Four years after GDPR, Norway hopes for safer data transfer to US
Like most countries, Norway has data privacy laws that go beyond the General Data Protection Regulation (GDPR). For example, there are laws on credit referencing and on camera surveillance in the workplace; there are laws on employer access to employee business records and employee business emails; and there are laws on data collection in the health sector.
The Norwegian Data Protection Authority (DPA), Datatilsynet, not only ensures GDPR compliance; it also applies the regulations specific to each country.
“Four years after the GDPR came into effect, we have seen a massive mindset shift across businesses in a positive direction,” Tobias Judin, head of the international section of Datatilsynet, told Computer Weekly. “We see that they are now investing a lot more in their compliance efforts than they did before GDPR. We are very impressed with some of the initiatives.
“But some companies have yet to do all that is necessary to align their processes with GDPR. To some extent, it’s because the regulations are so complex.”
The Norwegian DPA has imposed fines, mainly on public sector entities, when data processing took place without a legal basis or without adequate security. Some private sector organizations have also been fined – for example, for illegal camera surveillance and illegal credit referencing. In one case, data was sent to China without a data processing agreement.
But the heaviest penalties have been imposed on data controllers in the United States. The largest fine to date was imposed on Grindr, a US-based LGBTQ+ social networking site. The Norwegian DPA fined Grindr around €6.5 million for sharing user data with third parties for advertising purposes. Users had not validly consented to the sharing of their data – and in this case, the mere fact that they are Grindr users could be considered sensitive information.
“Generally, under GDPR, you must have a legal basis to share personal data,” Judin said. “A legal basis may, for example, be consent, that sharing is necessary to provide the service, or that the company’s legitimate interest in sharing the data outweighs the rights and freedoms of users. For special category data, however, the threshold is even higher. In practice, you would normally need explicit consent to share it.
“Special category data includes data about a person’s health, religion, ethnic origin, political opinions, sexual orientation or sex life.”
Grindr is currently appealing the fine.
GDPR today and tomorrow
“The current regulations are working well on substance,” Judin told Computer Weekly. “The rules allow important tasks to be done in the public interest – and businesses can process personal data to keep their businesses alive. The GDPR enables these things to happen, while protecting the fundamental human right of privacy.
“But on the procedural side, greater enforcement is needed. We would expect that, four years later, the biggest players, especially the biggest tech companies, would have changed their ways to provide more transparency, more user choice, and more user control. We would expect less harmful and intrusive business practices using personal data. But that did not materialize significantly.”
One thing that could help would be a better way of dealing with cases that have Europe-wide consequences. The current situation is that many of the biggest complaints and issues are referred only to the DPA of the country where the infringing company’s head office is located. The result is that some data protection authorities are overwhelmed with huge files, when the problem could be better dealt with at European level.
“We are seeing a push towards more globally harmonized rules, global convergence,” Judin said. “At the moment, one of the biggest problems is that it is very difficult to transfer personal data, for example to the United States or other countries outside of Europe.
“At the same time, we all use the Internet. It is global in nature. This creates a lot of headaches for Norwegian companies and companies all over Europe. It also creates problems for American companies which cannot always receive data because of the rules. We need to make sure that every country has the same high level of data protection – then we can share data to a much greater extent. But it will be extremely hard.”
Judin added: “At this time, it is problematic to transfer personal data to the United States. It might even be problematic to use US service providers, even if the data is stored in Europe, as they are still subject to US jurisdiction. We don’t want to lower our level of data protection just to be able to use US services.”
New framework agreement with the United States
A new framework is currently being negotiated between Europe and the United States. The framework is often referred to as Privacy Shield 2.0, in reference to Privacy Shield, the second of two previous agreements that the European Court of Justice has declared invalid. The first agreement was called Safe Harbor.
The main problem is Section 702 of the Foreign Intelligence Surveillance Act (FISA). This is one of the laws specifically highlighted by the Court of Justice of the European Union in its decision against the Privacy Shield in July 2020. FISA dates back to 1978, long before the Internet. Section 702 was added as an amendment in 2008 to allow intelligence agencies to collect foreign intelligence from non-Americans located outside the United States, whether the data is on servers located inside or outside the United States.
“We also have surveillance laws in Europe,” Judin said. “But we demand access to be ‘necessary and proportionate’ and we need effective legal remedies and independent oversight. We would accept US surveillance laws if we had these assurances.
“The new framework will be very important. We don’t know the details yet, but we know the US side is ready to make changes. There will probably be a new executive decree and a new administrative body that will be able to deal with complaints from European citizens.
“On the other hand, some people aren’t very happy with what they’ve seen so far. One of those people is Max Schrems, the Austrian data protection campaigner, who says that so far the deal being negotiated does not meet the standards set by the European Court of Justice. Schrems and others are actually ready to challenge the new framework even before it’s finalized.”