GDPR & Corona – How the Privacy Act changed in 2020

The year 2020 has been chaotic and unclear. The significant changes in society and business life due to the pandemic have made GDPR and privacy more important than ever. 

Arribatec had a lot of GDPR projects in 2020 and assisted several companies in compliance with the Privacy Act during this period. Here are the year’s most critical issues and changes, plus tips for what you should take into 2021 to make GDPR more manageable.

In 2020, more sensitive information, health information, has been obtained and stored than before due to covid-19 and many companies have started to keep visitor lists. The Danish Data Protection Authority has reported to the Data Protection Authority for breaching the privacy rules. FHI’s infection tracking app received massive criticism in connection with the GDPR. Hence, they had to stop the app.

Which GDPR changes occurred in Norway in 2020?

Arribatec has seen a sharp increase in GDPR inquiries around the country during 2020. Especially after the summer, we have seen increasing pressure from Norwegian companies that need guidance and assistance on the Privacy Act.

This indicates a sharpened focus on GDPR, which is very positive. The reason may be that the Norwegian Data Protection Authority is banning more and more Norwegian companies, and companies with one employee are being complained about and audit.

Unfortunately, many companies still struggle to comply with the legislation and lack an overview. The most significant proportion who now make contact have not yet started their GDPR work, which is very surprising two years after the GDPR became part of Norwegian law.

On the one hand, there are suppliers of apps and services that we are happy to inform you about more than you think. On the other hand, state initiatives such as the new Intelligence Services Act and digital border defence give the state much greater leeway in gathering information about the individual. Although the legislation sets limits on what can be collected, technological limitations mean that these filters are not perceived as realistic. Therefore, GDPR requires more focus than ever before.

What has happened to GDPR on an international basis in 2020?

Internationally, a lot has happened that affects the GDPR and how the law develops. This is also highly relevant for us in Norway.

One of the significant events is the  Schrems II judgment. This is a ruling that, in short, makes it more demanding to transfer data to so-called third countries, i.e. countries outside the EEA that the EU has not approved. What many people do not think about is that the USA is also such a third country.

There are several consequences of this judgment. One is that Privacy Shield was invalidated on a transfer basis. This is a framework that initially simplified this with transfers to the USA. The second is that the controller is now obliged to ensure that the level of protection is in line with what we have in the EEA. If a data processor is subject to laws that conflict with this protection, it may make the transfer of data impossible to carry out legally.

Another GDPR event in 2020 was when the EU court ruled that the general and undifferentiated collection of telecom data in bulk was contrary to the communications protection directive. The great thing about this is that the new Intelligence Act, which was adopted on 11 June this year, cannot be implemented in its current form.

It may sound strange that this is “super”, but it is the case that many people have been critical of this law because it opens up (slightly simplified) mass surveillance.

How has Corona affected GDPR for SME companies?

Covid-19 has enormously impacted privacy in both small and large companies worldwide. We now use digital solutions to a much greater extent than before, and GDPR has never been more relevant than during this pandemic.

Home offices present GDPR challenges

When we locked down in March, people had to throw themselves into a major restriction to continue operating. We noticed a huge demand for home office equipment, and webcams quickly became impossible to procure.

One of the challenges with many new people starting to use digital aids is that you don’t always see the consequences of the new work habits. This spring, some solutions for video meetings were in trouble due to a lack of security and privacy regulations, which the average user cannot be expected to understand.

Infection control, health information and GPDR

Naturally, there are consequences linked to covid-19 tracking and health information transparency in connection with covid-19 infection. The fact that in the GDPR law, a distinction is made between general personal data and sensitive data (weekend data) is often unknown to SME companies.

The Norwegian Data Protection Authority clearly states that not all information must be stored and shared further, even in a pandemic. The GDPR, therefore, still applies to the greatest extent.

Information about someone infected with the coronavirus is considered health information and must be treated as sensitive data in line with the regulations.

Information that a person is in quarantine is not defined as health information but as general personal data. According to the Norwegian Data Protection Authority, information that an employee/customer has returned from a so-called “risk area” or red country is also not to be considered health information.

