
JO - 2024/4601: Difference between revisions

From GDPRhub
 
(8 intermediate revisions by the same user not shown)
Line 66: Line 66:
}}
}}


The Sivilombudet held that a data subject had the right to bring an administrative appeal against the DPA's decision concerning her and to contest it on the merits.  
The Parliamentary Ombudsman held that complainants have the right to bring an internal appeal against the DPA's decision and to contest it on the merits, even when the decision does not affect them directly.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
An employer (the data controller) accessed the email address of an employee (the data subject) over suspicions of internal fraud. It was later discovered that the data subject committed no fraud.
An employer (the controller) accessed the email address of an employee (the data subject) over suspicions of internal fraud. It was later discovered that the data subject committed no fraud.


The data subject filed a complaint with the DPA. She claimed that her right to data protection was violated and request the DPA to impose a fine.
The data subject filed a complaint with the DPA. She claimed that her right to data protection was violated and request the DPA to impose a fine.


The DPA held that the controller violated Articles 5, 6, 13 and 14 GDPR. On these grounds, the DPA issued a reprimand against the controller and an order to bring internal processes into compliance. The DPA did not impose a fine.
The DPA held that the controller violated Articles [[Article 5 GDPR|5]], [[Article 6 GDPR|6]], [[Article 13 GDPR|13]] and [[Article 14 GDPR|14]] GDPR. On these grounds, the DPA issued a reprimand against the controller and an order to bring internal processes into compliance. The DPA did not impose a fine.


The data subject filed an administrative appeal before the Personvernnemnda (Privacy Appeals Board). In her appeal, she challenged the DPA’s decision not to fine the controller.
The data subject filed an internal appeal before the Personvernnemnda (the Privacy Appeals Board of the DPA). In her appeal, she challenged the DPA’s decision not to fine the controller.


The Personvernnemnda held that the data subject had no standing for appealing the decision and dismissed the appeal on procedural grounds.
The Board held that the data subject had no standing for appealing the decision and dismissed the appeal on procedural grounds. In this regard, The Board considered that the DPA’s decision put an end to the controller’s violation. On this basis, the Board held that the DPA’s decision not to inflict a fine, did not produce tangible and factual effects for the data subject. This, in turn, led to the conclusion that she was not a party to the decision and could not bring an appeal.


In this regard, The Personvernnemnda considered that the DPA’s decision put an end to the controller’s violation. On this basis, the Personvernnemnda held that the DPA’s decision not to inflict a fine did not produce tangible and factual effects for the data subject. This, in turn, led to the conclusion that she was not a party to the decision and could not bring an appeal.
The data subject further challenged the Board’s decision before the Sivilombudet (the Norwegian Parliamentary Ombud). She claimed that the Board was wrong in finding that she had no right to challenge the merits of the DPA’s decision.


The data subject further challenged the Board’s decision before the Sivilombudet (the Norwegian Parliamentary Ombud). She claimed that the Personvernnemnda was wrong in finding that she had no right to challenge the merits of the DPA’s decision.
=== Holding ===
The Sivilombudet held that the data subject could challenge the DPA’s decision, and that she had the right to challenge both its procedure and its merits. In particular, she had the right to a review of the correctness and proportionality of the corrective measures inflicted by the DPA.


=== Holding ===
On these grounds, the Sivilombudet ordered the Board to re-examine the data subject’s appeal, ensuring a full review of the DPA’s decision.
The Sivilombudet held that the data subject could challenge the DPA’s decision, and that she had a right to challenge both its procedure and its merit. On these grounds, the Sivilombudet ordered the Personvernnemnda to re-examine the data subject’s appeal, ensuring a full review of the DPA’s decision. In particular, the data subject had a right to a review of the correctness and proportionality of the corrective measures inflicted by the DPA.


==== On administrative appeals and Norwegian law ====
==== On internal appeals and Norwegian law ====
The Sivilombudet observed that the domestic rules on administrative appeals against the DPA were not entirely clear. However, the Sivilombudet also clarified that as a general principle, it is assumed that the right to bring an administrative appeal is as least as broad as the right to request a judicial review<ref>In this regard, the Sivilombudet referred to both its own case law and that of the Supreme Court (see, respectively, SOM-2017-301 and HR-2017-1130-A)</ref>. Therefore, the Sivilombudet interpreted held that the data subject had a right to bring an administrative appeal against the DPA.
The Sivilombudet observed that the domestic rules on internal appeals against the DPA were not entirely clear. However, the Sivilombudet also clarified that as a general principle, it is assumed that the right to bring an internal appeal is as least as broad as the right to request a judicial review<ref>In this regard, the Sivilombudet referred to both its own case law and that of the Supreme Court (see, respectively, SOM-2017-301 and HR-2017-1130-A)</ref>. Therefore, the Sivilombudet interpreted held that the data subject had a right to bring an internal appeal against the DPA's decision.


The Sivilombudet also clarified that such a broad interpretation of the law was necessary in light of [[Article 78 GDPR#1|Article 78(1) GDPR]] and of the ''Schufa'' and ''Land Hessen'' rulings of the CJEU<ref>CJEU, joint cases C-26/22 and C-64/22 ''SCHUFA Holding,'' 7 December 2023 (available [[CJEU - C‑26/22 and C‑64/22 - SCHUFA Holding and Others (Discharge from remaining debts) (Joined Cases)|here]]); case C‑272/19, Land Hessen, 9 July 2020 (available [[CJEU - C-768/21 - Land Hessen|here]]).</ref>.
The Sivilombudet also clarified that this broad interpretation of domestic law was justified in light of [[Article 78 GDPR#1|Article 78(1) GDPR]] and of the ''SCHUFA Holding'' and ''Land Hessen'' rulings of the CJEU<ref>CJEU, joint cases C-26/22 and C-64/22 ''SCHUFA Holding,'' 7 December 2023 (available [[CJEU - C‑26/22 and C‑64/22 - SCHUFA Holding and Others (Discharge from remaining debts) (Joined Cases)|here]]); case C‑272/19, Land Hessen, 9 July 2020 (available [[CJEU - C-768/21 - Land Hessen|here]]).</ref>.


