Library of Congress

Law Library of Congress

The Library of Congress > Law Library > News & Events > Global Legal Monitor

Norway: Data Protection Authority Orders National Health Authority to Stop Collecting User Data from COVID-19 App

(June 19, 2020) On June 15, 2020, the Norwegian Data Protection Authority announced that it had ordered the Norwegian National Health Authority (Folkehelseinstituttet, FHI) to stop collecting personal location data from its COVID-19 app, Smittestop.

The Data Protection Authority had previously launched an investigation into the data collection associated with the app and asked the FHI to justify and explain its use.

The Norwegian app, which was launched in April, tracks the data location of its users by collecting both GPS and Bluetooth location data and downloading that information onto a central server once per hour, retaining the data for up to 30 days. It was designed to register “close contacts” with others, defined as coming within 6 feet of them for more than 15 minutes. According to the Data Protection Authority, however, the app may be registering contacts within 10 meters (about 33 feet).

Under Norwegian law, a person is protected against invasions of privacy as stated both in article 102 of the Norwegian Constitution and in the European Union’s (EU’s) legislation on personal data privacy protection—the General Data Protection Regulation (GDPR)—under which an individual’s location data may be collected only if absolutely necessary to achieve the aim of the measure.

The Data Protection Authority’s concern was twofold. First, it was concerned by the FHI’s failure to adequately explain the purpose of collecting the data, which included both contact tracing and the evaluation of measures taken to prevent the spread of COVID-19. Secondly, it was concerned that data regarding persons who had not been confirmed as COVID-19 positive was also being stored on a central server. The Data Protection Authority noted that this information could, and according to EU recommendations, should instead be saved on the individual cellphone until an infection had been confirmed.

The Data Protection Authority also noted that apps aimed at tracing contacts of COVID-19- positive persons may well be necessary and justified in crisis situations such as the current pandemic, but it emphasized that at present the app’s use could not be justified in Norway:

The pandemic is most serious, and the consequences thereof have already been shown to be great – both on a human and financial level. As we have previously emphasized, a digital solution for contact tracing may be a relevant, effective, and proportional measure in a crisis situation.

However, on the basis of today’s situation [in Norway] – with low community spread, low use of the Smittestopp app and without [the app’s] achieving the goals of [enabling] contact tracing and evaluation of the measures to stop the spread of the disease – we consider Smittestop to no longer be a proportional invasion of the single user’s right to privacy.

The Data Protection Authority further noted that the number of persons infected with COVID-19 in early June was estimated at 50 to 500 persons, which is less than 0.01% of the Norwegian population. At the same time only 592,924 users were actively using the app, approximately 14% of the population. Using an app-based tracing system under such circumstances was thus not proportional. Accordingly, central to the Data Protection Authority’s decision was its determination that the app collects and stores personal data that may not be necessary to achieve the purpose of contact tracing.

Moreover, since the app’s launch in April, both Google and Apple have improved the functionality of Bluetooth, and the Data Protection Agency therefore recommended that the FHI determine if the use of GPS is strictly necessary in the future, urging the FHI to use only proximity data and not location data when tracking the spread of COVID-19.

The FHI has now ceased all collection of data by the app and, according to its announcement, removed all data previously collected. However, the FHI has asked users not to delete the app while they reconfigure it to conform to the Data Protection Authority’s requirements and meet the Data Protection Authority’s deadline of June 23, 2020, to respond.