New decision from the Norwegian Data Protection Authority – clear call for notification and implementation of measures in the event of data breaches

The Data Protection Authority has imposed a fee of NOK 5 million on the Norwegian Labour and Welfare Administration (NAV) for having made CVs available without a legal basis for processing. Since 2001, NAV has made it a condition for receiving services and benefits that the recipients’ CVs are published on “arbeidsplassen.no”, a portal for employers and temporary worker intermediaries. The breach has affected approximately 1.8 million people and was discovered after an internal review at NAV.

NAV itself notified the Data Protection Authority of the breach when it was discovered in February 2021, and at the same time took immediate measures to reduce its effects. Employers’ access to the CVs was shut off, and those affected were notified of the data breach and informed of damage-limiting measures. Employers and temporary worker intermediaries were also asked to delete any information about candidates they had downloaded or stored. NAV has also announced that it will carry out a manual review of decisions back to 2016 in order to uncover and overturn any invalid administrative decisions.

The unlawful publication was considered by the Data Protection Authority to be a breach of Articles 6, 5(1)(a) and 5(1)(f) of the General Data Protection Regulation (GDPR). According to Article 82(5) of the GDPR, the size of a potential fine for breaches of this type can be set to up to 20,000,000 euros (approx. NOK 200,000,000). Based on a discretionary assessment, the Data Protection Authority found that a fine of NOK 5 million was appropriate for the specific breach.

It is interesting in this context that the Data Protection Authority treated NAV’s handling of the case as a mitigating circumstance when assessing the size of the fine. This is in line with the guidelines laid down in Article 83(2) of the GDPR, where letter (c) states that any measures taken by the controller or the processor to limit the harmful effects of the breach shall be taken into account as a mitigating factor. Furthermore, the fact that NAV itself notified the Data Protection Authority, subsequently submitted updates on the measures taken and remained available throughout the proceedings was highlighted as a mitigating circumstance.

The Data Protection Authority has also taken such circumstances into account in earlier decisions. Among others, this was highlighted in the decision imposing a fine on Østre Toten municipality in January 2021, where the Data Protection Authority emphasised that the municipality notified it promptly when the data breach was discovered, that the breach was notified to the affected citizens, that the flow of information was maintained, and that the municipality did its utmost to follow up the breach and limit its harmful effects.

Therefore, the Data Protection Authority’s decision must be understood as a clear call to data controllers and processors to notify data breaches as soon as they are discovered, to take immediate action to limit the negative consequences of the breach, and to show a high degree of willingness to cooperate with the Data Protection Authority.
