III. Privacy topics
Internet and consumer privacy
When the Norwegian law on property rights was amended in 2005, it was changed so that downloading material from the Internet is illegal if you have reason to believe that it has been uploaded without the permission of the owner. Uploading copyrighted material is still illegal. It is illegal to break digital copyright protection if it is "effective".1 The background is that most of the copyright protection designed to stop people from playing and ripping CDs on a computer can be broken by holding down the "shift" key. During the debate preceding the final changes to the Copyrights Act of 1961 it was argued that it would not make sense to criminalise something that was easy for anyone to do and that did not really involve actual code-cracking.
The law also emphasises that private consumers should be able to play/view legally obtained works on what can be considered "relevant equipment".2 This paragraph was added to ensure that consumers who had bought a CD could legally transfer that music to a cassette or a digital music player (iPod or mp3-player).
The property rights law is currently under revision again. The Government has appointed a working group to look into the challenges related to illegal file- sharing.3
The International Federation of the Phonographic Industry (IFPI) has requested that Norwegian ISPs block access to known file-sharing domains such as the Pirate Bay, but so far ISPs have declined to do this. The law firm Simonsen was granted permission from the Norwegian Data Inspectorate to register the IP-addresses of file-sharers on behalf of IFPI. They were not granted permission to get the name of the user connected to that IP-address. Simonsen filed several complaints with the police, but only a few were investigated. The Data Inspectorate has since revoked the permission while awaiting clarification of the legality of private investigations by rights holders, for example, in dedicated provisions to be inserted into the Copyright Act.4 Simonsen appealed the Inspectorate's decision in September 2009. The Privacy Appeals Board's decision is expected at the end of 2010 or in early 2011.
Consumers in Norway can stop unwanted direct telephone marketing by opting out via the Central Marketing Exclusion Register at the BrÃ¸nnÃ¸ysund Register Centre.5 All businesses that do direct marketing are required to remove all registrants from their list. By 2009, more than 1.7 million Norwegian consumers had opted out through this service.6 It is also possible to get a sticker from the nearest post office to put on your mailbox to avoid direct marketing materials lacking an address. It is not legal to send out marketing emails to anyone who has not actively given consent (opt-in). Businesses may send out marketing material to customers who have done business with them previously, but only for their own goods or services in the same category as the pervious purchase. A customer must be given an easy way to opt out.7
If a consumer has been subject to illegal marketing, he or she can issue a complaint with the Consumer Ombudsman.8 The Consumer Ombudsman has developed a series of guidelines for good marketing practice, including guidelines for e-commerce, telephone marketing and online marketing.
Under the pre-amended version of the Marketing Control Act, the Marketing Council and the Consumer Ombudsman could impose a suspended fine. This meant that the fine only had to be paid by repeat offenders. In 2009, the Act was updated to allow for an infringement fine as an alternative sanction. The fine can be issued for prior offences. However, this sanction can only be applied to cases that are in violation to clearly stated unfair practices, e.g., sending out "spam" to consumers via email.9
Internet banking has very high penetration in Norway. In 2009, 85 percent of the adult (over 16) population used Internet banking. Even in the group over 65 years of age penetration is 74 percent.10 Most banks use a BankID for secure logon. This type of login requires a token or a mobile phone that generates a code in addition to the customer's username and PIN. BankID can also be used as a digital signature.11 So far, there have been very few security breaches related to Internet banking in Norway. If a customer falls victim to a security breach, the burden of proof is on the bank to show that the customer has exhibited gross negligence or wilfully tried to deceive the bank.12
Norway implemented Directive 2007/64/EC on payment services in the internal market in 2009.13
In 2006 a government-appointed commission delivered its report on the protection of critical infrastructure and critical societal functions in Norway.14 One of the commission's recommendations is that all Internet service providers should be required to deliver security software as part of their service, and that all vendors of wireless networks should be required to deliver equipment with satisfactory security installations and user manuals in Norwegian.
