Norwegian Legal Update, Summer 2020 – Data Protection and GDPR

| Innsikt

The year of 2020 has introduced new challenges in all aspects of life due to a global pandemic. Although COVID-19 has received much attention from a GDPR-perspective, we have also seen other important developments with regard to international transfers and enforcement actions. Get some key updates as well as expectations for the upcoming months in this short article.

The CJEU invalidates Privacy Shield (Schrems II)
Perhaps the most significant development so far in 2020 is the Court of Justice of the European Union landmark judgement 16 July regarding the transfer of personal data to the US, the so-called Schrems II case. The court states that EU-U.S. Privacy Shield framework is invalid. The EU Standard Contractual Clauses are still valid, but presupposes that the entity transferring data conducts an assessment regarding the level of protection offered in the receiving country.

The decision implies that all businesses who base their transfers of personal data to the US on the Privacy Shield framework must find another legal basis for such transfer. In practice, this is relevant for a large number of Norwegian and European businesses where suppliers, sub-suppliers or wholly/partly owned subsidiaries in the US receive, or have access to personal data

Read more about the decision and what businesses should do to ensure compliance with the GDPR’s strict data transfer rules.

2020 – the year of a global pandemic
When COVID-19 made its entry to the world in the beginning of 2020, so did a number of challenges for countries, governments and businesses. One apparent challenge, which was faced by both large, medium and small sized businesses, was the leeway in which management could operate towards employees and visitors in light of the pandemic. Questions arose regarding the possibility of mapping the health status of employees and other groups, such as visitors and customer- and supplier representatives. Many businesses also found it challenging to navigate what measures could be legally implemented towards employees and other groups, in order to fight the pandemic on office- and business grounds. In light of this, we drafted a short guidance in order to assist businesses when processing personal data regarding employees and other groups in relation to COVID-19. Read it here (only available in Norwegian).

Another challenge that materialized over the past few months, and which is still very present today, is that businesses experienced an increased amount of cyber attacks. Many organizations have been, or are still in a phase of reorganizing their operations and establishing alternative solutions to ensure continued business work capacity. Such reorganization may lead to vulnerabilities, due to a workforce placed in home office and a change in focus within IT-departments, from a strict security-focus to finding new potential solutions during/post-COVID-19. This state has left numerous hackers and other cyber criminals around the world in a position to mobilize themselves, in order to take advantage of the extraordinary situation. Businesses should therefore still be aware of a significant increase in cyber risks and attacks in relation to the current pandemic. Read more regarding how your business can combat the increased cyber risk here and here.

Appointment of new Norwegian data privacy commission
On 23 June 2020, the Norwegian government appointed a new data privacy commission. The overarching task of the commission is to assess the current status of data privacy in Norway. Research- and investigation results are to be published in a report by 1 December 2021. Read the press release by the Ministry of Local Government and Modernisation here (only available in Norwegian).

In the press release, the government stresses how important it is for Norway as a country to take part in digital and technological developments, in order to ensure a competitive and efficient private and public sector. However, the world has seen vast changes when it comes to both technological challenges and developments in recent years. The last data privacy commission handed its report on data privacy in Norway to the government in 2009. Since then, Europe has implemented new data protection legislation (GDPR), more people are solving everyday challenges through applications and companies have started buying and selling data in increasing speed. In light of this, the Government aims to ensure that Norwegian citizens’ personal data are protected whilst businesses and people enjoy the possibilities technology has to offer. Appointment of a data protection commission may be a step in the right direction to achieve the correct balance between commercialization and data protection.

The data privacy commission has received a wide mandate in order to balance the opportunities that technology holds, against each individual’s right to data privacy. Specific focus areas include data protection rights for consumers when using digital solutions, consequences for data privacy in the social media sphere and childrens’ right to data protection.

Two years of application of the GDPR – a report from the EU Commission
Right before entering summer, on 26 June 2020, the EU Commission launched its report «Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition – two years of application of the General Data Protection Regulation«. You can read the full report here.

The report covers a number of areas, such as:

  • challenges for the implementation of the GDPR in the EU/EEA;
  • focus areas for the ongoing data privacy work within the EU bodies and member states moving forward;
  • a review of current transfer mechanisms;
  • presentations regarding ongoing EU-projects that will impact data protection legislation; and
  • guidance for supervisory authorities.

In the report, the EU Commission still answers positive on the question regarding whether the GDPR has strengthened individuals’ right to data protection. It is safe to say that the possibilities given to data protection authorities to impose extensive fines have played an important part in order for businesses to allocate resources towards becoming GDPR compliant.

However, the Commission does point out some apparent challenges regarding implementation of the GDPR across all member states, where transfer of personal data to countries outside the EU/EEA (so called third countries) has been highlighted as a particularly challenging field. When adding Brexit to the mix, this becomes an increasingly interesting topic. The UK exited the EU 1 January 2020, and is now considered a third country. However, the EU and the UK have entered into a withdrawal agreement establishing a transition period until 31 December 2020. During this period, the UK shall continue to apply the EU laws, including the rules of the GDPR. Moreover, during the transition period, the EU and the UK will negotiate the terms of a potential future partnership. Read more regarding what will be the situation after the transition period and how your business should prepare itself here.

Supervisory activities – are you ready for inspection?
2020 was forecasted as the year where data protection authorities would start their supervisory activities with full force. With the outburst of COVID-19, this focus naturally shifted somewhat towards increased guidance and collaboration between businesses and European data protection authorities. The Norwegian Data Protection Authority stated during the spring of 2020 that it would be cautious to impose extensive fines in a time where many businesses are fighting to survive.

However, supervisory authorities have not stopped carrying out their supervisory activities these past few months. The Norwegian Data Protection Authority has issued both warnings and notifications of potential fines for alleged breaches of data protection legislation, including:

  • Notification of NOK 3 million fine to Bergen municipality for unsufficient security in Vigilo, a digital solution used by schools, kindergardens and parents (read more about this in our article available in Norwegian here);
  • Notification of injunction to the Norwegian Institute of Public Health for lacking GDPR Article 30 protocol and risk assessment in relation to the application «Smittestopp» (read more on the Norwegian Data Protection Authority’s website, available in Norwegian here).

As the world slowly shifts back to a new state of normal, it is expected that data protection authorities will increase their inspection efforts. There is no reason to believe that the Norwegian Data Protection Authority will conduct business any differently. If you are running a business, this may be a good time to review existing framework documentation, in order to map out where you are in compliance with the GDPR, and where your documentation or routines are missing or outdated.