The Americas: Argentina | Brazil | Mexico
East Asia, South Asia and Pacific: Australia | China | India | Japan | South Korea | Taiwan
Europe and Central Asia: European Union | England | France | Iceland | Italy | Norway | Portugal | Russia | Spain | Turkey
Middle East and Africa: Iran | Israel | South Africa | United Arab Emirates
Norway protects the right to privacy in its Constitution and, following a European Economic Area (EEA) Joint Committee Decision in 2018, is bound by the European Union General Data Protection Regulation. Personal data may typically be stored for purposes of a public need and may specifically be used and shared to prevent the spread of contagious diseases.
Norway has launched a physical location tracking app, Smittestopp, to locate and prevent the spread of COVID-19. The app, which is available for download to Android, Google, and Huawei smartphones, uses both Bluetooth technology and GPS to track users who are in close proximity, defined as within two meters (about six feet) of each other for at least fifteen minutes. Downloading the app is voluntary, and once downloaded the app requires consent in order for the Norwegian Institute of Public Health to track the location of the person. The information is deleted after thirty days.
The Norwegian Data Protection Authority, Datatilsynet, is currently investigating whether the app complies with Norwegian and international data protection rules. An expert committee has recommended that changes be made to the app to enable further anonymization and prevent individual identification.
A. COVID-19 Infections
Norway has a low rate of infection and deaths related to COVID-19 and a high rate of testing. As of May 22, 2020, it had 8,309 confirmed cases and 235 fatalities from COVID-19, the equivalent of 43 deaths per million residents. Norway reported its first confirmed case of COVID-19 on February 24, 2020. On March 12, 2020, it reported its first fatality. On May 22, 2020, it reported no new deaths from COVID-19. During the prior week a total of 15 persons were reported to have died from COVID-19.
B. Smartphone Use
The use of smartphones is widespread in Norway. In 2019, Statistics Norway (Statistisk Sentralbyrå, SSB) reported that close to 100% of Norwegians age 9 to 79 have a cellular phone, and 95% have a smartphone, not counting any smartphone access persons may have via their work. Most users use either Telenor or Telia; Telenor has the largest market share of account subscribers with almost half of the market (48.9%), with Telia at 37.2%.
II. Legal Framework
A. Privacy and Data Protection
The Norwegian Constitution guarantees the right to privacy in article 102, which states that “[e]veryone has a right to respect for his or her personal life and family life, as well as his or her home and communication. House searches may not be conducted, except during criminal investigations. State authorities shall ensure the protection of personal integrity.” In addition, Norway is a signatory to the European Convention on Human Rights, which guarantees the right to privacy in article 8.
Norway regulates privacy rights and data protection in its Personal Information Act. Though not a European Union (EU) Member State, it is bound by the EU legislation on personal data, namely the General Data Protection Regulation (GDPR), because of its obligations as a member of the European Economic Area (EEA) and European Free Trade Agreement (EFTA). In 2018 the EEA Joint Committee signed on to the GDPR legislation in order to ensure harmonized rules on data protection within the EEA. The Personal Information Act incorporates the EU GDPR. Thus, the same rules for the collection of data apply in Norway as in the EU Member States.
In accordance with the GDPR as implemented in the Personal Information Act, “personal data” is defined as
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data may only be collected in the following situations:
a. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c. processing is necessary for compliance with a legal obligation to which the controller is subject;
d. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
Thus, the general basis for the collection of information is informed, adequate, and voluntary consent. Specifically, consent is defined in article 4 of the GDPR as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Moreover, as specified in article 7, such consent must “be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.” A person’s consent remains revocable at all times. In addition, a person must be at least 13 years old to provide consent under Norwegian law. As implemented in Norwegian law, consent can also be given for the collection and processing of all sensitive data, as Norway has not provided additional provisions to further limit the sharing of sensitive information. Thus, there is no data that cannot be shared provided that prior adequate and voluntary consent has been given during the collection phase.
Legally, information may be stored without the consent of the data subject, if needed for a public purpose. However, in such cases the public interest in processing the data must clearly exceed the disadvantages to the person whom the data is about (the data subject) and must be approved by the Norwegian Data Protection Agency. The storage and sharing of data typically requires anonymization and pseudonymization. In accordance with the Personal Information Act the Personal Data Authority may allow the handling of personal data in individual cases, if in the public interest. Similarly, the government may issue specific regulations pertaining to data retention. The collection of personal data, allowing use also without consent, is regulated in a number of legal acts, including the Criminal Procedures Act and the Health Registry Act. The lawfulness of measures that may be used to contain contagious diseases is regulated in the Control of Communicable Diseases Act. The law allows for the collection and sharing of personal data in order to prevent disease. The permissibility of using personal data to trace contagious disease is specifically mentioned in the GDPR, and was also mentioned in the bill implementing the GDPR into Norwegian law. The GDPR allows for the use and sharing of personal information when needed for disease tracing.