==== On the scope of the administrative appeal ====
==== On the scope of the internal appeal ====
In the Schufa ruling, the Court held that [[Article 78 GDPR|Article 78 GDPR]] ("Right to an effective judicial remedy against a supervisory authority") provides anyone with the right to a full judicial review of a DPA’s decision that concerns them. In the Land Hessen ruling, the Court further clarified that this full judicial review incudes an assessment of whether a DPA exceeded its margin of discretion by inflicting (or not inflicting) a corrective measure.
In the ''SCHUFA Holding'' ruling, the Court held that [[Article 78 GDPR|Article 78 GDPR]] (''"Right to an effective judicial remedy against a supervisory authority"'') provides anyone with the right to a full judicial review of a DPA’s decision that concerns them. In the ''Land Hessen'' ruling, the Court clarified that under Article 78, a claimant may require an assessment of whether a DPA exceeded its margin of discretion by inflicting (or not inflicting) a corrective measure.


For this reason, the Sivilombudet concluded that in the case at hand, the data subject had grounds not only to challenge the DPA’s decision, but to challenge it on the merits- in particular, with regards to the DPA’s decision not to fine the controller.
On these grounds, the Sivilombudet concluded that in the case at hand, the data subject had grounds not only to challenge the DPA’s decision before the Board, but also to challenge it on the merits- in particular with regards to the DPA’s decision not to fine the controller.


== Comment ==
== Comment ==

Latest revision as of 09:15, 25 June 2025

JO - 2024/4601
Court: JO (Norway)
Jurisdiction: Norway
Relevant Law: Article 78(1) GDPR; Forvaltningsloven § 28
Decided: 21.05.2025
Published:
Parties: Datatilsynet (NO); an unnamed data subject
National Case Number/Name: 2024/4601
European Case Law Identifier:
Appeal from: Personvernnemnda (PVN-2024-1)
Appeal to: Unknown
Original Language(s): Norwegian
Original Source: Sivilombudet (in Norwegian)
Initial Contributor: cci

The Parliamentary Ombudsman held that complainants have the right to bring an internal appeal against the DPA's decision and to contest it on the merits, even when the decision does not affect them directly.

English Summary

Facts

An employer (the controller) accessed the email address of an employee (the data subject) over suspicions of internal fraud. It was later discovered that the data subject committed no fraud.

The data subject filed a complaint with the DPA. She claimed that her right to data protection was violated and requested the DPA to impose a fine.

The DPA held that the controller violated Articles 5, 6, 13 and 14 GDPR. On these grounds, the DPA issued a reprimand against the controller and an order to bring internal processes into compliance. The DPA did not impose a fine.

The data subject filed an internal appeal before the Personvernnemnda (the Privacy Appeals Board of the DPA). In her appeal, she challenged the DPA’s decision not to fine the controller.

The Board held that the data subject had no standing to appeal the decision and dismissed the appeal on procedural grounds. In this regard, the Board considered that the DPA’s decision put an end to the controller’s violation. On this basis, the Board held that the DPA’s decision not to inflict a fine did not produce tangible and factual effects for the data subject. This, in turn, led to the conclusion that she was not a party to the decision and could not bring an appeal.

The data subject further challenged the Board’s decision before the Sivilombudet (the Norwegian Parliamentary Ombud). She claimed that the Board was wrong in finding that she had no right to challenge the merits of the DPA’s decision.

Holding

The Sivilombudet held that the data subject could challenge the DPA’s decision, and that she had the right to challenge both its procedure and its merits. In particular, she had the right to a review of the correctness and proportionality of the corrective measures inflicted by the DPA.

On these grounds, the Sivilombudet ordered the Board to re-examine the data subject’s appeal, ensuring a full review of the DPA’s decision.

On internal appeals and Norwegian law

The Sivilombudet observed that the domestic rules on internal appeals against the DPA were not entirely clear. However, the Sivilombudet also clarified that, as a general principle, it is assumed that the right to bring an internal appeal is at least as broad as the right to request a judicial review[1]. Therefore, the Sivilombudet held that the data subject had a right to bring an internal appeal against the DPA's decision.

The Sivilombudet also clarified that this broad interpretation of domestic law was justified in light of Article 78(1) GDPR and of the SCHUFA Holding and Land Hessen rulings of the CJEU[2].

On the scope of the internal appeal

In the SCHUFA Holding ruling, the Court held that Article 78 GDPR ("Right to an effective judicial remedy against a supervisory authority") provides anyone with the right to a full judicial review of a DPA’s decision that concerns them. In the Land Hessen ruling, the Court clarified that under Article 78, a claimant may require an assessment of whether a DPA exceeded its margin of discretion by inflicting (or not inflicting) a corrective measure.

On these grounds, the Sivilombudet concluded that in the case at hand, the data subject had grounds not only to challenge the DPA’s decision before the Board, but also to challenge it on the merits, in particular with regard to the DPA’s decision not to fine the controller.


