Norwegian DPA upholds prohibition of data collection through contact-tracing app

The Norwegian Data Protection Authority (DPA) issued a new prohibition on the collection of location data by the Norwegian National Health Authority (Folkehelseinstituttet, FHI) using the Norwegian COVID-19 contact-tracing app Smittestop.

The Norwegian DPA confirmed its original decision, stating that ‘Smittestopp has not constituted a proportional invasion of the individual user’s right to privacy.’ The DPA cited, as the reasons for the disproportionate invasion into privacy, the low community spread of the Coronavirus in Norway, the invasive nature of the central collection of data, and the low number of users of the app, preventing effective tracing of contacts. For Norway to update the current contact-tracing app or launch a new one, apps would have to comply with this prohibition, as well as the Norwegian privacy protection framework before launching it for public use.