4. Other Privacy Considerations
4.1 Necessity and Proportionality
We have previously described various types of information processed in Altinn and some of the important societal goals that Altinn and the service owners aim to contribute to.
We further refer to the government’s digitalization strategy, which states that the work on innovation in the public sector must be intensified, the pace of digitalization of the public sector should increase further, and cooperation with the private sector should be strengthened. Laws and regulations must be adapted to digital solutions.
Our understanding is also that the overwhelming majority of users want digital solutions and expect them. Altinn’s approach to the realization of digital services aims to focus on the user, allowing the user as far as possible to control and take ownership of their own data.
In light of the societal goals Altinn and the service owners aim to contribute to, and the government’s ambitions for increased digitalization, our assessment is that the processing activities occurring in Altinn are necessary and in reasonable proportion to the purposes.
4.1.1 Data Minimization
In general, digitalized data processing makes it possible to handle less personal data than alternative or previous solutions. For example, entire forms on paper previously had to be distributed further, whereas today it is possible to reuse or redistribute only certain data fields.
However, Digdir, as the manager of Altinn, does not have the ability to review and override the service owners’ legal basis and assessments of which information is necessary for each service.
For common functionality in Altinn, assessments have been made of what is necessary, for example, in connection with logging of the user’s activities. It is also the case that the use of a public common component like Altinn means that individual public entities do not need to have copies of basic data registers, etc.
4.1.2 Accuracy
The information conveyed through Altinn originates from the authoritative sources of this information: various basic data registers and service owners. These receive their information from the private individuals and the entities the information pertains to, who will therefore have incentives to correct incorrect information registered with these agencies.
That the information is obtained from the authoritative sources ensures that Altinn can rely on the accuracy of the information. Reuse of information from basic data registers means that any errors can quickly be discovered by the registered individual, who can then contact the data source to correct the information.
4.1.3 Storage Limitation and Deletion
In the development of new components in Altinn 3, there is a focus on minimizing the storage of personal data. There is a goal to only store one instance of information, and plans to introduce stricter sanitation provisions – unless the registered individual themselves wishes to have the information stored in Altinn for practical reasons.
4.2 The Registered Individuals’ Rights
4.2.1 Right to Information and Access
As a general rule, the registered individuals should receive information about the processing before it is initiated, cf. GDPR art. 13 and 14. This is largely a duty of information that rests with the data controller who collects the personal data from the registered individual.
There are also practical exceptions from the duty of information in art. 14 no. 5, which applies to the processing of personal data not collected from the registered individual.
Altinn largely acts as a data processor for the service owners, who are data controllers, and therefore is subject to the duty of information in art. 13.
For cases where Altinn is the data controller for personal data we ourselves have not collected from the registered individual, for example, in the form of a copy of basic data registers, we consider that the exceptions in art. 14 no. 5 apply.
Nevertheless, Altinn has a privacy statement on its websites, with information about which personal data are processed about the individual.
4.2.2 Right to Rectification and Erasure
Rectification of the information conveyed by Altinn must occur at the source, that is, with the managers of the basic data sources or the service owners respectively, according to their regulations/routines for such rectification. If errors occur in common functionality in Altinn, the registered individual can contact Digdir v/ASF.
As a starting point, the registered individual has the right under GDPR art. 17 to have personal data about themselves deleted by the data controller without undue delay, subject to further conditions, cf. no. 1 letters a to f and no. 2.
4.2.3 Right to Restriction of Processing
According to GDPR art. 18 no. 1, the registered individual, as a main rule, has the right to demand that the processing of personal data be restricted if specific conditions are met.
If the processing is restricted under no. 1, the information may be stored and otherwise only processed with the registered individual’s consent or for certain purposes, cf. GDPR art. 18 no. 2.
4.2.4 Right to Data Portability
The right to data portability entails two things:
- Individuals have the right to receive their personal data and to store it on a private device for further personal use.
- Individuals have the right to move, copy, or transfer their personal data from one entity to another.
The personal data that individuals wish to be provided must have been collected by the entity based on consent or contract. The right to data portability further applies only to information that the individual themselves has provided to the entity. Personal data not directly collected from the individual are not covered by this right, according to the Norwegian Data Protection Authority’s guide on the right to data portability.
Altinn collects very limited personal data directly from the registered individual in connection with the common functionality in the solution. This could, for example, involve an email address and phone number in connection with setting up notifications. These are details the registered individual can easily delete or use in other contexts.
Our assessment is that the registered individual’s right to data portability does not apply in any case, due to the exception in GDPR art. 20 no. 3 concerning processing necessary for performing tasks in the public interest or in the exercise of official authority.
For any right to portability of the personal data collected by the entities using Altinn, the registered individual must directly contact these entities.
4.2.5 Right to Object
The right to object to the processing of personal data does not apply when the data controller can demonstrate that there are compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the registered individual, or for the establishment, exercise, or defense of legal claims, cf. GDPR art. 21 no. 1 and art. 6 no. 1 e).
Digdir assesses that the processing of personal data occurring in the common functionality in Altinn falls under the aforementioned exceptions.
4.2.6 Right Not to Be Subject to Automated Individual Decision-making
Digdir makes no automated individual decisions in Altinn.
The registered individual must exercise their right to object in this context against the individual service owner in Altinn, who is the data controller for their service and the use of personal data in these services.
4.3 The Registered Individuals’ Freedoms
4.3.1 Right to Privacy and Confidentiality of Communications
Norway’s human rights obligations set the outer limits for the level of privacy protection the citizens have.