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Background to the case
An employer accessed an employee’s – A’s – email account on suspicion of complicity in embezzlement. A subsequently complained to the Norwegian Data Protection Authority, because she believed that the employer had violated several provisions of the General Data Protection Regulation (GDPR) when conducting the access. The Norwegian Data Protection Authority concluded that the employer had had a legal basis for accessing the email account, but believed that procedural provisions in the email regulations had been violated. In a decision on 28 November 2022, the Norwegian Data Protection Authority ordered the company to establish internal controls and procedures for accessing employees’ and former employees’ email accounts and other electronically stored material, cf. GDPR Article 58(2)(d).
On behalf of A, B (the representative) complained about the decision on 18 December 2022. In the complaint, he claimed, among other things, that the company should have been fined for the violation. The representative claimed that it constituted a violation of GDPR Article 83 to fail to issue a fine for the violations in the case. Based on the complaint, the Data Inspectorate found reason to partially amend the decision. In an amending decision on 5 September 2023, the Data Inspectorate concluded that the company had violated GDPR Articles 5, 6, 13 and 14 when carrying out the inspection of the email box. The violations concerned procedural obligations, including requirements for accountability, transparency, prior notification and data minimization. In the amending decision, the company was also required to improve its internal control. The Data Inspectorate issued a reprimand to the company as a corrective measure (reaction) for the violations, cf. GDPR Article 58 No. 2 letter b. The Data Inspectorate pointed out that the violations affected a limited number of persons, and that the violations of the accountability principle and the transparency principle that had been established mainly only affected the complainant. In the Authority's assessment, the case was not of such a nature that a fine was an appropriate response. The Authority stated in its decision that the choice of corrective measures was not an individual decision that could be appealed by the complainant, cf. Section 28 of the Public Administration Act.
On 18 September 2023, the representative appealed the Authority's decision. He stated, among other things, that the failure to impose a fine in the case was not in line with the EU Data Protection Council's guidelines. The Authority found no reason to change the decision, and the case was sent to the Data Protection Board.
In its decision of 28 May 2024 (PVN-2024-1), the Data Protection Board concluded that the complaint that a fine was not imposed had to be rejected. The Board indicated that A did not have the right to appeal. The decision to reprimand was not decisive for the complainant's rights and obligations, and the decision was not directed at her, as required by the Public Administration Act.
On behalf of A, the representative filed a complaint with the Civil Ombudsman.
Our investigations
We found reason to investigate the issue of the right to appeal. In a letter dated 8 January 2025, we asked the Data Protection Board whether the right to an effective remedy, cf. GDPR Article 78(1), could mean that the data subject had a right to appeal against the Data Protection Authority's decision, including the decision on reaction/corrective measures against the controller in their complaint case.
We referred to two decisions from the European Court of Justice that concluded that a person who believes that he or she has been the victim of a data protection violation can bring the supervisory authority's decision before the courts. The first was the decision of the European Court of Justice on 7 December 2023 in the joined cases C-26/22 and C-64/22 Schufa, and the second was the decision of the European Court of Justice on 26 September 2024 in case C-768/21 Land Hessen. In these decisions, the CJEU assumed that the right to an effective remedy implies the right to a full judicial review of the supervisory authority's decision in a complaint case, including a review of whether the complaint case has been handled in a manner that is appropriate, necessary and proportionate, and further, whether the supervisory authority's exercise of discretion has been within the margin of discretion granted to the supervisory authority in the GDPR. At the same time, we pointed out that it is assumed that persons who have the right to bring an action regarding the validity of a decision normally have at least an equally broad right to appeal against the decision.
In a letter dated 24 February 2025, the Data Protection Board answered our questions. The Data Protection Board understood the CJEU's decisions to mean that they did not appear to clarify the question of who has standing to bring an action, but instead concerned the scope of the court's right of review once an action has been brought. Based on such an interpretation, the Norwegian Data Protection Board held that the decisions of the European Court of Justice did not indirectly grant an extended right of action – and thus not an extended right of appeal – beyond what follows from national rules. In the Board's view, the complainant had neither a right of appeal nor a right of appeal against the Data Protection Authority's decision, because the decision to reprimand had no demonstrable actual effects for her – beyond the interest that may have been in the desire that the Data Protection Authority should have reacted more strictly. In the Board's view, it was the business complained of – to which the decision to reprimand was directed – that could demand that the Data Protection Authority's decision be reviewed by the courts on the basis of GDPR Article 78(1). If the decision on corrective measures had had actual effects for the complainant, for example in the event of an ongoing data protection infringement where the Data Protection Authority's decision on corrective measures would have had an impact on whether – and if so when – the infringement ceased, the complainant would, in the Board's view, however, have fulfilled the condition of legal interest in bringing an action. The Board assumed that in that case she would also have had a right to sue as a starting point.
The representative was sent the Data Protection Board's letter. In the letter of 17 March 2025, he commented, among other things, that the Data Protection Board misinterpreted the decisions of the European Court of Justice. He further claimed that it is sufficient for the right to judicial review that the complainant is dissatisfied with how the Data Protection Authority has handled the case. The comments were forwarded to the Data Protection Board, which had no comments in return.
