Norway: Datatilsynet fines Argon Medical Devices NOK 2.5M for data breach notification delay
The Norwegian data protection authority ('Datatilsynet') announced, on 16 March 2023, its decision No. 21/03126-13, as issued on 8 March 2023, in which it imposed a fine of NOK 2.5 million (approx. €220,292) on Argon Medical Devices, Inc., for violation of Article 33(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a data breach.
Background to the decision
In particular, the Datatilsynet explained that Argon Medical Devices, a company based in the US, had suffered a cybersecurity incident. The Datatilsynet subsequently received a communication from a law firm, acting on behalf of Argon Medical Devices, stating that the company had experienced an incident affecting the personal data of all of its employees in Europe, including one employee in Norway.
Findings of the Datatilsynet
Further to the above, following its investigation, the Datatilsynet found that Argon Medical Devices had become aware of the personal data breach in question at least 67 calendar days before the notification was sent to the Datatilsynet. Since Article 33(1) of the GDPR requires a controller to notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of a personal data breach, this delay constituted a breach of Article 33(1) of the GDPR.
In this regard, the Datatilsynet noted, among other things, that Argon Medical Devices' account of how it had handled the breach, and of how it would handle breaches generally, revealed some of the possible root causes of the inadequacy of its measures. For instance, the Datatilsynet highlighted that Argon Medical Devices relies systematically and extensively on external consultants to determine whether a personal data breach should be reported in Europe. The Datatilsynet explained that such a compliance model generally slows down the breach notification process, in particular if it is not accompanied by clear instructions to the external advisors on the timeframe for their assessment, which must necessarily be shorter than 72 hours if the company is to meet the deadline under Article 33(1) of the GDPR.
In conclusion, the Datatilsynet imposed on Argon Medical Devices a fine of NOK 2.5 million, which may be appealed within three weeks from the date of receipt of the decision by Argon Medical Devices.