NOU 1997: 19

A Better Protection of Privacy – Proposal for an Act on the Processing of Personal Data (Et bedre personvern – forslag til lov om behandling av personopplysninger)


1 Summary in English of the Committee’s Proposals

Part I of the Report

In Chapter 2, the background, authority, composition, and working method of the Committee charged with revising the Personal Data Registers Act (hereinafter, the Committee) are presented. The need to revise the Personal Data Registers Act is due in part to technological development, which is steadily creating new possibilities to collect, process, and use personal information, and in part to Norway’s obligation to implement a European Union Directive on data protection.

The notions of privacy and data protection can appear both diffuse and wide-ranging. The Committee has therefore found it prudent to define precisely what meaning it assigns to these notions (see Chapter 3). In this way, the important frame of reference for the Committee’s work is made apparent.

As mentioned above, the reason for the Committee’s mandate is among other things the technological and social developments that have significance for the rules concerning privacy and data protection. Chapter 4 goes into some of these developments in depth and explains how they are of significance for such protection.

When a law is revised, the law itself marks the starting point for the evaluation. Chapter 5 gives an overview of the Personal Data Registers Act and its regulations, whereas Chapter 6 illustrates that privacy and data protection are also fostered through other types of legislation, rules arising from contract, and legal norms which exist independently of statute.

The Committee has considered it important to familiarize itself with international rules and the state of the law in other countries. In Chapter 7, the Council of Europe’s Convention for the protection of individuals with regard to automatic processing of personal data is discussed. In Chapter 8, an overview of the EU Directive 95/46 on the protection of individuals with regard to processing of personal data and on the free movement of such data (often called Data Protection Directive or Directive) is given. In Chapter 9, a short account of other international rules and certain other countries’ data protection legislation is given. A few foundational similarities are found – e.g. statutory rules are often combined with a regulatory agency that monitors compliance with the law. The common starting point, however, disappears due to a range of different regulatory mechanisms from country to country.

Part II of the Report

The Personal Data Registers Act applies to personal registers and the use of personal information in certain activities. The Committee proposes that the concept of register be maintained as a delimitation criterion for manual processing of personal information but that all electronic processing of personal information be covered independently of whether or not the information is part of a personal register. This is an extension of the current Personal Data Registers Act. The change is not very extensive, however, because one can relatively easily recover personal information about the individual which is stored electronically (the requirement of systematic organization of data has no independent significance).

According to the Committee’s proposal, the envisaged law applies to the processing of information about physical/natural persons. Information about legal persons will also often have a legitimate need for protection. This need will to a large extent, however, be grounded in other considerations than privacy and data protection – e.g. economic interests – and such interests should be taken care of in other legislation. Information about physical/natural persons that is connected to legal persons (e.g. a person is registered as an owner of an enterprise) will be personal information covered by the law. Information about deceased persons is covered to the extent that it is associated with a surviving individual. It is further proposed that the law apply to public and private enterprises, but that processing of personal information for purely personal purposes – as with the current Personal Data Registers Act – is not covered.

In Chapter 11, a series of new rights that the proposed law awards the individual are discussed. The right of access is extended in relation to the Personal Data Registers Act (see 11.2). In the first place, this implies an extended right to general information about the processing of personal data and an extended right of access to registered information about oneself. Second, a disclosure requirement (when the personal information is collected from the data subject and when personal information is obtained from third parties) is imposed on the party responsible for processing the data (hereinafter data controller). Third, the individual is given a claim to the reasoning behind completely automated decisions (the claim to access to the logic behind an automated decision, see 11.4).

Further, the Committee proposes certain rules which give the individual a right to oppose certain types of personal data processing (see 11.3). Two rights belong to this group. The right granted by the Personal Data Registers Act to demand that one’s name be blocked from use in direct marketing is proposed to be continued in the new law. The Committee supports the Data Inspectorate’s proposal to establish a central reservation register to make it easier for an individual to guard against receiving advertising material. The Committee also proposes to establish a right to demand manual review of certain entirely automated decisions.

