Nils Arne Grønlie
A contracting party to the European Economic Area (“EEA”) Agreement, Norway implemented the EU Data Protection Directive 95/46/EC in April 2000 with the Personal Data Act 2000 (“Act”). Enforcement is through the Data Protection Authority (“DPA”).
Definition of Personal Data
Any information and assessments that may be linked to a natural person (the Act section 2, number 1).
Definition of sensitive Personal Data
Information relating to a) racial or ethnic origin, or political opinions, philosophical or religious beliefs, b) the fact that a person has been suspected of, charged with, indicted for or convicted of a criminal act, c) health, d) sex life, or e) trade union membership (the Act section 8).
National Data Protection Authority
The Data Protection Agency
Unless an exemption applies, data controllers who process personal data by automatic means must notify the DPA so that their processing of personal data may be registered and made public. Changes to the processing of personal data will require the notification to be amended and a new notification shall in any event be given three years after the previous notification was given.
The notification shall, inter alia, include the following information (as outlined in the DPA’s standard electronic notification form):
■ the purpose(s) of the processing;
■ the controller’s contact details and sector;
■ whether sensitive personal data are processed;
■ whether a data processor processes data on behalf of the controller; and
■ whether the data will be transferred outside the EEA.
Data Protection Officers
There is no requirement in Norway for organizations to appoint a data protection officer.
Collection and Processing
Data controllers may collect and process personal data when any of the following conditions is met:
■ the data subject consents;
■ there is statutory authority for the processing;
■ the processing is necessary to fulfill a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into such a contract;
■ the processing is necessary to enable the controller to fulfill a legal obligation;
■ the processing is necessary to protect the vital interests of the data subject;
■ the processing is necessary to perform a task in the public interest;
■ the processing is necessary to exercise official authority; or
■ the processing is necessary to enable the controller or third parties to whom the data is disclosed to protect a legitimate interest, except where such interest is overridden by the interests of the data subject.
Where sensitive personal data is processed, one of the above conditions must be met plus one of a further list of additional conditions.
Whichever of the above conditions is relied upon, the controller must first provide the data subject with certain information, unless an exemption applies. The notification shall include information on the identity of the controller, the purposes of the processing, whether the data will be disclosed and if so, the identity of the controller, the fact that the provision of data is voluntary and any other circumstances that will enable the data subject to exercise his rights pursuant to the Act.
Data controllers may transfer personal data out of the EEA if any of the following conditions are met:
■ the data subject has consented to the transfer;
■ there is an obligation to transfer the data pursuant to an international agreement or as a result of membership of an international organization;
■ the transfer is necessary for the performance of a contract with the data subject, or for the performance of tasks at the request of the data subject prior to entering into such a contract;
■ the transfer is necessary for the conclusion or performance of a contract with a third party in the interest of the data subject;
■ the transfer is necessary in order to protect the vital interests of the data subject;
■ the transfer is necessary in order to establish, exercise or defend a legal claim; or
■ the transfer is necessary or legally required in order to protect an important public interest, or there is statutory authority for demanding data from a public register.
The DPA may allow transfers even if the above conditions are not fulfilled if the data controller provides adequate safeguards with respect to the protection of the rights of the data subject.
Transfer of a data subject’s personal data to non-EU/EEA countries is allowed if the countries provide adequate protection for the security of the data, or if the transfer is covered by standard contractual clauses approved by the European Commission, or is subject to an organization’s Binding Corporate Rules. Countries which have implemented Directive 95/46/EC meet the requirement as regards an adequate level of protection.
Transferors are required to seek permission from the DPA for any transfers of personal data: (i) not based on the conditions above; (ii) to countries outside the EEA, or which do not have an adequate protection level; or (iii) to entities (outside the jurisdictions mentioned in (ii)) which do not have Binding Corporate Rules or are not a member of the US Safe Harbor scheme (the Act section 30 second paragraph).
For transfer of data to the United States, compliance with the US/EU Safe Harbor principles satisfies the requirements of Norway’s transfer law.
Data controllers and processors shall by means of planned, systematic measures ensure satisfactory data security with regard to confidentiality, integrity and accessibility in connection with the processing of personal data.
Data security breaches which have resulted in the unauthorized disclosure of personal data where confidentiality is necessary are subject to notification to the DPA. DPA guidance and practice indicate that data subjects may also need to be notified where the breach may be detrimental to the interests of the data subject (e.g. identity theft, forgery, harassment).