B. Data Retention and Location Tracking
The telecommunications sector is regulated by the Electronic Communication Act. However, location tracking is primarily regulated through the Personal Information Act as, per the GDPR, the definition of personal data includes location data. As mentioned above, the Personal Information Act authorizes the Personal Data Authority to handle and retain personal data in individual cases, if in the public interest. Similarly, the government may issue specific regulations pertaining to data retention. Telecommunication service providers may store data, including location data, but only for as long as needed; they must delete or anonymize the data when no longer needed.
Datatilsynet, the Norwegian Data Protection Authority, is the supervisory authority for the collection and use of personal data in Norway. Violations are subject to monetary fines, including compulsory fulfillment fines that run until the violation has been corrected. Violations are also subject to damages for nonmonetary losses caused by the breach of the data protection rules.
D. COVID-19 Tracing Legislation
On March 27, 2020, the Norwegian Ministry of Health and Care Services issued a regulation on tracing and epidemic contagion related to COVID-19. The regulation was adopted with the purpose of making it easier to track COVID-19 cases and prevent community spread based on authorization provided by temporary emergency legislation pertaining to COVID-19, known as the Corona Act. The regulation gives the FHI power to establish an electronic system for tracking COVID-19 infections. Participation in the system must be voluntary and must include “comprehensive, understandable, and easily accessible information, including on the processing of personal data.”
III. Electronic Measures to Fight COVID-19 Spread
A. Smittestopp Voluntary COVID-19 Tracing App
On April 16, 2020, Norway introduced a mobile app, called Smittestopp (which means infection stop), to trace persons infected with COVID-19. Interest in the app was initially high, but usage has since waned. On April 17, 2020, close to a million users were reported as having downloaded the app. As of April 30, 2020, the Norwegian Public Health Agency (Folkehelseinstituttet, FHI) reported that about 900,000 Norwegians were actively using the app (about 20.5% of the population age 16 and above). On May 7, the FHI reported that they needed more users to use the app for it to work properly. As of May 19, 2020, the FHI reported that 641,824 users actively used the app. Most of the users are located in the Norwegian capital, Oslo, with about 100,000 users. Oslo has a population of about 680,000. As of May 20, 2020, no municipality had more than 20% of active Smittestopp app users.
Smittestopp traces the movements of users with the explicit purpose of determining whether a user has been in close contact with another user who later developed COVID-19. “Close contact” is defined as within two meters (about six feet) for a minimum of fifteen minutes. Initial reporting suggests that it is possible that locations on separate sides of a wall may erroneously be recorded as within close contact, because they are registered as within two meters.
The app records the movements of users, provided that the user actively chooses to share its location data with FHI. The data obtained and stored is reportedly pseudonymized but the location of a user may nevertheless be identifiable, which is why, according to the developer, no analysts may look directly at the data. According to Helse Norge, the Norwegian Health Network that services all e-health resources for Norwegians, the data is stored on the smartphone and uploaded to the app once every hour, provided that there is an internet connection. The app also has a number of privacy protection features. For example, stored data is automatically deleted after 30 days. Smittestopp has a 16-year-old age requirement for use.
Persons who have been in close proximity to another user who develops the disease will get a text message instructing them to take additional measures to determine if they have contracted COVID-19. However, users who are notified are not required to self-isolate.
B. Supervisory Authority Investigation of the App
On April 27, 2020, Datatilsynet announced that it was about to launch an investigation into the use of the Smittestopp app because the central registration and collection of users’ location data may be an infringement of privacy. Datatilsynet, is the supervisory authority for the collection and use of personal data in Norway. It explained that the purpose of the investigation is to ensure that the app complies with the Norwegian regulation on tracing and epidemic contagion related to COVID-19. As noted above, the regulation requires that the system be voluntary and include “comprehensive, understandable and easily accessible information, including on the processing of personal data.”
On May 12, 2020, Datatilsynet initiated the investigation. On May 20, 2020, it asked the FHI to provide additional information no later than June 1, 2020, on how the FHI has balanced the need for the app (presumably the public need for contact tracing during a pandemic) with the protection of users’ personal data. Datatilsynet noted in its press release that, “[i]f you do not have an overview of which personal data is used for what purpose, one cannot determine if it necessary to use that personal data to achieve each of these goals.”
Following the announcement of the investigation, an expert group suggested improvements to the Smittestopp app, particularly the use of non-static Bluetooth IDs. The expert group also suggested using privacy differentiation for analytical purposes.
C. Privacy & and Other Critiques of the App
In addition to the supervisory authority investigation mentioned above, concerns have also been raised internationally that the current design of the app is problematic in relation to the international framework for collecting personal data, even though using the app is voluntary. Specifically, the European Data Protection Board, which oversees compliance with the GDPR and the Data Protection Law Enforcement Directive, has voiced concerns that apps that collect and store information in the way the Norwegian app does violate those privacy protections.
