I. Legal framework
Constitutional privacy and data protection framework
The Norwegian Constitution of 1814 does not have a specific provision dealing with the protection of privacy.1 The closest provision is Article 102, which prohibits searches of private homes except in "criminal cases." More generally, Article 110(c) of the Constitution places state authorities under an express duty to "respect and secure human rights."2 In 1952, the Norwegian Supreme Court held that there exists in Norwegian law a general legal protection of "personality", which incorporates a right to privacy. This protection of personality exists independently of statutory authority but helps form the basis of the latter (including data protection legislation), and can be applied by the courts on a case-by-case basis.3
The Norwegian Constitution also protects freedom of speech (Article 100). Persons may not be legally liable for disseminating or receiving information, ideas, or messages if the information can be justified under the rubric of freedom of expression (i.e., the seeking of truth, the promotion of democracy, or the expression of an individual opinion) (Article 100(2)). Postal communications may be censored only within certain State institutions and by leave of a court of law (Article 100(4)).
Privacy and data protection laws and regulations
The processing of personal data and information in Norway was formerly governed by the Personal Data Registers Act of 1978, but this law has been replaced by the Personal Data Act of 2000 (PDA).4 The PDA, together with regulations issued pursuant to it,5 constitutes the central legislation on protection of personal data in Norway. The legislation protects the right to privacy by setting out safeguards to ensure that personal data are processed in accordance with fundamental respect for the right to privacy, including the need to protect personal integrity and private life and to ensure adequate quality of personal data (PDA Section 1).
Although Norway is not a member of the European Union, the PDA was designed to bring Norwegian law into compliance with the EU Data Protection Directive 95/46/EC.6 The PDA covers all data that may be linked directly or indirectly to individuals.7 The PDA applies to both the public and private sectors, and it covers both manual and computerised registers (Section 3). As a point of departure, the PDA requires that the Data Inspectorate be notified in advance of data processing operations (Sections 31-32). In some instances, a licence must be acquired from the Data Inspectorate in order to process data. This is generally the case, for example, with the planned processing of sensitive information, such as information on racial origin, religion, or criminal record (Section 33), and with the processing of personal data by the insurance, banking and telecommunications sectors (Chapter 7 of the regulations supporting the Act).
The PDA provides strong protections for data subjects about whom data has been collected. The Act provides that all persons have a right to demand access to information that concerns them (Section 18). Also, according to the Act, all incorrect data must be corrected (Section 27), and all persons shall have the right to block their name from use in direct marketing (Section 26). The Act also restricts the flow of personal data to other countries in accordance with the rules laid down in Articles 25 and 26 of the EU Data Protection Directive (Sections 29-30). Again, similar to the EU Directive, data subjects must be informed that their personal data are being collected and of the name of the controller collecting the personal data (Sections 19-20). New in relation to the EU Directive, however, is that the Act imposes a duty of informing the subject when, on the basis of a personal profile, either the data subject is approached or contacted, or a decision directed at the data subject is made. In such a case, the data subject must be automatically informed of the data controller's identity, the data constituting the profile, and the source of these data (Section 21). Violations of the Act are punishable by fines or imprisonment (Sections 46 et seq.).8
A decision of principle by the Privacy Appeals Board in late 2002 defines the scope of the Act, specifically as it applies to human biological material such as blood samples. The board's decision overturned a Norwegian Data Inspectorate ruling on a case involving a medical researcher who wished to take human blood samples from his work at a university hospital with him to his new job.9 The Data Inspectorate ruled that blood samples constituted "personal information" for the purposes of the Act. On appeal, the decision was reversed by a majority of the Privacy Appeals Board, applying a view of "data" and "information" typical in the fields of informatics and information science. Further, the decision reflected a concern that the Act should not be radically extended in scope without such an extension being considered in Parliament.10
The Board found that audiotape recordings of a person's telephone conversation â€“ recorded without the consent of that person by the other party to the conversation â€“ do not fall within the scope of the PDA; such recordings per se could not constitute a "register" or "file" for the purposes of Section 3(1)(b), as they are not organised in a way that facilitates ready identification of specific individuals.11 The board also found that the recordings could not qualify as a processing of personal data by automatic means (Section 3 (1)(a)), because manual intervention was needed to initiate and conclude the recording operation.
