Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Norway modernizes its data protection law [2000] PLBIRp 36; (2000) 55 Privacy Laws and Business International Report 8

Norway modernises its data protection law

A MEMBER OF THE European Economic Area, Norway has legislated to follow the EU Data Protection Directive. The new data law is expected to enter into force on 1st January 2001.

The Personal Data Act was adopted on 14th April 2000. The purpose of the new law is "to protect natural persons from violation of their right to privacy through the processing of personal data." As personal data is understood to mean any information and assessments that may be linked to a natural person, the application of the law is wide.

The Act applies to data controllers who are established in Norway, and to controllers who are established outside the European Economic Area (the European Union plus Norway, Iceland and Liechtenstein), but make use of equipment in Norway. There is an exemption for using such equipment solely to transfer personal data through Norway.

When the law enters into force, it will repeal the Personal Data Registers Act of 1978. It is important to note that the Act does not limit the right of access to information guaranteed by the Freedom of Information Act, the Public Administration Act or any other statutory right of access to personal data.

NEW REGISTRATION SYSTEM

Data controllers will, in the future, have to notify the Data Inspectorate (the supervisory authority) before starting to process data automatically, or in the case of manual data, before establishing a file, which contains sensitive personal data. The processing of sensitive data by automatic means requires a licence. This does not apply, however, to sensitive data that data subjects have disclosed voluntarily. The Data Inspectorate may also define other areas to be subject to licensing.

Notifications have to be received at least 30 days before the processing starts. The Data Inspectorate is currently developing a notification system, which will be operational when the law enters into force. The Act does not include any exemptions on notification, but further regulations may be adopted.

EMPHASIS ON PROCESSING

The new Act builds on the core concepts of processing and consent. Processing is defined as "any use of personal data, such as collection, recording, alignment, storage and disclosure or a combination of such uses." Data subjects' consent is always needed for processing, apart from where the processing is necessary, for example to fulfil a contract (the same terms as in the directive). Consent is defined as freely given, specific and informed declaration by the data subject.

It is important to note that data subjects have a right to be excluded from direct marketing. A central preference service will be set up - further regulations are expected on this point. Controllers who conduct direct marketing campaigns must purge their mailing lists against the register prior to sending the first mailing, and thereafter at least four times a year. However, if the data subject has a current customer relationship with the organisation in question, the right to request a complete blocking against receiving any direct mail does not apply.

SPECIAL FEATURES

As the use of personal identification numbers is common in Norway, the Act includes special rules on their processing. They may be processed only when there is an objective need for identification.

The Act also specifically regulates the use of video surveillance. It applies to recordings which are possible to be searched according to personal data criteria. Recordings may not be disclosed to third parties unless the data subject has consented to that, or there is a statutory requirement.

TRANSFERS ABROAD

The Act states that all countries that have implemented the data protection directive ensure adequate protection, and personal data from Norway may be transferred to those countries. Personal data may also be transferred to third countries if the conditions set out in the directive are met.

The new law also mentions a possibility of transferring data if there is an obligation pursuant to an international agreement or as a result of membership of an international organisation. The law emphasises that special attention in judging adequacy should be given as to whether the country has ratified the Council of Europe Convention 108 on the protection of individual with regard to the automatic processing of personal data.

SUBJECT ACCESS RIGHTS

The law guarantees all the necessary access rights. Data controllers have to reply to inquiries within 30 days of receiving an inquiry. Subject access may be exercised free of charge.

Interestingly, data subjects may also request information on who has the day-to-day responsibility for fulfilling the obligations of the data controller.

SECONDARY LEGISLATION AWAITED

Many of the law's sections may be amended by further regulations, and it is therefore difficult to see how the new regime will work in practice. It is likely that secondary legislation will define transitional periods, the detail of the notification and direct marketing schemes, requirements for data security and further regulation for particular sectors, for example credit information services.

An English translation of Norway's new law can be found at the website of the Data Inspectorate, http://www.datatilsynet.no.