The Ombudsman's view of the case
The question in the case is whether A also has a right to complain about the part of the Data Protection Authority's decision of 5 September 2023 that concerns corrective measures as a follow-up to the data protection breach against A, cf. Section 28, first paragraph, of the Public Administration Act.
The Ombudsman will then first review the legal principles in the GDPR regarding the right for individuals to complain to the Data Protection Authority when they believe their personal data is being processed unlawfully. The main rules on the right to appeal against the Data Protection Authority's decisions under the rules of the Administrative Procedure Act are then reviewed. Finally, the provision on individuals' right to judicial review in GDPR Article 78 No. 1 is reviewed. This is because it is generally assumed that the right to appeal under the Administrative Procedure Act should not be narrower than the right to judicial review. Because the activities of the courts lie outside the ombudsman's area of work, the ombudsman does not, however, go into more detail about the conditions regarding the subject matter of the lawsuit, party affiliation and lawsuit situation in Section 1-3 of the Disputes Act (the general conditions for bringing a lawsuit).
Legal principles on the right to appeal to the Data Protection Authority
The EU General Data Protection Regulation (2016/679) of 27 April 2016 – commonly referred to as the GDPR – applies as Norwegian law, cf. Personal Data Act § 1.
It follows from GDPR Article 77 that anyone who believes that their personal data are being processed in a way that is contrary to the regulation has the right to complain to the national supervisory authority. In Norway, this is the Data Protection Authority. The Authority shall, according to Article 57(1)(f), handle complaints received and, to the extent appropriate, investigate the subject matter of the complaint and inform the complainant of the progress and outcome of the investigation.
The Data Protection Authority shall handle all complaints received “with all due diligence” («med omhu» in Danish translation), cf. the judgment of the European Court of Justice of 16 July 2000 in case C-311/18 Facebook Ireland and Schrems, paragraph 109. The right to complain to the Authority is intended to be a mechanism that will effectively protect the rights and interests of the data subjects, cf. the judgment of the Court of Justice of the European Union on 7 December 2023 in cases C-26/22 and C-64/22 Schufa, paragraph 58. In the same place, it is clarified that the right of appeal is not a form of request (petition in English, and similar procedure in Danish).
In order to process complaints received, the Data Inspectorate is given authority in Article 58(1) to conduct investigations, require access to information and request the provision of information necessary to decide the case.
If the investigations reveal violations of provisions in the GDPR, the Data Inspectorate is obliged to intervene in an appropriate manner with the means listed in Article 58(2), cf. the judgment of the Court of Justice of the European Union on 26 September 2024 in case C-768/21 Land Hessen, paragraph 33. The Data Inspectorate may, pursuant to Article 58(2), impose various types of corrective measures on the controller to mitigate the data protection breach. The Data Protection Authority has discretion to choose which corrective measure or measures are appropriate and necessary in the individual case, cf. Land Hessen, paragraph 37. The discretion shall be exercised in a manner that ensures effective enforcement of the GDPR and a uniform and high level of protection of personal data, cf. Land Hessen, paragraph 38. The Data Protection Authority may, exceptionally and based on the special circumstances of the case, refrain from adopting a corrective measure, for example if the complained personal data breach has ceased and the undertaking has taken adequate measures, cf. Land Hessen, paragraphs 43-46.
One of the corrective measures that may be adopted by the Data Protection Authority is a violation fine. The general conditions for violation fines are given in Article 83. Violation fines may be given in addition to – or instead of – other corrective measures depending on the circumstances of the case, cf. Article 58(2)(i). The Board, an independent EU body established under Article 68 of the GDPR with the task of monitoring and ensuring the consistent application of the GDPR, has issued guidelines on the calculation of administrative fines ('Guidelines 04/2022 on the calculation of administrative fines under the General Data Protection Regulation'). The Board has also endorsed a guide published by the WP 29 Working Party (an advisory group established under the former Data Protection Directive 95/46/EC) on the use of administrative fines as a tool to ensure consistent application of the Regulation ('Guidelines on the application and setting of administrative fines under Regulation 2016/679 (WP 253)').
The right of appeal to the Norwegian Data Protection Authority is an important mechanism for ensuring effective protection of individuals' fundamental rights and interests provided for in the GDPR. Furthermore, the Ombudsman understands that the Norwegian Data Protection Authority has discretion in how to enforce established violations of the GDPR, including which corrective measures are appropriate to decide as a result of the data protection breach. However, this discretion has clear limits, both expressly provided for in the provisions of the GDPR and in the guidelines issued by advisory bodies to ensure uniform practice in enforcement.
Legal basis in the Administrative Procedure Act on the right to appeal against individual decisions
The Administrative Procedure Act applies to the case processing of the Norwegian Data Protection Authority and the Data Protection Board, cf. Prop. 56 LS (2017-2018) chapters 26.5 and 27.5. The GDPR does not provide its own rules on how cases should be processed by the Norwegian Data Protection Authority beyond the framework for complaint processing reviewed in the section above. The same applies to the Data Protection Board's case processing, since the GDPR does not regulate administrative access to appeal.
