Data Protection Laws and Freedom of Expression: Norway 
Constitutional/Primary Law Background - see also ECHR
Article 100 of the contemporary Norwegian Constitution (1814 as revised 2016) prohibits censorship and other preventive measures (except for child/youth protection in relation to moving pictures) and guarantees freedom of expression including imparting and receiving information, ideas and messages. This is subject to legally prescribed limits which must be justified on grounds relating to this freedom (namely, truth seeking, promotion of democracy and freedom to form opinions) which must be particularly weight as regards the expression of opinion. The State is also obliged to create conditions facilitating open and enlightened public discourse. Whilst there is no constitutional protection of data protection as such, Article 102 establishes a right to respect for private and family life, home and correspondence, obliges the State to protect personal integrity and prohibits searches of private homes except in criminal cases.
The original 1814 Constitution including protection of freedom of expression (whilst still allowing for punishment where an individual was shown inter alia willingly disobedient to the law or an utter of false and injurious accusations against anybody) (s. 100) and prohibited searches in private houses except in criminal cases (s. 102). The provisions in the paragraph above date from amendments made in 2007.
First-Generation Statutory Law
|
Norway adopted first-generation legislation in form of the Act relating to Personal Data Registers on 9 June 1978. The initial more specific regulations were completed in the following year.
Special Expression Derogation
Although Norwegian primary legislation passed in 1978 included no provision in favour of the media, secondary legislation adopted in 1979 exempted internal databases of the periodical press that held sensitive data from the general requirement to obtain a license for this so long as they adhered to certain security guarantees. A full exemption was also set out for books, journals, magazines and the like but only where these had been published prior to data protection legislation coming into force.
Broad Expression Derogation
There was no provision specifically within this area.
Personal Exemption
Pursuant to Paragraph 1, the Act was only applicable to personal data registers in central or local government institutions as well as in private enterprises, societies or foundations.
Knowledge Facilitation Framework
The provisions were limited to ‘statistical research or general planning purposes’ (para. 7) and only excluded the application of the retroactive transparency rule.
|
Parliamentary Debates
Special Expression Derogation
No relevant discussions.
Broad Expression Derogation
Not applicable.
Personal Exemption
No relevant discussions.
Knowledge Facilitation Framework
The knowledge facilitation derogation was briefly mentioned both in parliamentary debates and the report of the drafting Committee on Justice. The proposed law data subjects with (reactive) right to information on registered data but excluded registers only used for (statistical) research purposes from this. This was criticized in the parliamentary debate.[1] The Report of the Committee on Justice noted that the proposed law contained a provision making it possible to exempt certain types of data registers from the requirement for DPA authorization.[2] It explicitly stated, however, that ‘it did not see any reasons for generally exempting research and statistical data registers from this requirement’.[3]
Second-Generation Statutory Law
|
Norway adopted second-generation legislation implementing Directive 95/46 through the Personal Data Act and the accompanying Regulations 2000.
Special Expression Derogation
Norway exempted processing exclusively for artistic, literary or journalistic purposes completely and unconditionally from all the data protection provisions with the exception of data security measures and certain specific provisions on video surveillance (Data Protection Act, s. 7).
Broad Expression
There was no relevant provision.
Personal Exemption
The implementing Act stated that it did not apply to the processing of personal data carried out by a natural person for exclusively personal or other private purposes (ibid, s. 3(c)).
Knowledge Facilitation Framework
The second-generation Data Protection Act contained limited derogations for knowledge facilitation purposes. The processing of personal data for historical, statistical or scientific purposes was not deemed incompatible with the original purpose of the collection, if the public interest in the processing being carried out clearly exceeded the disadvantages for the natural person (ibid, s. 11). Moreover, the subject access provision was exempted from applying to the processing of personal data exclusively for historical, statistical or scientific purposes so long as the process will have no direct significance for the data subject (ibid, s. 18). Sensitive data could be processed for historical, statistical or scientific purposes if necessary and the public interest in such processing clearly exceeded the disadvantages it may have entailed for the natural person (ibid, s. 9). Nonetheless, the processing of sensitive data required a license from the Data Protection Authority, unless volunteered by the subject (ibid, s. 33) or where the research is subject to stipulated safeguards and the subject to consented to all aspects (DP Regulation, s. 27-7).
