Norwegian Social Service guilty of massive GDPR violations
Janne Cecilie Thorenfeldt, living in Norway, discovered that her employer which is also the Norwegian Social Service violated her data protection rights. So she took them to court. Read on to learn what happened.
In 2016, Janne Cecilie Thorenfeldt was involved in a car accident. As a result, she was entitled to a sick pay from the Norwegian Centralized Social Service Mastodont NAV. Coincidentally, Thorenfeldt was also an employee of NAV. After a while she became suspicious about colleagues having information about her that they were not supposed to have. That’s when Thorenfeldt realised that NAV did not have proper systems in place to separate their roles as employers and social service provider.
At first Mrs. Thorenfeldt tried to raise the issue internally and estblish wether or not there were proper systems in place to prevent improper data access. After many enquiries it was established that there are logs of access to her data. When she requested to see these logs, NAV refused to provide any information. They would only confirm data access if she were to ask if specific people had accessed her file.
NAV prefers to silence Thorenfeldt than put proper data protection processes in place
At this point Mrs. Thorenfeldt, who is also a labour union representative, realised that NAV was trying to sweep the case under the rug. At this point, she found herself in a whistleblower situation where she was taking the issue to the Norwegian Data Protection Authority (DPA).
"Everywhere I turned in NAV, they were asking what it would take to put a lid on this. I had burnt all bridges and in my future my only duties will be to copy insurance papers! There was no interest in solving the underlying issues."
After getting nowhere for more than 3 years she fiinally decided to take the issue to court. The case was litigated twice and both times the courts found that NAV committed massive violations of GDPR, but held that the institution is not liable.
Who cares about data protection in Norway?
EDRi member in Norway EFN only became aware of the case after it had been litigated through two instances. The story of Thorenfeldt brought to the forefront an issue that EFN wanted to shed light on. That is the Norwegian law’s lack of proper implementation of damage reparations from GDPR-violations.
If NAV cannot protect people’s data, everyone’s privacy in Norway is under threat
NAV is no small player in Norwegian society with about one third of the Norwegian government’s spending being funnelled to the Social Service system. Created in 2006, it seeks to centrally integrate all benefits given by the Norwegian government into one agency. To do so, it keeps mandatory extensive files on just about every Norwegian citizen.
Considering the immanence of the collected and stored personal information, data-privacy violations in NAV have a wide ranging impact on the entirety of Norwegian society. The agency keeps records on, for instance, health reports, economic history, family relations, institutional admissions and a whole range of other information with no or very small safeguards on accessing it.
"Norwegian society generally shows very little interest in digital rights issues. Unfortunately, Thorenfeldt’s struggle was met with the same media silence that most such issues are treated in Norway. As a result, EFN, one of the data protection and privacy organisations in Norway, was unable to learn about the case until it got thus far."
Law Professor Mads Andenæs joined the case and brought an appeal of the case to the ECHR, for violating both the right to privacy and the right to an effective remedy.
(1) The EFTA-Court is the court responsible for adjudicating questions with relation to the EFTA-agreement – The European Free Trade Association. Austria, Denmark, Portugal, Sweden and the United Kingdom was once part of EFTA but only Iceland, Liechtenstein, Norway and Switzerland, remains after the first mentioned countries joined the EU.
(2) The EEA – European Economic Area – is an extension of the EU Single Market into EFTA. The agreement covers Iceland, Liechtenstein and Norway. Switzerland has chosen to not be a part of this agreement. Per the EEA-agreement the EFTA-Court is responsible for adjudicating matters with relation to the EEA.
Read this article in Norwegian here.