– Nav gets away cheaply

– Equality before the law is a principle that we have in Norway, and now the Norwegian Data Protection Authority is in the process of undermining this, says Rune Aale-Hansen, CEO of Regnskap Norge.

When the Norwegian Data Protection Authority proposed this week that Nav receive a fee of NOK 20 million for 12 different breaches of privacy, director Line Coll said the following:

– NOK 20 million is relatively low compared to what it would have been if it had been a private actor, but we believe that it is the right amount when we have to give an infringement fee to a public agency such as Nav.

SHOULD HAVE RECEIVED A HIGHER FINE: Rune Aale-Hansen in Regnskap Norge believes Nav is getting off too cheaply for its 12 offences. Photo: Regnskap Norge

Never before has such a large infringement fine been given to a public company. Coll justified the size of the fine of NOK 20 million by saying that Nav had deliberately broken the law and failed to carry out orders that it had previously received from the Norwegian Data Protection Authority.

– This is aggravating and contributes to the amount being so high, she said.

Nav denies that the offences were committed on purpose. Nav’s CEO Hans Kristian Holte believes that Nav has probably underestimated what is required to have good enough privacy protection for systems as large as Nav’s.

HIGH FINE: Nav chief Hans Kristian Holte must note that the Norwegian Data Protection Authority has announced a record fine for 12 breaches of privacy. Photo: Anne Cecilie Remen / news

Penal discount

Regnskap Norge is critical of the justification for the level of the fine to Nav.

– When you treat public and private business differently, you undermine the legal security of private business. The Norwegian Data Protection Authority gives a penalty discount to Nav and it is not justified in law, says Aale-Hansen.

But the Norwegian Data Protection Authority’s management disagrees with this.
– We completely disagree with Nav getting a penalty discount. But if you only think about sentencing, I understand the discussion about this. But the Norwegian Data Protection Authority has made a comprehensive assessment, also legally. In the regulations, provision has been made for different measurement practices for public and private parties, says communications director Janne Stang Dahl at the Norwegian Data Protection Authority.

INSPECTION: The Norwegian Data Protection Authority’s inspection of Nav has uncovered as many as 12 breaches of the Privacy Act. Photo: Anne Cecilie Remen / news

Regnskap Norge believes that Nav is in a special position, since the agency manages so much sensitive personal information about the population.

– Nav is the company that has the greatest insight into personal data, and then you should make stricter demands on them than on others to ensure that the law is complied with, says Aale-Hansen.

– How big should the fine be?

– Based on what the Data Protection Authority said in the interview with news, Nav gets away with it. The Data Protection Authority itself says that it would impose a much higher fine on a private business, so Nav should strictly have had a higher fine, says Aale-Hansen.

The framework for giving a fee under the Personal Data Protection Regulation, the so-called GDPR, is 20 million euros.

– This means that, in the worst case, Nav has received a penalty discount of 90 per cent solely because it is a public enterprise, Aale-Hansen believes.

Difference between private and public

But the Norwegian Data Protection Authority believes that there is a difference between private businesses that can profit from breaching privacy and public agencies such as Nav that receive subsidies from the state.
– If we propose an infringement fee that is even higher, then Nav will not have enough money to carry out its statutory duties towards the citizens, and then the state will have to give an additional grant to keep Nav running, says Stang Dahl at the Norwegian Data Protection Authority.

The Norwegian Data Protection Authority hopes that the infringement fee will have an effect and lead to better protection of privacy at Nav.

– The fee to Nav is both a deterrent and will hopefully lead to improvement and that they carry out the orders we believe they must do, says Stang Dahl.

The largest infringement fine that the Norwegian Data Protection Authority has given a private company is NOK 65 million, and was for the dating app Grindr for breaking the Personal Data Act.