Finally, certain rules are proposed about the deletion of personal information (see 11.5). For the most part, it is proposed to keep the current provisions in the Personal Data Registers Act on amending, deleting, or supplementing incorrect or incomplete information or information which is not allowed to be registered. In addition, a general rule is proposed that personal information shall be deleted when an objective reason for keeping it no longer exists. Such general rules concerning deletion are laid down in the Data Inspectorate’s licenses for setting up a personal data register. New in relation to today’s regulation is the Committee’s proposal that the registered individuals be given an expanded right to demand that information about themselves be deleted or blocked.

In closing, Chapter 11 discusses some questions connected to deadlines for compliance with demands from the data subjects and costs connected to their rights (see 11.6).

In Chapter 12, the Committee proposes a broad spectrum of instruments for safeguarding privacy and data protection in connection with the processing of personal information. The Committee proposes to continue the licensing duty but to make it far less comprehensive than it currently is and to replace it with a series of measures that, among other things, will build on an obligation to submit reports in combination with more supervision from the Data Inspectorate. The Committee proposes in addition that the Data Inspectorate shall give advice to those who plan to process or who already process personal information, and carry out subsequent inspections. The proposals contain more rules than exist under the current law, and there will, as today, be a need for control through the issuing of regulations. Further, rules about internal control are proposed, and, finally, the Committee has evaluated the need for sectoral codes of conduct, which are drafted by the data controllers themselves. Examples of new rules in the proposed law are provisions on the requirement to explicitly define the purposes for processing personal information, on the use of personal information for other purposes than those originally considered, on the processing of sensitive personal information, and on the use of the official personal identification number.

The Personal Data Registers Act regulates the use of personal information in certain types of activities (credit rating activities, data processing activities, addressing and distribution services, and opinion polling and marketing surveys) in Chapters 5 – 8 of the Act. The Committee does not propose to continue such distinct regulation in the new law (see Chapter 13). Instead, the Committee proposes a series of new rules that will apply to all types of electronic processing (together with certain types of manual processing). More general rules reduce the need for special rules for certain selected activities. It may be pertinent for the data controller to employ a data processor who, by contract, processes personal information on behalf of the responsible party. The Committee proposes a provision that restricts the data controller’s possession over personal information. If an additional need for separate regulation of certain activities is shown, the Committee proposes that this be done through the issuing of regulations. In the Committee’s opinion, processing of personal information in credit rating activities should be controlled in greater detail through regulations.

Surveillance that involves electronic processing of personal data is encompassed by the proposed law, and some provisions in the proposed law also apply to other types of surveillance. In Chapter 14 of the Committee’s report, the Committee proposes that current rules concerning video surveillance be continued and supplemented on two counts. First, the Committee recommends that video surveillance resulting in actual picture recording be covered by a duty to report. Second, the Committee proposes that the Data Inspectorate be given the power to intervene and stop video surveillance and taping in connection with surveillance when it is commenced illegally, e.g. because the surveillance is not objectively justified. Finally, it is proposed that section 390 b of the Penal Code regarding the duty to warn about video surveillance of public places and work places be moved from the Code to the proposed new law on data protection.

In Chapter 15, the security of personal information is treated, i.e. the attempt to ensure that personal information is processed in accordance with the law. While the legal rules make demands as to how personal information shall and can be used, it is the organizational and technical requirements of the security measures that shall ensure that the legal rules are followed. The Committee gives an account of earlier studies and initiatives in the field, together with current law. A premise for the Committee’s considerations is that there is a great need for systematic measures to ensure compliance with the rules on the processing of personal information, and that such measures are a necessary part of the future regulation of the field of privacy and data protection. The Committee proposes more specifically that a statutory duty be created to establish and apply methods for information and data security for certain types of personal data processing.

Chapter 16 deals with the transfer of personal information to foreign countries. The Committee first gives an account of existing law and international regulations in the area. A premise for the Committee’s considerations is that it should be easier to transfer personal information to states that have implemented the EU Directive on data protection. Regarding transfer to states that have not implemented the EU Directive, it is decisive whether or not the state in question has an adequate level of data protection. If the receiving state does not have an adequate level of protection, the transfer can still take place if certain other specified conditions are met.

