The Norwegian Constitution of 1814 does not have a specific provision dealing with the protection of privacy.[1975] The closest provision is Article 102, which prohibits searches of private homes except in "criminal cases." More generally, Article 110c of the Constitution places state authorities under an express duty to "respect and secure human rights."[1976] In 1952, the Norwegian Supreme Court held that there exists in Norwegian law a general legal protection of "personality" which embraces a right to privacy. This protection of personality exists independently of statutory authority but helps form the basis of the latter (including data protection legislation), and can be applied by the courts on a case-by-case basis.[1977] A statutory protection for privacy is granted by section 390 of the Criminal Code 1902. Section 390 provides a penalty for violations of privacy caused by "public disclosure of information relating to personal or domestic affairs."[1978]
The Norwegian Constitution also protects freedom of speech (Article 100). Persons may not be liable in law for disseminating or receiving information, ideas, or messages if the information can be justified under the rubric of freedom of expression (i.e., the seeking of truth, the promotion of democracy, or the expression of an individual opinion).[1979] Postal communications may be censored only by institutions and by leave of a court of law.[1980]
The Telecommunications Act of 1995 imposes a duty of confidentiality on telecommunications providers. Under section 9-3 of the Act, telecommunications service providers must safeguard the secrecy of the content of telecommunications.[1981] Police may access this information upon a court order or by administrative order from the National Post and Telecommunications authorities.[1982] Individuals who unlawfully examine the content of an electronic transmission may be punished according to the Norwegian Criminal Code. However, employers may examine the content of e-mails sent and received by employees at their workplace, if such e-mail is presumed to be work-related and the employees are warned beforehand of such monitoring.[1983]
Some of the protections safeguarding electronic communications may soon change. The Norwegian Parliament is about to adopt an electronic communications Act that will replace the Telecommunications Act and possibly allow for subsequent changes to the existing rules governing mobile phone and Internet usage.[1984] Current rules permit consumers to disclose very little personally identifiable information when purchasing a mobile phone. Persons who use unregistered mobile telephones and anonymous cash cards may communicate almost undetected. The chief public prosecutor of the Norwegian Economic Crime Unit has requested that the Parliament ban anonymous cash cards for mobile telephones and require that telecom and Internet companies keep logs of traffic data for a twelve-month period.[1985]
The regulation of personal data and information in Norway was formerly governed by the Personal Data Registers Act of 1978, but this law has been replaced by the Personal Data Act of 2000.[1986] The Personal Data Act protects the right to privacy by setting out safeguards to ensure that personal data are processed in accordance with fundamental respect for the right to privacy, including the need to protect personal integrity and private life and to ensure adequate quality of personal data (section 1). Enforcement of the Personal Data Act is overseen by the Data Inspectorate (Datatilsynet), a body originally set up in 1980.[1987] The Inspectorate is placed under the administrative wings of the Ministry of Labor and Government Administration, but is otherwise expected to function completely independently of government or private sector bodies. The Inspectorate employed twenty-seven staff members as of 2002. The responsibilities of the Inspectorate include verifying that statutes and regulations which apply to the processing of personal data are complied with, and that errors or deficiencies are rectified; identifying risks to protection of privacy; and providing guidance on measures to avoid or limit such risks.[1988] Decisions of the Inspectorate may be appealed to a quasi-judicial body, the Privacy Appeals Tribunal (Personvernnemnda). Decisions of the Tribunal may be appealed to civil courts on questions of law.[1989]
Although Norway is not a member of the European Union, the Personal Data Act was designed to bring Norwegian law into compliance with the EU Directive on data protection.[1990] The Personal Data Act covers all data that may be linked directly or indirectly to individuals.[1991] The Act applies to both the public and private sectors, and it covers both manual and computerized registers (section 3). As a point of departure, the Act requires that the Data Inspectorate be notified in advance of data-processing operations (sections 31-32). In some instances, a license must be acquired from the Data Inspectorate in order to process data. This is generally the case, for example, with the planned processing of sensitive information, such as information on racial origin, religion, or criminal record (section 33), and with the processing of personal data by the insurance, banking and telecommunications sectors (chapter 7 of the regulations to the Act). The Inspectorate also has the power to make on-site visits to data register licensees to determine compliance with the Act (section 44). The Personal Data Act of 2000 provides strong protections for data subjects about whom data has been collected. The Act provides that all persons have a right to demand access to information which concerns them (section 18). Also, according to the Act, all incorrect data must be corrected (section 27), and all persons shall have the right to block their name from use in direct marketing (section 26). The Act also restricts the flow of personal data to other countries in accordance with the rules laid down in Articles 25 and 26 of the EU Directive (sections 29-30). Again, similar to the EU Directive, data subjects must be informed that their personal data is being collected and of the name of the controller collecting the personal data (sections 19-20).