It is clear that the Norwegian Data Protection Authority's decision on 5 September 2023 in this case was an individual decision pursuant to Section 2, first paragraph, letter b, of the Public Administration Act. Individual decisions can be appealed by a party or other person with a legal interest in appealing in the case, cf. Section 28, first paragraph, of the Public Administration Act. During the case processing at the Norwegian Data Protection Authority, both A and her employer were treated as parties, but the decision states that the choice of corrective measures is not an individual decision that can be appealed by the complainant. The Ombudsman assumes that this means that the Data Protection Authority assumed that the complainant, here A, is only a party to parts of the decision on 5 September 2023, and therefore only has the right to appeal parts of the Norwegian Data Protection Authority's decision. The Privacy Board also seems to have assumed this since parts of A's complaint against the Norwegian Data Protection Authority's decision have been processed on the merits.
The reason why A is considered a party to parts of the decision is explained in more detail in the Data Protection Board's decision in this case (PVN-2024-1), under the section "The Data Protection Authority's choice of reaction". Here, the board refers to its own administrative practice, which assumes that a person whose personal data is processed by a data controller is "considered a party in a case where the Data Protection Authority assesses whether the data controller has processed the personal data of the data subject in accordance with the law". The Data Protection Board then pointed out that the Data Protection Authority's decision to issue a reprimand instead of a violation fine is not a decision that determines the rights and obligations of the complainant, or a decision that is "directed against" the data subject, cf. the definition of who is a party in Section 2, first paragraph, letter e, of the Public Administration Act. In the letter to the Civil Ombudsman on 24 February 2024, the Data Protection Board writes on page 1 that it is clear that the complainant in case PVN-2024-1 was not a "party" to the case. The Civil Ombudsman interprets this to mean that the Data Protection Board is referring to its previous position that the complainant is not a party to the decision to determine the sanction, but that she is otherwise a party to the case when it comes to the assessment of the lawfulness of the processing of her personal data. The term "party" in the Public Administration Act, section 2, first paragraph, letter e, is defined as a person "to whom a decision is addressed" or "to whom the case otherwise directly applies". In the Ombudsman's statement on 18 December 2020 (SOM-2019-5140) point 2.1, it is indicated that the term "party" shall be determined specifically with the starting point in "the issue that the relevant law establishes", cf. Ot.prp.nr.3 (1976–1977) page 57. 
During the investigation, the Civil Ombudsman did not go into further detail about whether A can be considered a party because the case “otherwise directly concerns” her, cf. the Public Administration Act, section 2, first paragraph, letter e, second alternative. The topic for the Ombudsman has been the question of whether A has a legal interest in appealing in any case and thus a right to appeal against the Data Protection Authority’s decision. If she has a right to appeal, she will initially become a party to the appeal, cf. SOM-2019-5140, cf. Ot.prp.nr.38 (1964-1965) page 99.
The Civil Ombudsman has previously stated several times about the condition of legal interest in appealing, including in the Ombudsman’s statement of 28 November 2018 (SOM-2017-301):
“Whether a person has a legal interest in appealing depends on the extent to which the decision in question has factual and legal effects for the person concerned. The starting point is that the complainant has a legal interest in appealing if his connection to the case is of such a nature and strength that it is reasonable and natural that he be given the opportunity to have the decision reviewed by a higher administrative authority. A specific overall assessment of the factual circumstances of the case must be made. The requirements that are made may vary from administrative area to administrative area, and based on the specific circumstances of the individual case. The concept of legal interest in appealing is taken from the concept of legal interest in the former Civil Procedure Act, Section 54. It was assumed that everyone who has legal standing should also have the right to appeal the decision, cf. Ot.prp. no. 38 (1964–65) pp. 98–99. In SOM-2017-301, the Ombud pointed out that it is generally assumed that the right to appeal an individual decision is in any case no narrower than the right to bring the decision before the court. Legal sources related to the right to bring a case before the courts regarding public law matters are thus also relevant to the question of legal interest in bringing a complaint.
In HR-2017-1130-A, the Supreme Court has assumed that the concept of "legal interest in bringing a complaint" in Section 28 of the Public Administration Act has approximately the same content as the requirement for independent interest in bringing a case in Section 1-3 of the Dispute Act, although there may be certain nuances, see section 37. The conditions for the right to bring a complaint and the competence to bring a case will not necessarily coincide in all cases, for example if strong considerations argue against others than the party itself having access to bring a case, cf. HR-2017-1130-A section 57.
The definition of who has a legal interest in bringing a complaint and thus the right to bring a complaint under the Public Administration Act was originally intended to exclude complaints that were in the nature of interference by unauthorized persons in the case, cf. Hans Petter Graver and Henriette N. Tøssebro, Alminnelig forvaltningsrett, 6th edition, Universitetsforlaget, 2024 p. 504, with reference to the Administrative Committee's recommendation (NUT 1958: 3) p. 276. Graver/Tøssebro write in the same place that the ministry in the proposition seems to have advocated a somewhat more restrictive delimitation, but that practice and theory after the Public Administration Act was passed have moved in the direction of the Administrative Committee's more liberal delimitation. Graver/Tøssebro assume in the commentary edition that the general principle of reasonableness and the right to defend one's own interests and rights indicate that one gives the right to appeal to anyone affected by the decision, and does not cut anyone off based on a more formalistic interpretation of the expression "legal interest in appealing".
