision, however we would not be surprised if the SSB were to challenge the DPA’s decision.
Article provided by INPLP member: Øystein Flagstad (Gjessing Reimers, Norway)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
News Archiv
- Alle zeigen
- Mai 2024
- April 2024
- März 2024
- Februar 2024
- Jänner 2024
- Dezember 2023
- November 2023
- Oktober 2023
- September 2023
- August 2023
- Juli 2023
- Juni 2023
- Mai 2023
- April 2023
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010