WorldLII [Home] [Databases] [WorldLII] [Search] [Feedback]

EPIC --- Privacy and Human Rights Report

You are here:  WorldLII >> Databases >> EPIC --- Privacy and Human Rights Report >> 2006 >>

[Database Search] [Name Search] [Recent Documents] [Noteup] [Help]

EPIC --- Privacy and Human Rights Report 2006

Title Page Previous Next Contents | Country Reports >Kingdom of Norway

Kingdom of Norway

Constitutional Privacy Framework

The Norwegian Constitution of 1814 does not have a specific provision dealing with the protection of privacy.[3916] The closest provision is Article 102, which prohibits searches of private homes except in "criminal cases." More generally, Article 110(c) of the Constitution places state authorities under an express duty to "respect and secure human rights."[3917] In 1952, the Norwegian Supreme Court held that there exists in Norwegian law a general legal protection of "personality," which embraces a right to privacy. This protection of personality exists independently of statutory authority but helps form the basis of the latter (including data protection legislation), and can be applied by the courts on a case-by-case basis.[3918] A statutory protection for privacy is granted by Section 390 of the Criminal Code 1902. Section 390 provides a penalty for violations of privacy caused by "public disclosure of information relating to personal or domestic affairs."[3919]

The Norwegian Constitution also protects freedom of speech (Article 100). Persons may not be legally liable for disseminating or receiving information, ideas, or messages if the information can be justified under the rubric of freedom of expression (i.e., the seeking of truth, the promotion of democracy, or the expression of an individual opinion) (Article 100(2)). Postal communications may be censored only within certain State institutions and by leave of a court of law (Article 100(4)).

Data Protection Framework

The Electronic Communications Act of 2003 and its accompanying regulations implement the requirements of the European Union (EU) Directive on Privacy and Electronic Communications (2002/58/EC). Under Section 2-9 of the Act, telecommunications providers must safeguard the secrecy of the content of telecommunications.[3920] The duty of confidentiality, however, does not prevent such information from being given to the prosecuting authority or the police, or to another authority pursuant to the law.[3921]

Article 6-2 of the accompanying regulation states that all electronic communication providers must keep records of all their end users. The consequence of this provision is that mobile phone cash cards can no longer be sold anonymously.[3922] After the passage of EU Directive 2006/24/EU on data retention on March 15, 2006, Norway’s law may change. Member countries must make laws necessary to comply with the directive no later than September 15, 2007.[3923] Member countries may postpone application of the directive to “the retention of communications data relating to Internet Access, Internet telephony and Internet e-mail” until March 15, 2009.[3924]

Data Protection Authority

The regulation of personal data and information in Norway was formerly governed by the Personal Data Registers Act of 1978, but this law has been replaced by the Personal Data Act of 2000 (PDA).[3925] The PDA protects the right to privacy by setting out safeguards to ensure that personal data are processed in accordance with fundamental respect for the right to privacy, including the need to protect personal integrity and private life and to ensure adequate quality of personal data (Section 1). Enforcement of the PDA is overseen by The Data Inspectorate (Datatilsynet), a body originally set up in 1980.[3926] The Inspectorate is placed under the administrative wings of the Ministry of Labor and Government Administration, but is otherwise expected to function completely independently of government or private sector bodies.

The responsibilities of the Inspectorate include verifying compliance with statutes and regulations that apply to the processing of personal data and that errors or deficiencies are rectified; identifying risks to protection of privacy; and providing guidance on measures to avoid or limit such risks.[3927] Complaints are normally handled by written procedures, but also by guidance meetings, by phone calls and e-mail. In terms of complaints enforcement, the Data Inspectorate has the tools mentioned in Sections 47 – 49 in the Act of April 14, 2000 No. 31 relating to the processing of personal data (Personal Data Act).[3928] Decisions of the Inspectorate may be appealed to a quasi-judicial body, the Data Protection Tribunal (Personvernnemnda). Decisions of the Tribunal may be appealed to civil courts on questions of law.[3929]

Although Norway is not a member of the European Union, the PDA was designed to bring Norwegian law into compliance with the EU Data Protection Directive.[3930] The PDA covers all data that may be linked directly or indirectly to individuals.[3931] The PDA applies to both the public and private sectors, and it covers both manual and computerized registers (Section 3). As a point of departure, the PDA requires that the Data Inspectorate be notified in advance of data-processing operations (Sections 31-32). In some instances, a license must be acquired from the Data Inspectorate in order to process data. This is generally the case, for example, with the planned processing of sensitive information, such as information on racial origin, religion, or criminal record (Section 33), and with the processing of personal data by the insurance, banking and telecommunications sectors (Chapter 7 of the regulations to the Act). The Inspectorate also has the power to make onsite visits to data register licensees to determine compliance with the Act (Section 44).