Karnov's legal commentary states that the scope of the right of appeal will also depend on a balance between the interests of the complainant on the one hand and the interests of the party on the other, cf. Marius Stub, Karnov's legal commentary, Administrative Procedure Act, note 3 to section 28. It is pointed out here that the broader the right of appeal, the more uncertain the party's position becomes. The legal commentary further assumes that decisions imposing administrative reactions or sanctions can be appealed by the person against whom the decision is directed, but not by a person who solely believes that the administration should have reacted more strictly (or more leniently). In the proposal for a new Administrative Procedure Act in Prop. 79 L (2024–2025), the condition of legal interest in appealing is proposed to be continued, but with a linguistic change based on the model of the Dispute Act, see the proposition, point 20.5.4.1 Right of appeal for parties and others who are significantly affected by the decision. The circle of persons entitled to appeal is proposed to be the same as under current law, cf. page 457.
In the Ombudsman's view, there is legal doubt as to whether A meets the condition of legal interest in bringing an appeal. Since the condition of legal interest in bringing an appeal must be assessed comprehensively and specifically – and may vary from administrative area to administrative area – case law or legal theory relating to other areas of law will not be directly transferable when interpreting legal interest in bringing an appeal in cases concerning the GDPR. The consideration of the possibility of reviewing the Data Protection Authority's decision – aimed at the objective of ensuring that the appeal mechanism safeguards a uniform and high level of protection for personal data – may indicate that it is reasonable and natural that the person who has complained to the Data Protection Authority be given the opportunity to have the decision reviewed in its entirety by the Data Protection Board. The complainant – as a party to a complaint case with the Authority – is in any case not to be considered as an outsider in the case.
A complaint based on possible inadequate enforcement of a data protection violation may also be based on something other than a pure desire for a stricter reaction. The complaint may be a principled objection that the case does not appear to have been handled by the Norwegian Data Protection Authority in line with the legal rules that have been given. The requirement for clear factual effects as a condition for legal interest in lodging a complaint does not necessarily safeguard the consideration that enforcement of the GDPR concerns the protection of individuals' fundamental rights. The factual effects of the Norwegian Data Protection Authority's decision on corrective measures (or failure to take such measures) may be difficult for the individual to demonstrate. However, it is clear that possible inadequate enforcement of a complaint case by the Norwegian Data Protection Authority can generally have both legal and factual effects on individuals' legal protection. The Ombudsman's preliminary conclusion is therefore that there is some doubt as to whether the complainant has a legal interest in lodging a complaint regarding the Norwegian Data Protection Authority's decision on reprimand in this case, cf. Section 28, first paragraph, of the Public Administration Act. The question is whether the EU Court of Justice's treatment of the right of appeal in the GDPR and the right to judicial review has significance for the assessment and decision of whether the complainant has a legal interest in appealing under Section 28, first paragraph, of the Public Administration Act.
Legal principles on the right to an effective remedy
It follows from Article 78(1) of the GDPR that there shall be a right to an effective judicial remedy against the supervisory authority's decision. Article 78(1) of the GDPR reads as follows:
"Without prejudice to any other administrative or non-judicial review, every natural or legal person shall have the right to an effective judicial remedy against a legally binding decision concerning them taken by a supervisory authority."
The provision is discussed in recital 143 of the GDPR. Regarding the right to judicial review, the recital states, among other things, the following:
“(…) every natural or legal person [should] have the right to an effective judicial review before the competent national court against a decision taken by a supervisory authority which produces legal effects concerning that person. Such a decision concerns in particular the supervisory authority’s power to conduct investigations, to adopt corrective measures and to accept or reject or dismiss complaints. However, the right to an effective judicial review does not extend to measures taken by supervisory authorities which are not legally binding, such as opinions or advice from the supervisory authority.”
In Kuner, Bygrave and Docksey, The EU General Data Protection Regulation (GDPR) A Commentary, 2020, on page 1130, it is assumed that a decision having legal effects means “a measure, whatever its nature or form, which is ‘intended to have legal effects that are binding on, and capable of affecting the interests of, the applicant by bringing a distinct change in his legal position’”.
The wording of Article 78(1) of the GDPR alone suggests that only the person to whom the decision is addressed has the right to an effective remedy. A decision on corrective measures from the Data Protection Authority in a complaint under the GDPR will always be directed at the controller and/or a data processor.
The Court of Justice of the European Union has issued several preliminary rulings (judgments in which the Court of Justice of the European Union provides an interpretation of EU law provisions at the request of national courts) on the interpretation of Article 78(1) of the GDPR. In the Ombudsman's view, these clearly suggest that the person who has lodged the complaint also has the right to a full judicial review of the Authority's decision. The Ombudsman will below review these decisions from the Court of Justice of the European Union that deal with how the right to an effective remedy should be understood.
The Court of Justice of the European Union's decision of 7 December 2023 concerns the joined cases C-26/22 and C-64/22 Schufa. The case concerned a legal action brought by two complainants who considered that the processing of their personal data in a debt register was unlawful. Their complaint to the national supervisory authority had been unsuccessful, as the supervisory authority considered that the processing of their personal data was lawful. One of the interpretative questions that the CJEU was to rule on in the case was whether the right to judicial review under Article 78(1) of the GDPR of a decision by a national supervisory authority is limited to assessing whether the complaint from the data subjects had been processed and examined to a reasonable extent, or whether the decision is subject to full judicial review.
