The Norwegian Data Protection Authority has given the Norwegian Customs a final decision on an administrative fine of NOK 400,000. The fine has been adjusted downwards in relation to the notice given in 2019. The case concerns the collection and use of information from cameras without legal basis.
The Norwegian Data Protection Authority initially notified a fine of NOK 900,000, but the Directorate of Customs complained and the final decision was in part reversed in that emphasis was no longer placed on lack of access control.
The fine is given according to the Personal Data Act of 2000, since the offense occurred before the General Data Protection Regulation (GDPR) came into force in 2018.
- It must be possible to expect that a public agency follows the legal provisions they are to administer, and has the ability to quickly rectify the situation. This has not been the case, and a reaction is needed. We should have confidence in public administration and especially those who exercise control, said General-director of the Norwegian Data Protection Authority, Bjørn Erik Thon, when the deadline for commenting on the notice to fine expired.
The Norwegian Data Protection Authority has in its decision to fine emphasized that the Norwegian Customs has monitored more than 70 million crossings, where the number of affected persons is estimated to be 7-8 million, without any legal basis for processing. The customs service can monitor cross-border traffic, but has also registered and stored data from cameras that the Norwegian Public Roads Administration has placed around the country, not in relation to cross-border crossing, and the Norwegian Directorate of Customs should not have access to these cameras.
The Norwegian Customs Directorate has processed information from both fixed and mobile cameras. These have captured traffic that cannot be characterized as crossing the border, and can therefore not be processed in accordance with the Customs Act.
Norwegian citizens have an expectation that there will be no use of surveillance methods that violate the right to privacy and involve unlawful interference with privacy. The Directorate of Customs had knowledge of the breaches without correcting the situation in time. In particular, it must be expected that a public agency is familiar with and complies with current privacy and data protection legislations, and quickly rectifies known breaches.
The Norwegian Data Protection Authority's assessment is that there was a breach of personal data security in connection with access control, but that in this context it is not necessary to react. There were more users in the Customs Service who had access to stored information than provided in the preparatory work for the Customs Act § 13-12. However, all of these had an official need for the information, and no misuse of the information has been established. The Norwegian Data Protection Authority sees that this has been handled satisfactorily by the Customs, and well therefore not to pursue this part of the case further.
Based on this, the final fine was adjusted downwards.