Our recommendation to be sure that we spread the correct information would be to check the facts directly with the authorities and the Danish Data Protection Authority’s corona update from time to time.

What are the GDPR rules for visitor lists/logging in connection with Corona?

Many companies that previously kept little personal information have now had to register visitors/guests to facilitate the work with infection tracking if an infection should occur. In this connection, it is essential to remember that privacy laws and regulations must be followed, as names, telephone numbers, e-mails etc., are personal data regulated by the GDPR.

You must still have a valid processing basis for this registration, and this processing basis must be documented. If you are not required to do this in regulation, it will be a balancing of interests that will be the most appropriate basis for processing.

You must also take care of the other aspects of the GDPR, such as data minimisation (do not collect more than you need), obligation to provide information and processing security, to name a few. It must also be documented how long you keep the personal data after the visit. Within a reasonable time, there must be a structure for destroying the visitor lists afterwards.

If the Norwegian Data Protection Authority conducts an inspection, all this must be documented before collecting visitor lists. Then it is essential to control your papers and know where everything is for you.

What happens to infection tracking apps and GDPR?

An infection-tracking app has a potentially significant consequence for privacy. In an infection tracking app, you will typically provide location data, which can be perceived as very intrusive and can put privacy at risk in the event of leaks. If health information is also processed in this app, then sensitive data is also processed, which is subject to stricter storage requirements.

There were several problems with the Smitestopp app that FHI launched in Norway earlier this year. On 15 June 2020, FHI stopped all data collection following a notice of prohibition from the Norwegian Data Protection Authority.

One of the reasons for this was that the personal data was not stored on the individual’s device but uploaded to the cloud. This meant that users no longer had control over their data.

In addition, the Norwegian Data Protection Authority objected to risk assessments on parts of the solution and that the processing protocol had imprecise wording.

There was also a debate related to this, which is about a shift in purpose. That is, the risk that data that has been collected is used for new purposes once it has been collected without obtaining consent or providing a valid basis for processing again. These are all things that companies must familiarise themselves with if they operate infection tracking based on personal data.

Not all tracking violates the GDPR.

NRK recently wrote an article about how the use of bank cards, buses and mobile phones reveals significant differences in behaviour between cities during the pandemic. The authorities closely monitor our digital traces to map our movements, but this is anonymised mass data and therefore does not violate the Privacy Act.

What should one take away from GDPR tips and advice into 2021?

For the individual company, the most important thing to take with them into 2021 will be to understand the value of operating with a good reputation in privacy.

At Microsky, we have seen that protecting the privacy and familiarising yourself with GDPR legislation has become more critical than ever. We use more and more platforms and systems where it isn’t easy to see what is happening behind the scenes. Making the actors who process our data accountable is necessary.

To a greater and greater extent, we see that users and customers attach importance to this when making their choices, and companies that take GDPR seriously will be in a stronger position. Perhaps even more important – those actors who do not take GDPR seriously will have a lot to lose and are in great danger of getting into trouble with the Norwegian Data Protection Authority. At the same time, they may lose customers and reputation.

We see more and more companies in Bergen municipality receiving heavy fines that they could have avoided if they had been more thorough in their GDPR work. In some cases, the company does not provide specific enough training to its employees on routines and consequences, which can result in user errors. It is the company’s responsibility that the employees know the regulations and have the competence to process personal data according to them. A corporate course in GDPR can be beneficial.

We recommend signing up for the Norwegian Data Protection Authority’s newsletter and checking out the podcast Personvenpodden. Here is a lot of helpful information about what is happening in the GDPR world so that you stay up to date in 2021. We also recommend the GDPR Portal to manage all your documentation.

How to make GDPR manageable

In our opinion, it should be as much a matter of course as complying with other applicable laws and regulations. Fortunately, complying with privacy legislation does not have to be an impossible task. If you haven’t started on this part, you really don’t have time, but it’s better to get started now than to think it’s too late.

It is essential to have good supporters who know the legislation inside out, who can give helpful advice and keep up to date. Having a sparring partner on GDPR can save the company time, money and headaches. Arribatec can provide good GDPR help for small and large companies. Contact us for a price quote and get support from our Certified Data Protection Officers with mapping, documentation and maintenance.