Norwegian public entities must base their operations on the European Convention on Human Rights (ECHR) to determine which rights the citizens in Norway are entitled to.[1]
For privacy, ECHR article 8 is the central provision.
ECHR article 8 no. 1 states that “Everyone has the right to respect for his private and family life, his home and his correspondence.” The right to privacy is encompassed by this provision.
Like several other human rights, ECHR article 8 does not grant absolute rights. The conditions under which the rights in no. 1, including the right to privacy, can be restricted are detailed in no. 2.
It is necessary to distinguish between an interference and a violation. Thus, it must first be assessed whether there is an interference in one or more of the rights in ECHR article 8 no. 1. If there is an interference, it must be checked if this interference fulfills the conditions in ECHR article 8 no. 2. The interference must be “in accordance with the law” and “necessary in a democratic society” and pursue a legitimate aim. The conditions have been further developed through case law.[2] The condition “necessary in a democratic society” expresses a proportionality assessment. In this assessment, the extent to which the other conditions are met and whether they are in proportion to the seriousness of the interference is considered. The greater the interference, the more important it is that mechanisms are in place to safeguard the individual’s legal security. There is no violation of the right if the conditions in the second paragraph are met.
In the General Data Protection Regulation, the relationship between interference and violation follows directly from recital 4 and is expressed, among other things, in the exceptions in the GDPR, see for example article 23. Similar to ECHR article 8 no. 2, interference and exceptions must, in general, be established by law, follow a legitimate aim, and be proportional.[3]
The ECHR obligates the states that have ratified the convention. The obligations involve both negative and positive obligations. Negative obligations mean that states must refrain from actions that result in violations. Positive obligations mean that states must ensure a level of protection that prevents rights from being violated, according to ECHR Article 1. In the following, “member state” refers to a state that has ratified the ECHR, and “third country” refers to a state that has not ratified the ECHR.
Digdir utilizes American cloud services where the location is set to Norway and the EU/EEA.
When a cloud service provider operates in Norway and the EU/EEA, essentially, no data transfer occurs. Therefore, there is no transfer mechanism in connection with which a third country’s intelligence legislation can be considered.
One might say that the use of cloud services in Norway and the EU/EEA could potentially allow intelligence services from third countries to access information, affecting the right to privacy under ECHR Article 8. Digdir assumes that all countries conduct intelligence activities. A country’s intelligence legislation can provide important indications of the risk level. However, the intelligence legislation cannot be decisive. There is still a risk of intelligence activities even if it is not possible to identify the legislation to which the data processor is subject.
Subsequently, one must assess whether the level of protection that the citizen is entitled to under the provisions of the General Data Protection Regulation is fulfilled. This must be assessed specifically. Based on case law, it might be said that relevant elements could include:
- Proportionality
- Legal protection mechanisms that make an intervention more proportional
- The ability to foresee one’s legal position
- The opportunity to complain
- The possibility to stop the problematic data processing
- Whether the Data Protection Authority can impose a stop
- Access to courts
Digdir assumes that GDPR Article 32 is again the central provision for such an assessment, and in the assessment, it is relevant to see which legal protection mechanisms the registered individual has. We, therefore, refer to the chapters on assessing intelligence risk and the overall assessment of the data processor.
Generally, however, it should be noted that consideration is also given to the registered individual’s right to privacy by:
- Limitation of purpose
- Data minimization
- Disclosure of personal data in registers only to entities with a lawful basis for processing
- Protection of personal data
- Limited scope of personal data in logs
After a comprehensive assessment, Digdir therefore considers that the processing of personal data for which we are responsible in Altinn 3 does not constitute an intrusion into the registered individual’s correspondence, nor into the registered individual’s family life and home.
4.3.2 Protection Against Discrimination and Freedom of Thought, Conscience, and Religion
ECHR Article 9 establishes that everyone has the right to freedom of thought, conscience, and religion; this right includes freedom to change his religion or belief, and freedom, either alone or in community with others and in public or private, to manifest his religion or belief, in worship, teaching, practice, and observance.
The freedom to manifest one’s religion or beliefs shall be subject only to such limitations as are prescribed by law and are necessary in a democratic society in the interests of public safety, for the protection of public order, health or morals, or for the protection of the rights and freedoms of others.
Article 14 establishes a prohibition against discrimination. The exercise of the rights and freedoms set forth in the ECHR shall be secured without discrimination on any ground such as sex, race, color, language, religion, political or other opinion, national or social origin, association with a national minority, property, birth, or other status.
Our assessment is that Altinn, neither by itself nor as a data processor for any of the service owners, discriminates against anyone or restricts anyone’s freedom of thought, conscience, or religion.
4.3.3 Protection of Freedom of Expression and Information
Freedom of expression consists of the right to speak and to give or receive information (freedom of information) without interference from authorities. The right to freedom of expression is enshrined in ECHR art. 10, ICCPR art. 19, and in the Norwegian Constitution § 100.
Consideration is given to the registered individual’s right to freedom of expression by enabling the registered individual to exercise their right to request access to registered personal data, as well as to point out errors in the registered information at the data sources.
[1] Although the EU Charter is not part of the EEA Agreement, it can still have significance in the interpretation of other legal sources and thus have indirect significance in EEA law. Halvard H. Fredriksen discusses this in more detail in the article «The Significance of the EU Charter of Fundamental Rights for EEA Law».
[2] See, for example, the ECHR Big Brother Watch and others.
[3] See, for example, the ECHR CENTRUM FÖR RÄTTVISA v. SWEDEN (case no. 35252/08) paragraph 246 et seq. with further references.