Two recent decisions of the Norwegian Privacy Appeals Board
The Norwegian Data Protection Authority (NDPA) has a broad set of powers, including the power to deliver warnings, reprimands or impose fines on data controllers and processors for non-compliance with the new Personal Data Act and the GDPR. As the new Personal Data Act and the GDPR only recently came into force, there are not yet many decisions based on the new legal regime. However, some of the recent NDPA decisions were appealed to the Privacy Appeals Board (PAB) and the appeal decisions have referred to the new legislation. Two such recent decisions respectively concern the data subject's right to object to processing and the right to erasure.
In case PVN-2018-07, involving a data subject's demand for the erasure of a link between a blog post and the data subject's name on the Google search engine, the PAB reiterated that the presumption is that the data subject has a right to erasure, unless there are other overriding legitimate grounds for the processing (in accordance with the well-known Google Spain decision of the CJEU). The decision was subsequently based on a balance of the interests of the data controller or third party (the freedom of expression of the publisher of a blog post and the public's right of access to information), on the one hand, and, on the other hand, the right of the data subject to object to the processing and to demand erasure. In view of the fact that, among other things, the blog post in question was posted anonymously and consisted of the subjective opinion of the writer with references to third parties allegedly having the same opinion, the balancing act went in favour of the data subject. Google Norway (Google inc.) was therefore instructed to remove the link between the blog post and the data subject's name from its site.
The other case PVN-2018-11 involved an employee's right to object to processing and subsequent right to erasure of information stored in a personnel file by the data subject's employer. The file contained warnings given to the employee for questionable behaviour towards another employee. The PAB, contrary to the NDPA, decided in favour of the data subject/employee, emphasising that the exception from the data subject's right to object, namely that the controller can demonstrate "compelling legitimate grounds for the processing" was not met. The PAB held that, for "the right to object" to be effectively utilised in the protection of personal data, an undefined, probable, future legal proceeding against an employee should not suffice to meet the threshold for this exemption. The PAB did, however, also state that a case involving more serious charges than those present in this case, might have led to a different outcome.
In both these cases, the decision of the PAB was based on current law (i.e. post-GDPR implementation), and while the PAB disagreed with the NDPA's decision only in the latter of the two cases, this was arguably not due to the passing of the new legislation, but rather to disagreement on the specific balancing of interests. This is not to say that the new data protection legislation has not brought about changes – in many respects it most certainly has. It merely shows that not everything related to data protection has changed.
Contact: Gry Hvidsten, Specialist Counsel: firstname.lastname@example.org