A decision by the European Court of Justice in the criminal proceedings against Bodil Lindqvist12 has led to a change in policy of the Norwegian Data Inspectorate. The Inspectorate had exempted from the Act the posting of personal data on homepages for ostensibly private or domestic purposes. The Lindqvist decision, however, states that the exemption for "private" processing pursuant to Article 3(2) of the Data Protection Directive does not apply when the data can be accessed by an indefinite number of persons. Unless access to personal data posted on a website is restricted so that only a small number of persons can legally access the material, the disclosure of this data now falls within the scope of the Data Protection Directive and the PDA.13
In 2009, a chapter concerning the employer's right to examine an employee's email box, etc., was added to the Personal Data Regulations.14 Following this amendment, an employer may only explore, open, or read email in an employee's email box: when it is necessary to maintain daily operations or there is other justified interest of the business, such as in case of justified suspicion that the employee's use of email constitutes a serious breach of the duties that follow from the employment, or may constitute grounds for termination or dismissal.
The employee shall be notified wherever possible and given an opportunity to speak before the employer makes the examination, and also to be present during the examination, if possible.
In 2007, Norway amended its Working Environment Act to add provisions for whistleblowers. Under the amendments, workers may remain anonymous.15 In addition, the businesses must handle the employee's information according to the PDA.
In January 2006, a new statute was enacted which created a central register for political parties and their candidates.16 The legislation mandates disclosure of private individuals' financial support to political parties if this support is greater than a particular amount of money (Section 20), and prohibits anonymous contributions to political parties (Section 17(2)).
2006 also brought changes to the Child Welfare Act.17 These amendments make it mandatory for employees at private crisis centres that receive funding from the government to disclose information to the Child Welfare Authorities if they have reason to believe that a child is being neglected. The Data Inspectorate was very strongly opposed to this provision and "believes that it represents a serious infringement of the integrity of persons who contact a crisis centre in an emergency situation."18 The Act was amended again in 2009 to stipulate that all government institutions and all institutions working with parents and children have to disclose information necessary for the Ministry, the Child Welfare Authorities and the Health authorities to do their duty. When life or health is at stake child welfare workers can give information to health care workers. This includes the suspicion that a pregnant woman is abusing substances that can lead to the child being born with permanent damage. But the amendment also states that parents' and children's right to privacy shall be respected while they are in an institution (Section 5-9a).19
The Norwegian Nationality Act, Section 7, was amended in 2007 to require applicants for Norwegian nationality to provide a police certificate.20 The police certificate shall contain preliminary charges and indictments, even in situations where the offence was not prosecuted. However, a proposed provision that would have suspended the duty of confidence of all public authorities, and at the same time subjected them to a disclosure requirement if the immigration authorities needed information whilst processing nationality applications, was not adopted.
A statutory protection for privacy is granted by Section 390 of the Criminal Code 1902. Section 390 provides a penalty for violations of privacy caused by "public disclosure of information relating to personal or domestic affairs".21
Data protection authority
Monitoring and enforcement of the PDA is overseen by The Data Inspectorate (Datatilsynet), a body originally set up in 1980.22 The Inspectorate is placed under the administrative wings of the Ministry of Government Administration, Reform, and Church Affairs, but is otherwise expected to function completely independently of government or private sector bodies. The Inspectorate is generally regarded as an important institution in Norwegian society.
