(July 13, 2020) On July 6, 2020, the Norwegian Data Protection Authority issued a new prohibition on the collection of location data by the Norwegian National Health Authority (Folkehelseinstituttet, FHI) using the Norwegian COVID-19 contact tracing app, Smittestop. The decision comes after the Data Protection Authority evaluated the FHI’s response to the Data Protection Authority’s original decision, and found it lacking.
In its decision of July 6, 2020, the Data Protection Authority maintains, as it did in its original decision, that “Smittestopp has not constituted a proportional invasion of the individual user’s right to privacy.” As with the initial decision, the Data Protection Authority justified its decision on the basis of the current low-community spread of the coronavirus in Norway, the invasiveness of the central collection of data, and the low number of users of the app preventing effective tracing of contacts, which together made the invasion unproportional. The Data Protection Agency went on to explain that any new or updated version of the Smittestopp app, or other app with the same purpose, must comply with the prohibition and the Norwegian privacy protection framework before it can be made available for use in Norway.