The SSB would however only use the data in aggregated form, where each purchase would immediately be pseudonymized and categorized into one of approximately 10 household groups, based on number of persons in the household, total household income, geographic location etc. The raw data on which the aggregated data was based would still be stored by the SSB, and it would therefore be possible to link the purchase data to payment data, thereby enabling the identification of the person behind each individual purchase.
Legal basis for the processing
SSB had found that they had legal basis for the processing in the GDPR Article 6(1)(c) (processing necessary for the compliance with a legal obligation) and in Article 6(1)(e) (processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority). Processing under these articles also requires a basis in union law or member state law, ref. Article 6(3). In this respect, the SSB had invoked a broad provision in the Norwegian statistics act enabling the SSB to request data for statistical purposes. The provision in the statistics act, together with an individual decision made by the SSB to order the supermarkets and the payment service providers to supply the data, was in the opinion of the SSB valid legal grounds for the processing.
SSB had carried out two different data processing impact assessments (DPIAs) and had also carried out the cost-benefit analysis prescribed by the statistics act. In the DPIA, SSB found that the main detrimental effect for the data subjects was the “perceived effect” of a public government being in possession of data which are generally perceived to be part of the private sphere. The SSB found however that these effects could be counteracted by general security measures, and also by the general provision in the statistics act prescribing that individual personal data should not be processed for statistical purposes.
The Data Processing Authority’s findings and decision
The DPA found that the data collection was clearly within the area of the ECHR Article 8 and the right to respect for private and family life. This also means that any interference by a public authority must be prescribed by law, ref. Article 8.2, and that the more severe the privacy effects, the more is required of the legal basis. The DPA further stated that any data processing must be adequate, relevant and limited to what is necessary (data minimization), ref. the GDPR Article 5(1)(c), and that the data minimization requirement is also stricter the more severe the consequences are for the data subjects.
The DPA recognized the public benefit of the statistics, for example could nutritional statistics form the basis for beneficial public health work. The DPA also recognized that the SSB had good internal routines and systems for pseudonymization and aggregation of personal data, good internal access control systems etc.
Although the purchase data at the time of collection was not linked to individual persons, the DPA found that the data should be considered as personal data already from the collection, as it was quite easy to connect the data to individual persons after receiving the payment data. The DPA further found that the processing of this data constitutes processing of an enormous amount of data about private individuals in Norway, and also that this was an entirely new form of data collection from private business enterprises. The data collection was to be done without special information to the data subjects, who had no reason to expect that all data regarding their purchases was to be transferred to the government. The data subjects had no actual means to reserve themselves from this data collection, beyond resorting to paying in cash in the supermarkets, which is very unpractical.
The DPA found that the DPIAs were flawed, as they referred to a “perceived effect” and that this was an indication of the SSB’s failure to recognize the right to privacy as a fundamental right. The DPA found that such data collection could have significant detrimental effects on privacy, and that the total effect of the collection was quite significant.
Regarding the legal basis, the DPA found that the general provisions in the statistics act did not provide an adequately specific legal basis for the processing, particularly since the legal basis was not very clear, also since the statistics act leaves it up to the SSB to decide for itself whether or not the legal basis should be invoked. This situation differs from the corresponding regulation of medical research, where the actual decision as to whether the research project shall be carried out is left up to an independent board who will be able to carry out a neutral assessment, balancing the beneficial effects of the project against negative privacy consequences. Such a neutral balancing of interests is less likely to be carried out when the decision is left up to the public body in whose interest the data is collected. The DPA found that the assessments carried out by the SSB were lacking, particularly in relation to the principles of data minimization and proportionality as required under the GDPR.
In its assessment, the Norwegian DPA referred to case law from the ECHR and the CJEU, i.a. to case C-175/20 paragraph 83, where the CJEU in a decision from February 2022 had found that national law was not sufficiently clear to satisfy the proportionality requirement under the GDPR Article 5(1)(c).
Based on the above, the DPA found that the legal basis for the collection under Norwegian national law was not sufficiently clear, and that the SSB’s request on the supermarket chains was therefore invalid. Consequently, the DPA passed a decision on 26 April 2023 where they imposed a ban on the SSB’s proposed data collection from the supermarkets.
The DPA’s decision has triggered a discussion in Norway as to whether the current legislative practice in Norway of giving public authorities general and unspecified authority to collect personal data is in fact sufficient to ensure the privacy of the citizens of Norway. The decision suggests that such legislation should be more specific and that the Parliament, following a public debate, should take responsibility for the balancing between the public interests sought through the collection and the citizens’ privacy rights.
The DPA’s decision can be appealed to the Privacy Board within three weeks, and the Privacy Board’s decision may in turn be tried by the ordinary courts of Norway. Currently, we do not know whether the SSB has appealed the decision, however we would not be surprised if the SSB were to challenge the DPA’s decision.
Article provided by INPLP member: Øystein Flagstad (Gjessing Reimers, Norway)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