Most Norwegian ISPs have agreed to follow a common approach to use a filter to stop both incoming and outgoing spam.15 Customers must be informed of the filter and how it works. The ISP should have user contracts that make it possible to sanction users that distribute spam, they should provide their customers with information on how to avoid spam, and they should make it easy to report spam.
The Norwegian Centre for Information Security (Norsk senter for informasjonssikring or NorSIS)16 is a Government-funded centre for information security. It targets small and medium-sized enterprises as well as public authorities and the general public. An important part of its mandate is to raise general awareness of information security matters through training and information. It also compiles and creates guidelines and tutorials concerning information security topics. One example is a major identity theft project led by NorSIS with participants from several public and private organisations.17
Online behavioural marketing and search engine privacy
There are no laws against online anonymity in Norway, and the use of anonymous Virtual Private Networks (VPNs) or anonymous proxies is legal, although not very common. Norway is debating whether to implement the Data Retention Directive. Currently, ISPs are allowed to store IP addresses for three weeks to enable them to handle complaints. Previously, the storage period for this information varied depending on how long the ISP felt the information was needed. In 2009 the Norwegian Data Inspectorate instructed all ISPs that the storage of IP addresses beyond three weeks would be in violation of the Personal Data Act.18
All the most common search engines used by Norwegian consumers (particularly Google) are run from other countries, and as such are beyond the control of Norwegian law.
Online social networks and virtual communities
There is very high Internet penetration in Norway â€“ 86 percent of Norwegian households have an Internet connection, and only 11 percent have not used the Internet over the last three months.19 According to TNS Gallup, in the first quarter of 2010 61 percent of Norwegian Internet users used Facebook daily or weekly, 57 percent said their communication is open on Facebook, while 40 percent were members of closed groups. Fifty-seven percent worried about privacy on Facebook.20 Norwegians are also active on many other social networking sites, but Facebook is the most popular.
The Norwegian Data Inspectorate established the service slettmeg.no (delete me) in March 2010. This service offers advice and guidance to people of all ages who find offending material about themselves on the Internet. This might include photos published without permission, fake profiles on various Internet services, incorrect personal information, or harassment. The service provides guidance for removing already deleted Web pages from Google's (and other search engines') indexes, and for deleting accounts on various social networking sites, etc. Published statistics show that a majority of the requests received by slettmeg.no have been about Facebook (more than 35 percent during the initial two months).21 It is also interesting to note that a lot of the requests are about deleting information that was published earlier by the person making the request.
Online youth safety
In practice, all young people in Norway use a computer and are on the Internet. The Norwegian Media Authority publishes a regular survey on young people's use of media. The survey poses questions to both young people and parents. The main findings from 2010 are: (a) children claim to have more alone time on the net than the parents believe; (b) parents claim to monitor Internet use by installing filtering/blocking software and checking log files to a greater extent than the children report; (c) most children have rules on how to use the Internet; the most common are not meeting anyone they only know from the Internet (54 percent) and not saying bad things to others on chat or via email (53 percent); (d) 50 percent of children say they are not allowed to pass out personal information on websites or in chat; (e) the trend over the last few years is that children know more on how to behave safely on the Internet; half of the children say that they do not pass out personal information because they have learnt about safe Internet use; (f) 23 percent have been asked for personal information by someone they don't know; most of the children ignored the request, but 5 percent say they gave the requested information and 22 percent gave some information; (g) 14 percent have experienced unwanted sexual comments on the Internet over the last year; 8 percent have been asked to send images of themselves naked over the Internet.22
There has been a lot of focus on empowering young people to use the Internet safely, with privacy as the main focus, over the last few years. The campaign "Du bestemmer" (You Decide) has been used by more than 400,000 students between the ages of nine and 17.23 In addition to focusing on safe Internet use, the campaign emphasised the children's right to privacy from teachers and parents as well. Open dialogue is encouraged as an alternative to filtering and "spyware". The campaign is funded by the Ministry of Government Administration, Reform, and Church Affairs and the Ministry of Education and Research.
