Data Protection in Norway

From GDPRhub
Revision as of 14:21, 16 January 2020 by (talk) (→‎Courts)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Data Protection in Norway
Data Protection Authority: Datatilsynet (Norway)
National Implementation Law (Original): Personopplysningsloven
English Translation of National Implementation Law: n/a
Official Language(s): Norwegian
National Legislation Database(s): (in NO) - (private foundation)
English Legislation Database(s): (partial, unofficial), UiO (partial, unofficial)
National Decision Database(s): (paywall/subscription)



The first major case that the Supreme Court of Norway decided on regarding the right to privacy was To mistenkelige personer (Two Suspicious Individuals) (Rt-1952-1217) in 1952. The case concerned a movie based on a crime novel, which was based on actual events from 1926. One of the sentenced men filed for an injunction to stop the movie from being published, as he argued that he had served his time for the events depicted, and that the movie would interfere with his right to privacy. The Supreme Court agreed with this view and stopped the publishing of the movie. The Sykejournal-judgement from 1977 (Rt-1977-1035) concerned a patient’s right to access of their medical records, which was granted by the Supreme Court. Both cases were decided on as a matter of unwritten law, and not on the basis of legislation.

Norway passed the Personal Data Registers Act of 1978, which was in force until the enactment of the Personal Data Act of 2000, which built on Directive EC/95/46.

National constitutional protections

In 2014, human rights inspired by the ECHR was incorporated into the Constitution. The right to privacy now follows from § 102 of the Constitution.

National GDPR implementation law

The national implementation of GDPR follows from the Personal Data Act of 2018 (personopplysningsloven), as well as sectorial adjustments in laws regulating, amongst other, patients and healthcare, and police records.

Age of consent

The age of consent is 13 years following § 5 of the Personal Data Act.

Freedom of Speech

For the processing of personal data “exclusively” for journalistic purposes, or for academic, artistic or literary purposes, only Article 24, Article 26, Article 28, Article 29, Article 32, and Article 40- Article 43 applies, following § 3.

Employment context

Special categories of personal data can be processed in an employment context when it’s necessary for duties or rights under labour law following § 6.


Personal data can be processed on the basis of Article 6(1)(e) if it’s needed for archival in the interests of the public, or for purposes related to scientific or historic research, or statistics following § 8.

Special categories of data can be processed without consent from the data subject if the processing is necessary for archival purposes in the interests of the public, for purposes related to scientific or historic research, or statistic purposes, and where the interests of society is clearly greater than the interest of the individual following § 9.

Other relevant national provisions and laws

One notable inclusion in the Norwegian implementation is that fake cameras, or signs that gives the impression of an area being monitored, are prohibited if real cameras processing personal data would be prohibited in the same place.

National ePrivacy Law

The Electronic Communications Act implements parts of the ePrivacy Directive, including the placement of cookies which is regulated under § 2-7b. Spam emails are regulated under The Marketing Control Act § 15. In addition, there is a Central Marketing Exclusion Register where consumers can opt-out of marketing, in which case businesses cannot contact them unless certain conditions are met (former consent/request or existing business relationship).

Data Protection Authority

The Norwegian Data Protection Authority (Datatilsynet) is the national data protection authority for Norway.

The Norwegian Communication Authority (NKOM) oversees the Electronic Communications Act and is the responsible authority when it comes to, for instance, the placement of cookies or other instances that regards the implementation of the ePrivacy Directive within the Electronic Communication Act. If the cookies constitutes personal data, The Norwegian Data Protection Authority will handle the complaint.  

The Norwegian Data Protection Authority handles complaints filed with them. An appeal can be brought to Personvernnemda, an independent administrative body following § 15 of the Personal Data Act.

→ Details see Datatilsynet (Norway)

Judicial protection


There is one court system with three instances in Norway - the District Courts (first instance); The Courts of Appeal (second instance); and the Supreme Court (third and last instance). The courts are divided into judicial districts, which is one of several elements that may decide which regional court that gets to decide the case (verneting in Norwegian). Judges in Norway are generalists rather than specialists. As such, there is no specialized chambers in the courts for privacy matters.

Complaints can be filed directly with the lower instance court pursuant to § 1-3 of the Dispute Act. If the filing concerns the validity of a decision by Personvernnemda, the State act as defendant pursuant to the Personal Data Act § 43(5).