New in relation to the Directive, however, is that the Act imposes a duty of informing the subject when, on the basis of a personal profile, either the data subject is approached or contacted, or a decision directed at the data subject is made. In such a case, the data subject must be automatically informed of the data controller's identity, the data constituting the profile, and the source of these data (section 21). Violations of the Act are punishable by, inter alia, fines or imprisonment (sections 46 et seq.).[1992]
The new law also provides specific rules for video surveillance. Video surveillance that does not create actual files falls under weaker protection than regular personal data registers. However, if the surveillance results in the actual recording of pictures, then the surveillance falls under the Act and the Data Inspectorate must be informed (section 37). The Inspectorate has the power to intervene and prohibit the surveillance if it does not conform with the Act. If the video surveillance is performed in a public place, there must be clear notice given, such as through use of a warning sign (section 40). However, the Criminal Procedure Act of 1981 allows police to perform covert video surveillance of public areas if the surveillance is of "essential significance" for investigating suspected criminal conduct that can result in more than six months imprisonment (section 202a).
General exemptions to the Personal Data Act are made for processing of data for purely private or purely artistic, literary or journalistic purposes (sections 3 and 7). Processing of data for historical, statistical, or scientific purposes is also treated leniently (see, e.g., section 11(2)). Some data registers kept for purposes of policing and/or national security are also taken outside the control competence of the Data Inspectorate (chapter 1 of the regulations to the Act).
Wiretapping normally requires the permission of a tribunal and is initially limited to four weeks.[1993] The total number of telephones monitored was 360 in 1990, 467 in 1991, 426 in 1992, 402 in 1993, 541 in 1994 and 534 in 1995.[1994] A Supervisory Board reviews the warrants to ensure the adequacy of the protections. A Parliamentary Commission of Inquiry was created in 1994 to investigate the post-World War II surveillance practices of Norwegian police and security services. The Lund Commission delivered a 600 page report in 1996, causing a great deal of public and political debate on account of its finding that much of the undercover surveillance practices, including wiretapping of left wing political groups until 1989, had been instituted and/or conducted illegally and that the courts had not generally been strong enough in their oversight.[1995] This included keeping files on children as young as eleven years old.
Provisions of the Criminal Procedure Act allow for wiretapping without the permission of the tribunal in two circumstances. First, section 216a allows wiretapping for narcotics investigations and in connection with cases involving national security, albeit with the permission of a magistrate court. Second, section 216b allows wiretapping in connection with some less serious offenses but requires the permission of a magistrate court.
New legislation to monitor the secret services was approved in 1995 following the Lund Commission's recommendations.[1996] The legislation created a new Control Committee to monitor the activities of the Police Security Services, the Defense Security Services, and the Defense Intelligence Services. The former Minister of Justice and the head of the Norwegian security police (POT) were forced to resign from the government in 1996 after it was revealed that the POT had placed a member of the Lund Commission under surveillance and requested a copy of her Stasi file from the German authorities four times.[1997] Later it was discovered that the POT had also investigated several key members of the Parliament who have oversight over the agency.[1998] In 1997, the Parliament agreed to allow people who were under surveillance by the POT to review their records and to obtain compensation if the surveillance was unlawful. The POT has records on over 50,000 people.[1999] The period for allowing access to these records has now terminated.