The PDA provides strong protections for data subjects about whom data has been collected. The Act provides that all persons have a right to demand access to information which concerns them (Section 18). Also, according to the Act, all incorrect data must be corrected (Section 27), and all persons shall have the right to block their name from use in direct marketing (Section 26). The Act also restricts the flow of personal data to other countries in accordance with the rules laid down in Articles 25 and 26 of the EU Data Protection Directive (Sections 29-30). Again, similar to the EU Directive, data subjects must be informed that their personal data is being collected and of the name of the controller collecting the personal data (Sections 19-20). New in relation to the EU Directive, however, is that the Act imposes a duty of informing the subject when, on the basis of a personal profile, either the data subject is approached or contacted, or a decision directed at the data subject is made. In such a case, the data subject must be automatically informed of the data controller's identity, the data constituting the profile, and the source of these data (Section 21). Violations of the Act are punishable by fines or imprisonment (Sections 46 et seq.).[3932]

A decision of principle by the Data Protection Tribunal in late 2002 defines the scope of the Act, specifically as it applies to human biological material such as blood samples. The tribunal's decision overturned a Norwegian Data Inspectorate ruling on a case involving a medical researcher who wished to take human blood samples from his work at a university hospital with him to his new job.[3933] The Data Inspectorate ruled that blood samples constituted "personal information" for the purposes of the Act. On appeal, the decision was reversed by a majority of the Data Protection Tribunal, applying a view of "data" and "information" typical in the fields of informatics and information science. Further, the decision reflected a concern that the Act should not be radically extended in scope without such an extension being considered in Parliament.[3934]

The Tribunal found that audiotape recordings of a person's telephone conversation – recorded without the consent of that person by the other party to the conversation – do not fall within the scope of the PDA; such recordings per se could not constitute a "register" or "file" for the purposes of Section 3(1)(b), as they are not organized in a way that facilitates ready identification of specific individuals.[3935] The tribunal also found that the recordings could not qualify as a processing of personal data by automatic means (Section 3 (1)(a)), because manual intervention was needed to initiate and conclude the recording operation.

A decision by the Court of Justice of the European Communities in the criminal proceedings against Bodil Lindqvist[3936] has led to a change in policy of the Norwegian Data Inspectorate.[3937] The Inspectorate had exempted from the Act the posting of personal data on homepages for ostensibly private or domestic purposes. The Lindqvist decision, however, states that the exemption for "private" processing does not apply when the data can be accessed by an indefinite number of persons. Unless personal data posted on a web site is restricted so that only a small number of persons can legally access the material, the disclosure of this data now falls within the scope of the European Data Protection Directive and the PDA.[3938]

Statutory Rules Related to Privacy

In 2007, Norway amended its Working Environment Act to add provisions for whistleblowers. Under the amendments, workers may remain anonymous.[3939] In addition, the businesses must handle the employee’s information according to the PDA.

In January 2006, a new act was passed which created a central register for political parties and their candidates, allows disclosure of private individuals’ financial support to political parties, and prohibits anonymous contributions to political parties.[3940]

2006 also brought changes to The Child Welfare Act.[3941] These amendments make it mandatory for employees at private crisis centers that receive funding from the government to disclose information to the Child Welfare Authorities if they have reason to believe that a child is being neglected. The Data Inspectorate was very strongly opposed to this provision and “believes that it represents a serious infringement of the integrity of persons who contact a crisis centre in an emergency situation.”[3942]

The Norwegian Nationality Act, Section 7 was amended to require a police certificate when applying for Norwegian nationality.[3943] The police certificate will contain preliminary charges and indictments, even in situations where the offense was not prosecuted. Another provision that would have suspended the duty of confidence of all public authorities, and at the same time subjected them to a disclosure requirement if the immigration authorities needed information in their processing of nationality applications, was not adopted.