The CJEU initially stated that when interpreting a provision of EU law, regard must be had not only to its wording but also to the context and purpose of the regulation, see paragraph 48. As regards the wording, the CJEU pointed out that the decision of the German supervisory authority in the complainants’ case was a legally binding decision as referred to in Article 78(1) of the GDPR. The CJEU pointed out that a supervisory decision rejecting or dismissing a complaint from an individual who considers that he or she has been subject to a breach of the GDPR constitutes a decision having legal effects, see paragraph 50. As regards the context of the regulations, the CJEU pointed out that the national supervisory authorities are responsible for supervising compliance with the GDPR and that they are obliged to handle complaints from individuals with “all due diligence”, see paragraph 56. Furthermore, in paragraph 57, the CJEU pointed out that where the supervisory authority finds that there has been a breach of the provisions of the Regulation, they are obliged to react in an appropriate manner.
The Court emphasised that the right to lodge a complaint with the supervisory authority is intended as a mechanism suitable for effectively protecting the interests and rights of data subjects, see paragraph 58. In that context, the CJEU stated that the right to effective judicial protection would not be fulfilled if the exercise of the supervisory authority's powers, including the power to investigate and the power to take corrective measures, were subject only to limited judicial review, see paragraph 59. The CJEU further stated that the purpose of the GDPR is to ensure a high level of protection for natural persons in the EU. In the event of limited judicial review of the supervisory authority's handling of a complaint, the objectives of the Regulation would be jeopardised, see paragraph 62. In light of these points, the CJEU concluded that Article 78(1) of the GDPR shall be interpreted as meaning that a decision on a complaint, which has been adopted by a supervisory authority, is subject to full judicial review, see paragraph 70.
When it came to the scope of the courts' right of review, the CJEU pointed out that the national supervisory authority has a margin of discretion in how to enforce a complaint, including which corrective measures to take pursuant to GDPR Article 58(2), see paragraph 68. The margin of discretion means that the national court shall not determine what is an appropriate reaction based on its own opinion of the case, but that the court shall check whether the national supervisory authority has remained within the limits of its discretion, see paragraph 69.
In the CJEU's preliminary ruling of 26 September 2024 in case C-768/21 Land Hessen, the scope of the court's right of review pursuant to GDPR Article 78(1) was elaborated. The case concerned a lawsuit from an individual who believed that the supervisory authority's enforcement of his complaint had been inadequate and that the company should have been fined. The question of interpretation that the CJEU had to decide on in this case was whether the GDPR should be interpreted as meaning that the supervisory authority is obliged to always adopt corrective measures when establishing a breach of the regulations, cf. GDPR Article 58(2), or whether the supervisory authority may refrain from taking corrective measures based on the circumstances of the case, see paragraph 20.
The CJEU initially pointed out that complainants whose data protection rights have been violated do not have a subjective right to request that a corrective measure, including a fine, be imposed on the controller, see paragraph 41. At the same time, the CJEU pointed out that the supervisory authority is obliged to intervene with one or more corrective measures pursuant to GDPR Article 58(2) when, having regard to all the circumstances of the specific case, it is appropriate, necessary and proportionate to remedy the data protection breach and ensure full compliance with the GDPR, see paragraph 42. The CJEU therefore considered that it could not be excluded that the national supervisory authority could, exceptionally and taking into account the particular circumstances of the specific case, fail to adopt a corrective measure, for example where the infringement had ceased, see paragraph 43. A prerequisite was that a failure by the supervisory authority to take corrective measures did not undermine the requirement for effective enforcement of the Regulation, see paragraph 46. The CJEU then made certain observations relating to the use of infringement fines. The CJEU pointed out that the purpose of infringement fines was to strengthen the enforcement of the Regulation. With reference to recital 148, the CJEU pointed out that in the case of minor infringements of the GDPR, or where a fine would constitute a disproportionate burden for a natural person, a reprimand may be given instead of a fine, see paragraph 47.
The CJEU concluded that it is up to the national court to assess whether the supervisory authority's handling of the complaint from the data subject was in line with the rules in the GDPR, including whether the framework for discretion under Article 58(2) of the GDPR was complied with by the supervisory authority, see paragraph 49.
In the Ombudsman's view, the decisions of the CJEU clearly point in the direction that the person who has complained to the supervisory authority may also demand judicial review of the supervisory authority's handling of the complaint in its entirety. The Ombudsman will elaborate on this in the following.
First, both cases before the CJEU concerned actions brought by individuals who considered that the supervisory authority’s enforcement of their complaints was incorrect or inadequate. It was against this factual background that the CJEU stated how the right of review should be understood. Reference is made in particular to the introduction in paragraph 49 of the Land Hessen case, which states:
“Since decisions on complaints adopted by a supervisory authority are subject to full judicial review (judgment of 7 December 2023, SCHUFA Holding (Discharge from remaining debts), C‑26/22 and C‑64/22, EU:C:2023:958, paragraph 70), it is for the referring court to ascertain whether the HBDI dealt with the complaint concerned with all due diligence and whether, in adopting the decision at issue in the main proceedings, the HBDI complied with the limits of the discretion conferred on it by Article 58(2) of the GDPR…”