Many other laws contain provisions relevant to privacy and data protection. These include the Administrative Procedures Act of 1967 and the Criminal Code of 1902.[2000] The Criminal Code first prohibited the publication of information relating to "personal or domestic affairs" in 1889.[2001] The Criminal Code also prohibits the unauthorized opening of sealed correspondence, including cracking security mechanisms.[2002] The Criminal Code also prohibits covert monitoring or recording of telephone conversations or other conversations in closed settings.[2003] In December of 2000, a Norwegian news service reported that Norwegian military and police intelligence units entered into an agreement with the country's fifteen largest companies to perform Internet surveillance.[2004] The system was reported to be similar to the United States FBI's Carnivore system, which intercepts and monitors any information sent across the Internet. The Norwegian Justice Department confirmed the existence of the system, but sources claimed that it has not been implemented on a large scale. The Norwegian Parliament has demanded a review of the project, which was created to defend the national information technology infrastructure.
The 1970 Act on Public Access to Documents in the (Public) Administration provides for public access to government records. Under the Act, there is a broad right of access to records. The Act has been in effect since 1971. The Act does not apply to records held by the Parliament, the Office of the Auditor General, the Ombudsman for Public Administration, or other parliamentary institutions. There are exemptions for internal documents; information that "could be detrimental to the security of the realm, national defense or relations with foreign states or international organizations"; information subject to a duty of secrecy; information exempted "in the interests of proper execution of the financial, pay or personnel management"; the minutes of the Council of State; photographs of persons entered in a personal data register; complaints, reports and other documents concerning breaches of the law; answers to examinations or similar tests; and documents prepared by a ministry in connection with annual fiscal budgets. The King can make a determination that historical documents in the archive that are otherwise exempted can be publicly released. If access is denied, individuals can appeal to a higher authority under the Act and then to a court.
A news report early in the year 2000 indicated that Norway's Data Protection Registrar intended to investigate the merged banking giant Postbanken/DnB, which had been criticized for using postal employees to collect information and make lists of potential clients. The investigations were to determine whether the postmen and women were breaching regulations governing the privacy of postal service clients.[2005] An article published in February, 2002, indicates the state welfare agency, Trygdeetaten, would like to order banks to advise of any "unusual" transactions involving accounts held by welfare recipients. The proposal, which would require the relaxation of existing privacy laws, has prompted opposition from the banking industry and some politicians. The banking industry has warned against law changes which would threaten client confidentiality. The agency, however, feels that it is the only way they will be able to "crack down" on welfare cheating.[2006] In May, 2003, a new money laundering law was passed which requires employees in financial, gaming, and other institutions involved in the transfer of funds to notify the Norwegian Economic Crime Unit if they suspect that a client may be laundering funds.[2007]
In addition to data protection regulations that contain privacy provisions, Norway has also addressed privacy issues stemming from threats of terrorism and human rights violations. The European Convention on Human Rights and Fundamental Freedoms of 1950 and the International Covenant on Civil and Political Rights of 1966, both of which contain a catalogue of basic human rights, including express rights to privacy, have recently been incorporated into Norwegian law.[2008] In April, 2002, the Norwegian parliament adopted amendments to the Norwegian Penal Code, which include prohibitions against "terrorist acts."[2009] Many privacy advocates and NGOs have expressed concern that the prohibition against "terrorist acts" is too broad and imprecise, and may result in persons becoming victims of arbitrary, inaccurate, or politically motivated charges.[2010]
Norway has also agreed to support UN Security Council resolution 1368, which reconfirms the right to individual or collective self defense, and resolution 1373, which outlines the measures member states of the UN must implement in order to prevent and suppress terrorist activities.[2011] Other steps Norway has taken to counteract terrorism are to call for the establishment of the International Criminal Court in The Hague, to ratify all UN Conventions against international terrorism in force, and to sign the UN Convention for the Suppression of the Financing of Terrorism.[2012] To safeguard human rights and fundamental freedoms in light of the threat of terrorism, the Norwegian government granted the Norwegian Institute for Human Rights the status of a national human rights institution in 2002. The Institute monitors Norway's adherence to international human rights standards. One area of particular concern that the Institute is monitoring is Norway's treatment of persons in pre-trial detention.[2013]
Norway is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) and has signed ETS No. 181.[2014] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[2015] Norway has signed, but not ratified, the Council of Europe's Convention for Cybercrime.[2016] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.