The responsibilities of the Inspectorate include verifying compliance with statutes and regulations that apply to the processing of personal data and verifying that errors or deficiencies are rectified; identifying risks to protection of privacy; and providing guidance on measures to avoid or limit such risks.23 The Inspectorate also plays a role in raising public awareness of privacy through various campaigns and publications.24
Complaints are normally handled by written procedures, but also by guidance meetings, by phone calls, and by email. In terms of complaints enforcement, the Data Inspectorate has the tools mentioned in PDA Sections 47-49. Decisions of the Inspectorate may be appealed to a quasi-judicial body, the Privacy Appeals Board (Personvernnemnda). Decisions of the Privacy Appeals Board may be appealed to civil courts on questions of law.25
The Inspectorate has the power to make onsite visits to data register licencees to determine compliance with the PDA (Section 44). The Data Inspectorate also has the authority to issue fines. Physical persons may only be fined for a data offence involving deliberate or negligent violation. The Data Inspectorate may also impose a coercive fine which will run for each day from the expiry of the time limit set for compliance with the order until the order has been complied with.26
The Data Inspectorate is responsible for the service/website slettmeg.no (delete me), which provides assistance to persons that have found information about themselves on the Internet which they need help to remove (for example taking down the Facebook account of a relative that has died). The establishing of this service was a result of a suggestion from the Privacy Commission, which was appointed by the Government in 2007 and submitted its final report in 2009.27
Major privacy and data protection case law
In June 2010 the Norwegian Supreme Court ruled in the case between Lyse Tele (Altibox) and Sandrew Metronome28 on the disclosure of the identity of a subscriber with a given IP address at a given time. The subscriber had made available copyrighted material belonging to Sandrew Metronome, but they were not able to take out a law suit in a civilian court without the identity of the file-sharer. The Post and Telecommunications Authority exempted Lyse Tele's professional secrecy in the case, but Lyse Tele claimed that this was not enough. The Court of Appeal ruled that Lyse Tele would have to provide Sandrew Metronome with the identity of the file-sharer in this case, but that they should not be given access to his equipment as they had asked in order to secure evidence. Both parts appealed to the Supreme Court, but the appeals were rejected.
In 2007 a book on local history from life on a group of farms in the South of Norway was published. The author describes life on his own farm, including his divorce. His ex-wife subsequently sued to have the description of the divorce removed from the book. The case made its way to the Supreme Court, which ruled in favour of the author.29 The judges emphasised the consequences for biographies and history works if the author were convicted. They stressed, too, that it is the author's own story that is told. As long as the descriptions are not incriminating, intimate or untrue, the ex-wife had no right to be protected from her former husband's description of their divorce.
Another relatively recent Supreme Court ruling of note concerned a suit instigated by an American snowboarder, Andy Finch, who claimed damages for the unauthorised use of a photograph of himself by a TromsÃ¸-based organisation that had used the photograph as part of a campaign to promote TromsÃ¸ as a suitable venue for holding the Winter Olympics.30 A problem for Finch was that while damages for unauthorised use of personal photographs are available under copyright legislation, such damages may only be awarded to residents or citizens of Norway â€“ and Finch did not fall into this category of persons. However, the Supreme Court upheld Finch's claim by finding that there exists a right to control the use of one's personal image in photographic form that is independent of statute and that this right inheres not just in residents or citizens of Norway. In making this finding, the Court relied on older case law, notably its famous decision of 1952 referred to at the beginning of this report.
- 1. The Constitution of the Kingdom of Norway, English version available at http://www.constitution.org/cons/norway/dok-bn.html (this URL (as of 20 July 2007) links to the text of the Constitution as it existed in 1995; more recent amendments to the Constitution, particularly to Article 100 (freedom of speech â€“ see infra), are not reflected therein); the current Norwegian version (Kongeriget Norges Grundlov), with latest amendments as of 30 September 2004, is available at http://www.lovdata.no/all/nl-18140517-000.html.
- 2. Lee A. Bygrave & Ann Helen Aaro, Norway, International Privacy, Publicity and Personality Laws 333 (M. Henry ed., 2001).