NCIS (Kripos) has launched an initiative called "the Red Button". This is a button that organisations that provide Internet content aimed at young people can add to their site. When pressed, the button leads to the Kripos site, where the public can report sexual exploitation of children, human trafficking, or racism on the Internet.24
In 2009 the so-called "grooming paragraph" was added to the Penal Code.25 This means that it is now illegal to arrange a meeting with someone younger than 16 in order to engage in sexual activities. Paragraph 201 of the Code, which made it illegal to act in a sexually demeaning or indecent way in public without the other party's consent or in front of children under 16, was amended to include the use of telephones, Internet, or other means of electronic communication.26
Surveillance and control measures in the workplace are regulated by the Working Environment Act.27 The Act states that employers wishing to implement control measures must have a legitimate reason based on the nature of the business, and that the measures should not be an unnecessary burden on the workers. Information collected has to be handled in accordance with the Personal Data Act.
Employers should discuss the need for control measures and how they should be implemented with the union representatives. All workers shall be informed before the measure is put into place, and there should be regular evaluations.
In a recent study by Fafo28 (Institute for Labour and Social Research) 6,022 Norwegian workers answered a Web survey on monitoring and surveillance in the work place. The most common means of surveillance and monitoring are electronic access control (31 percent), systems that register time use or productivity (22 percent), surveillance of Internet sites visited by employees (20 percent), and monitoring of telephone use (16 percent).
As described earlier, in 2009 a chapter concerning the employer's right to examine an employee's email box, etc., was added to the Personal Data Regulations.29 This chapter clarified an issue that had previously been unclear, and restricted employers' access to employees' email in contrast to previous practice. In 2010, the Data Inspectorate issued a fine of NOK15,000 (approx. â‚¬2,000) to an organisation (Nordenfjeldske Kunstindustrimuseum) for accessing an employee's email without legal grounds and without notifying the employee.30
Health and genetic privacy
In 2005 Parliament approved the establishment of the Norwegian Labour and Welfare Organisation (NAV) to provide comprehensive welfare reform.31 NAV is a merger of three organisations: the National Insurance Organisation, the National Employment Service and the Social Welfare System. As of July 2007, NAV had data on more than 2 million users from these combined databases.32 The merger has raised concerns because the number of people with access to sensitive personal data has doubled, and the access restrictions are inadequate.
As part of the reform, NAV was granted access to clients' health records as part of its control regime. The Data Inspectorate objected to this, but was ignored. When the Data Inspectorate found that NAV did not give notification upon accessing health records, it issued an order requiring NAV to establish new routines where such notification should be given within four weeks. According to the Data Protection Act notification should always be given when accessing personal data from an external source. NAV appealed the order to the Privacy Appeals Board (case PVN-2009-22),33 but the board upheld the Data Inspectorate's ruling, emphasising that the right to information is important because it gives the data subject the opportunity to correct and supplement the information. The Appeals board cannot see that not informing the data subject serves this purpose.
No specific information has been provided under this section.
The Competition Act, Money Laundering Act, and Foreign Register Act all came into force in 2005, and allow the tax administration to request audit information from financial institutions and the tax collector to obtain audit information from third parties.34 The police are allowed to access this kind of information during open investigations. In 2006, amendments were proposed giving the police access if the information is needed to prevent and combat crime.35
The Money Laundering Act requires employees in financial, gaming, and other institutions involved in the transfer of funds to notify the Norwegian Economic Crime Unit if they suspect that a client may be laundering funds.36
The law regarding the transfer of funds into and out of Norway was amended in 2009 to give even more people access to the register of these transfers.37 Established in 2004 as part of the fight against money laundering and terror financing, the register contains information on transactions in and out of Norway. The following actors now have access to the register: the police (previously only a limited part of the police force working with financial crimes), the National Bank, the Financial Supervisory Authority, the tax authority, Customs and Excise, the Norwegian Labour and Welfare Administration, and the Ministry of Foreign Affairs.
