Norwegian Customs – €34,800 Fine (Norway, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Norwegian Customs was fined EUR 34,800 for improperly using a shared camera database to track traffic beyond border crossings. The authority found that Customs had no legal basis to process data from the database controlled by the Public Roads Administration. This case underscores the importance of understanding legal boundaries when sharing data systems.
What happened
Norwegian Customs improperly used a shared camera database to track traffic beyond border crossings without a legal basis.
Who was affected
Individuals whose vehicle data was captured by the shared camera system used by Norwegian Customs and the Public Roads Administration.
What the authority found
The Norwegian authority ruled that Customs had no legal basis to process data from the camera database controlled by the Public Roads Administration for traffic beyond border crossings.
Why this matters
This decision highlights the need for clear legal authority when using shared data systems, especially for government agencies. It serves as a reminder to ensure proper legal frameworks are in place when processing shared data.
Entities Involved
The investigation started after the Customs Authority notified the DPA of a personal data breach concerning several issues with the use of the ANPR system. The ANPR database is a shared database, also used by the Norwegian Public Roads Administration. The Customs Authority sent the data breach notification to the DPA after an internal evaluation of the use of this database and of the legal basis for processing the data. The basis for the notification was uncertainty about the wording of the law: whether it applied only to the border crossing, or also to traffic to and from the border.
The question in dispute was whether tolloven § 13-12 "grensekryssende trafikk" ("cross-border traffic"), read in conjunction with the preparatory works, limited the use of the ANPR system to the actual border crossing, or whether internal, domestic traffic to and from the border was also covered by the law. A further question was whether the Customs Authority could process personal data from the shared camera database of which the Public Roads Administration was the controller.
The DPA held that the preparatory works used "border control" and "cross-border traffic" synonymously, and that expanding the term to also cover internal domestic traffic would contravene the principle of legality.
The DPA also held that the Customs Authority and the Public Roads Administration were controllers for different processing operations with regard to the database. It highlighted that, while the database is shared and some of the traffic surveillance tasks laid out by law overlap between the two authorities, each was the controller for a different part of the database. The national law, tolloven § 13-12, did not grant the Customs Authority any legal basis for processing data from the part of the database for which the Public Roads Administration was the controller.
Details
Fine Date: 1 September 2020
Authority: Datatilsynet (Norway)
Fine Amount: €34,800 (400,000 NOK)
GDPRhub ID: gdprhub-2929
Cite as: Cookie Fines. Norwegian Customs - Norway (2020). Retrieved from cookiefines.eu