|
Parliamentary Debates
In 1995, the Government appointed a Committee to review the Act Relating to Personal Data Registers of 1978. On the basis of this Committee’s work, the Government developed a draft law.[4]
Special Expression Derogation
With regard the special expression derogation, the Government Committee recommended that such exemptions could not be limited to selected professional journalists. Rather than a formal occupational status, the journalistic purposes of the processing of personal data should be decisive.[5] Although the Committee emphasized the function of the press as the fourth state authority, it argued that there was no need for exceptions to most data protection provisions.[6] Discussing in particular the obligation to notify a person whose data were obtained from a third party, the Committee noted, however, that such an obligation may jeopardize journalistic freedom of expression and should only apply in a modified form. Similarly, the right to access to one’s data may conflict with the journalistic principle of source protection. With regard to publishing content online, the Government Committee argued that such publication would constitute a transfer of data abroad. However, the Government Committee considered that publications on the Internet pursuing a journalistic, literary or artistic purpose should be exempted from the rules applicable to transnational data transfers.[7]
The Committee on Justice Report noted that the protection of individuals’ privacy, on the one hand, and freedom of information and freedom of expression on the other could conflict. A settlement of this conflict should aim to preserve both.[8] The Committee noted that the draft bill exempted files exclusively used for special expression purposes from ordinary data requirements. It cautioned that both the DPA and the Department of Justice would need to keep an eye on this area in order to see whether or not the protection of privacy would be satisfactory. If not, new law would become necessary.[9] The Committee on Justice agreed with the Government Committee on the exemption of online publications for journalistic, literary or artistic purposes from the ‘processing and transmission rules’.[10] It noted, however, that publications which are private in nature or pursue journalistic, literary or artistic purposes on the Internet would fall under the exemption but that otherwise rules on data transfers abroad in particular would apply.[11]
In the Odelstinget (Lower House), Jan Petter Rasmussen MP (Labour Party) stated that the exemptions for data files kept for journalistic purposes had been broadly supported within the Committee on Justice but, echoing the Committee’s reasoning, argued that the DPA and the Department of Justice would need to keep watch in this area in order to ensure that protection of the individual’s private sphere was not set aside.[12]
Broad Expression Derogation
Not applicable.
Personal Exemption
With regard to the personal exemption, the Government Committee considered that the processing of information for financial purposes qualifies as non-private.[13] Any economic activities which exceed the level of a hobby, including political activities, should not fall within the personal exemption.[14] The Committee further observed that most people will use electronic devices for various personal and leisure activities, including for sending and receiving correspondence or downloading information from the Internet. While generally falling within the scope of the law, the control of such processing would constitute an undesirable intrusion into private life, particularly given that the privacy consequences of such a form of data processing would be modest. As a regulation of such private activities would, moreover, be unnecessarily resource intensive, such processing of data for private purposes online should be excluded from the Act’s scope.[15] It was also argued that the exemption would also apply to personal home pages on the Internet with information of a private or personal nature. However, the exemption would again not extend to economic activities that exceed the normal activity of a hobby, such as political activity.[16]
Knowledge Facilitation Derogation
The Government Committee considered that the use of personal data for research and statistical purposes would not conflict with the purposes of the Data Protection Act. The benefits of research generally outweigh the interests of the individual to protect his/her personal data.[17]
In its report the Committee on Justice noted that the bill covers data processing for historic research, and statistical purposes, but contains special provisions for these kinds of data processing.[18] The Committee supported this, regarding it as important that “there be special rules for these fields”.[19]
Third-Generation Statutory Law
|
Norway adopted third-generation data protection law which as a non-EU EEA inter alia transposed as well as implemented the GDPR on 15 June 2018. Some amendments have been made sbuseqnetly including an important one related to special expression (see below).
Special Expression Derogation
As originally enacted, section 3 of the Norwegian Data Protection Act unconditionally exempted data processing for journalistic purposes or for academic, artistic or literary purposes from all data protection provisions other than those related to data integrity and security (GDPR, arts. 24, 26, 28, 29 and 32). However, as a result of amendments made on 2 September 2021 (which came into effect 1 January 2022), a new provision was adopted which not only extended to this area the article on notifying data breaches to the data protection authority (GDPR, art 33) but other than for media covered by the Media Liability Act stated that exemptions only applied insofar as necessary to exercise the right to freedom of expression and information. It was further stated that in applying this later test particular consideration had to be given to (i) society's interest in the processing or publications it leads to, (ii) behavioral norms, ethical guidelines and self-regulatory schemes or similar that contribute to safeguarding the data subject's privacy during processing, (iii) negative consequences which application of the data protection provisions may have on freedom of expression and information and (iv) the consequences the processing may have for the data subject and whether they have a special need for protection.
Broad Expression
No specific provision.