The DPA is responsible for enforcement of the Act, and DPA’s decisions may be appealed to the Privacy Appeals Board (Nw: Personvernnemnda). If the DPA becomes aware that a data controller is in breach of the Act, it may issue an order requiring the controller to rectify the position. In connection with orders, the DPA may impose a coercive fine which will run for each day from the expiry of the time limit set for compliance with the order until the order has been complied with.
Failure to comply with an order is a criminal offence and may be punished with fines or imprisonment.
The DPA may also issue fines (Data Offence Fines) up to a maximum of 10 times the National Insurance Basic Amount (approx. EUR 90,000). Physical persons may only be fined for a data offence for deliberate or negligent violation. A business may not be fined for a data offence for a violation that is due to factors outside the control of the business. In evaluating whether to impose a data offence fine and in determining its size, special consideration will be given to:
■ how seriously the violation has infringed the interests the Act is designed to protect;
■ the degree of culpability;
■ whether the violator could, by guidelines, instructions, training, inspection or other measures, have mitigated the violation;
■ whether the violation was committed to promote the violator’s interests;
■ whether the violator has, or could have, achieved any benefit from the violation;
■ whether this is a repeat violation;
■ whether other sanctions following from the violation are imposed on the violator, or on a person acting on his behalf, for instance punishment of a person for a criminal offence; and
■ the violator’s financial capacity.
The controller shall compensate damage suffered as a result of the fact that personal data have been processed contrary to the provisions of the Act, unless the damage is not due to error or neglect on the part of the controller.
The Act will apply to most electronic marketing activities, as there is likely to be processing and use of personal data involved (e.g. an email address is likely to be “personal data” for the purposes of the Act).
Pursuant to the Marketing Control Act (Nw: Markedsføringsloven) section 15, it is prohibited in the course of trade, without the prior consent of the recipient, to send marketing communications to natural persons using electronic methods of communication which permit individual communication, such as electronic mail, telefax or automated calling systems (calling machines).
Prior consent is however not required for electronic mail marketing where there is an existing customer relationship and the contracting trader has obtained the electronic address of the customer in connection with a sale. The marketing may only relate to the trader’s own goods, services or other products corresponding to those on which the customer relationship is based.
At the time that the electronic address is obtained, and at the time of any subsequent marketing communication, the customer shall be given a simple and free opportunity to opt out of receiving such communications.
“Electronic mail” in the context of the Marketing Control Act means any communication in the form of text, speech, sound or image that is sent via an electronic communications network, and that can be stored on the network or in the terminal equipment of the recipient until the recipient retrieves it. This includes text and multimedia messages sent to mobile telephones.
Direct marketing emails must not conceal or disguise the identity of the sender. If the email is unsolicited, it shall clearly state, upon reception of the message, that it contains a marketing message (the Norwegian E-commerce Act, Nw: Ehandelsloven, section 9).
Online Privacy (including cookies and Location Data)
Traffic Data – Traffic data is defined in Norwegian Regulation relating to Electronic Communications Networks and Electronic Communications Services (Nw: Ekomforskriften F16.02.2004 nr 401) section 7-1 as data which is necessary to transfer communication in an electronic communications network or for billing of such transfer services.
Processing of traffic data held by a Communications Services Provider (“CSP”) (Nw: Tilbyder) may only be performed by individuals tasked with invoicing, traffic management, customer enquiries, marketing of electronic communications networks or the prevention or detection of fraud.
Traffic Data held by a CSP must be erased or anonymised when it is no longer necessary for the purpose of the transmission of a communication (Electronic Communications Act, Nw: Ekomloven, section 2-7). However, Traffic Data can be retained if it is being used to provide a value added service and consent has been given for the retention of the Traffic Data.
Location Data – Location data may only be processed subject to explicit consent for the provision of a value added service which is not a public telephony service, and the users must be given understandable information on which data is processed and how the data is used. The user shall have the opportunity to withdraw her consent. See Norwegian Regulation relating to Electronic Communications Networks and Electronic Communications Services section 7-2.
Norwegian law yet, although there is a proposed amendment currently in process. The proposed amendment to Norwegian law seems to be in line with the amended E-Privacy Directive.