- 3. Id. at 340.
- 4. The Personal Data Act of 14 April 2000 No. 31, in English at http://www.datatilsynet.no/upload/Engelsk%20lov%20ny%20utgÃ¥ve%20til%20publisering.pdf.
- 5. Regulations on the Processing of Personal Data of 15 December 2000 No. 1265, in English at http://www.datatilsynet.no/upload/Engelsk%20forskrift%20ny%20utgÃ¥ve%20til%20publisering.pdf.
- 6. Bygrave & AarÃ¸, at 336.
- 7. Lee A. Bygrave, Data Protection Law: Approaching Its Rationale, Logic and Limits (The Hague: Kluwer Law International, 2002) at 48.
- 8. See also Bygrave & AarÃ¸, supra, at 339-340.
- 9. See appeal decision in case 8/2002, available at http://www.personvernnemnda.no/vedtak/2002_8.htm.
- 10. Lee A. Bygrave, "The Body as Data? Biobank Regulation via the 'Backdoor' of Data Protection Law," 2 Law, Innovation and Technology, at 1â€“25 spec. 20 (2010).
- 11. See appeal decision in case 1/2005, available at http://www.personvernnemnda.no/vedtak/2005_1.htm.
- 12. See decision of 6 November 2003 in Case C-101/01, Bodil Lindqvist v Ã…klagarkammaren in JÃ¶nkÃ¶ping, European Court Reports 2003 I-12971 Â§ 47.
- 13. Id.
- 14. Personal Data Regulations, Chapter 9.
- 15. Act of 17 June 2005 No. 62, Working Environment Act, amended by Act of 23 February 2007 No. 10, available in English at http://www.arbeidstilsynet.no/binfil/download2.php?tid=92156.
- 16. The Political Parties Act of 17 June 2005 No. 102, entry into force 1 January 2006, available in English at http://www.ub.uio.no/ujur/ulovdata/lov-20050617-102-eng.pdf.
- 17. The Child Welfare Act of 17 June 1992 No. 100, amended 1 January 2006, available in Norwegian at http://www.lovdata.no/all/nl-19920717-100.html.
- 18. The Data Inspectorate's 2006 Annual report to the EU Art. 29 Data Protection Working Party, 31 May 2007, http://www.datatilsynet.no/templates/Page____1857.aspx.
- 19. Id.
- 20. The Norwegian Nationality Act of 10 June 2005, amended June 2007, available in English at http://www.ub.uio.no/ujur/ulovdata/lov-20050610-051-eng.pdf.
- 21. Bygrave & AarÃ¸, supra, at 334.
- 22. See the Data Inspectorate's homepage, supra.
- 23. Id.
- 24. See for example http://www.datatilsynet.no/templates/Page____140.aspx.
- 25. Bygrave & AarÃ¸, at 337.
- 26. Id.
- 27. Government White Paper, NOU 2009:1 Individ og integritet (Individuals and Integrity), available at http://www.regjeringen.no/pages/2143156/PDFS/NOU200920090001000DDDPDFS.pdf.
- 28. Norwegian Supreme Court, Case No 2010/226, "BegjÃ¦ring om bevissikring utenfor rettssak" ("Request for the Securing of Evidence Outside of the Court"), available in Norwegianat at http://www.domstol.no/DAtemplates/Article____23918.aspx?epslanguage=NO.
- 29. Norwegian Supreme Court, Case No. 2009/1047, "SpÃ¸rsmÃ¥l om krenkelse av privatlivets fred ved utgivelse av lokalhistorisk bok" ("Question Regarding Violation of Privacy by the Publishing of a Book on Local History"), available at http://www.domstol.no/DAtemplates/Article____22343.aspx?epslanguage=NO.
- 30. Norwegian Supreme Court case No. 2009/2318-A, reported in Norsk Retstidende (Norwegian Law Reports) 2009, at 1568.