Datatilsynet notifies largest-ever privacy fine in Norway
The Norwegian Data Protection Authority (Datatilsynet) has notified the Norwegian Public Roads Administration (NPRA) of an administrative fine of NOK 4 million. The case concerns the failure to delete personal data collected at toll roads. The notification provides guidance on how GDPR is applied in Norway and confirms that the Norwegian regulator will follow the practice of other European data protection regulators. This signals a stricter regime for companies operating in Norway.
According to the notification, the NPRA has not deleted personal data such as chip number, location and time of vehicle passage from its database, as required by GDPR Articles 5 and 17. Further, the database lacked the technical functionality to delete such information, as required by GDPR Article 25.
The assessment of the Norwegian Data Protection Authority places particular emphasis on the fact that the noncompliant system did not include privacy by design measures, such as automatic deletion.
GDPR Article 25 states that companies shall implement appropriate technical and organisational measures that are designed to implement data protection principles, such as data minimisation. GDPR recital 78 states that companies should adopt internal policies and implement measures that meet the principles of data protection by design. Such measures could consist of minimising the processing of personal data, pseudonymising personal data as soon as possible, and transparency with regard to the functions and processing of personal data, as well as creating and improving security features.
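The measures just listed (data minimisation, pseudonymisation and automatic deletion) can be built into a data store rather than bolted on afterwards. The following is an added illustration written for this page; it is not code from the NPRA or from the regulator, and the toll-passage schema, the 90-day retention period, the plaza names and the HMAC key are all constructed assumptions, since the notification states no retention figure. It pseudonymises the chip number with a keyed hash before storage, keeps a compliance check that lists records held beyond the retention period, and enforces deletion as a function of the store itself.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# Hypothetical retention period: the notification gives no figure, so 90 days
# is a constructed policy value used only to make the example concrete.
RETENTION_PERIOD = timedelta(days=90)


@dataclass
class Passage:
    """One toll passage: the three fields named in the notification, with the
    chip number replaced by a pseudonym."""
    chip_pseudonym: str
    location: str
    passed_at: datetime


def pseudonymise_chip(chip_number: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the chip number. The same chip always maps to
    the same pseudonym, so passages can still be linked for billing, but the raw
    chip number never enters the passage table and cannot be recovered from the
    pseudonym without the key."""
    return hmac.new(key, chip_number.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


class PassageStore:
    """Minimal in-memory store with retention enforced by design."""

    def __init__(self, pseudonym_key: bytes, retention: timedelta = RETENTION_PERIOD):
        self._key = pseudonym_key
        self._retention = retention
        self._rows: List[Passage] = []

    def record(self, chip_number: str, location: str, passed_at: datetime) -> Passage:
        # Data minimisation: only the pseudonym is stored, never the chip number.
        row = Passage(pseudonymise_chip(chip_number, self._key), location, passed_at)
        self._rows.append(row)
        return row

    def retained_beyond_policy(self, now: datetime) -> List[Passage]:
        """Compliance check: rows older than the retention period that still exist.
        A non-empty result is exactly the finding the regulator made here."""
        cutoff = now - self._retention
        return [r for r in self._rows if r.passed_at < cutoff]

    def purge_expired(self, now: datetime) -> int:
        """Automatic deletion: drop every row past the retention period.
        Returns the number of rows removed."""
        cutoff = now - self._retention
        expired = [r for r in self._rows if r.passed_at < cutoff]
        self._rows = [r for r in self._rows if r.passed_at >= cutoff]
        return len(expired)

    def __len__(self) -> int:
        return len(self._rows)


def demo() -> dict:
    """Constructed sample data: four passages by two vehicles, two of them
    older than the retention period at the time of the check."""
    now = datetime(2020, 3, 1, tzinfo=timezone.utc)
    # Constructed key for the example only; a real deployment would hold it in a KMS/HSM.
    store = PassageStore(pseudonym_key=b"example-key-not-for-production")
    store.record("CHIP-0001", "toll-plaza-A", now - timedelta(days=200))
    store.record("CHIP-0001", "toll-plaza-A", now - timedelta(days=91))
    store.record("CHIP-0002", "toll-plaza-B", now - timedelta(days=10))
    store.record("CHIP-0001", "toll-plaza-B", now - timedelta(days=1))
    before = len(store)
    overdue = len(store.retained_beyond_policy(now))
    deleted = store.purge_expired(now)
    return {
        "before": before,
        "overdue": overdue,
        "deleted": deleted,
        "after": len(store),
        "overdue_after": len(store.retained_beyond_policy(now)),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports four rows before the check, two held beyond policy, two deleted and none overdue afterwards. The point of the design is that `retained_beyond_policy` doubles as an audit query: run on a schedule, it should always return an empty list, and anything else is a retention finding that can be fixed before a regulator finds it.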
The director of the Norwegian Data Protection Authority stated in the press release that "[t]he Norwegian Public Roads Administration has processed personal data illegally. The deletion function has been missing, and there are enormous amounts of information that have not been necessary to store. It is serious that the system was not designed according to the privacy rules. People should be able to travel without unnecessary registrations being made".
An administrative fine of NOK 4 million is the highest the Norwegian Data Protection Authority has so far notified in Norway.
According to the notification, the Norwegian Data Protection Authority requests the NPRA to delete personal data, such as chip number, location and time of vehicle passage, that has been stored beyond the period for which the NPRA may lawfully retain it. The reason is that such personal data is no longer necessary for the purpose for which it was originally collected or processed.
The element that could turn the case into a landmark decision (if the notified decision becomes final) is the Norwegian Data Protection Authority's reference to the decision of October 30, 2019 by the Berlin Commissioner for Data Protection, which imposed a EUR 14.5 million fine on a German real estate company, Deutsche Wohnen SE. The German company had failed to establish a GDPR-compliant data retention and deletion procedure for tenants' personal data. The German authority considered retaining data substantially longer than necessary a breach of the GDPR in three respects: first, Deutsche Wohnen SE had no legal ground to store personal data longer than was necessary; second, this was considered an infringement of the data protection by design requirements under Article 25(1) GDPR; and, finally, it was an infringement of the general processing principles set out in Article 5.
According to the notification from the Norwegian Data Protection Authority, the NPRA's noncompliance has clear similarities to the German case, in that: i) personal data stored in the system could not be deleted; ii) personal data was not misused; iii) the database was created prior to GDPR; iv) the company did not check to what extent personal data was deleted; and v) the company did not implement privacy by design.
In essence, the Norwegian Data Protection Authority shows a willingness to enforce GDPR by using increased administrative fines, in line with European practice. Although the Norwegian regulator has not been known for imposing large fines, the reference to a decision by a German authority may signal a stricter regime ahead. Some parts of GDPR, such as privacy by design and data minimisation, are quite strict and may be difficult for companies to comply with, in particular when dealing with legacy IT systems. We recommend that companies review their retention policies and databases in order to verify compliance.