A: Implementation of Directive 95/46/EC
Significant changes to privacy or data protection law
None to report
Significant changes to other laws affecting privacy or data protection
Amendments to the Act relating to the implementation of penalties and the General Civil Penal Code – introduction of the duty to inform, requirements regarding previous good conduct, and notification to the aggrieved party etc.
The amendment entails an extended duty to inform the aggrieved party or the survivors of the aggrieved party, which means that it also applies during pre-release day leave and when punishment is served outside prison. The notification shall inter alia comprise the time and conditions of serving the punishment if the conditions directly affect the aggrieved party or his/her survivors. These conditions may relate to place of residence, whether the convicted person is to be prevented from contacting certain persons, and if the convicted person changes his/her address.
When the amendments were circulated for ordinary consultation, the Data Inspectorate stated that the proposed amendments are based unilaterally on the aggrieved party's standpoint, and that the consequences for the convicted person would have to be examined further. The Data Inspectorate also required the information provided to be kept to a minimum, and no reason could be found as to why the aggrieved party needed at all times to know the convicted person's address, including during the probation period. It should be sufficient to know that the convicted person is no longer in prison. The Data Inspectorate also pointed out that Norwegian Correctional Services are under a general obligation to inform the convicted person of this duty to inform.
At the same time, new and stricter rules were adopted relating to prisoners' use of electronic communications in prison. The Data Inspectorate argued that it was unclear whether the proposed tightening up was in fact necessary and claimed that the right to electronic communication in our present technological society must be likened to traditional post and telephone services if this is possible in the light of the correctional services' available resources.
Amendments to the rules on publication of lists of assessed taxes
In 2004 the rules governing the publication of lists of assessed taxes were tightened up, making the lists available for individual searches for only three weeks after publication. The lists of assessed taxes were then posted electronically on the tax authority's website and provided in hardcopy at the tax offices. In 2007 an amendment to the law again gave the media access to complete lists of assessed taxes on CD-ROM. The Government stated that its reasons included a wish to strengthen the critical debate on the tax system.
The Data Inspectorate deems the amendment to the law unfortunate. The question of the publication of lists of assessed taxes has been of concern to the Data Inspectorate for several years. It is the Data Inspectorate's opinion that it contravenes key principles relating to the protection of personal data when information that individual Norwegian citizens are obliged to submit is used for entertainment, is made the object of searches and can be sold via mobile telephones in the form of SMS services or similar. It is also questionable that the lists of assessed taxes are published before the time limit for appeals against the tax assessment has expired.
New rules on “grooming”
New rules that make it a criminal offence to meet a child with the intention of committing sexual offences have been introduced. The Data Inspectorate stated that it is commendable that politicians are attempting to find means of preventing sexual abuse of children. However, it was pointed out that, from a personal data protection perspective, an interesting question is exactly which measures are attached to the penal provision, i.e. which investigative methods the police are to have at their disposal in order to achieve the provision's objective.
B: Major case law
None to report
C: Major specific issues
Supervisory inspection of the prison service
The Data Inspectorate has strongly criticised the Ministry of Justice and Police following an inspection of the processing of sensitive personal data in the prison service. The serious breaches of the law that have been revealed show that the right of privacy of more than 30,000 former prisoners and their next-of-kin has not been observed.
For several years, the Data Inspectorate has received complaints from inmates in Norwegian prisons relating to the handling of personal data in the prisons. Most of the complaints have concerned the lack of proper protection of information about the prisoners and their next-of-kin.
After the inspection, the Data Inspectorate concluded that there is an unofficial and open personal register at Ila Prison (“inmates by number”). The register contains very sensitive personal data. Furthermore, the use of personal data in the applied professional system lacks a legal basis. The basic rights of the registered persons under the Personal Data Act in respect of the right of access, correction and deletion are not being followed.
Extensive leaks from the telecom companies – formal complaint
During the period from about 28 July to about 7 August 2007 the websites of several telecom companies were used to harvest personal data. The harvesting started with a list of possible personal ID numbers stored by a computer program. These were subsequently checked against an official website in order to weed out numbers that were not in use. Thereafter the numbers were used to search for and find individual persons' names and addresses via the telecom operators' websites. Few of the affected persons had any connection to the telecom enterprises and very many were upset and surprised that this affected them of all people.
The Data Inspectorate holds that the most serious breaches clearly concern the inadequate safeguarding of information, the response with additional information, and the fact that several enterprises did not bother to notify the victims of the incident. The failure to notify affected persons is proof of a lack of respect for individual persons' right of privacy.
The Data Inspectorate decided to make a formal complaint on the breach of the provisions of the Personal Data Protection Act relating to the safeguarding of information and on the provision governing the duty to notify the Data Inspectorate. Several of the registered persons also made formal complaints. Initially, the formal complaints were dropped by the prosecuting authority but are now being reconsidered.