In the Ombudsman’s view, this paragraph in particular from the ECJ’s decision in C-768/21 Land Hessen suggests that all aspects of the Data Protection Authority’s decision may also be subject to judicial review by the complainant.
Secondly, the purpose of the right to judicial review suggests that the person who has complained to the supervisory authority may also demand a judicial review of how the supervisory authority has handled the complaint. The Ombudsman finds it difficult to reconcile the decisions of the European Court of Justice with the fact that it is primarily the person against whom the corrective measure is directed, i.e. the business, who should have the right to judicial review under Article 78(1) of the GDPR. If the provision in Article 78(1) were to be interpreted in this way, it would in practice mean that judicial review was reserved for cases where the business believes that the supervisory authority's enforcement of the case is unlawfully strict.
Thirdly, the consideration of effective legal protection dictates that it is not only the business that has the right to judicial review of the supervisory authority's decision, but that this also applies to the person protected by the regulations. Although the European Court of Justice emphasises that the individual who has been subjected to a data protection breach has no subjective right to have the Norwegian Data Protection Authority enforce a case in a particular way, the consideration of effective enforcement of the GDPR in order to ensure uniform practice and a high level of protection is emphasised by the European Court of Justice as a fundamental consideration. There would be an imbalance in the right to judicial review if the Data Protection Authority's failure to adopt a corrective measure, including a fine, could not be brought before the court by the complainant to whom the case relates. This would lead to a fundamental imbalance in the possibility of judicial review of the Data Protection Authority's exercise of authority in complaint cases.
In the Ombudsman's assessment, the decisions of the Court of Justice of the European Union must be understood as meaning that the right to an effective remedy means the right to review of the overall handling of the case, where decisions on the use of - or failure to use - corrective measures are part of the review. In the Ombudsman's view, the decisions of the Court of Justice of the European Union also clearly point in the direction of both the respondent and the complainant being entitled to request judicial review of the complaint case decision in its entirety.
Does the complainant have a right to judicial review of this case?
Judicial review under Article 78(1) of the GDPR seems to require that two conditions are met. First, there must be a legally binding decision, and secondly, there must be a connection to the case, "which concerns them".
The Ombudsman believes that it is beyond doubt that the Data Protection Authority's decision of 5 September 2023 was in itself "a legally binding decision", as referred to in Article 78(1). The Ombudsman finds reason to highlight paragraph 50 of the judgment of the Court of Justice of the European Union of 7 December 2023 in the joined cases C-26/22 and C-64/22 Schufa. Here, the Court of Justice of the European Union finds that the supervisory authority's decisions in the contested cases were legally binding decisions as referred to in Article 78(1). Based on recital 143, legally binding decisions also appear to be delimited against measures that are not legally binding, such as advice and guidance. The crux of the case is therefore whether the Data Protection Authority's decision of 5 September 2023 - including the part that concerned the reprimand against the business - must be considered to also apply to the complainant, cf. the condition for judicial review in Article 78(1).
In its response to the Ombudsman, the Data Protection Board has assumed that the complainant would have had both a right of complaint and a right of action if she could demonstrate that the Data Protection Authority's decision on corrective measures had had actual effects on her, for example in the event of an ongoing data protection violation. The Ombudsman assumes that whether a data protection violation is ongoing or not will be a factor that is important for whether the Data Protection Authority is required to take a decision on corrective measures pursuant to Article 58(2) of the GDPR, cf. the judgment of the Court of Justice of the European Union of 26 September 2024 in case C-768/21 Land Hessen, paragraphs 43-46. However, in the Ombudsman's view, the matter does not seem relevant to the question of the right of review.
In the Ombudsman's view, the decisions of the Court of Justice of the European Union do not support an interpretation that the complainant's right to judicial review requires such actual effects of the exercise of authority as the Data Protection Board has assumed. The data protection violation in case C-768/21 Land Hessen, for example, had ceased when the complainant brought legal action against the Authority's decision in his complaint case because he believed that enforcement was too weak. The Ombudsman therefore finds no basis in the decisions of the Court of Justice of the European Union that the condition for the right to review requires that the use - or failure to use - of corrective measures by the Authority has actual effects on the complainant.
The Ombudsman's conclusion is on this basis that the decisions of the Court of Justice of the European Union, reviewed above, indicate that the complainant has the right to judicial review of the Data Protection Authority's decision of 5 September 2023, including the choice of corrective measures, because the decision "applies" to her individual complaint case, cf. GDPR Article 78, paragraph 1.
Does the right to judicial review mean that the complainant also has a legal interest in appealing under the Public Administration Act?
The arrangement with the Data Protection Board as the appeal body for the Data Protection Authority's decision was continued with the introduction of the GDPR, see Prop. 56 LS (2017-2018) point 27.5. The purpose of the right of appeal to the Data Protection Board was to have a low-threshold appeal system. In this regard, the Ministry pointed out that it could represent a great burden for both citizens and businesses to have to go to court in the event of disagreement about the Data Protection Authority's decision. In the Ombudsman's view, these assumptions indicate that the Data Protection Board should be able to review the Data Protection Authority's decision to the same extent as the courts would do in a judicial review of the case. In the Ombudsman's view, the decisions of the Court of Justice of the European Union clearly point in the direction of the complainant having the right to full judicial review of the Data Protection Authority's decision. The subject of the review will then be whether the Authority has processed her complaint "with all due diligence", and whether the choice of corrective measures pursuant to GDPR Article 58 No. 2 was within the margin of discretion granted to the Authority in the regulation, cf. C-768/21 Land Hessen paragraph 49. The question is whether the right to judicial review implies that she also has a legal interest in bringing an action under Section 28 of the Administrative Procedure Act.
As mentioned under the legal principles, it is generally assumed that the right to appeal a decision administratively should in any case not be narrower than the right to bring the decision before the courts. In its letter to the Civil Ombudsman, the Data Protection Board has assumed that the complainant would have had a right to appeal against the Data Protection Authority's decision if she had also had a right to bring an action. The Ombudsman agrees with this principle. The conclusion that the complainant - based on the decisions of the European Court of Justice - initially appears to have a right to judicial review of all aspects of the Data Protection Authority's decision implies that she also has a legal interest in bringing an action. On this basis, the Ombudsman does not find it necessary to conclude on the question of whether the complainant has a legal interest in bringing an action also independently of the express provision in GDPR Article 78(1) on the right to an effective remedy.
The Civil Ombudsman therefore assumes that the complainant had a legal interest in appealing against the Norwegian Data Protection Authority's decision of 5 September 2023 to reprimand the employer for violating the GDPR by accessing the complainant's email account, cf. Section 28, first paragraph, of the Public Administration Act. The complaint against the decision on corrective measures should therefore not have been rejected by the Data Protection Board in the Ombudsman's view.
Conclusion
The Civil Ombudsman understands the right to an effective remedy in GDPR Article 78(1) – interpreted in light of the decisions of the Court of Justice of the European Union – so that both the business and the complainant are in principle entitled to judicial review of all aspects of the Norwegian Data Protection Authority's decision in the case. Judicial review involves checking whether the Norwegian Data Protection Authority has handled the case "with all due diligence", and whether the choice of corrective measures pursuant to GDPR Article 58(2) was within the margin of discretion granted to the Authority in the regulation, cf. C-768/21 Land Hessen paragraph 49.
The consequence of a complainant's right to judicial review is that the complainant meets the condition of legal interest in bringing an action pursuant to Section 28, first paragraph, of the Public Administration Act. There are no factors, as the case is explained, that indicate that the right to appeal should be narrower than the right to judicial review. The Ombudsman therefore finds it unnecessary to consider whether the complainant would have had a legal interest in bringing an action independently of the right to judicial review.
The Civil Ombudsman requests the Data Protection Board to re-assess the complaint from A against the Data Protection Authority's decision of 5 September 2023 in light of the Ombudsman's comments in this statement.
  1. In this regard, the Sivilombudet referred to both its own case law and that of the Supreme Court (see, respectively, SOM-2017-301 and HR-2017-1130-A)
  2. CJEU, joined cases C-26/22 and C-64/22 SCHUFA Holding, 7 December 2023; case C‑272/19, Land Hessen, 9 July 2020.