The Competition Act, Money Laundering Act and Foreign Register Act all came into force in 2005, and allow the tax administration to request audit information from financial institutions and the tax collector to obtain audit information from third parties.[3944] The police are allowed access during open investigations. In 2006, amendments were proposed that would give the police access if the police need the information to prevent and combat crime.[3945]

The Money Laundering law requires employees in financial, gaming, and other institutions involved in the transfer of funds to notify the Norwegian Economic Crime Unit if they suspect that a client may be laundering funds.[3946]

Wiretapping and Surveillance Rules

Wiretapping normally requires the permission of a court and is initially limited to four weeks.[3947] A Supervisory Board reviews the warrants to ensure the adequacy of the protections. A Parliamentary Commission of Inquiry was created in 1994 to investigate the post-World War II surveillance practices of Norwegian police and security services. The Lund Commission delivered a 600-page report in 1996, causing a great deal of public and political debate on account of its finding that much of the undercover surveillance practices, including wiretapping of left-wing political groups until 1989, had been instituted and/or conducted illegally and that the courts had not generally been strong enough in their oversight.[3948] This included keeping files on children as young as 11 years old.

Provisions of the Criminal Procedure Act allow for wiretapping without court permission in two circumstances. First, Section 216(a) allows wiretapping for narcotics investigations and in connection with cases involving national security, albeit with the permission of a magistrate court. Second, Section 216(b) allows wiretapping in connection with some less serious offenses but requires the permission of a magistrate court.

The PDA provides specific rules for video surveillance. Video surveillance that does not create actual files falls under weaker protection than regular personal data registers. However, if the surveillance results in the actual recording of pictures, then the surveillance falls under the Act and the Data Inspectorate must be informed (Section 37). The Inspectorate has the power to intervene and prohibit the surveillance if it does not conform with the Act. If the video surveillance is performed in a public place, there must be clear notice given, such as through use of a warning sign (Section 40). However, the Criminal Procedure Act of 1981 allows police to perform covert video surveillance of public areas if the surveillance is permitted by court order and is of "essential significance" for investigating suspected criminal conduct that can result in more than six months imprisonment (Section 202(a)).[3949]

Some data registers kept for purposes of policing and/or national security also taken outside the control competence of the Data Inspectorate (Chapter 1 of the regulations to the Act).

Legislation to monitor the secret services was approved in 1995 following the Lund Commission's recommendations.[3950] The legislation created a new Control Committee to monitor the activities of the Police Security Services, the Defense Security Services, and the Defense Intelligence Services. The former Minister of Justice and the head of the Norwegian security police (POT) were forced to resign from the government in 1996 after it was revealed that the POT had placed a member of the Lund Commission under surveillance and requested a copy of her Stasi file from the German authorities four times.[3951] Later it was discovered that the POT had also investigated several key members of the Parliament who have oversight over the agency.[3952]

Many other laws contain provisions relevant to privacy and data protection. These include the Administrative Procedures Act of 1967 and the Criminal Code of 1902.[3953] The Criminal Code first prohibited the publication of information relating to "personal or domestic affairs" in 1889.[3954] The Criminal Code also prohibits the unauthorized opening of sealed correspondence, including cracking security mechanisms.[3955] The Criminal Code also prohibits covert monitoring or recording of telephone conversations or other conversations in closed settings.[3956]

Anti-terrorism Measures

In April 2002, the Norwegian Parliament adopted amendments to the Norwegian Penal Code, which include prohibitions against "terrorist acts."[3957] Many privacy advocates and non-governmental organizations have expressed concern that the prohibition against "terrorist acts" is too broad and imprecise, and may result in persons becoming victims of arbitrary, inaccurate, or politically motivated charges.[3958]

A report from an official Norwegian commission tackled the controversial issue of balance between crime prevention and privacy in the light of global terrorism and organized crime.[3959] In response, Norway passed a law that makes it easier for the police to use bugging of non-telephonic conversations between criminals, a practice known as "romavlytting" in Norwegian, and other means of covert investigation.[3960]

Norway created a database of asylum seekers which contains biometric information such as fingerprints.[3961] This database was opened to the police in criminal investigations even though the original intent of the database was to help establish the identity of asylum seekers.[3962]

To safeguard human rights and fundamental freedoms in light of the threat of terrorism, the Norwegian government granted the Norwegian Institute for Human Rights the status of a national human rights institution in 2002. The Institute monitors Norway's adherence to international human rights standards and has four main areas: (1) human rights and power, (2) human rights and development, (3) human rights and diversity and (4) human rights and conflicts.[3963]

Recent Developments

Norway recently created a Personal Privacy Commission, which has a December 8, 2008 deadline for “delivering a comprehensive status report outlining the challenges facing the protection of personal privacy” to the Storting (Parliament).[3964] The commission's work will be part of the information considered for creating guidelines for security technology in the European Union.

