Four years into GDPR, Norway hopes for safer data transfer to US
Much of the data on the internet ends up on US servers at some point, and that is not always compatible with the General Data Protection Regulation, says Norwegian data protection authority
Like most countries, Norway has data privacy laws that go beyond the General Data Protection Regulation (GDPR). For example, there are laws on credit referencing and on camera surveillance in an employee context; there are laws on employers’ access to employee work files and employee work emails; and there are laws on data collection in the health sector.
Norway’s data protection authority (DPA), Datatilsynet, ensures more than just GDPR compliance – it also enforces country-specific regulation.
“Four years after the GDPR came into force, we have seen a massive change of mindset in companies in a positive direction,” Tobias Judin, head of Datatilsynet’s international section, told Computer Weekly. “We see that they are now investing a lot more in their compliance efforts compared to what they were doing pre-GDPR. We are very impressed with some of the initiatives.”
But some companies have not yet done all that is needed to align their processes with the GDPR. To some extent, that is because the regulation is so complex.
Norway’s DPA has imposed fines, mostly on public sector entities, where data processing has taken place without a legal basis or without adequate security. Some private sector organisations have also been fined – for example, for illegal camera surveillance and for illegal credit referencing. In one case, data was being sent to China without a data processing agreement.
But the biggest penalties have been issued to data controllers in the US. The largest fine to date was against Grindr, an LGBTQ+ social networking site based in the US. The Norwegian DPA fined Grindr about €6.5m for sharing user data with third parties for advertising purposes. Users did not validly consent to having their data shared – and in this case, just the fact that they are Grindr users could be considered sensitive information.
“As a general rule, pursuant to the GDPR, you need to have a legal basis to share any personal data,” said Judin. “A legal basis can, for example, be consent, that sharing is necessary to provide the service, or that the company’s legitimate interest in sharing the data outweighs the users’ rights and freedoms. For special category data, however, the threshold is even higher. In practice, you would normally need explicit consent to share it.
“Special category data encompasses data about someone’s health, religion, ethnicity, political views, sexual orientation or sex life.”
Grindr is currently appealing against the fine.
GDPR now and in the future
“The current regulation works well in terms of substance,” Judin told Computer Weekly. “The rules allow important tasks to be carried out in the public interest – and companies can process personal data to keep their businesses alive. GDPR allows these things to occur, while at the same time protecting the fundamental human right of data privacy.
“But on the procedural side, more enforcement is needed. We would expect that, four years in, the biggest players, especially the biggest tech companies, would have changed their ways to provide more transparency, more user choice and more user control. We would expect less harmful and intrusive business practices using personal data. But this has not materialised in any significant way.”
One thing that might help in enforcement is to have a better way of addressing cases that have European-wide consequences. The current situation is that a lot of the biggest complaints and the biggest issues go only to the DPA in the country where the violating company is headquartered. The result is that some DPAs get swamped with huge cases, when the problem could be better handled on a European level.
“We are seeing a push towards more harmonised rules on a global scale, global convergence,” said Judin. “Right now, one of the biggest issues is that it is very difficult to transfer personal data, for example to the US or other countries outside Europe.
“At the same time, we all use the internet. It is global in nature. It creates a lot of headaches for Norwegian companies and companies all over Europe. It also creates problems for US companies that cannot always receive data because of the rules. We need to ensure that every country has the same high level of data protection – then we can share data to a much bigger extent. But that’s going to be extremely hard.”
Judin added: “Right now, it’s problematic to transfer personal data into the US. It might even be problematic to use US service providers, even though the data is being stored in Europe, because they are still subject to American jurisdiction. We are not willing to lower our level of data protection just to be able to use US services.”
New framework agreement with the US
A new framework is currently being negotiated between Europe and the US. The framework is often referred to as Privacy Shield 2.0, in reference to the second of the two previous agreements that were ruled invalid by the European Court of Justice – Privacy Shield. The first agreement was called Safe Harbor.
The main issue is the Foreign Intelligence Surveillance Act (FISA), Section 702. This is one of the laws specifically highlighted by the Court of Justice of the European Union in its ruling against Privacy Shield in July 2020. FISA dates to 1978, well before the internet. Section 702 was added as an amendment in 2008 to allow intelligence agencies to collect foreign intelligence from non-Americans located outside the US, whether the data sits on servers located inside or outside the US.
“We have surveillance laws in Europe as well,” said Judin. “But we require access to be ‘necessary and proportionate’ and we require effective legal remedies and independent oversight. We would accept US surveillance laws if we had these assurances.
“The new framework will be very important. We don’t know the specifics yet, but we do know the US side is willing to make changes. There will probably be a new executive order and a new administrative body that can handle complaints from people in Europe.
“On the other hand, some people are not very pleased with what they have seen so far. One of those people is Max Schrems, the Austrian data privacy activist, who says that so far, the agreement being negotiated does not meet the standards set out by the European Court of Justice. Schrems and others are actually ready to challenge the new framework even before it has been finalised.”