The Norwegian Supreme Court on "legitimate interests" as basis for data processing pursuant to GDPR

news
15 Dec 2021
Category
Insights

Decision of 7th December 2021 (the "Legelisten case")

The case concerned the issue of whether Legelisten.no (Legelisten), an internet-based service for anonymous sharing of information about, amongst others, general practitioners, specialty doctors and dentists, has legal basis for the registering and publishing of subjective user evaluations of health professionals.

The background of the case was complaints from health professionals who requested to opt out of being reviewed on the web site, based on experiencing negative and disagreeable comments able to influence the professional's role as "gatekeeper" for public benefits. The Norwegian Data Protection Authority (DPA) rejected the request on 6 October 2016, but after the Privacy Appeals Board sent the case back to the DPA for a new consideration, the DPA directed Legelisten to provide for a general access to opt out. Following this, an approximate number of 1 100 requests to opt out was received from medical personnel.

Following an appeal, the Privacy Appeals Board however ruled in decision of 21 January 2019 (dissent 5-2) that Legelisten had basis for processing pursuant to EU's General Data Protection Regulation (GDPR) article 6 no. 1 litra f concerning "legitimate interests", and that there was no obligation to open for such general access to opt out for health professionals. The GDPR applies pursuant to the Personal Data Act 2018 section 1 as Norwegian law. Article 6 lays down that processing of personal data is only legal if and to the extent that at least one of the following conditions are met:

[…]

f) processing is necessary for the purposes connected to the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Both the City Court and the Appeals Court found that the decision by the Privacy Appeals Board was valid and acquitted Legelisten. The case was appealed to the Supreme Court by the Norwegian Medical Association. Before the Supreme Court, the parties agreed that Legelisten safeguarded "legitimate interests" (patients' freedom of speech, consumer interests, competition considerations, other public considerations as improved health services and Legelisten's economic purpose), but the Medical Association argued that the necessity requirement in art. 6 no. 1 litra f was not fulfilled and maintained further that the balancing of interests had to favour the protection of privacy for health personnel, not the interests of the general public.

The Supreme Court's evaluations

The Supreme Court ascertained first that the courts have competence to examine the Privacy Appeals Board's decision in full, both the evidence and the legal assessments. Following this a unanimous Supreme Court concluded in the same manner as the preceding judicial authorities, following an overall assessment of the necessity-criteria and of the relevant interests in the case, that there is basis for data processing pursuant to GDPR art. 6 no. 1 letter f. The Supreme Court emphasised the following central factors in its deliberation:

  • Legelisten covers an important need for information for its users.
  • The users have few other sources of information about the quality of the services.
  • Health professionals who are reviewed on the web site offer services in competition with others based on the principle of free choice for customers.
  • Legelisten gives health service users the possibility to exercise their basic right of freedom of speech and even subjective evaluations have considerable information value.
  • Legelisten's measures to limit the data privacy disadvantages satisfies what may be reasonably expected, even if some evaluations may slip through in breach of Legelisten's own guidelines. The Medical Association on its side was of the opinion that Legelisten, in addition to existing measures, ought to prevent that reviews of health professionals on Legelisten became visible on top when name searches were made on Internet.
  • The legitimate interests cannot reasonably be efficiently realised by other and less radical measures, e.g. disengaging the user evaluations on Legelisten.no from the most used search engines (by name search) on the Internet entails that the legitimate interests behind the web page cannot be achieved as efficiently as present (the processing is, in other words, necessary).
  • Therefore: the general public's need for information about providers of health services must in this case outweigh the data privacy for health professionals.

DLA Piper's observations

This is the first decision of the Supreme Court after that GDPR was implemented in Norwegian law. In our view, the appraisals made by the Supreme Court in this case shows that the courts ascribe considerable weight to freedom of speech and (public) information interests, regardless of whether the weighing of interests concerns conflicting data privacy interests. Also, consumer interests were emphasized in the balancing of interests pursuant to GDPR art. 6 (1) letter f.

The decision does not provide any direct guidance regarding "legitimate interests" in general. However, amongst the interests that were accepted as legitimate in the case, the Supreme Court nevertheless provides some indications of which interests have more or less weight when stating that: "Legelisten's economic interests have, solitory seen relatively limited weight measured against the data privacy interests of health professionals".

The Supreme Court's conclusion and balancing of interests however builds on an assumption that the disadvantage for health personnel – and in so saying the weight of this factor in the balancing of interests – must be seen in view of that it is a question of performance of a profession and not merely personal matters. Negative comments will then presumably cause less affect, and health professionals must face factual criticism. There is no doubt that quoted statements from Legelisten show that characteristics of health professionals go beyond what may reasonably be called factual criticism, at the same time as it is emphasised in the decision that most of the comments are positive. There is reason to question whether the data privacy disadvantages for the one/those that are affected will have a larger space in the overall evaluation if it were not a question of a "group evaluation", such as in the present case. It may be possible that the information needs of the general public will then be weighed differently.  

Read the decision in its entirety here. 

This briefing is also available in Norwegian here

GDPR The Norwegian Supreme Court