Norway: Datatilsynet bans Coronavirus tracing app processing
The Norwegian data protection authority ('Datatilsynet') announced, on 15 June 2020, that it had issued a decision ('the Decision'), on 12 June 2020, banning data processing associated with the COVID-19 ('Coronavirus') tracing app. In particular, Datatilsynet noted, among other things, that, further to the Data Protection Impact Assessment ('DPIA') conducted by the Norwegian Institute of Public Health ('FHI'), the FHI has not sufficiently proven that use of location data is strictly necessary for monitoring the infection, that using anonymised and aggregated data for research and analysis is not yet possible, and that app users are unable to submit their personal data for the fulfilment of the purposes they choose, including contact tracing and research.
In addition, the Decision highlights that data subject rights have not been complied with, as subject access requests had not been fulfilled and some data had been deleted. Therefore, Datatilsynet decided that the processing was disproportionate, the principle of data minimisation under Article 5 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') had not been complied with, and the data processing related to the app is unlawful.
UPDATE (29 June 2020)
EDPB publishes statement on Decision
The European Data Protection Board ('EDPB') published, on 22 June 2020, a statement on the Decision to ban the use of the Coronavirus tracing app. In particular, the EDPB highlighted that the basis for the Decision was that the app did not constitute a proportionate intervention in users' fundamental rights to data protection. In addition, the EDPB noted that users of the app could not consent to the use of their data for contact tracing purposes without also agreeing to the data being used for analysis and research. In light of this, the EDPB stated that it questions this lack of choice for users of the app.
You can read the statement here.