New Freedom of Information Act and regulations
A new Freedom of Information Act has been adopted and is proposed to come into effect on 1 July 2008. The proposed regulations related to the new Freedom of Information Act, which have been on a round of consultations, instruct a number of public bodies and departments to make their electronic post records available on the Internet. They also suggest that documents should be made public as far as possible. This publication of large amounts of information about individuals is of concern to the Data Inspectorate. Mass harvesting of personal information is capable of providing extensive profiles of individual persons. This information may be useful for marketing purposes but could also be used for ID theft. Those wishing to steal an identity are able to obtain a virtually complete overview of individual persons' actions and preferences.
The Data Inspectorate has seen a number of examples of municipalities having published personal information that should not have been available on the Internet. Some of the documents have contained information about date of birth and ID numbers, others concern individuals in a crisis situation who have sought help from the municipality, while others have been job applications complete with scanned diplomas and references. Once the mistake has been made, it can have dire consequences for the person in question. Departments and municipalities that find confidential personal information has been published often explain the event as human error. The Data Inspectorate is of the opinion that repeated "accidents" indicate system failure at the enterprise.
Working life – access to employees' e-mails – formal complaints
In 2005, the Data Inspectorate made two formal complaints against two enterprises for breach of the Personal Data Act's provisions relating to the duty to inform in relation to access to employees' e-mails. In 2006 the prosecuting authority dropped both cases. The Data Inspectorate appealed against both discontinuations but they were maintained by the Director General of Public Prosecutions. However, the Director General of Public Prosecutions requested that the Public Prosecutor should investigate further to discover whether employees in one of the enterprises had withheld information from the Data Inspectorate. In October 2007 this case was also discontinued.
In 2006 the Data Inspectorate filed a formal complaint against a publisher for breach of the Personal Data Act. The background to the case was that the manager of the publishing company, via a “surveillance account”, automatically made blind copies of incoming e-mail correspondence to the head of the publisher's office in Sweden. The employee's personal e-mail account was protected by means of a user name and a personal password. Thereafter, the publisher accessed the employee's incoming e-mails through the “surveillance account”. The employee who downloaded and opened his incoming e-mails was not informed about the downloading of the e-mails, the accessing of them, the purpose of the action or any disclosure of the information.
Both the publishing company and the publisher were in 2007 charged with breaching their duty to inform and both were issued with fines, which they accepted.
Road toll chips – AutoPASS
In the spring of 2007 the Data Inspectorate received information that all passings through the road toll stations were routinely photographed. This information did not correspond to the official specification of requirements relating to AutoPASS or to the information previously received by the Data Inspectorate on the subject from the Directorate of Public Roads. Consequently, the Directorate of Public Roads was asked to confirm or refute that all passings through the road toll stations in Norway are photographed. On the basis of the reply from the Directorate of Public Roads, the Data Inspectorate found that photographs are taken of all vehicles that pass through the road toll stations. However, the photos are only forwarded in the system if the passing is invalid or when making random checks. Another restraining factor is the fact that the internal memory of the camera is limited and that the photographs that are not forwarded are therefore overwritten relatively quickly. The Data Inspectorate finds it regrettable that neither the general public nor the Data Inspectorate has been informed of the matter at an earlier stage. It is assumed that the system will be improved.
The 100 most recent passings are stored in the AutoPASS chip
At the beginning of the notification year, the Data Inspectorate revealed that the 100 most recent passings through the road toll stations made by AutoPASS users were recorded in their AutoPASS chip. Furthermore, other passing points were also recorded. The Data Inspectorate also reacted to the fact that this personal information was stored on remote-readable chips, completely without confidentiality protection. The most serious contravention is nonetheless that the approximately one million users of AutoPASS have not been actively informed that the chip on their windscreen also has storage capacity for information on the time and place of the one hundred most recent passings.
New health research law
In the summer of 2007 a proposal for a new law on medical and health-related research was presented to the Storting. In the opinion of the Data Inspectorate, the proposal contains several unclear issues, including with regard to the scope of the Data Inspectorate's authority under the law. The formal key rule of the proposal is that research on health information must be based on consent from the person the information pertains to.
However, the draft legislation contains such a large number of opportunities to disregard consent that the de facto and practical key rule could easily become that consent is unnecessary.
The draft legislation also introduces a new legal concept, namely “general consent”. This form of consent extends further than what is at present accepted and can be compared with accepting an agreement without being allowed to read the terms and conditions. The fact that this is defined as “consent” according to the draft of the Health Research Act is unfortunate in the opinion of the Data Inspectorate. We are in danger of undermining the individual's basic right to information and self-determination, which could become a strain on the trust that is essential between society and the doctor. The Data Inspectorate has requested the Storting to consider the positive and negative effects of the Act more closely before adopting it.