Norwegian Social Service guilty of massive GDPR violations

Janne Cecilie Thorenfeldt, living in Norway, discovered that her employer which is also the Norwegian Social Service violated her data protection rights. So she took them to court. Read on to learn what happened.

By Elektronisk Forpost Norge (guest author) · November 23, 2023

In 2016, Janne Cecilie Thorenfeldt was involved in a car accident. As a result, she was entitled to a sick pay from the Norwegian Centralized Social Service Mastodont NAV. Coincidentally, Thorenfeldt was also an employee of NAV. After a while she became suspicious about colleagues having information about her that they were not supposed to have. That’s when Thorenfeldt realised that NAV did not have proper systems in place to separate their roles as employers and social service provider.

At first Mrs. Thorenfeldt tried to raise the issue internally and estblish wether or not there were proper systems in place to prevent improper data access. After many enquiries it was established that there are logs of access to her data. When she requested to see these logs, NAV refused to provide any information. They would only confirm data access if she were to ask if specific people had accessed her file.

NAV prefers to silence Thorenfeldt than put proper data protection processes in place

At this point Mrs. Thorenfeldt, who is also a labour union representative, realised that NAV was trying to sweep the case under the rug. At this point, she found herself in a whistleblower situation where she was taking the issue to the Norwegian Data Protection Authority (DPA).

"Everywhere I turned in NAV, they were asking what it would take to put a lid on this. I had burnt all bridges and in my future my only duties will be to copy insurance papers! There was no interest in solving the underlying issues."

- Janne Cecilie Thorenfeldt

After getting nowhere for more than 3 years she fiinally decided to take the issue to court. The case was litigated twice and both times the courts found that NAV committed massive violations of GDPR, but held that the institution is not liable.

Who cares about data protection in Norway?

EDRi member in Norway EFN only became aware of the case after it had been litigated through two instances. The story of Thorenfeldt brought to the forefront an issue that EFN wanted to shed light on. That is the Norwegian law’s lack of proper implementation of damage reparations from GDPR-violations.

If NAV cannot protect people’s data, everyone’s privacy in Norway is under threat

NAV is no small player in Norwegian society with about one third of the Norwegian government’s spending being funnelled to the Social Service system. Created in 2006, it seeks to centrally integrate all benefits given by the Norwegian government into one agency. To do so, it keeps mandatory extensive files on just about every Norwegian citizen.

Considering the immanence of the collected and stored personal information, data-privacy violations in NAV have a wide ranging impact on the entirety of Norwegian society. The agency keeps records on, for instance, health reports, economic history, family relations, institutional admissions and a whole range of other information with no or very small safeguards on accessing it.

"Norwegian society generally shows very little interest in digital rights issues. Unfortunately, Thorenfeldt’s struggle was met with the same media silence that most such issues are treated in Norway. As a result, EFN, one of the data protection and privacy organisations in Norway, was unable to learn about the case until it got thus far."

- Tom Fredrik Blenning, Executive Director, EFN

The Norwegian Supreme Court did not choose to use its powers to take over the case. At this point the only viable way to take this forward was to appeal either to the EFTA-court(1), which is the supranational judicial body responsible for the three EFTA members who are also members of the European Economic Area(2): Iceland, Liechtenstein and Norway. Or reach out to the European Court of Human Rights (ECHR).

Law Professor Mads Andenæs joined the case and brought an appeal of the case to the ECHR, for violating both the right to privacy and the right to an effective remedy.

Lately, Janne CecilieThorenfeldt has been involved in discovering further violations in NAV. Follow the EDRi-gram newsletter to keep up to date with Thorenfeldt’s story.

(1) The EFTA-Court is the court responsible for adjudicating questions with relation to the EFTA-agreement – The European Free Trade Association. Austria, Denmark, Portugal, Sweden and the United Kingdom was once part of EFTA but only Iceland, Liechtenstein, Norway and Switzerland, remains after the first mentioned countries joined the EU.
(2) The EEA – European Economic Area – is an extension of the EU Single Market into EFTA. The agreement covers Iceland, Liechtenstein and Norway. Switzerland has chosen to not be a part of this agreement. Per the EEA-agreement the EFTA-Court is responsible for adjudicating matters with relation to the EEA.

Read this article in Norwegian here.

Contribution by: Michael Puntschuh, Board member, EDRi member, Elektronisk Forpost Norge (EFN)