The government established the Norwegian Labour and Welfare Organisation (NAV) to provide comprehensive welfare reform.[3965] It was a merger of three organizations: The National Insurance Organization, The National Employment Service and the Social welfare System. As of July 2007, the NAV has data on more than 2 millions users from these combined databases.[3966] This merger has raised concerns because the number of people with access to sensitive personal data has doubled, but there are no adequate access restrictions on the system.

Norway is proposing to increase the police’s storage of DNA samples to everyone who is convicted to a prison sentence.[3967] A committee appointed by the Ministry of Justice and the Police suggested that anyone sentenced for a crime should have to give up their DNA for the central DNA database.[3968] Previously only felons in cases of murder, violent crimes and serious crimes related to narcotics had to give up their DNA.[3969]

Sandok, the Norwegian Armed Forces Health Register came into force in 2006.[3970] The register may contain personal, service and health data about Defense personnel; information about physical and social environments; and health information – all obtained without the person’s consent.[3971]

In October 2005, production of biometric passports started in Norway.[3972] The Data Inspectorate expressed serious concerns regarding the security of the passports because the data stored on the RFID chips is not encrypted.[3973] The chip contains a digital photo and personal information of the holder. The digital photo in the chip can be measured against the facial features of the person traveling with the passport, which is intended to make it easier to authenticate passport holders and reduce risks of theft and fraud.

Open Government

The 1970 Act on Public Access to Documents in the (Public) Administration provides for public access to government records. Under the Act, there is a broad right of access to records. The Act has been in effect since 1971. The Act does not apply to records held by the Parliament, the Office of the Auditor General, the Ombudsman for Public Administration, or other parliamentary institutions. There are exemptions for internal documents; information that "could be detrimental to the security of the realm, national defense or relations with foreign states or international organizations"; subject to a duty of secrecy; "in the interests of proper execution of the financial, pay or personnel management"; the minutes of the Council of State, photographs of persons entered in a personal data register; complaints, reports and other documents concerning breaches of the law; answers to examinations or similar tests; and documents prepared by a ministry in connection with annual fiscal budgets. The King can make a determination that historical documents in the archive that are otherwise exempted can be publicly released. If access is denied, individuals can appeal to a higher authority under the act and then to a court.

International Obligations

Norway is a member of the Council of Europe (CoE) and has signed and ratified the CoE's Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) and has signed ETS No. 181.[3974] It has signed and ratified the European Convention on Human Rights.[3975] Norway has signed and ratified, the CoE's Convention on Cybercrime.[3976] Moreover, Norway is a member of the Organization for Economic Cooperation and Development (OECD). It has adopted the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (1980), together with the OECD Guidelines for Cryptography Policy (1997) and Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (2002).[3977]

[3916] The Constitution of the Kingdom of Norway, English version available at <> (this URL (as of July 20, 2007) links to the text of the Constitution as it existed in 1995; more recent amendments to the Constitution, particularly to Article 100 (freedom of speech – see infra), are not reflected therein); the current Norwegian version (Kongeriget Norges Grundlov), with latest amendments as of September 30, 2004, is available at <>.
[3917] Lee A. Bygrave & Ann Helen Aaro, Norway, International Privacy, Publicity and Personality Laws 333 (M. Henry ed., 2001).
[3918] Id. at 340.
[3919] Id. at 334.

[3920] The Electronic Communications Act (ekomloven), July 4, 2003, No. 83, available at <> (unofficial English translation).
[3921] Id.

[3922] E-mail from Morten Foss, Legal Adviser, The Norwegian Post and Telecommunications Authority, to Kenneth Farrall, IPIOP Law Clerk, Electronic Privacy Information Center (EPIC), June 14, 2004 (on file with the EPIC).
[3923] Eur. Parl. Dir. 2006/24/EU available at <>.
[3924] Id.

[3925] The Data Inspectorate's homepage <>.
[3926] Id.

[3927] Id.
[3928] E-mail from Gunnel Helmers, Data Inspectorate, Norway, to Ula Galster, International Policy Fellow, EPIC, April 29, 2005 (on file with EPIC). For more information on the Data Inspectorate's investigation procedures and tools of empowerment, see <>.
[3929] Bygrave & Aarø, at 337.

[3930] Id. at 336.
[3931] Lee A. Bygrave, Data Protection Law: Approaching Its Rationale, Logic and Limits 48 (The Hague: Kluwer Law International, 2002).

[3932] See also Bygrave & Aarø, supra, at 339-340.