Personal Exemption – see GDPR, art. 2(2)(c)
Knowledge Facilitation Framework – see also GPDR, art. 5(1)(b) (compatibility), art. 5(1)(e) (time limits) and art. 89(1) (appropriate safeguards)
Section. 8 specifically authorses processing necessary for archival purposes in the public interest, scientific or historical research and statistical purposes in accordance with Article 89(1) GDPR under the Article 6(1)(e) public interest task and/or exercise of official authority legal ground. Sensitive data may be processed for these purposes without consent if the community’s interest in the treatment taking place clearly exceeds the disadvantages of the individual and the necessary guarantees in Art. 89(1) GDPR are complied with (sec. 9). The processing of such sensitive data without consent requires (in addition to potentially further requirements which might be set out under secondary legislation) prior consultation with the Data Protection Authority (the Privacy Ombudsman) or the completion of a Data Protection Impact Assessment (sec. 9). Such processes are also necessary if sensitive data are processed with the consent of the data subject (sec. 10). The same arrangements are also extended to the processing of criminal-related data (s. 11). Under sec. 17, such processing if in compliance with Art. 89(1) GDPR and where processing has no legal effect or direct effect for the data subject is exempt from subject access, the right to rectification and the right to restrict processing so long as compliance would at least seriously impede achievement of the objectives or, in the case of subject access, require a disproportionate effort.
|
Parliamentary Debates
Consultations on the new Personal Data Act took place in 2017. The responsible Ministry for Justice and Public Security proposed to keep the existing provisions on the special expression and knowledge facilitation in place. It maintained that it was not necessary to include a general reference to the freedom of expression and information in the proposed legal text and that it was neither necessary nor appropriate to incorporate a proportionality assessment as the Regulation provides.[20]
Special Expression Derogation
Pursuant to the report of the Ministry of Justice and Public Security, the consultative hearings showed that there may be reason to look more closely at how freedom of expression and information should be regulated in the Personal Data Act.[21]
The Norwegian Press Association, the Norwegian Editors Association and the Norwegian Journalists Association in a joint statement argued that preferential treatment should not be limited ‘exclusively’ for journalistic purposes. Notwithstanding the blurry limits of what constitutes ‘journalism’, these Associations maintained that an obligation to state what information is used for before engaging in journalistic activities would be contrary to the principle of freedom of information.[22] The Data Inspectorate echoed this concern, stating that it would be practically challenging to assess whether processing takes place exclusively for journalistic, literary or artistic purposes.[23] This was particularly so with respect to statements published on the Internet.
In their joint statement, the Norwegian Press Association, the Norwegian Editors Association and the Norwegian Journalists Association moreover argued that the legal provisions should not include guidance on a specific assessment of necessity or proportionality regarding special expression derogations. The Consumer Council and the Norwegian Data Protection Authority, in contrast, noted that a necessity assessment should be included in the legal text to meet the requirements of Art. 85 GDPR. The Data Inspectorate concurred with regard to the necessity of a proportionality assessment, observing that a lack thereof may result in excessive derogations in favour of freedom of expression. The inclusion of a necessity of assessment would, however, not significantly change practice. On the contrary, it would ensure that special expression derogations were interpreted sufficiently broadly to safeguard freedom of expression.[24]
Another point of contention was which data protection provisions could be derogated from to safeguard freedom of expression. In particular, the role and supervisory responsibilities of the Data Inspectorate and the Privacy Board in this regard were discussed. Pursuant to the above mentioned joint statements of the Norwegian Press, Editors and Journalists Association, access to information by these supervisory authorities was incompatible with the necessity to protect journalistic sources. The Ministry in response assured that the supervisory competences must be exercised in line with human rights safeguards for the freedom of expression and information.[25]
With regard to academic expression, the National Research Ethics Committee maintained that covered academic statements should not be limited to scientific publications, observing that research, teaching and dissemination to a public audience should be covered by the derogation. The Norwegian Centre for Research Data similarly stated the line between research and academic statements was difficult to draw and that the derogation should be broad to adequately protect academic freedom of expression and working methods, especially in qualitative research.[26]
Broad Expression Derogation
There were no substantive debates.
Knowledge Facilitation Framework
Pursuant to the report of the responsible Ministry of Justice and Public Security, all consultative bodies commenting on the proposed Act emphasized the need for a legal regulation that provides a supplementary legal basis for research beyond the general legal basis.[27] However, it was disputed whether such a legal basis should be incorporated in a General Personal Data Act or in specialized laws. The Ministry agreed that a supplementary legal basis should be established that allows for the processing of personal data for research purposes in the public interest, which does not make any distinctions on the basis of how research is funded or organised. Such supplementary legal basis should also apply to processing for archival and statistical purposes. The Ministry thereby proposed to adopt the GDPR’s approach, which found broad support in the consultative process.[28]
The Ministry also considered that rules on processing special categories of personal data for archiving, research and statistical purposes without consent should be regulated in special legislation, not a general Personal Data Act. It nonetheless proposed to include it, noting that such processing would be conditional upon the societal advantages outweighing personal disadvantages for affected individuals.[29]
[1] MP Petter Furberg (party unknown), p.351; MP Gunn Vigdis Olsen-Hagen (party unknow), p 355 in Forhandlinger i Odelstinget nr. 24; 1978, 18 mai – Lov om personregistre m.m; MP Petter Thomassen (party unknown), p.360, in Forhandlinger i Odelstinget nr. 24; 1978, 18 mai – Lov om personregistre m.m.
