The privacy saga with Norwegian Social Service continues
We promised you an update to Janne Cecilie Thorenfeldt’s case taking the Norwegian Labour and Welfare Administration (NAV) on the European Court of Human Rights (ECHR). Since EDRi member Elektronisk Forpost Norge (EFN) reported about the massive GDPR violations of the Service, here is what happened.
We promised you an update to Janne Cecilie Thorenfeldt’s case taking the Norwegian Labour and Welfare Administration (NAV) on the European Court of Human Rights (ECHR). Since EDRi member Elektronisk Forpost Norge (EFN) reported about the massive GDPR violations of the Service, here is what happened.
NAV has been embroiled in several data protection scandals over the years. One of the biggest scandals was the Norwegian Social Security Scandal. It resulted in at least 80 people being wrongfully convicted of social security fraud and more than 2400 having their benefits clawed back.
"We saw the consequences of a lack of governance in the Norwegian Social Security scandal, it seems that NAV has neither learned nor is willing to learn from this. Despite being invited multiple times to engage in debate with us, they have consistently refused."
Norwegian Data Protection Authority fined NAV 20 million NOK
As a consequence of Janne Cecilie’s complaint, the Norwegian DPA started an investigation. 4 days after EFN published their article, NAV was hit with a record fine of 20 million NOK, partly on the basis of what Janne Cecilie is seeking compensation for.
NAV’s record on handling personal information is evidently inconsistent. It’s been less than 2 years since they were hit with a then-record fine of 5 million NOK for sharing information about its users lacking a legal foundation.
"The deeper we dig, the more problems we find. We are afraid we are only scratching the surface."
NAV disagrees with what privacy means
"The fact that the Norwegian Data Protection Authority gave us a notice of a fine of NOK 20 million for breaching the Personal Data Act has received a lot of attention in the press. The fact that we believe the Norwegian Data Protection Authority makes claims for which there is no coverage did not receive the same publicity. Part of the reason for the disagreement between us and the Norwegian Data Protection Authority is the number of employees who have access to personal data. The Norwegian Data Protection Authority believes there are too many. We don't think so."
Instead of accepting the record fine, which amounts to about 0.0037 per cent of NAVs’ turnover of 2022, they have chosen to double down on their privacy violations, claiming that it is not a problem that so many employees have access to such an amount of personal data. This runs counter to the experience of Elisabeth Thoresen in the AAP-action committee.
"It is too easy for individual employees in NAV to snoop on anyone. I find that when the AAP action contacts the NAV office with general questions, the notices in NAV's subject systems on me as a private person appear in the log. A person I know has had more than 8,600 notices over 5 years in her folder. It is difficult to understand how this is compatible with Holthe saying that there are not too many notices."
Janne Cecilie’s case is still pending before the ECHR, but updates around the scandal continue to emerge. Follow the EDRi-gram newsletter to keep up to date with Thorenfeldt’s story.
Read the original article in Norwegian here.
Contribution by: EDRi member, Elektronisk Forpost Norge (EFN)