The rules regarding the treatment of personal information must take into account freedom of expression, see Chapter 17. The Committee proposes that a general exception be made from parts of the bill where it is necessary to find a reasonable balance between freedom of expression and protection of privacy. The term freedom of expression is not only intended to refer to superior rules such as section 100 of the Constitution and Articles 8 and 10 of the European Convention on Human Rights, but also to freedom of expression as an interest in itself. In this chapter, the Committee gives a number of examples of the balancing of freedom of expression with privacy and data protection.

Chapter 18 deals with the regulatory agency’s organization, placement and tasks.

Concerning the Data Inspectorate’s tasks, it is proposed that great emphasis be placed on giving advice and controlling that the law is followed. Processing license applications will take less time and resources than it currently does.

The Committee unanimously advocates that the Data Inspectorate be independent of the government and the Ministries (except regarding administrative matters). This means that the government and Ministries shall not be able to instruct the Data Inspectorate on the interpretation of the law and the exercise of discretion, either generally or in individual cases, and that the Ministry of Justice shall no longer handle complaints about the Data Inspectorate’s decisions. Complaints shall, according to the proposal, be handled by a newly created body, the Data Protection Tribunal. This Tribunal shall also be independent of the Ministry of Justice (except regarding administrative matters). In other respects, the Committee advocates that both the Data Inspectorate and the Data Protection Tribunal shall administratively fall under the government and the Ministry the King appoints (currently the Ministry of Justice).

The Committee is not unanimous on all the issues associated with the organization and placement of the regulatory agency. The Chairman of the Committee as well as Committee members Apenes, Kristiansen, Meinich and Schartum advocate that with the new organization of the regulatory agency there will no longer be a need for a board of directors in the Data Inspectorate, whereas members Bredengen, Gundersen, Hestnes, Håøy and Koch believe that today’s board arrangement should be continued. Concerning the appointment of members to the Data Protection Tribunal, the majority of the Committee’s members made up of Bredengen, Gundersen, Hestnes, Håøy, Koch, Kristiansen and Meinich, advocate that the Tribunal should have five members and that all of them should be appointed by the King. A minority in the Committee, made up of the Chairman and members Apenes and Schartum, are of the opinion that the Tribunal should have seven members and that two of these should be appointed by the Parliament, whereas the rest should be appointed by the King.

Chapter 19 deals with which sanctions can be used if the law is broken. Criminal responsibility continues with some minor changes, inter alia, that violation of the law under extremely aggravating circumstances may result in a jail sentence of up to two years. Criminal responsibility for corporations should be regulated by the current provisions of the Penal Code. Moreover, the Committee recommends introducing a general liability for breaking the law when the breach results in economic loss and the tortfeasor cannot show that he or she was not responsible for the damage. The Committee does not advocate a right to indemnification for non-economic loss (reparation) but proposes instead that a duty be placed on the tortfeasor to ensure that the violation of the law has the least possible consequences for the data subject (a duty of restoration). The Committee proposes further that the Data Inspectorate should be able to impose enforcement damages if the statutory duties are not followed.

In Chapter 20, the economic and administrative consequences of the Committee’s proposals are explained. For the Ministry of Justice, the proposals will mean that it will no longer have to use resources on handling complaints about the Data Inspectorate’s decisions. The Ministry must, however, see to it that a Data Protection Tribunal is established and set aside funding for it. For the Data Inspectorate, the proposals allow it to use the resources that are currently needed for processing license applications for work on advising and enforcing the law. The Data Inspectorate will need much greater resources than today, especially in the initial stages of establishing the new regulatory regime. For the data controller, the proposal involves some costs that follow from an increased number of individual rights and from the requirements to take security measures, etc. Exactly how great the costs will be is hard to identify beforehand, because they depend on, among other things, how many will take advantage of the rights the proposed law gives.