[2] See chapter 4 of the original draft bill in Ot. Prp. Nr.2 (1977-78) Om lov om personregistre m.m, p101-2.
[3] Innst. O. nr 47 (1977-78), Innstillning fra justiskomiteen om lov om personregistre m.m, p.7.
[4] See Ot.prp. nr 92 (1998-99), “Om lov om behandling av personopplysninger (personopplysningsloven)” for the Governments draft bill and its underlying reasoning. Accessible on http://www.regjeringen.no/nb/dep/jd/dok/regpubl/otprp/19981999/otprp-nr-92-1998-99-.html?id=160088.
[5] Government Committee on the Data Protection Law, ’Et bedre personvern – forslag til ny lov om behandling av personopplysninger’ (27 May 1997) NOU:1997:19 http://www.regjeringen.no/en/dep/jd/documents-and-publications/nouer/1997/nou-1997-19/18.html?id=140988 (last accessed 28 October 2020).
[6] Ibid.
[7] Ibid, 147.
[8] Justice Committee, ‘Innstilling fra justiskomiteen om lov om behandling av personopplysninger (personopplysningsloven)’ (22 February 2000) Inst. O. nr. 51 (1999-2000) http://www.stortinget.no/no/Saker-og-publikasjoner/Publikasjoner/Innstillinger/Odelstinget/1999-2000/inno-199900-051/3/ (last accessed 28 October 2020).
[9] Ibid, 20.
[10] Ibid, 20.
[11] Ibid, 21.
[12] MP Jan Petter Rasmussen, (Labour Party) in “Odelstinget - Møte tysdag den 7. mars 2000 kl. 21.45”, Minutes available on http://www.stortinget.no/no/Saker-og-publikasjoner/Publikasjoner/Referater/Odelstinget/1999-2000/000307/1/ (last accessed 28 October 2020).
[13] The Commission of the Data Protection Act, NOU 1997: 19, Et bedre personvern – forslag til ny lov om behandling av personopplysninger, chapter 10.1.3.4, Ministry of justice and public service , 06.04.2013, http://www.regjeringen.no/en/dep/jd/documents-and-publications/nouer/1997/nou-1997-19/18.html?id=140988
[14] Ministry of justice and public service, Ot. Prp. Nr. 92 (1998-99), Om lov om behandling av personopplysninger, chapter 10.5, Ministry of justice and public service, 06.04.2013, http://www.regjeringen.no/nb/dep/jd/dok/regpubl/otprp/19981999/otprp-nr-92-1998-99-/16.html?id=160104
[15] Ibid, chapter 16.
[16] Ibid.
[17] The Commission of the Data Protection Act, NOU 1997: 19, Et bedre personvern – forslag til ny lov om behandling av personopplysninger, chapter 21 §8, Ministry of justice and public service, 06.04.2013, http://www.regjeringen.no/en/dep/jd/documents-and-publications/nouer/1997/nou-1997-19/22.html?id=140992
[18] The report does not clarify which provisions are refered to.
[19] Innst. O. nr. 51 (1999-2000), “Innstilling fra justiskomiteen om lov om behandling av personopplysninger (personopplysningsloven)”, chapter 2, accessible on http://www.stortinget.no/no/Saker-og-publikasjoner/Publikasjoner/Innstillinger/Odelstinget/1999-2000/inno-199900-051/16/ , cited 22/01/2013
[20] Justis- og Beredskapsdepartement, ‘Prop. 56 LS (2017-2018) Lo vom behandlig av personopplysninger (personopplysningsloven) og samtykke til deltakelse i en beslutning i EØS-komiteen om innlemmelse av forordning (EU) nr. 2016/679 (generell personvernforordning) i EØS-avtalen’ https://www.regjeringen.no/no/dokumenter/prop.-56-ls-20172018/id2594627/... (last accessed 23 July 2020).
[21] Ibid.
[22] Ibid.
[23] Ibid.
[24] Ibid.
[25] Ibid.
[26] Ibid.
[27] Justis- og Beredskapsdepartement, ‘Prop. 56 LS (2017-2018) Lo vom behandlig av personopplysninger (personopplysningsloven) og samtykke til deltakelse i en beslutning i EØS-komiteen om innlemmelse av forordning (EU) nr. 2016/679 (generell personvernforordning) i EØS-avtalen’ https://www.regjeringen.no/no/dokumenter/prop.-56-ls-20172018/id2594627/... (last accessed 11 April 2021).
[28] Ibid.
[29] Ibid.
Twitter
Email