[3933] See appeal decision in case 8/2002, available at <>.
[3934] Lee A. Bygrave, "The Body as Data? Reflections on the Relationship of Data Privacy Law with the Human Body," edited text of speech given at an international conference organized by the Office of the Victorian Privacy Commissioner on the theme "The Body as Data," Federation Square, Melbourne, September 8, 2003, available at <$FILE/Bygrave%20paper.pdf>.

[3935] See appeal decision in case 1/2005, available at <>.

[3936] See decision of November 6, 2003 in Case C-101/01.
[3937] See EU Data Protection Directive (1995/46/EC), OJEC of November 23, 1995 No L. 281 p. 31, Article 3(2), second indent, available at <!celexapi!prod!CELEXnumdoc&lg=EN&numdoc=31995L0046&model=guichett>.
[3938] Id.

[3939] Act 2005-06-17 No 62: Working Environment Act, amended 2007-02-23 No 10, available in English at <>.

[3940] Act 2005-06-17 No. 102: The Political Parties Act, entry into force January 1, 2006, available in English at <>.

[3941] Act 1992-06-17 No. 100: The Child Welfare Act, amended January 1, 2006, available at <>.
[3942] The Data Inspectorate’s 2006 annual report to the EU Art. 29 Data Protection Working Party, May 31, 2007, <>.

[3943] Act No. 2005-6-10 No 51, Norwegian National Act, amended June 2007 available at <>.

[3944] The Ministry of Justice and the Police and The Ministry of Finance, “The Norwegian Government’s Action Plan for Combating Crime 2004-2007” at page 5, available in English at <>.
[3945] The Data Inspectorate’s annual report to the EU Art. 29 Data Protection Working Party, supra.

[3946] "New Money Laundering Law Passed," Aftenposten, May 29, 2003, available at <>.

[3947] See generally Criminal Procedure Act, Chapter 16 a.
[3948] "Judicial Inquiry into Norwegian Secret Surveillance," Fortress Europe Circular Letter (FECL) 43 (April/May 1996), available at <>.

[3949] Act of 22 May 1981 No. 25, amended by Act of 30 June 2006 No. 53 available in English at <>.

[3950] Act No. 7 of February 3, 1995 on the Control of the Secret Services.
[3951] "Minister Resigns," Statewatch Bulletin, November-December 1996, Vol. 6, No 1.
[3952] "Minister Steps back after New Snooping Scandal," FECL 49 (December 1996/January 1997), available at <>.

[3953] See generally Bygrave & Aarø, supra, at 334-335.
[3954] See Prof. Dr. Juris Jon Bing, Data Protection in Norway, 1996, available at <>.

[3955] Bygrave & Aaro, supra, at 334.
[3956] Id.

[3957] International Helsinki Foundation (IHF) Report, "Human Rights in the OSCE Region: Europe, Central Asia and North America 2003 (Events 2002)"<>.
[3958] Id.

[3959] See "Mellom Effektivitet og Personvern," NOU 2004:6.
[3960] Ot.prp nr. 60 (2004-2005), The Norwegian Ministry of Justice and the Police (2005), available in Norwegian at <>.

[3961] Data Inspectorate, 2005 Annual Report to the EU Art. 29 Data Protection Working Party, October 3, 2005 available at <>.
[3962] Rundskriv H19/03: Ikrafttredelse avendringer i utlendingsloven og utlendingsforskriften, The Norwegian Ministry of Local Government and Regional Development (2003).

[3963] Norwegian Center for Human Rights, “Annual Report 2006,” at 1, available in English at <>.

[3964] Aftenposten, “Norwegians could accept surveillance” June 6, 2007 available in English at <>.

[3965] Norwegian Labour and Welfare Organization <>.
[3966] Id.

[3967] NOU 2005:19, The Norwegian Ministry of Justice and the Police (2005).
[3968] Norwegian Board of Technology, “overview of Security Technologies,” at 63, April 2006, available in English at <>.
[3969] Id.

[3970] Id.
[3971] Id.

[3972] Press Release, Ministry of Justice and the Police, “New Electronic Passports“ September 27, 2005 <> (in Norwegian).
[3973] Press Release, Data Inspectorate, “Passports Have Inadequate Security” October 10, 2005 <> (in Norwegian).

[3974] ETS No 108 signed March 13, 1981, ratified February 20, 1984, entered into force October 1, 1985; ETS No. 181 signed November 8, 2001, available at <>.
[3975] Signed November 11, 1950; ratified January 15, 1952; entered into force September 3, 1953.
[3976] Signed November 23, 2001, ratified June 30, 2006; entered into force October 1, 2006.

[3977] Available at <>.

WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback