Data Protection in Norway

From GDPRhub
Data Protection in Norway
No.png
Data Protection Authority: Datatilsynet (Norway)
National Implementation Law (Original): Personopplysningsloven
English Translation of National Implementation Law: n/a
Official Language(s): Norwegian
National Legislation Database(s): Lovdata.no (in NO) - (private foundation)
English Legislation Database(s): Lovdata.no (partial, unofficial), UiO (partial, unofficial)
National Decision Database(s): Lovdata.no (paywall/subscription)

Legislation

History

The first major case that the Supreme Court of Norway decided on regarding the right to privacy was To mistenkelige personer (Two Suspicious Individuals) (Rt-1952-1217) in 1952. The case concerned a movie based on a crime novel, which was based on actual events from 1926. One of the sentenced men filed for an injunction to stop the movie from being published, as he argued that he had served his time for the events depicted, and that the movie would interfere with his right to privacy. The Supreme Court agreed with this view and stopped the publishing of the movie. The Sykejournal-judgement from 1977 (Rt-1977-1035) concerned a patient’s right to access of their medical records, which was granted by the Supreme Court. Both cases were decided on as a matter of unwritten law, and not on the basis of legislation.

Norway passed the Personal Data Registers Act of 1978, which was in force until the enactment of the Personal Data Act of 2000, which built on Directive EC/95/46.

National constitutional protections

In 2014, human rights inspired by the ECHR was incorporated into the Constitution. The right to privacy now follows from § 102 of the Constitution.

National GDPR implementation law

The national implementation of GDPR follows from the Personal Data Act of 2018 (personopplysningsloven), as well as sectorial adjustments in laws regulating, amongst other, patients and healthcare, and police records.

Age of consent

The age of consent is 13 years following § 5 of the Personal Data Act. There is, however, no general age when the child can handle processing of personal data on their own. There are some excemptions that give children the power to consent in some instances, such as relating to information society services in GDPR art. 8.

Freedom of Speech

For the processing of personal data “exclusively” for journalistic purposes, or for academic, artistic or literary purposes, only Article 24, Article 26, Article 28, Article 29, Article 32, and Article 40- Article 43 applies, following § 3.

Employment context

Special categories of personal data can be processed in an employment context when it’s necessary for duties or rights under labour law following § 6.

Research

Personal data can be processed on the basis of Article 6(1)(e) if it’s needed for archival in the interests of the public, or for purposes related to scientific or historic research, or statistics following § 8.

Special categories of data can be processed without consent from the data subject if the processing is necessary for archival purposes in the interests of the public, for purposes related to scientific or historic research, or statistic purposes, and where the interests of society is clearly greater than the interest of the individual following § 9.

Other relevant national provisions and laws

One notable inclusion in the Norwegian implementation is that fake cameras, or signs that gives the impression of an area being monitored, are prohibited if real cameras processing personal data would be prohibited in the same place.

National ePrivacy Law

The Electronic Communications Act implements parts of the ePrivacy Directive, including the placement of cookies which is regulated under § 2-7b. Spam emails are regulated under The Marketing Control Act § 15. In addition, there is a Central Marketing Exclusion Register where consumers can opt-out of marketing, in which case businesses cannot contact them unless certain conditions are met (former consent/request or existing business relationship).

Oversight of the Electronic Communications Act is placed with the Norwegian Communications Authority (Nasjonal Kommunikasjonsmyndighet - "NKOM"). Similar to other EFTA-countries (Iceland, Lichtenstein), directive 2009/136/EC is not per se implemented, as it is not amended to the EFTA-agreement. The lack of implementation is due to the creation of The Body of European Regulators for Electronic Communications ("BEREC"). Due to uncertainty concerning the EFTA-countries connection to BEREC with regards to the EFTA-agreement (and sovereignity), the amended 2009-directive requiring an explicit consent for the placement of cookies does not apply.

However, the legal situation concerning the placement of cookies is still uncertain. The legislator decided to adopt internal rules, similar to the requirements under article 5 in the amended 2009/136/EC directive, to avoid divergent rules from the rest of the union. The wording of § 2-7b of the Electronic Communications Act is therefore identical to the wording of article 5 in the ePrivacy-directive.

However, the adopted law did not meet the standards set out in the amended directive (and later upheld in the Planet-49 case). The national law is currently ambiguous, in large part due to statements in the preparatory works explicitly allowing for the use of the "implicit" consent construction - requiring Do Not Track-signals and the like to indicate that one does not consent. Another reason is seemingly the lack of enforcement, and lack of will to enforce, the current law by NKOM. In part, it is questionable if the clearly stated requirement of "consent" in the wording of § 2-7b, read in conjunction with Article 2(f) in the implemented directive 2002/58/EC, and the clearly stated goal of adopting national legislation for the purpose of EU harmonization, can support the statement in the preparatory works with regards to "implicit" consent.

Data Protection Authority

The Norwegian Data Protection Authority (Datatilsynet) is the national data protection authority for Norway.

The Norwegian Communication Authority (NKOM) oversees the Electronic Communications Act and is the responsible authority when it comes to, for instance, the placement of cookies or other instances that regards the implementation of the ePrivacy Directive within the Electronic Communication Act. If the cookies constitutes personal data, The Norwegian Data Protection Authority will handle the complaint.  

The Norwegian Data Protection Authority handles complaints filed with them. An appeal can be brought to Personvernnemda, an independent administrative body following § 15 of the Personal Data Act.

→ Details see Datatilsynet (Norway)

Judicial protection

Courts

There is one court system with three instances in Norway - the District Courts (first instance); The Courts of Appeal (second instance); and the Supreme Court (third and last instance). The courts are divided into judicial districts, which is one of several elements that may decide which regional court that gets to decide the case (verneting in Norwegian). Judges in Norway are generalists rather than specialists. As such, there is no specialized chambers in the courts for privacy matters.

Complaints can be filed directly with the lower instance court pursuant to § 1-3 of the Dispute Act. If the filing concerns the validity of a decision by Personvernnemda, the State act as defendant pursuant to the Personal Data Act § 25.