Østre Toten municipality – Court Ruling (Norway, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Privacy Appeals Board in Norway upheld a decision against Østre Toten municipality after a ransomware attack led to the loss and sale of sensitive data. The Board agreed with the Data Protection Authority that the municipality had inadequate security measures, but found the DPA's legal interpretation regarding responsibility was incorrect. This case emphasizes the importance of maintaining strong IT security over time.
What happened
Østre Toten municipality experienced a ransomware attack that resulted in the loss and sale of sensitive personal data.
Who was affected
Individuals whose sensitive personal data was lost and sold on the dark web due to the municipality's security shortcomings.
What the authority found
The Privacy Appeals Board agreed that the municipality had fundamental security shortcomings but disagreed with the DPA's interpretation of responsibility.
Why this matters
This ruling highlights the necessity for continuous focus on IT security and clarifies the interpretation of responsibility in data breaches. It serves as a lesson for public entities to prioritize data protection and security measures.
This case is an appeal of a decision in which the DPA fined a municipality (the controller) about €352,555 (NOK 4,000,000) for violating Article 5(1)(f) GDPR, Article 24 GDPR and Article 32 GDPR after a serious ransomware attack led to highly sensitive personal data being irreparably lost and sold on the dark web. The controller disagreed with the DPA on the part of the decision pertaining to the fine and asked the DPA to reconsider its position. After reviewing the case again, the DPA found no grounds to change its decision and, as per Norwegian procedure, referred the case to the Privacy Appeals Board.

In its comments to the Privacy Appeals Board, the controller argued that there were no grounds for an administrative fine. It also held that it had implemented sufficient technical and organisational measures, within the limits of its internal resources, in line with Article 24 GDPR and Article 32 GDPR.

The Privacy Appeals Board reviewed the case, both parties' arguments, the grounds for imposing an administrative fine under the GDPR, and the objective and subjective grounds for assessing whether personal data breaches had taken place. After assessing the controller's personal data practices, the Privacy Appeals Board agreed with the DPA that the various deficiencies represented fundamental shortcomings in the controller's information security, resulting in violations of Article 24 GDPR and Article 32 GDPR.

When assessing the subjective grounds, however, the Privacy Appeals Board noted that the DPA had taken an incorrect legal standpoint and interpreted the law inaccurately. The Board disagreed with the DPA's interpretation that the Chief Municipal Executive was objectively responsible for the personal data breaches regardless of whether he had acted negligently. In the Privacy Appeals Board's view, the insufficient IT security must be seen against a lack of focus over time, long before the Chief Municipal Executive was employed.
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
About this data
Cite as: Cookie Fines. Østre Toten municipality - Norway (2023). Retrieved from cookiefines.eu