There is a long tradition in Norway for making data on tax-assessed personal income publicly available. Traditionally, the data were set out on lists that were available in paper form at a local city hall or tax office. The press has been given access to the information electronically for many years. With the development of the Internet and newspapersâ€™ online platforms, some newspapers decided to make the income data available to their readers in a searchable database. In 2004 the rules governing the publication of such data were tightened, making the lists available for individual searches for only three weeks after initial publication. The data lists were then posted electronically on the tax authority's website and provided in hardcopy at local tax offices, and it became illegal for the general media to publish their own database. In 2007 an amendment to the law again gave the mass media access to complete lists of income data. The Government said its reasons included a wish to strengthen the critical debate on the tax system.38 The mass media presently offer gratis online search facilities for looking up personal income data. The Privacy Commission appointed by the Government in 2007 recommended scaling back the online availability of income data so that such online search facilities would only be available from the tax authority's website.39 In 2010 the opposition parties in Parliament proposed banning the publication of assessed taxes. Part of their reasoning is that technological development has made the information more entertainment than grounds for debate on the tax system â€“ there are now iPhone applications to search the "tax lists", a Facebook application that lists your friends' income, etc. The proposal failed, but the majority of the Parliamentary Standing Committee on Finance and Economic Affairs recommended that the rules for publication should be changed, so that the access given to the tax information is more in line with the original intention of the system (public debate and control) and less for entertainment purposes.40
- 1. Act of 12 May 1961 No. 2, amended 2009, Â§ 53a, available at http://lovdata.no/all/tl-19610512-002-045.html.
- 2. Id.
- 3. The Norwegian Ministry of Culture, "Referansegruppe om ulovlig fildeling" ("Reference Group on Illegal File Sharing"), at http://www.regjeringen.no/nb/dep/kud/tema/medier/opphavsrett/Referansegr....
- 4. The Norwegian Data Inspectorate, "Simonsen fÃ¥r ikkje forlenga konsesjonen" ("Simonsen Does Not Get Extended Permission"), http://datatilsynet.no/templates/Page____2825.aspx.
- 5. The Central Marketing Exclusion Register, at http://www.brreg.no/english/registers/exclusion/exclusion.html.
- 6. The Consumer Ombudsman, "Endringer i den nye markedsfÃ¸ringsloven" ("Changes in the New Marketing Control Act"), 1 June 2009, at http://www.forbrukerombudet.no/index.gan?id=11039418.
- 7. Act of 9 January 2009 No. 02, MarkedsfÃ¸ringsloven (The Marketing Control Act), available at http://lovdata.no/all/hl-20090109-002.html.
- 8. The Consumer Ombudsman's, homepage available in English at http://www.forbrukerombudet.no/index.gan?id=490&subid=0.
- 9. All 2009 updates to the Marketing Control Act are available in English at http://www.forbrukerombudet.no/index.gan?id=11039818&subid=0.
- 10. Statistics Norway, "Purpose and Nature of Activities on the Internet the Last 3 months", available in English at http://www.ssb.no/english/subjects/10/03/ikthus_en/tab-2009-09-24-05-en.....
- 11. BankID's homepage, at https://www.bankid.no/.
- 12. Act of 25 June 1999 No. 46 Finansavtaleloven (Financial Contacts Act), amended in June 2010, available at http://www.lovdata.no/all/hl-19990625-046.html
- 13. Act 19 June 2009 No. 81, available at http://www.lovdata.no/all/hl-20090619-081.html.
- 14. Governement White Paper, NOU 2006:6 NÃ¥r sikkerheten er viktigst, English summary available at http://www.regjeringen.no/upload/JD/Vedlegg/Norwegian_CIP_Commision_-_Re....
