By prof. dr. juris Jon Bing
Norway is a rather young democracy. In 1814 the long union with Denmark was dissolved and a new constitution adopted. One of the provisions of this constitution was to develop a criminal and civil code. The civil code was never really realised, but a general criminal code was being developed throughout the century and finally adopted in 1902. A central figure in this reform process was the prominent lawyer Bernhard Getz, and on June 29, 1889, the reform process took another step forward when one of the older codes (of 1842) was amended. This amendment included the introduction of a provision prohibiting the publication of information relating to "personal or domestic affairs".
One may like to reflect on the timing. It was nine years after the milestone paper by Warren and Brandeis, the cause of which probably was the publication in the newspaper Saturday Evening Gazette of details from the marriage of Warren's daughter. The Norwegian reform seems to be of a related nature. The reason for its introduction by Getz is not known, but he probably was inspired by Denmark, where a similar reform took place at the same time.
This may be the reaction of legal systems to the dramatic developments in information technology taking place in the latter part of last century. The invention of the rotary press in 1863 made cheap newspapers possible, and society gossip was popular then as now. This created a market for the trade in personal information, causing instances of the invasion of privacy. The legal systems reacted - the US example is famous, but also in Norway a protection of privacy in criminal law was established. This provision - the criminal act sect 390 - remained the major regulatory measure until the enactment of the data protection legislation in 1978, though one should, of course, appreciate that the numerous rules of confidentiality also are part of the traditional legal regime.
However, the Norwegian privacy law also has a non-statutory component. Norwegian law will allow the court to apply civil law based on unwritten principles, without authority in statutes. This is rarely done, and a major example is of interest in our context.
In 1926, two men upset Norway by brutally slaying a local chief of police and other policemen by axe. The two men - one older and one younger - were caught and imprisoned, the older taking his own life while imprisoned. The incident stimulated the well-known author Gunnar Larsen to write a documentary novel (To mistenkelige personer, or: Two suspicious persons) which was published in 1926, and was very well received. After the war, in 1949, Tancred Ibsen, a pioneer in the Norwegian movie industry and the grandson of the dramatist Henrik Ibsen, directed a film based on this novel. Before its opening, the younger of the two "suspicious persons" protested. He had in the meantime been released from prison and established himself under a new name, married and had children. He feared that the release of the film would once more make his old crime topical, that he would be identified, and his new life shattered.
In its decision, the Supreme Court found that non-statutory principles of privacy had been infringed, prohibiting the public showing of the film, and emphasising the special nature of film as a medium:
"The film communicates to a larger number of persons than for instance a printed publication, and is very vivid in its portrayal. It will be seen, discussed and made subject to reviews in the newspapers. By this one will have to assume that details from the real event will be repeated in papers and illustrated journals, and it cannot be avoided that identity of [the younger criminal] - in spite of his changed name - will be unveiled for persons to which it formerly was unknown. Also among those who had prior knowledge of [his] relation with the murders of the police officers, but who has suppressed this knowledge from their consciousness, will recall their memories of that conviction, and its characteristic of [him] will once more be brought alive and result in reflections unfavourable to him."
Again one may reflect on the curious parallel to the earlier Red Kimono Case in the US in which Gabrielle Darley, a prostitute, had been prosecuted in a sensational murder trial, but had been acquitted. She went on changing her name, marrying and settling in a town where she was not known. Seven years later, the film The Red Kimono based on the trial, unveiled her identity and destroyed her new existence.
Again the two cases may be taken as indications of the law reacting to the potential of information technology - this time represented as the popular movies - to invade the privacy of individuals.
Norwegian law at the end of the 1960's therefore had two main components in its law on privacy: the prohibition in the criminal code against publishing private or domestic information, and the hovering existence of an unwritten privacy protection, the extent of which was only glimpsed through a few court decisions, the most important being the first, which has been mentioned above.
However, one should include a few more background facts on Norwegian law to appreciate the legal context into which the data protection legislation was introduced.
There are, as indicated, a large number of provisions on confidentiality, designed as prohibitions against giving information of a specific nature to a third party. Exceptions are, however, made with respect to certain third parties, which in turn are made subject to confidentiality obligations. In this way, a large system of "secure boxes" is created, but there are holes punched in them to channel relevant data into other secure boxes. For instance, the primary medical doctor is subject to rules on confidentiality, but certain patient data are to be communicated to the health authorities for statistical, research or planning purposes. These authorities are subject to other, though in detail somewhat different, rules on confidentiality. The resulting system is complex; though not unique to Norway, it is slightly dissatisfying.
There is a well-developed law of administrative procedure that includes confidentiality clauses, and also an access right for parties to a case processed by the administration, limited to the documents of the case. There is further a freedom of information act that gives anyone access to the documents in a certain case; the case has to be identified either through the index of the authority in question or by other means. This implies that the Norwegian freedom of information legislation is considerably more limited than, for instance, the Swedish. It may be argued that these two acts are somewhat related in nature to the data protection legislation, indicating that in Norway data protection is more a matter of administrative procedure and due process than human rights.
Finally, it may be appropriate to mention that the Norwegian public administration at the end of the 1960's was introducing computerised systems on a large scale. A social benefit system had been created in 1967 that pivoted on a number of large computerised files that included information on all individuals in Norway. A Central Personal Register was already in existence, and a unique personal identity number (fødselsnummer) had been introduced in 1964 without any real political debate; the reform actually only appeared before the parliament as an explanatory note in the budget of the Central Bureau of Statistics. The main justification was not computerisation, but the complaint from employers who had to keep track of different reference numbers for the reports they were required to make to the tax authorities, the social benefit administration, the employment administration, etc.
It should be appreciated that Norway is a small country (4 million people), without any real subdivision into regional or local jurisdictions (though this level issues some regulations, and there are considerable regional differences in this inconveniently long and thin strip of land at the edge of the European continent). At the end of the 1960's it was quite modern, and the rather recent major reforms in the law of administrative procedure and freedom of information emphasised legal issues related to them.
In the summer of 1970, the Council for the use of computers in government administration approached the Department of Civil Law at the Faculty of Law, University of Oslo, with a request to undertake a study of "privacy and governmental data banks", as an approximate translation of that somewhat dated wording would read. At this Department, professor Knut S Selmer had taken the initiative to an activity exploring issues of computers and law. A research contract was negotiated, and it became the occasion of formally establishing the Norwegian Research Center for Computers and Law from January 1, 1971. Consequently, the early history of data protection in Norway is also to a large extent the history of the budding research activity of the NRCCL.
This research contract resulted in a monograph, exploring the existing literature - especially the works of Westin and Miller - and examining the use of computerised data processing within the Norwegian public administration.
Before this monograph had been published, two committees had been named by the Cabinet to report to the government on possible legislative action.
The first was charged to explore problems related to credit reporting, a problem that was not acute in Norway at that time, but which was much discussed due to the US initiative to legislate - and it was felt (quite rightly) that the issue would become more current also in Norway as credit cards and similar payment instruments became more popular. The chairman of this committee was Tore Sandvik, a professor of law at the University of Bergen. After its establishment, the mandate was broadened to include all data protection issues in the private sector. The committee reported in 1974.
In 1972, a second committee was created to explore the issues related to data protection in the public sector. The reason for the two committees should be understood against the background of the research being carried out within the NRCCL; this concerned the public sector, and the committee was not named before it could take advantage of the material produced within the project.
The chairman of this committee was Helge Seip, at that time secretary to the presidium of the Nordic Council, an intergovernmental agency of the Nordic countries set up to facilitate co-operation. He had, however, a broad experience that included experience as a minister in one conservative coalition government and president of the liberal party (Venstre). His committee reported in 1975.
One may note that at the time of the reports, the first legislation in Europe had been enacted. Obviously, the main impact in Norway was of the Swedish pioneering act of 1973, which was enacted before any of the committees reported. There was considerable pressure to adopt an act, but the government was hesitating. The main reason, it would seem, was the choice between a licensing system (as indeed became the result) and a system mainly based on direct regulation in substantial law. Also, though the two committees had co-ordinated their work prior to reporting, there were actually two proposed acts, which had to be co-ordinated.
The government bill was published in 1978. Under the Norwegian system, the Government bill is communicated to the Parliament, which splits in two chambers for the purpose of adopting legislation. The bill was adopted without major amendments and with full support of the different parties, and became the data protection act of June 9th, 1978. Two years went by, however, before the act entered into force, mainly due to the efforts necessary to set up the administrative body stipulated by the law, the Data Inspectorate. The act became effective on January 1, 1980. Regulations were issued under the authority of the act by the Ministry of Justice in 1979, and enhanced March 10, 1981. A rather modest amendment of the act was made in 1987.
A new review was made at the 10th anniversary of the Data Inspectorate, this time by the Ministry of Justice (though they were also assisted by a former deputy director, Eirik Djønne). This was discussed in parliament in spring 1992, and several amendments were suggested to the statute - among them the introduction of strict liability and general damages for errors in public registers. It is not believed, however, that a general review will take place until the directive of the European Communities on data protection also is available in its final form.
One may also mention that in the statutory revision of 1987, a Sect 8b was introduced, giving authority to issue regulations on data security. The Data Inspectorate had originally some limited power to require data security measures in the licences or regulations issued under Sect 8 (see below), but no general authority to require security measures for personal registers. The work has been co-ordinated with the revision of the internal government instructions regarding classified documents, both such classifications required by civil considerations (like trade secrets) and those required by military considerations (like national security issues). This has not been a trivial task, as there are rather different interests to take into account, and co-ordination between several ministries. In autumn 1992 a draft bill for both a common regulation and a new statute on information security is to be adopted. It was felt that existing statutory authority was not sufficient for the new and rather comprehensive regulation; therefore the data protection act Sect 8b may have a rather brief life, and actually be repealed before it really has come into effect.
It will be apparent from the brief sketch of the legislative history that research was paralleling the development of the government bill. This research did partly have as its objective to arrive at a better understanding of the concept of data protection by analysing systems for the processing of personal information and the interests of the data subject at stake.
Today, through contributions of several persons, data protection is understood as a bundle of interests. The presentation in this paper represents the author's own preferred view, but it will only differ in details from what would seem to be some sort of consensus in Norwegian legal theory.
The basic premise of the concept is that data protection is related to decisions, and through them, to power. Someone has power with respect to another if that someone may, through his or her decisions, influence the welfare, health or prosperity of another person. In this, data protection becomes an interest related to safeguards to the rule of law or due process, the law of the procedure of public administration being seen as protecting some of the same interests.
This bundle of interests can be characterised as the interest to control the flow of personal information relating to the data subject. These include control of the primary collection of data (whether by observation, inspection or by submission of the data subject), the use the primary recipients make of the data, its storage by the primary recipient and the communication onwards to a third party. This third party, being the secondary recipient of the data, will then be subject to an interest in exercising an identical control. And so on through the chain of recipients.
The control is mainly related to the use made of the data in decisions - though "decisions" is used as a rather inclusive concept, and also for informal acts like "making up one's mind" or otherwise reacting on the basis of the data. The point is that the mere existence of the data is of little cause for concern: Data collected not to be used for individual decisions of any kind (as in statistical surveys) are not very important to the data protection issue; they only represent a potential for misuse through unauthorised access, etc.
The general characterisation can be broken down into three rather more specific interests.
First, the individual has an interest in confidentiality. This is the interest in personal data not being collected through observation or inspection without his or her consent, and that also any submission of personal information should be voluntary. It extends to an interest in control of the use made of the information by the primary recipient, and the data security relating to storage or erasure. It also obviously relates to communication from this primary recipient to any third parties.
One may note that this "flow control" usually is achieved through the many regulations governing confidentiality of different professional groups, public servants, etc. This traditional regulation really is some sort of "stop-go" regulation: The confidentiality of the primary recipient is determined by a certain legal regime, but this regime also contains rules penetrating the walls of confidentiality with obligations for communication: For instance, a medical doctor may be obliged to communicate information on certain diseases to specified authorities. The secondary recipient will in the same way be enclosed by walls of confidentiality, but again there may be communication apertures, and these may be different from those opened in the walls of the cell of the primary recipient. In this way a rather complex system has been created by conventional regulation, and at least in Norway, no one has a clear picture of the system as a whole.
Data protection legislation plays a complementary role to this conventional body of regulation.
The second interest is the interest in having adequate data for making a decision.
This interest may be further broken down into the principle of relevance and the principle of adequacy.
The principle of relevance is the obvious interest a data subject has in avoiding decisions being taken on the basis of irrelevant information. The information may be irrelevant because it is erroneous or dated - and actually conventional regulations of defamation to some extent already protect this interest. The information may also be irrelevant because there is no justified relation between the information and the objective of the decision: This is a very viable interest, defended in Norway for instance by making sex or political opinions as relevant criterion for job selection.
The principle of adequacy is something further: Though a certain fact may be relevant, it may be misleading without being interpreted in relation to another fact. Omissions may, of course, result in misleading information. And the data subject has an interest in a decision relating to himself or herself taking all types of relevant data into consideration.
In this aspect, the data protection concept reveals its relation to the law governing the procedure before the courts or in public administration. The courts will often have a responsibility to make sure that all relevant evidence has been presented, and the public administration likewise will be responsible to make its decision after satisfying itself that the facts and circumstances of the case are known. Data protection legislation will again supplement the more traditional regulation.
Finally, there is the interest in access of the data subject to the information relating to himself or herself. This has for many jurisdictions been perceived as the major objective for data protection legislation. But again this has to be considered in the context of the national law.
In Norway, there already exist two major pieces of access legislation briefly mentioned above. The first is the act of procedure for public administration, which in its sect 18 gives any party to a case within public administration access to the "documents" of that case. The second is the freedom of information act that gives anybody access to the "documents" of a certain case. This implies that the person requesting access must be able to identify the case. This may be done by outside sources (like a newspaper report), but may also be done through the journal (the file index) of the authority in question, and this journal is public without restrictions.
One will note that both these acts rely on the notion of "document", which is defined in the freedom of information act sect 3 and pursuant regulations of December 19, 1986:2202. The regulations extend the conventional document concept to an analogous concept for computerised systems. It may not formally be a completely satisfactory solution, but it makes these access laws also applicable to computerised systems.
One may also note that the right to access one's own file is contained in non-statutory basic principles of law. This was the decision of the Supreme Court in a case from the late 1970's where a patient requested access to his own patient journal at a hospital in order to decide whether he should sue the hospital for malpractice. The hospital denied the patient access, but the Supreme Court decided that though there was no statutory access right, this was implied by non-statutory principles. Since then the relevant legislation has been amended and contains today an explicit access right.
These interests are all related to the individual. During the 1980's, the legal theory has developed three additional interests that also are seen as part of or related to data protection, but which concern not the individual as such, but the individual as related to a group.
The first is the interest in controlling the surveillance level in society. It is especially the use of data base surveillance techniques that has triggered off this interest. The example may be that a convict population with respect to a certain crime is analysed, and certain characteristics having a statistically significant co-occurrence with their crime are identified. Then the same characteristics are used to comb through existing data bases, isolating a "suspect population", which then is made subject to increased surveillance. In this population, the majority probably are not actually guilty of the crime under investigation, but only victims to circumstances. The crime may be tax evasion, social benefit fraud, drug trafficking, terrorism etc, or there may be similar methods used for identifying probable AIDS victims, child molesters, etc.
The second is the interest in a robust society. This is the reverse side of the issue of a "vulnerable society" that has been a political issue in the Nordic countries due to the dependency on technology, and the social consequences failure may have.
One may mention one special historical episode that has formed the Norwegian attitude to this issue. Not only is there a concern for technology to fail and causing social disturbance, there is also a concern that the technology will aid unlawful elements if it cannot be destroyed in wartime or in a similar national crisis. The background is an episode in the Second World War, when Norway was occupied by Germany. In May 1944, the Germans wanted to mobilise Norwegian youth for "labour service", and three age groups were to be mobilised. There was reason to fear that they would be sent to the Eastern front. There were two alphabetical tabulators in the country that could be used to draft the youth, both by Watson Norsk A/S (better known today as IBM). The data was with the Nazi authorities, but they needed the machines to select the relevant persons. The resistance movement broke into the offices of both Watson and the insurance company operating the alternative machine (Norske Folk) and set off explosives. This episode has made a lasting impression in Norwegian politics, making both surveillance and vulnerability a sensitive issue.
The third of these collective interests is the interest in a friendly administration. This is seen as related to the computerisation of public administration, which in its early stages was related to a tendency to cryptic codes in form letters, use of punched cards for requesting or applying for certain services, etc. There still is a concern for the introduction of computers to increase the possibilities of the public to communicate with the administration (both public and private) rather than to reduce the availability. The Data Inspectorate has often indicated that this has been a concern in addition to data protection understood more strictly.
These six interests characterise the data protection concept generally accepted in Norway today. They represent an attempt to make operative the data protection concept, not an exhaustive definition.
In the last years one has especially emphasised that one should not forget that data protection also has a core of privacy (as the two terms are used in this paper): An individual's perception of himself or herself as an autonomous person in a democratic society presumes that the individual may control who gets access to personal information, especially of an intimate or sensitive nature. If this control is reduced by pragmatic reasons, this may over time influence this perception, with adverse effects for society.
Finally, one may question whether this theoretical discussion is reflected in the legislation itself. The Norwegian data protection act does not define the concept. But there are several indications of the act operating with a decision oriented interest concept based on the three individual interests. Sect 10 prescribes, for instance, a balancing of interests - data protection against the objective served by a registering - in the licensing process. And Sect 7 limits access to registers that do not support individual decisions.
These two examples will have to suffice in stating that the legislation reflects the decision oriented interest concepts, and should be interpreted on this background.
The Data Inspectorate is established according to Sect 2. It is an independent public authority according to the Norwegian tradition. This implies that it is part of the public administration; its budgets are passed up through the Ministry of Justice. The Ministry of Justice also is empowered under the act to issue regulations. The Ministry cannot, however, instruct the Inspectorate with respect to individual cases.
The Inspectorate is headed by a director. The first director to be named was Helge Seip, chairman of one of the committees preceding the act. He was succeeded in 1989 by Georg Apenes, a lawyer and former member of parliament for the conservative party (Høyre). The administration in addition consists of lawyers and a few computer scientists, altogether (1992) approximately 15 persons. Its address is Data Inspectorate, PO Box 8177 Dep, N-0034 Oslo.
The Inspectorate is governed by a board named by the King in Council. This board has seven members. They are appointed not as representatives of political parties or interest groups, but in their personal capacity - with the exception of there being one member appointed in consultation with the organisation of employers, and one member appointed in consultation with the organisation of employees. As chairman of the board was named professor Knut S Selmer, who at that time was the chairman also of the Norwegian Research Center for Computers and Law, and who had played a major role in the research paralleling the development of the legislation. When he left his position at the NRCCL in 1990, he retained his position at the board, and consequently has functioned continuously from the creation of the Inspectorate.
With only two directors and one chairman of the board, there has been stability in the development of a policy within the Data Inspectorate. The style of the Inspectorate is also to seek contact with applicants and others in order to find consensus for a certain policy. However, the Inspectorate actively attempts to identify issues that are assessed to need a general policy decision, which through the appeal process (cf below) is passed on to a general political level. It is seen as proper that such controversies should be settled by the general policy makers as other major political conflicts of interests. In adopting this view, the Inspectorate avoids taking an adversary position in the appeals - the Inspectorate seeks clarification rather than approval.
The Data Inspectorate has, according to the legislation, several major tasks, cf Sect 3 and title 4.
It is charged with decision making authority in individual cases, especially on licensing of registers, but also in disputes with respect to access and correction of data in registers. Such individual decisions may be appealed to the Ministry of Justice. In cases where the Ministry itself is applicant, the King in Council is the appeal authority. It has been questioned whether it is appropriate that a Ministry that itself is responsible for major sensitive registers, for instance related to the police and crime, should be the appeal authority, and this remains an issue of some concern.
It is also charged with authority to control and inspect registers in order to ascertain that they are operated according to the provisions in the act, the regulations or the licence.
And the Inspectorate is charged with commenting on data protection aspects of pending legislation, reviewing the technological development, informing the public and taking initiatives to promote a data protection policy. These aspects have been emphasised by the Inspectorate in the last few years. In order to strengthen the independence of the Inspectorate, and stimulate the general data protection discussion, the annual report of the Inspectorate takes the form of a statement to the Parliament (Stortingsmelding), submitted through the Ministry of Justice. The annual report for 1990 also contains an assessment of the first ten years of practice, and policy suggestions for further development. The discussion of this statement in the parliament was of major importance.
The data protection legislation is based on two basic concepts, the concept of "personal data" and the concept of a "register". Similar concepts are found in other national acts and in international legal instruments, but they differ in detail. A discussion of these concepts is, therefore, justified.
"Personal data" is defined in Sect 1 of the act as "data or assessments which directly or indirectly can be related to individuals, corporations or foundations that can be identified".
Initially one may observe that the definition is conventionally based on the distinction between anonymous and nominal data. We know that this is not a strict distinction. One may see personal data as consisting of an identifier and some related data.
Fig 1 - Personal data
The identifier - which commonly is a name, a personal number or some system-related PIN - is in itself personal data. This is rather clearly demonstrated by the unique PIN assigned each Norwegian, the "fødselsnummer" (see above). This is an 11-digit number. The first six digits represent the date of birth (this explains the name of the number, literally "birth number") as day-month-year. The next group of three digits indicates the sex (even numbers for females, odd numbers for males), the century in which the person is born (to distinguish new born children from those more than a hundred years old), and a serial number within each day. The last group of two digits are controls - the first control digit is calculated according to an algorithm using the preceding 9 digits, while the 11th digit is the result of a calculation also including the first control digit. The anatomy may be indicated as below, using an authentic PIN:
Fig 2 - Norwegian PIN
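The layout described above can be checked mechanically. The following is an added Python example, not part of the original paper: it splits an 11-digit number into the fields named in the text and recomputes both control digits. The modulus-11 weights are the publicly documented ones and are not given in the paper; decoding of the century is left out, and the sample prefix is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Publicly documented modulus-11 weights (assumption: not stated in the paper).
K1_WEIGHTS = (3, 7, 6, 1, 8, 9, 4, 5, 2)       # applied to digits 1-9
K2_WEIGHTS = (5, 4, 3, 2, 7, 6, 5, 4, 3, 2)    # applied to digits 1-10


def _control(digits, weights) -> Optional[int]:
    """Return the modulus-11 control digit, or None when it would be 10."""
    remainder = sum(d * w for d, w in zip(digits, weights)) % 11
    control = (11 - remainder) % 11
    return None if control == 10 else control


def control_digits(prefix: str) -> Optional[Tuple[int, int]]:
    """Compute both control digits for a 9-digit prefix (date + 3-digit group).

    Returns None for a malformed prefix, or when either control digit would
    be 10: such a prefix cannot be completed to a valid number.
    """
    if len(prefix) != 9 or not (prefix.isascii() and prefix.isdigit()):
        return None
    digits = [int(c) for c in prefix]
    k1 = _control(digits, K1_WEIGHTS)
    if k1 is None:
        return None
    # The second control digit also covers the first one, as the text says.
    k2 = _control(digits + [k1], K2_WEIGHTS)
    if k2 is None:
        return None
    return k1, k2


@dataclass
class ParsedPin:
    valid: bool
    reason: str
    day: int = 0
    month: int = 0
    year2: int = 0      # two-digit year; the century is not decoded here
    group: str = ""     # the three-digit group after the date
    sex: str = ""


def parse_pin(pin: str) -> ParsedPin:
    """Split a number into its fields and verify the two control digits."""
    if len(pin) != 11 or not (pin.isascii() and pin.isdigit()):
        return ParsedPin(False, "must be exactly 11 ASCII digits")
    day, month, year2 = int(pin[0:2]), int(pin[2:4]), int(pin[4:6])
    if not (1 <= day <= 31 and 1 <= month <= 12):
        return ParsedPin(False, "date fields out of range")
    expected = control_digits(pin[:9])
    if expected is None:
        return ParsedPin(False, "prefix has no valid control digits")
    if expected != (int(pin[9]), int(pin[10])):
        return ParsedPin(False, "control digits do not match")
    # Even three-digit group: female; odd: male (as described in the text).
    sex = "male" if int(pin[6:9]) % 2 else "female"
    return ParsedPin(True, "ok", day, month, year2, pin[6:9], sex)


if __name__ == "__main__":
    sample_prefix = "311239999"            # constructed, not a real person's
    k1, k2 = control_digits(sample_prefix)
    number = f"{sample_prefix}{k1}{k2}"
    print(number, parse_pin(number))
    # Two adjacent digits swapped: the control digits no longer match.
    print(parse_pin("13" + number[2:]))
```

Because the control digits depend on every preceding digit, a register that stores the number can reject most keying errors at entry, which is also why the number alone already carries date of birth and sex to anyone who sees it.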
One will appreciate that the "related data" itself does not otherwise have to be related to a person, or have any "private" nature. For instance, all information on an identified property - its size, the vegetation, what houses are built on the land etc - will be "personal data" due to its relation to the owner through the land register (which is open to the public).
One should bear this in mind when one considers the next aspect of the definition, which certainly is the more controversial: The inclusion of information on "corporations or foundations". This phrase is in the legislative prose intended to include all and any legal person. This implies that according to the statute, data on a legal person is also "personal data". The rate of shares in IBM is consequently an example of personal data, or the area of square meters offered in the company's new premises just outside Oslo. The examples are mentioned mainly to emphasise that the notion of "personal data" is a much wider concept according to the law than its natural language implications, and that this obviously will have some consequences for legal policy issues related to the legislation.
The inclusion of data on legal persons is mainly practical. In Norway, a large number of businesses are privately owned and part of the owner's property. It is therefore in practice difficult to determine whether data actually is related to a legal or physical person. This was the major justification for not making the distinction at all. At the same time, it was considered to restrict the concept of "personal data" to that which is private in nature, but again it was maintained that it would in practice be difficult to distinguish between what is private and what is not. It is stated, however, that data on legal or physical persons should not be treated equally, as the data protection interests are of different strengths.
This aspect of the Norwegian law was severely criticised initially, when the legislation was adopted, not least by commentators in the United States. In practice, however, there have been few problems. Several other countries include some protection of legal persons in their data protection legislation, but few do this by the way of a statutory definition of "personal data", and it can be queried whether this is the most appropriate solution.
The definition mentions two alternatives for data - "data or assessments" ("opplysninger og vurderinger"). This is probably related to a distinction made in the act of procedure in public administration when somebody requests access to documents in his or her own case, a distinction which through a citation of this act in the data protection act Sect 7 also is relevant for the access rights according to these provisions. This somewhat subtle point will be discussed with respect to the access rights (cf below).
One should finally mention that the law operates with two general categories of personal data.
According to the act of procedure in public administration Sect 13, a general obligation of confidentiality is imposed on all public servants with respect to personal aspects ("personlige forhold"). According to Sect 13(2), some trivial data are excluded from this protection - place and date of birth, PIN, citizenship, marital status, occupation, domicile and place of employment if such information does not imply some further private information (like the fact that the address of the domicile is that of a prison or a hospital). These trivial personal data are, of course, personal data in the meaning of the data protection legislation, but are not subject to confidentiality measures in public administration. However, in a licence the Data Inspectorate may impose restrictive measures for such trivial data contained in a personal register, and will typically also restrict communication of this trivial data from the register to a third party.
According to the data protection legislation, a subset of personal data is qualified as "sensitive data" (Sect 6(2) - the catalogue is repeated in Sect 9, 16, and 26). Five categories are mentioned:
These five categories are used to trigger certain of the provisions in the legislation, and to ensure special protection of data that is perceived as generally of a sensitive nature.
A major issue of legal policy in the 1970's was how to qualify in which situations data protection legislation should apply. It was rather evident that it could not apply to any use of personal data. The computer industry argued that though the computer might be the occasion for the legislative concern, it was not the cause of this concern, which was similarly caused by manual systems. Many national statutes constructed a notion of a "system for personal data processing", a "file" or some similar concept. The Norwegian solution is the notion of a "personal register".
This is defined in Sect 1(2) as a "register, list etc where personal data are stored in such a way that data on any individual can be retrieved". The criterion used is that of retrievability, and in this way the Norwegian concept is closely related to the notion of a "system of records" as defined in the US Privacy Act of 1973 (Sect 3(a)(5)).
In explaining the concept, the legislative history takes as an example a system for filing letters. If the letters are filed according to a subject index, then the resulting file is not a "register", as one would have to search sequentially through the file to retrieve data on a certain person. If, however, the letters are filed alphabetically according to the name of the addressees, then it would be a "personal register". This works fine for manual systems, but with respect to a computerised system, it is difficult to find examples where the test of retrievability does not apply. Taking the example of the file of letters resulting from word processing, one may easily see examples where the document name used by the system contains a subject index, or contains the name of the addressee. In the first case, letters containing data on a certain addressee cannot be retrieved by searching the index of document names. But it would be trivial, of course, to use a universal search function that would search across documents. Such a function is incorporated in any moderately powerful word processing system, but is also available under any operating system: Under MS-DOS this is the command "find".
It has therefore been held that any computerised system containing personal data qualifies as a "personal register" in the terms of the law. This also holds true if the system only potentially may be used to retrieve data on a specific person, but in practice is never used in this way.
Initially, it has been suggested that the notion of a register should be limited to "one physical unit". It has, however, in practice often been found necessary to apply a logical register concept. Also, in a computerised system, there usually will be more than one physical file that constitutes what from the user's point of view is one system. There may also be such an intimate functional relation between a computerised and a manual file that they have to be considered as one register.
The notion of a "register" implies that more than one data subject is included. But there is not any strict lower threshold. The retrievability test generally also requires the data to be organised in some way that aids the retrieval, but this is not always necessary. If the number of data subjects is low (but still sufficiently high to constitute a register), then the data on any individual may easily be located though the data is not organised to facilitate retrieval.
This was first discussed with respect to the infamous "beer registry case", where purchases of beer were registered, and where the Data Inspectorate indicated that if the number of names was low, it would be a personal register even if the names were entered into the register according to the time the purchase was made.
It has also been argued that the retrievability test applied to a video recording - for instance made by a surveillance camera in a bank - is a personal register. Normally there would not be an index associated with the recording, but it was argued that viewing the recording constituted a search method sufficiently effective to meet the retrievability test. In a Supreme Court decision of 1991 this was one of the issues. The court states that it has difficulties to find sustenance in the statute or its legislative history for the argument that the video recordings in question should constitute registers. Though this is an obiter dictum, it may be taken as rather conclusive for the qualification of video recordings where there has not been generated or established an auxiliary index.
The register concept is, in principle, technology independent. But as we have illustrated, any computerised file containing personal data, will be a register. Combining this with the point made above on the inclusive nature of the concept of "personal data", we see that there hardly will be any computerised file not being a "personal register". In principle, the inclusion of copyright notices and name of programmers in the code of a program is sufficient for this program formally to be a "personal register".
In the Royal Decree of December 21, 1979, bringing the data protection act into operation, one category of registers was generally excluded by part II(1) pursuant to Sect 1(4), these were "books, journals etc which according to the data protection act Sect 1 are or contain personal registers". In this way, one avoided that the act actually would apply for the control of the printed word.
The register concept is, like its relatives in other national first generation data protection legislation, a child of the mainframe era. But the Norwegian law entered into force at approximately the same time as the personal computer was created. And this explosive development has distributed personal registers to desktops, laptops and palmtops, challenging the basic legal policy of the data protection legislation. The register concept was designed to qualify situations where data protection issues were at stake; today it is much too inclusive.
Using the two basic concepts, the system of the data protection legislation can be roughly sketched into place.
First, the legislation applies to both the private and the public sector. In the private sector, it is limited to business activities and activities of associations and foundations. In other words, the personal or family sphere is not governed by the law.
Second, the law has three different systems.
A set of rather general substantive rules applies to any personal register (cf title 3).
Two subsets of personal registers are singled out for special attention: Those containing sensitive data or which are computerised. These registers must either be authorised in the regulations issued pursuant to the data protection act Sect 9(2), or must obtain a licence from the Data Inspectorate prior to their establishment.
Exception is made for those registers established under statutory authority (Sect 41). This is rather logical: If the parliament has authorised the establishment of a register by statute, this should not be a subject to be reconsidered by the Data Inspectorate. The problem is, however, that many registers established prior to the data protection legislation are related to some activity with which the agency in question has been charged in statute, but it is not clear whether the register established to support this activity also is authorised in the statute. Even when a register is authorised in statute, the Data Inspectorate may regulate the operation of the register as they would in a licence.
Also, four types of businesses have been identified:
The data protection act introduces a licensing scheme for these types of businesses - they have to obtain a licence from the Data Inspectorate before starting their operations. If they also need personal registers in their operations - and this will typically be the case - such registers will be subject to the more general statutory provisions, and typically need prior licensing. The Norwegian statute has, therefore, a double licensing scheme.
Finally, a separate licensing scheme is introduced in title 9 for export of personal data - this will be dealt with in more detail below. Otherwise, this paper will mainly deal with the rules for establishing personal registers, and the rights of the data subjects with respect to such registers.
The establishment of any personal register has to comply with the substantive principle of Sect 6. This implements the principle of relevance mentioned above: The inclusion of personal data has to be justified in the administrative or business activity of the register operator.
One will note that this is a modest principle. There is no authority to see a register as a violation of the law just because one perceives the business as objectionable. One may think of private detective agencies, match-makers or other such operations that may occasionally be somewhat shady as less attractive, but they are, however, justified in creating personal registers supporting their lawful operation. The decision of whether a certain business activity should be permitted in Norway is not one that has been delegated to the data protection authorities.
It is a modest principle, but it has nevertheless a substantive content. It applies to all registers, also to those which are operated according to regulations or licences issued under Sect 9. The relevance principle of Sect 6 in such cases constitutes a limitation of the authority delegated to the Data Inspectorate: The Inspectorate is not permitted to grant a licence for the inclusion of data not justified by the objectives of the activity in question.
It is a partial implementation of the interest in adequacy. It would not be advisable to implement the principle of adequacy in full: Decisions will not typically be made on the basis of the registered data alone, but will be supplemented by data from case files, etc. One may, however, see the right of corrections on behalf of the data subject as an expression of the same interest.
The personal registers to which this substantive basic principle applies are (1) manual registers containing (2) no sensitive data. These are only governed by the substantive provisions of the statute.
All other registers are in principle governed by regulations or licence; these are (1) registers that are computerised, or (2) registers containing sensitive data, manual as well as computerised. Sect 9 requires that such registers are only established according to a prior licence, but according to Sect 9(2), regulations may be issued excepting certain types of registers from the requirement to obtain a prior licence. The regulations define such registers according to their purpose, and the following types of registers are governed by the regulations:
The scheme of the regulation is to indicate (1) the technology permitted, (2) the types of personal data permitted to be included in the register, and (3) the communication permitted from the register to a third party. In general, personal data from the regulated registers may not be communicated to a third party unless there is consent from the data subject or the communication is required by law. The registers are only permitted used for the purpose indicated by their category name.
There are, however, many variations in details among the different regulations. For instance, the regulation for registers containing information on employees indicates 22 different types of data that may be recorded (Regulations, Sect 2-12). But this list is supplemented by data that are permitted in agreements concluded between the organisations for employers and employees. There are major general agreements governing conditions for work etc, and the regulation actually delegates to the parties to regulate in further detail the lawful content of employee registers.
Actually, an agreed framework for data protection was negotiated and entered into force spring 1975 - five years before the legislation. The basis was a research project conducted by professor Kristen Nygaard at The Norwegian Computing Center, an independent research institute, and the Union of Iron and Metal Workers. In the act on working environment of February 4, 1977:4 Sect 12(3), the introduction of planning or management systems is made subject to a special participation procedure. The delegation to the parties in the working place is therefore in accordance with a long tradition, and can only be appreciated in this context.
Another example is the regulation for libraries (Regulations, Sect 2-8), which does not permit inclusion of historical lending data in the registers. This is motivated by a concern that the combination of lender and book information over time creates profiles of the likes and dislikes of the lender. It is an early example of the concern for the information created in "electronic footprints" that has been enhanced by consumer oriented electronic funds transfer, automatic traffic control, pay-by-view television and other transaction oriented systems that generate trivial data well suited for the establishment of profiles valuable for surveillance, direct marketing, etc.
Some of the regulated registers may contain sensitive information. This is the reason why only manual registers operated by lawyers or health personnel are permitted by regulation - computerised versions will have to be licensed. Registers of the press and publishing industry may, however, contain any information as long as they comply with the principle of relevance - and the justification is obviously the freedom of the press, which should not unduly be reduced by data protection legislation. One should note, however, that in those cases where sensitive data is included, a qualified relevance principle applies, see below.
If not positively excepted, a computerised personal register or a manual register containing sensitive data will have to obtain a licence prior to its establishment.
One should note that in licensing a system, the authority of the Data Inspectorate is limited by the relevance principle of Sect 6(1). If the data is sensitive, the authority of the Inspectorate is limited further by a qualified relevance principle: in these cases it is not sufficient that the activities of the operator justify the inclusion of the sensitive data, it must be "necessary" (Sect 6(2)).
In deciding whether to award a licence, the Data Inspectorate is to identify data protection issues. Such issues should then be addressed in the licence, and Sect 11 mentions a number of typical provisions that may be included. If such measures are not sufficient to relieve the data protection concern, the Data Inspectorate has to make a further assessment: The advantages obtained by establishing the register should be balanced against the disadvantages in terms of data protection concern. One should note that a licence may be granted even if there are data protection concerns which cannot be solved. Such discretionary balancing of different interests is rather typical for the decisions by Norwegian public agencies, and nothing very special within the data protection legislation.
If a licence is awarded, the Data Inspectorate includes in the licence a number of provisions for the operation of the register. These must as a minimum indicate which type of data is permitted to be included, and what purpose the register may serve. In Sect 11(2) it is suggested that additional provisions are considered for a number of aspects:
One may see the licensing system as an exploratory tool, which keeps the Inspectorate in touch with current developments. On the other hand, the scheme generates a lot of work that may reduce the Data Inspectorate to a bureaucratic organisation spending most time on routine matters.
The regulations may be seen as a possibility of excepting typical routine registers from the licensing procedure, leaving them to be wholly governed by substantial law. But there are also two other strategies used by the Inspectorate.
One is the standard licence. For typical activities, like the records of primary schools, standard licences have been developed that are applied if there are not strong reasons to deviate. For other extensive operations, such as projects financed by the National Research Council, a blanket licence has been issued that imposes a certain internal procedure on the establishment of registers by these projects, but which does not require a licence to be obtained in the individual case.
One may consider these developments as a gradual trend towards sectorised legislation. In fact, a standard licence is very similar to a regulation. It has certain advantages, for instance a greater flexibility for adapting its provisions to the case at hand and for changing its content. It also has drawbacks. A major disadvantage is that it is not published and made available to the public at large as regulations are - and it may therefore be somewhat more difficult to check whether the provisions are satisfactory or that the operator is complying with the provisions.
In the future development of the Norwegian legislation in order to harmonise or comply with the forthcoming directive of the European Communities one may expect a development of the sectorial approach either in the statute itself, or in a somewhat more extensive set of regulations.
The regime sketched above may appear rather strict, but one should bear in mind that registers authorised in special legislation do not fall fully within the scope of the data protection legislation. Norway is a small and open society, and there is a higher degree of trust - perhaps not wholly justified - between the citizen and the public administration, which gives that administration a great deal of leeway.
Mention has already been made of the Central Population Register. Its services are made available to many public agencies, but also private sector organisations may have limited access to this source of information. There are several other major systems that are made available to the private sector.
For instance, the key figures resulting from the annual taxation review are available to the public. Traditionally, the lists have been displayed in the local tax office, but lists of taxable income and property have been published since the 1920's. The tax authorities have created a system whereby this information may be purchased at a certain price, also in machine readable form. This is, of course, an example of a commercial utilisation of a special type of personal register.
There is also a traditional system for real property modelled on the German "Grundbuch" system, which makes available information on ownership, leases, mortgages etc (the act is of June 7, 1935:2). During the past years, the local systems have been converted into a national computerised system; the conversion was finalised in October 1992. To achieve this, a private limited company was set up, Tinglysningsdata, which now is owned wholly by the state. In regulations issued pursuant to the real property registry act, this company has been granted a monopoly for the sale of the information from this register (regulation issued by the Ministry of Justice June 29, 1989:527), and regulations have also been issued by the Ministry of Justice pursuant to the legislation governing the payment for the services of the justice administrative system governing the fees that can be claimed by Tinglysningsdata for their on-line services and print-outs. Again a special scheme for the exploitation of a personal register has been created.
A register has also been created for personal chattels used as security for loans, etc with related information (Løsøreregisteret). This will, for instance, contain information on court orders giving chattel as security to creditors when a debtor has failed to meet his or her payments and related information. These data bases are daily copied to another state owned company in Oslo, The government computer center (Statens datasentral) pursuant to a regulation issued by the Ministry of Justice (1989:527), and information is communicated from this register to, for instance, credit reporting agencies for payment decided by the company. In this case, the access of the credit reporting agencies is governed by licence provisions issued by the Data Inspectorate.
A similar scheme has been introduced for a register of those persons in quarantine due to insolvency proceedings in which they have been involved, a decision that is made by the court. In this case, however, information from the register is sold by the central registration unit situated in Brønnøysund.
These are some of the major services made available from the public to the private sector on the basis of registers containing personal data. There are several other examples, but perhaps not as clearly within the scope of the data protection legislation. One should note that this is a political issue that still is not settled, and that one may expect further developments. One will note, for instance, that the draft directive on data protection from the European Communities will have provisions that make it questionable whether the established solutions can be retained.
First we will again mention that the access right in the data protection legislation can only be understood as part of the other access rights, and in the introduction, the two major examples - access according to the freedom of information legislation and according to the legislation on procedure in public administration - were briefly mentioned.
The access right is governed by the data protection act Sect 7. It is one of the provisions in the act that most directly concerns the data subjects, and it is therefore regrettable that it is difficult to understand and interpret.
Any data subject may request access, and the data subject is to be given access to all data relating to himself or herself in the register. Only the person himself or herself may exercise this right; at death the access right expires. For instance, a widower has not been granted access to the data of his dead wife. The data subject may, of course, appoint a representative to exercise his or her access right; the operator of the register will, however, need sufficient evidence of the authority of the representative.
A register may exist in different versions due to back-up procedures, etc. In the legislative history there is discussion of whether a data subject will be permitted access to historical versions that are printed out, which is suggested not to be contained in the access right, though this is not directly reflected in the statutory text.
A schematic representation of the access right is indicated by the figure below:
Fig 3 - Access according to the Norwegian data protection act
Two broad distinctions are established, one between registers in the private and in the public sector, the second between computerised and manual registers. In this way one has four general categories of registers. All registers in the public sector are in principle subject to access right, while in the private sector, this applies only to the computerised registers.
The data protection act makes itself a general exception for one type of registers. If the register only serves the purpose of generating statistics, general planning purposes or is only used in research, a limited access right is applied. This gives the data subject a right to learn which categories of personal data are contained in the register, but not to learn what those categories contain with respect to himself or herself. The data subject may learn the structure of the register, so to say, but not the contents of the structure.
The justification for this rather broad limitation of the access right is twofold.
First, the decision oriented data protection concept basic to the legislation would indicate that these are registers on which no individual decision is made, consequently the data protection issues are not prominent. It should be noted that the characterisation of the registers is not formal, but substantial - if a register established for research in fact is used to make one individual decision, it is not excluded from full access by data subjects.
Second, a practical problem was suggested by the Central Bureau of Statistics (Statistisk sentralbyrå): Their files were organised in such a way that the production of statistics was optimised. They could easily produce a breakdown of the correlation between geographical location and the age of teachers, but would have grave practical problems retrieving all data relating to a specific identified person. The Bureau suggested that if their files were made subject to access, they would have to reorganise all their files, with substantial cost as a result, and also a file structure that increased the risk of unauthorised disclosure. This view was, perhaps, dictated by the data base technology available at the end of the 1970's, but in fact this limitation has not really been challenged.
In the Royal Decree of December 21, 1979, bringing the data protection legislation into operation, part III made a further general exclusion of a type of registers - those necessary for the security of the nation or military preparedness are excluded from access. The reason for this exclusion is rather self evident. The Decree is interpreted not to exclude the register as such from access, but only to the extent this actually would endanger security. There is a dispute resolving mechanism for cases where the operator of the register and the Data Inspectorate do not agree on the qualification of the register; such disputes are settled in accordance with the general scheme by the Ministry of Justice.
Though formulated as an exception of a type of registers, it is interpreted as an exception of certain (or all) data contained in the registers. Likewise the act itself limits access with respect to certain data that it is deemed "unadvised" to communicate to the data subject. There may be two reasons for this decision: one is the health of the data subject, the second is protection of closely related persons.
Restricted access due to the health of the data subject is considered to be an exception that only rarely may be relevant. One should also be aware of the fact that access to medical files often will be governed by the health legislation (cf the note above on access to the journals of medical doctors). An example is the licence provisions for the National Cancer Register, which does not limit access, but which channels the information through the more recent medical doctor treating the data subject in order for him or her to exercise the assessment of whether access may have an adverse effect on the health of the data subject.
Restricted access to closely related persons is an exception with a different justification. As we mentioned above, personal data such as a name are not protected by the administrative confidentiality. The data subject may therefore in accessing his or her file gain information on other persons of a non-confidential nature. If this were the case, one might in some instances have difficulties in investigating certain matters. For instance, a sister or a spouse may be willing to assist in the investigation of a child abuse case, but might be more reluctant to do this if the data subject (the person under suspicion of child abuse) through accessing his or her file could gain information on this assistance. The adverse effect on the relations between such persons will be clear if we propose that the suspicion is cleared, but that ill feeling is generated through the access. The rather vague expression "closely related persons" is interpreted as denoting those persons actually close to the data subject, not only family by kin or marriage. The exception is rarely applied, but the Data Inspectorate has in licences for Social Welfare Offices authorised the operator of the register to exclude access to information on the source of certain personal data in exceptional circumstances.
For systems in the public sector, a rather more subtle exception is made. The data protection act Sect 7(2) makes the principle of the administrative procedure act Sect 18 applicable also to access based on the data protection act. The Sect 18 exception relies on a distinction between "internal" and other "documents". An internal document is an interim note or other materials that are produced while a case is under preparation. The party to the case has access to the documents of the case, but not the "internal" documents.
An analogous application is not quite straightforward, as the access based on the administrative procedure act refers to "documents", while the data protection act refers to "personal data in a register". The documents may, however, be computerised and consequently part of a register. In that case, access is limited for internal documents.
However, the administrative procedures act Sect 19 makes a further exception to the exception in Sect 18, and though the data protection act Sect 7 does not contain any reference to this, it is interpreted also to be applied with the administrative procedures act Sect 18. This grants access to "facts" contained in the internal documents, but not to "assessments". This distinction is generally taken to exclude "legal subsumption" from access. It is suggested that whether a person is "untidy" or "debauched" are examples of facts, while whether the person is a "thief" or guilty of "social benefit fraud" are examples of assessments.
On the basis of this interpretation, little is left of the exception for reduced access to internal documents, as all "facts" are available, only the rare cases of "legal subsumption" are excluded. But this explains the qualification of personal data as "data and assessments", where "data" refers to the facts, while "assessments" refers to the legal subsumption.
One might respectfully submit that it has not been necessary to draft this provision like a legal puzzle with a somewhat uncertain solution.
The other side of the coin is an extended access right in manual, private files. An employee in the public sector has access to his or her data in the manual personnel register, while the act does not grant employees in the private sector the same right. When the regulations were revised March 10, 1981, Sect 1-5 was amended to give employees the same access to the registers of private employers. The provision is modelled after the administrative procedures act, and therefore incorporates an exception for "internal documents", which are specified in somewhat more detail in the regulations Sect 1-5(2), and the corresponding extension of the access right to facts in Sect 1-5(4), though the provision only recommends access to facts rather than requires such access.
This interpretation of the statute has recently been challenged with respect to a conflict with the Jehovah's Witnesses. Their manual file contains sensitive data, and is subject to licensing. According to Sect 11(2)(7) the licence may specify further the access right of the data subjects. But this provision cites Sect 7, and according to Sect 7 there is no right to access a private, manual register - though that register cannot be operated unless a licence has been obtained. It is therefore argued that the Data Inspectorate lacks the statutory authority to impose on the operator of such a register the duty to accept requests for access. Sect 7(5) and the Royal Decree of December 21, 1979, part I do, however, give authority to the Ministry of Justice to issue regulations on the right to access registers, as is the case with respect to the personnel register mentioned above. The Data Inspectorate has suggested that the Ministry of Justice should issue such regulations.
Also in licences, access rights may be extended beyond that of the statutory provisions. With respect to schools, there is a standard licence that extends access rights.
As mentioned above, personal data also includes data on legal persons. This has caused IBM to apply for an exception to the access rights for two registers. One of them is a register of companies and their installed computer facilities, both from IBM and competitors. The sources are newspapers, reports from the marketing division etc, and the register is used to support marketing. The other register contains some information on their own customers used in marketing support. The Data Inspectorate emphasised that the registers only contained information on legal persons, and that they were used in a competitive situation, granting an exception to the access rights for these two registers.
The access rights in Norway are, taken as a whole, quite comprehensive. But the data protection legislation has made its provisions obscure and unnecessarily complex. A revision will probably result in a simplification.
The data protection act Sect 8 contains a rather obvious provision that protects the data subject from retaining false information in a register.
Four categories of data are indicated.
Obviously, any of these qualifications may be a matter of dispute. Whether data is incorrect, may be disputed (though some data may represent notorious facts where the correctness may be objectively ascertained). Also, whether data are incomplete, may be a matter of dispute - this is, however, an important issue related to the interest of adequacy: The data in the register alone may be quite misleading. The data may be unlawful on the basis of the relevance principle of Sect 6 - but it may be disputed if for instance a business objective justifies the inclusion of certain data. And finally, it may obviously be disputed whether data have lost their relevance because they have become dated.
An example of the latter consideration is a provision in the licence for the aliens register operated by the police, where data is to be deleted if the alien is granted Norwegian citizenship: One is not to have different classes of citizens.
The correction of the data may also take three forms:
An example may illustrate the choice between alternatives. There exist also in Norway computerised information retrieval services based on the editorial material of newspapers, journals, etc. The first was based on Aftenposten, the largest daily newspaper, for its ATEKST service. The problem of rectification presented itself - obviously a newspaper item might contain data on a person that the person contested, or which actually was amended by subsequent items. This was solved by the data subject being granted a right to append to the item a comment, and the fact that a comment is appended is noted in the title of the document containing the item.
Likewise, the newspapers will communicate sensitive information. It was feared that the information system might in practice function like an informal criminal justice record. This motivated the inclusion of a provision in the licence that excluded from the public version of the system information on crimes when seven years have passed from the time of the crime. This exclusion does not apply to crimes related to execution of jobs or public office, or when the case is of "major importance to the public".
It follows further that if the data has led to the communication or use of erroneous or incomplete data, the operator of the register should seek to limit damage with respect to the data subject.
The provisions of Sect 8 may, as mentioned, easily be contested, and there may not only be a difference of opinion, but also a conflict of interests between the data subject and the operator of the register. If the operator will not make the correction, deletion or supplement required by the data subject, the data subject may appeal to the Data Inspectorate, which is empowered under the act to make a decision as to what measures shall be taken. This is, of course, a decision that the operator may appeal - first to the Ministry of Justice, and then challenge the decision before the courts. This is, however, rather theoretical - in practice the operator will hardly pursue the matter beyond the appeal to the Ministry of Justice.
When the decision becomes final, the operator is liable to criminal sanctions according to Sect 38 if he or she does not comply with the measures indicated.
In the revision of 1987, a new Sect 8a was introduced in the data protection statute. This simply states that anyone can require his or her name blocked for the use of a register for direct mail or the distribution of similar material.
This supplements the licence provisions for operating a direct mail or address brokerage (see above). It has been introduced in the general and substantive part of the statute in order for the data subject to be given this right also when the operator of the register is not such a business, for instance when a register of the customers of a department store or a bank is used for direct mail purposes for the services offered by the store or the bank. The licence of the professional operators includes requirements of citing the source of the address on the label, and not to include the PIN on the outside of an envelope.
In practice, the blocking takes the form of establishing one special register containing the names of those persons who have made the request. Any output from the register is matched to this "exclusion register" to delete these names from the mailing. This method has been chosen in order to also block the names if updating of the register would re-introduce a blocked name.
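The exclusion-register method described above, as an added example (not code from the paper or from any register operator): it contrasts deleting a blocked name from the register itself with matching every output against a separate exclusion register, across an update that re-introduces the name. The record fields, the name-normalisation rule and the sample names are constructed assumptions.

```python
import unicodedata

# Constructed sample data: a customer register and a later update batch
# (for example a re-import from the same source) that re-introduces a name.
INITIAL = [
    {"name": "Kari Nordmann", "address": "Storgata 1"},
    {"name": "Ola Hansen", "address": "Kirkeveien 7"},
]
UPDATE_BATCH = [
    {"name": "KARI  NORDMANN", "address": "Storgata 1"},  # same person, different spelling
    {"name": "Per Olsen", "address": "Havnegata 3"},
]
BLOCKED = "Kari Nordmann"  # data subject who has asked to be blocked


def match_key(name):
    """Normalise a name for matching (assumed rule: NFKC, case-folded,
    whitespace collapsed), so trivial spelling variants still match."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


class Register:
    """The operational register, keyed on the normalised name."""

    def __init__(self):
        self.records = {}

    def update(self, batch):
        for rec in batch:
            self.records[match_key(rec["name"])] = dict(rec)

    def delete(self, name):
        self.records.pop(match_key(name), None)


class ExclusionRegister:
    """Separate register holding only the blocking requests."""

    def __init__(self):
        self._blocked = set()

    def block(self, name):
        self._blocked.add(match_key(name))

    def filter_output(self, records):
        """Split an output run into (kept, suppressed) records."""
        kept, suppressed = [], []
        for rec in records:
            target = suppressed if match_key(rec["name"]) in self._blocked else kept
            target.append(rec)
        return kept, suppressed


def mailing_after_deletion(initial, update_batch, blocked_name):
    """Blocking by deleting from the register: the request is forgotten,
    so a later update silently puts the name back on the mailing."""
    reg = Register()
    reg.update(initial)
    reg.delete(blocked_name)
    reg.update(update_batch)
    return sorted(r["name"] for r in reg.records.values())


def mailing_with_exclusion(initial, update_batch, blocked_name):
    """Blocking by matching every output against the exclusion register:
    the request survives any number of updates of the main register."""
    reg = Register()
    reg.update(initial)
    excl = ExclusionRegister()
    excl.block(blocked_name)
    reg.update(update_batch)
    kept, suppressed = excl.filter_output(reg.records.values())
    return (sorted(r["name"] for r in kept),
            sorted(r["name"] for r in suppressed))


if __name__ == "__main__":
    print("delete-at-source mailing:", mailing_after_deletion(INITIAL, UPDATE_BATCH, BLOCKED))
    print("exclusion-register mailing:", mailing_with_exclusion(INITIAL, UPDATE_BATCH, BLOCKED))
```

Matching on a name alone also suppresses any namesake of the blocked person; an operator needing finer matching would have to extend the key, which in turn means storing more data about the people who asked to be left alone.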
In the perspective of the data subject, the criminal sanctions of the data protection legislation (Sect 38-40) are of less interest, and will not be discussed in this paper.
Under Norwegian law, liability is generally based on negligence. It may be argued that in general, negligence is not sufficient for finding an operator of a register liable for an economic loss that is suffered by a data subject due to erroneous data in the register. This would represent an instance of pure economic loss, and it is argued that, in addition to negligence, there should also be justified cause for relying on the data. This discussion has emerged without any special reference to data protection, and is mainly developed in the doctrine without statutory authority, and with few cases on which to rely.
The data protection legislation has only one special liability clause in Sect 40, which relates to credit reporting services. Strict liability is imposed if a data protection violation causes economic loss for the data subject. The provision strengthens the position of the data subject compared to the background law, as negligence (and justified reliance) is not required: the liability is strict. But it is limited to economic loss. In the case of credit reporting, erroneous personal data may more easily cause such loss than in general. But nevertheless, the characteristic of a data protection violation is not the economic loss, but rather the immaterial aspects. However, in Norwegian law, liability for anything but economic loss (including general damages) would require statutory authority.
The general statute on damages Sect 3-6 is a statutory authority for awarding damages for non-economic loss. This section refers in rather general terms to loss suffered by libel and invasion of privacy, but the legislative history makes it clear that it is presumed that such damages only can be claimed if the provisions of the criminal code with respect to libel and privacy invasion can be applied.
This leaves the data subject in a somewhat unsatisfactory situation. Though he or she may claim for damages for economic loss under the general non-statutory law on "pure economic loss", this is not a typical effect of the failure of an operator to comply with the data quality requirement of the data protection legislation or the conditions set out in a licence. It is hoped that the right to damages will be strengthened in the future revision of the law.
Norway is one of the original parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of June 27, 1980. It has also been active in drafting the different recommendations that the Council of Europe has adopted pursuant to the convention. It also is a member of the OECD, and has not taken any reservations with respect to its Guidelines Governing The Protection of Privacy And Transborder Flows Of Personal Data of September 23, 1980.
No other international instruments specific to data protection apply. But, as noted above, Norway will through the European Economic Space Agreement have to comply with the directives of the European Communities, including those on data protection.
The data protection act title 9 governs export of data from Norway. When the regulations were introduced, a licence system was set up pursuant to Sect 36 and 37. But at the revision of the regulations in 1981, this was replaced by a simplified system of notification, cf regulations Sect 8-1.
According to the regulations, notification is necessary for two situations.
The first is the export of a register that either is computerised, or which contains sensitive data, ie those registers that are subject to license according to Sect 9. But there is a duty to notify the Data Inspectorate also for those registers that do not need a licence according to regulations issued pursuant to Sect 9.
The second is the export of personal data collected in Norway if the purpose of the export is the inclusion in a Sect 9 register (see above). The provision is interpreted to require some sort of organised activity in Norway (collection). The Data Inspectorate has, for instance, not seen the establishment of a post box address in Norway as sufficient to qualify the en bloc transfer of the mail from the box to Sweden as "collection" in the meaning of the act.
One will also notice that the purpose of the export has to be the inclusion in a Sect 9 register. This may be a rather slippery criterion: The sender may not know the intention of the foreign institution requesting the data; the recipient may decide at a later stage to create a register; or the register may be manual, the data collected in Norway may be trivial, but data included in the register on the nationals from other countries may be of a sensitive nature, making the register qualify under Sect 9. In spite of the possible difficulties in interpreting and applying this provision, it has in practice not created many problems - mainly because it is not very actively promoted by the Inspectorate.
The regulations Sect 8-1(2) make an exception from the duty to notify the Data Inspectorate if international agreements, or membership in international organisations oblige Norway to make the data or registers available. This, for instance, will apply to organised international co-operation in health care or among police authorities.
Notification should be made on a specified form sufficient time prior to exportation to give the Data Inspectorate time to deny export. The Data Inspectorate is actually given the authority to deny export even when this would be in violation of the Council of Europe treaty. This is, however, only a theoretical possibility. The Inspectorate has been rather reserved in exercising its authority - examples include a case where a foreign bank established itself in Norway, but maintained its customer files in Belgium. In this case, the Inspectorate required the content of the register to be within the scope of the regulatory provisions applying to the registers of banks (regulation Sect 2-4), and that the registers were used according to the general principles for such registers (regulation Sect 2-1).
The provisions on transnational flows are somewhat unexciting. The issue of the territorial application of the data protection act is much more stimulating. The general problem is what sort of relation there should be between a certain state and the operation of a register sufficient for that state to apply its national data protection legislation to the register. The issue of the proper law of data protection has simply not been solved on the international level, though it was discussed in the work preceding the Council of Europe Convention and the OECD Guidelines.
This attractive and juicy problem will not be addressed here in general. It must suffice to indicate that the criteria for qualification - typically access by national users to the register - make positive conflicts of authority rather probable.
Norway has some few associated territories, the more interesting of which is Spitzbergen, an Arctic island with mining and research activities. Spitzbergen is according to a treaty of 1920 under Norwegian sovereignty, though there is a rather large Russian mining colony at Barentsburg. An interpretation of the Spitzbergen act implementing the treaty in national law Sect 2 implies that the data protection act does not apply to Spitzbergen. This is currently under reconsideration, and the first data protection act directly to apply to Russians may conceivably be the Norwegian.
There is a rather extensive offshore activity on the Norwegian continental shelf of the North Sea. This activity is governed by the petroleum act. Sect 2 of this act makes the data protection legislation applicable to activity related to the exploration, production, and transportation of petroleum products. This is extended outside the continental shelf itself as far as this follows from international public law or a bilateral agreement with another state, cf Sect 1(2).
The data protection act is also interpreted to apply to Norwegian representations abroad - ie embassies and consulates.
Even more tenuous is the relation with Norwegian merchant vessels in foreign waters. One interesting case concerned Norwegian cruise liners in the Caribbean. The shipowner was a Norwegian company, which had contracted with a local catering firm to employ personnel like cabin attendants. The local company maintained a register of passenger ratings of the attendants. The Norwegian Ministry of Justice held that the data protection legislation applied to this register, though the ship never entered Norwegian territorial waters, the catering company was foreign, and the employees were foreigners.
As stated, a general discussion will not be offered. Today, it still is an open issue what link is necessary to establish that Norwegian data protection legislation applies. In the past, it has been suggested for Swedish law that any system that may be accessed by terminals on the territory falls within the scope of data protection. Bergmann has suggested several possible additional types of relevant relations: Domicile of the data subjects, business site of the operator of the register, the most favourable data protection law, the place of the data processing and the lex rei sitae of the computerised system. One may also indicate that it may be too simplistic to operate with "data protection law" as subject for the choice of law; this must perhaps be further qualified. It would seem that at the moment, a territorial relation is sufficient to establish application of the Norwegian legislation, but there may also be an additional policy element. Both with respect to the offshore activities and the case of the Caribbean yacht it may have been a relevant element that data protection is seen as related to the provisions governing an employment situation with respect to security and welfare, and that therefore the relation to the territory has to be less than in cases where it is questioned whether the data protection legislation applies to contractual situations between parties, which lack the "power relation" between data subject and operator of the register thought to be so important with respect to the Norwegian concept of data protection.
Over the past few years there has been an interesting development with respect to data protection at the Norwegian courts. The development concerns the relation between some elements of information technology used for supervision, either of the public or of employees. In closing, a few remarks on this development may be appropriate.
The first case is in itself quite famous, generally known as the Photographic evidence case. In several areas of Norway, automatic traffic control systems have been introduced. They are rather conventional in their technology: a car passes across a wire loop underneath the road surface, inducing sufficient electricity to make it possible to time its passing. Using two such loops, its speed may easily be calculated. If the speed exceeds the maximum, a photograph is taken by an automatically operated camera.
The owner of the car in question protested when presented a fine for speeding, as the car had been reported stolen in relation to the burglary of his home. This made the criminal police interested in the photograph, which turned out to portray the driver of the stolen car, and to include a number of objects in the car that had been reported stolen from the home of the owner of the car. The photograph was consequently claimed as evidence by the police.
The problem was that it had been presumed in the discussion of the regulations applying to automatic traffic control that such evidence only should be used for road traffic purposes, and this presumption was explicitly expressed by the relevant committee in the parliament. The use of excess information was to be limited due to privacy considerations. The Ministry of Justice issued instructions limiting the use of the photographs according to this view. The Supreme Court observed that this represented an attempt to restrict the freedom of the courts to admit evidence at their discretion, and such a restriction could not be legally imposed without authority in law, and the instructions of the Ministry of Justice lacked such authority. On this rather formal basis, the Supreme Court held that the court was authorised to permit the evidence.
The second case has become known as the "Snack bar case". This case relates to a possible embezzlement from the cash register of a snack bar. In the snack bar, a video camera had been installed which displayed on a monitor in the back room a view of the shop. In this way the person on duty could relax in the back room and be alerted when a customer entered the shop. The owner of the shop noticed that the trade seemed to be less than indicated by the purchased goods. Without alerting his staff, he connected the video camera also to a recorder, and in this way he recorded 14 hours. Extracts of this record were copied over to a tape, and were maintained to prove that cash was handed over to the operator of the snack bar without that person entering the sum in the cash register.
The Supreme Court discussed at some length whether any statutory provisions applied to the case, and concluded that they did not. But the Court went on to state that such surveillance represented a major violation of privacy of a non-statutory nature. Again we see that information technology provokes a reaction from the legal system - the use of video recordings for surveillance is seen as a violation of the non-statutory privacy protection. And on this basis, the Supreme Court refused the recordings to be permitted as evidence.
This was a criminal case, and the rules of evidence may there be more severe, and more favourable to the accused than in civil cases. Our third case is, however, a civil case, decided by the Appeal Court of Agder. In this case, the owner of a pub suspected that beer was sold without payment being registered. The employer compared the consumption of beer with the total income from this sale, and concluded that the trick was related to the way in which the employees filled the glass from the tap (in Norwegian this gadget is called "the tap tower", and the case takes its name from this phrase). Again the employer installed a video camera showing in its frame the tap tower and the hands of those employees drawing beer. A case of dismissal was initiated against three of the employees, and the first instance court decided to allow the video records to be used as evidence, drawing a distinction between the Supreme Court criminal case and the current civil case.
The Agder appeal court was, however, rather definite in its decision. It stated that the Supreme Court decision held such clandestine recordings as a grave violation of the privacy of the employees. It would be inappropriate to allow such recordings as evidence in civil cases, the court argues, as this might encourage circumvention of the rule laid down by the Supreme Court. The appeal court makes, however, a reservation with respect to possible extraordinary circumstances that would justify such recordings being permitted as evidence.
One should note that before the last decision, an amendment of the general criminal code had taken place. This amendment prohibits constant or regular video surveillance in a public place (as the criminal code defines that phrase) unless information of this is given by signs or other adequate means. Following the snack bar case, a further proposal has been introduced to make a similar rule govern video surveillance by employers. Therefore, it may be argued, this is a special case in which the courts have been in line with the legislators, though slightly ahead of their time.
However, there is a fourth case that emphasises this line of argumentation, and which is not related to video recordings, but another example of information technology turned to the purpose of surveillance of employees.
This is the E-mail case, decided by the first instance court of Asker and Bærum. This case is also a dispute of whether a dismissal was justified. A conflict was brewing between the executive director and an employee of the Norwegian branch of Memorex. The employee felt that the director was being unfair, and was reading his private electronic mail. To prove his point, he wrote an e-mail addressed to the European corporate headquarters in Italy, but did not transmit the mail. The letter he stored in his private area of the e-mail system. The director actually accessed that area, read the letter, and dismissed the employee. The court held that as there was no agreement or warning that the private areas could be accessed by management, such access was a violation of privacy. Again, no statutory authority could be cited, but the court went ahead and applied non-statutory principles.
Looking at these four cases, one may see a certain pattern. All of them relate to the use of information technology for surveillance. The difference between the "Photographic evidence case", where the photographs were allowed to be used as evidence, and the three others, would mainly seem to be the fact that in the automatic traffic control, due notice was given. Automatic traffic control is, of course, mainly a preventive measure, and in order for the control to have a preventive effect, signs are displayed as clearly as possible. This was not done in the other three cases; here the surveillance was clandestine.
Consequently, one may conclude that this recent case law indicates that electronic surveillance - by any means - is a violation of privacy if the subject of surveillance has not agreed, or at least been notified, of the surveillance. The recent statutory amendments and bills also support this conclusion.
And in closing it may be of some minor interest to note that the interaction between data protection (or privacy) and information technology has not found a balance in the current legislation. Both technological developments, and external influences like the directives expected from the European communities, will cause major changes in the current legislation. We may expect such changes in the relatively near future.
Consequently, this paper has a limited interest in time as a discussion of Norwegian law. But the development has for those of us interested in data protection primarily a promise: Data protection will remain a current issue for the foreseeable future - in Norway, and in Europe.
 In this paper, the term "privacy" is used to denote the traditional set of rules protecting the publication of intimate personal data, while the term "data protection" is used for the protection based on the data protection act and related regulation. This distinction roughly corresponds to the Norwegian distinction made between "personlighetsvern" and "personvern".
 Cf Otto Mejlænder Den norske Straffelov, Malling, Kristiania 1889:59-61
 In this paper, the terms "data" and "information" are used loosely as synonyms, and not according to definitions like those common in computer science.
 "The right to privacy", Harvard Law Review 1880:193.
 Rt 1952:1217.
 The spokesman for the Court, Judge Qvigstad, at Rt 1952:1220-1221. The translation is the author's own.
 In the citation, the name of the criminal has been replaced by neutral indicators in square brackets.
 Melvin v Reid, 112 Cal App 285, 197 Pac 91 (1931)
 This decision was based on an obscure provision of the Californian constitution stating that all individuals had a right to "pursuing and obtaining happiness" - it has later been repealed.
 Act of February 10, 1967 - "Forvaltningsloven".
 Act of June 19, 1970 - "Offentlighetsloven".
 Rådet for databehandling i staten.
 At this time, the author of this paper was his research assistant, and was doing much of the practical work - professor Selmer at this time being both dean of the Faculty and Director of the Department.
 This was funded as a sub-department of the Department of Civil Law, but was in 1981 made into a full department of the Faculty.
 Erik Samuelsen Statlige databanker og personlighetsvern, Norwegian University Press 1972.
 NOU 1974:22 Persondata og personvern. One may note that this is the first time the Norwegian equivalent of "data protection" - "personvern" - is used in a written publication. The term itself was coined by professor Selmer in a talk on the subject.
 NOU 1975:10 Offentlige persondatasystem og personvern.
 Ot prp nr 2 (1977-78) Om lov om personregistre mm
 Lov om personregistre mm, 1978:48
 Act of June 12, 1987:55.
 St meld nr 43 (1990-91) Om personvern - erfaringer og utfordringer og om Datatilsynets årsmelding for 1990, Ministry of Justice, Oslo 1991.
 At the time this paper is written, Norway has just accepted the European Economic Space Agreement, and through this the directive will be binding and require amendments of the national legislation.
 Important is a study of the Directorate of seamen which co-ordinated all administrative activities relating to persons employed in the Norwegian merchant navy. Cf Ragnar Dag Blekeli Personvern og offentlig forvaltning, Papers on Computers and Law 11/1975, Norwegian Research Center for Computers and Law, Oslo, 1975. The Directorate has now been phased out. Also the early articles of Knut S Selmer were influential, for instance "Elektronisk databehandling som verktøy i offentlig og privat administrasjon", Samtiden 1976:85, 77-83. The anthology of Ragnar Dag Blekeli and Knut S Selmer (eds) Data og personvern, Norwegian University Press, Oslo 1977 summed up the understanding of data protection at the time the government bill was drafted.
 One may not exclude that this is a bias inherited from the emphasis on data protection in public administration in the first studies.
 One will appreciate that with respect to a certain data subject, that data subject may well profit from certain facts being omitted that in a typical situation would be considered relevant. Therefore the emphasis on types of data in the text: We are considering, one might say, an abstract or ideal decision.
 Forvaltningsloven, February 10, 1967.
 Offentlighetsloven, June 19, 1970:63.
 Rt 1977:1035.
 Act on medical doctors (legeloven) of 13.6.1980:42 sect 46.
 What in German is called "Rasterfahndung".
 Aktuelt 2/1985:19.
 St meld nr 43 (1990-91) for 1990.
 A review of the discussion can be found in Lov&data 31/1992:4-6.
 Cf Ot prp nr 1 (1977-78) Om lov om personregistre m.m., Oslo 1978:25-26.
 Cf Eirik Djønne, Tove Grønn and Tor Hafli Personregisterloven med kommentarer, Tano, Oslo 1987:28-29.
 Cf Jon Bing "'Personal Data System': A Comparative Perspective on a Basic Concept in Privacy Legislation", in Jon Bing and Knut S Selmer (eds) A Decade of Computers and Law, Norwegian University Press, Oslo 1980:72-91.
 Cf Ot prp nr 2 (1977-78) Om lov om personregistre mm, Ministry of Justice, Oslo 1978:69.
 This is unlike how the retrievability test is applied in the US law.
 Cf Eirik Djønne, Tove Grønn and Tor Hafli Personregisterloven med kommentarer, Tano, Oslo 1987:29-30.
 Cf Eirik Djønne, Tove Grønn and Tor Hafli (eds) Personregisterloven med kommentarer, Tano, Oslo 1987:30-31.
 Though in transaction-oriented environments there may be generated a computer record of the transactions which includes a time-stamp, and which then becomes a time-encoded index to the persons recorded by the camera.
 Rt 1991:616, cf also Lov&data 28/1991:8-9.
 There is only a formal "controller of the file" where such has been appointed in a license. Otherwise the "operator" will be the person responsible according to the law of the type of organisation applicable, whether limited company, charitable foundation, or public authority.
 Cf Niels Schweigaard "Bedriften, de ansatte og datamaskinen", Ragnar Dag Blekeli and Knut S Selmer (eds) Data og personvern, Norwegian University Press 1977:241-257.
 Cf Eirik Djønne, Tove Grønn and Tor Hafli (eds) Personregisterloven med kommentarer, Tano, Oslo 1987:80.
 Curiously, this provision follows the substantive provision in Sect 6(1) containing the relevance principle. But as all registers containing sensitive data fall within the scope of Sect 9 on licensing and regulations, it is not really a substantive provision addressed to operators of registers, but a limitation of the authority of the Data Inspectorate to either issue regulations or license registers.
 At the time this paper is written, it has not been decided whether Norway will accept the European Economic Space Agreement or apply for membership in the Communities at a later date.
 Cf regulations issued by the Ministry of Finance pursuant to the freedom of information act Sect 8(3).
 Cf Jon Bing Juridiske aspekter ved etablering og distribusjon av elektroniske tjenester, Prosjekt 5: Standardiserte formidlingskanaler, Nasjonal infrastruktur for edb, Statskonsult, Oslo 1992.
 Data Inspectorate's decision, Jnr 80/530.
 Cf Ot prp nr 2 (1977-78) Om lov om personregister mm, Ministry of Justice, Oslo 1978:75.
 Cf Ot prp nr 2 (1977-78) Om lov om personregister mm, Ministry of Justice, Oslo 1978:55.
 This exception is not reflected in the simplified figure above.
 Data Inspectorate license, jnr 80/1115.
 Data Inspectorate license, jnr 80/490.
 The definition of a "document" is found in the freedom of information act Sect 3, and this definition also applies to the administrative procedures act. Pursuant to the freedom of information act Sect 3, regulation of December 12, 1986:2202 was extended to computerised material (see above). Any document contained in the file of a word processor, electronic mail server etc will consequently also be part of a register in the meaning of the data protection act.
 Cf Lov&data 32/1992:7.
 In Norway a child may be admitted to kindergarten partly on social indications. As there is a lack of capacity, the parent may emphasise the problems which constitute these social indications. The same information was - lawfully - passed on to the social welfare authorities. In this case the Data Inspectorate recommended that the data subject be allowed to supplement the data.
 Cf Data Inspectorate license, jnr 81/1896.
 Licensed December 30, 1985, jnr 85/702-10. The subsequent licenses corresponded to this.
 In the version available for the newspaper's own journalists, the information was still accessible.
 Jon Bing Journalister, aviser og databaser; CompLex 14/87, Norwegian University Press, Oslo 1987:23-25.
 Cf Jon Bing Juridiske aspekter ved etablering og distribusjon av elektroniske tjenester, Nasjonal infrastruktur for edb - Prosjekt 5: Standardiserte formidlingskanaler, Statskonsult, Oslo 1992:80-98 and Viggo Hagstrøm "Informasjonsansvar - om villedning av annen enn kontraktpart"; Tidsskrift for rettsvitenskap 2/1989:204.
 Skadeserstatningsloven, June 13, 1969:26.
 Cf Jon Bing and Cato Schiøtz "Oppreisning for enkelte personvernkrenkelser"; Jussens venner 1977:241-270.
 In the debate following the 10th anniversary report in the parliament, several members suggested strict liability for loss caused by errors in public registers, cf Lov&data 31/1992:4-5.
 Cf Jon Bing "Transnational Data Flows and the Scandinavian Data Protection Legislation"; Folke Schmidt (ed) Scandinavian Studies in Law, 1980:67-96.
 Cf Eirik Djønne, Tove Grønn and Tor Hafli (eds) Personregisterloven med kommentarer, Tano, Oslo 1987:157.
 Data Inspectorate decision, jnr 84/894.
 Cf Jon Bing "Reflections on a data protection policy for 1992"; proceedings of Access to public sector information, data protection and computer crime: Legal challenges and opportunities created by the prolific growth of electronic information services, Commission of the European Communities and Council of Europe, Luxembourg 27-28 March, 1990.
 The Spitzbergen treaty of February 2, 1920 between the United States of America, Denmark, France, Italy, Japan, the Netherlands, United Kingdom, Ireland, Sweden, and Norway.
 Lov om Svalbard, July 17, 1925:11.
 Petroleumsloven, March 22, 1985:11. The former act governing offshore activity was interpreted in the same way.
 Cf circular of the Data Inspectorate, jnr 86/323.
 Letter of November 6, 1981.
 Cf Jon Bing "Impact of Developing Information Technology on Data Protection Legislation", Organisation for Economic Co-operation and Development, OECD/ICCP(86)5, Paris, 1986.
 Cf Michael Bogdan "Dataflykt över gränserna och den svenska datalagstiftningen", Förvaltningsrättslig Tidskrift 1978/1-26.
 Michael Bergmann Grenzüberschreitender Datenschutz; Nomos, Baden-Baden 1985.
 Cf Jon Bing "Impact of Developing Information Technology on Data Protection Legislation", Organisation for Economic Co-operation and Development, OECD/ICCP(86)5, Paris, 1986:51-53 and François Rigaux "La loi applicable à la protection des individus à l'égard du traitement automatisé des données à caractère personnel", RCDIP 1980:443-478.
 Cf Norsk Retstidende 1990:1008, Lov&data 25/1991:3-4.
 Innst S nr 98 (1986-87) page 14.
 There are few formal rules of evidence in Norwegian law; the court is traditionally allowed rather freely to determine what evidence is to be permitted.
 Norsk Retstidende 1991:616, Lov&data 28/1991:8-9.
 Cf Lov&data 33/1992.
 Statute of March 15, 1991:5, taking effect from July 1, 1991.
 Cf Lov&data 32/1992:8-9.