- 15. IKT-Norge, Bransjenorm for felles innsats mot utbredelse av e-postspam (Business Norm for a Common Effort against the Proliferation of E-mail Spam), at http://ikt-norge.no/PageFiles/348/bransjenorm%20-%20endelig.pdf.
- 16. See the NorSIS website, at http://norsis.no/omsis/english.html.
- 17. See the projectâ€™s website, with a identity theft self assessment test, available in English at http://www.idtyveri.info/.
- 18. Johansen, Hegtun, Haugnes, "Nettselskaper mÃ¥ slette dataspor" ("ISPs Must Delete Digital Traces"), Aftenposten 8 September 2009, available at http://www.aftenposten.no/forbruker/digital/nyheter/data/article3112805.ece.
- 19. See Statistics Norway, at http://www.ssb.no/ikt_en/.
- 20. See TNS Gallup, at http://www.tns-gallup.no/?did=9091935.
- 21. More information available at http://www.slettmeg.no/5250-tall-og-statistikk-mars-2010 and http://www.slettmeg.no/7675-tall-og-statistikk-april-2010.
- 22. Medietilsynet, Barn og digitale medier (Children and Digital Media) (2010), available at http://www.medietilsynet.no/Documents/Trygg%20bruk/Rapporter/Barn%20og%2....
- 23. See http://dubestemmer.no/en/.
- 24. In English at https://tips.kripos.no/cmssite.asp?c=1&nm=0&menu=-1.
- 25. Act of 22 May 1902 No. 10 amended in June 2010, available in Norwegian at http://lovdata.no/all/hl-19020522-010.html.
- 26. Id. at Â§ 201.
- 27. Act 2005-06-17 No. 62: Working Environment Act, amended 2007-02-23 No. 10, supra.
- 28. Mona BrÃ¥ten, "Kontroll og overvÃ¥king i arbeidslivet"(Control and Monitoring at Workplace"), Fafo 2010, available (summary in English) at http://www.fafo.no/pub/rapp/20166/20166.pdf.
- 29. Regulations on the Processing of Personal Data, Chapter 9, supra.
- 30. Norwegian News Agency, "FÃ¥r 15000 I bot for Ã¥ ha lest e-post til ansatt" ("Fined NOK 15.000 for Reading Employee Email"), in Aftenposten, 11 August 2010 available at http://www.aftenposten.no/jobb/article3764372.ece.
- 31. Norwegian Labour and Welfare Organisation, at http://www.nav.no/page?id=1073743655.
- 32. Id.
- 33. Full ruling available at http://www.personvernnemnda.no/vedtak/2009_22.htm.
- 34. The Ministry of Justice and the Police and The Ministry of Finance, "The Norwegian Government's Action Plan for Combating Crime 2004-2007" at 5, available in English at http://www.regjeringen.no/upload/kilde/jd/rap/2004/0035/DDD/PDFV/247688-....
- 35. The Data Inspectorate's 2006 Annual report to the EU Art. 29 Data Protection Working Party, supra.
- 36. Act of 6 March 2009 No. 11 on Measures to Counter Money Laundering and Funding of Terrorism, especially Section 18.
- 37. Lov 2004-05-28 No. 29 om register over opplysninger om valutaveksling og overfÃ¸ring av betalingsmidler inn og ut av Norge (valutaregisterloven), (Law of 28 May 2004 NO. 29 on the Register of Information on Currency Exchange and Transfer of Funds into and out of Norway (Currency Registry Act)), amended in June 2009, available at http://lovdata.no/all/hl-20040528-029.html.
- 38. The Data Inspectorate's 2007 Annual report to the EU Art. 29 Data Protection Working Party, 12 June 2008, at http://datatilsynet.no/templates/Page____2327.aspx.
- 39. NOU 2009:1, supra, Section 13.5.6.
- 40. Innst. 134 S (2009â€“2010), available at http://www.stortinget.no/no/Saker-og-publikasjoner/Publikasjoner/Innstil....