Another critique of the app is that it was launched too soon, before municipalities were ready to use it. As of May 10, 2020, only three municipalities had the technology available to send notification texts to their residents, Drammen, Tromsø, and Trondheim. Reportedly, as of May 16, no case had been discovered with the help of the app, as notifications of potential exposure was limited to users in these areas.
On the other hand, the app has also been criticized by IT experts for not collecting and sharing enough data—specifically the app’s establishment of a 15-minute contact requirement for information sharing—on the ground that contact for shorter intervals of time may also result in the spread of COVID-19, and that such information must be recorded in order to better develop the app.
D. Use of Telecommunication Data for Determining Travel Restriction Compliance
Norway implemented travel restrictions, both to and from the country as well as domestically within Norway, during the month of March 2020. The travel restrictions were coupled with monetary fines or prison of up to six months, including for persons breaching the domestic travel restrictions. Telecommunications data was used to measure compliance with these restrictions. Initial reports on how many Norwegians were present outside their home municipality were based on numerical data from the telecommunications systems, reporting the number of mobile users in a given area compared to the number of permanent residents, but there were no reports of people being individually targeted by that approach. Instead, as described by the telecommunications company Telenor, the data only provides information on how many mobile users are present in a given area (connected to a given cellular tower), not who or how close from each other they are.
Update: June 16, 2020
On June 16, 2020, the Norwegian Data Protection Authority determined that the Norwegian COVID-19 tracing app was not a proportional invasion in the individual user's privacy rights based on the current situation in Norway, with low community spread, and because few persons had downloaded the app.
Prepared by Elin Hofverberg
Foreign Law Specialist
 On May 22, 2020, Norway ranked below the world average for both deaths per million and number of total infections. Coronavirus, Worldometers (last updated May 22, 2020), https://perma.cc/93LJ-8FNK.
 Coronavirus, Worldometers, supra note 1.
 Coronavirus, Worldometers, supra note 1.
 Fakta om Internet tog mobil, Andel som har tilgang til ulike elektroniske tilbud, personer 9-79 år, SSB, https://perma. cc/A8GD-7VL6; Statisk sentralbyra, Norsk mediebarometer 2019 at 5 (May 19, 2020), https://perma.cc/XQL3-7NYL; see also Number of Mobile Phone Users in Norway from 2011 to 2019,Statista, https://perma.cc/8K84-DZLJ; Forecast of Smartphone User Numbers in Norway from 2018 to 2024, Statista, https://perma.cc/L4E6-LUGH.
 Fakta om Internet tog mobil, supra note 8.
 Council of Europe, European Convention for the Protection of Human Rights and Fundamental Freedoms, as amended by Protocols Nos. 11 and 14, https://perma.cc/XP8C-Z7HJ; see also NIM, «Smittestopp» og retten til privatliv (May 4, 2020), https://perma.cc/2DWB-USXN.
 Lov om behandling av personopplysninger (Personopplysningsloven) (LOV-2018-06-15-38) (hereinafter Personal Information Act), https://perma.cc/BK6V-66KK (in English translations, also known as the “Protection of Data Act”).
Prop. 56 LS (2017–2018) Lov om behandling av personopplysninger(personopplysningsloven) og samtykke tildeltakelse i en beslutning i EØS-komiteen ominnlemmelse av forordning (EU) nr. 2016/679 (generell personvernforordning) i EØS-avtalen, https://perma.cc/CE8N-UN6R; Ny personopplysningslov, Regjeringen (Oct. 30, 2019), https://perma.cc/W9Y7-S4VL. For an overview of Norway’s implementation of GDPR see Detlev Gabel & Tim Hickman, GDPR Guide to National Implementation: Norway, White & Case (Norway 13, 2019), https://perma.cc/AS6S-3EYE. For more on the implementation process in EEA countries generally see Line Coll & Rolf Riisnæs, Implementing the GDPR in Norway, Wikborg Rein (June 29, 2018), https://perma.cc/6EFX-H45W.
 For additional information on the EU see the EU survey in this report.
 GDPR art. 4(1).
 Id. art. 6(1).
 Id. arts. 4, 6(1), 7.
 GDPR art. 4(1).
 Id. art. 7(2).
 Id. art. 7(3).
 Personal Information Act § 5.
 GDPR arts. 9(2)(a), 54; Personal Information Act, e contrario.
 GDPR arts. 6(1)(a), 7.
 GDPR art. 89(1); Personal Information Act § 9.
 Personal Information Act § 9.
 GDPR art. 25(1).
 Personal Information Act § 7.
 See, e.g., § 216(b) Straffeprossessloven [Criminal Procedures Act] (LOV-1981-05-22-25), https://perma.cc/RL46-GHG8; § 11 Lov om helseregistre og behandling av helseopplysninger (helseregisterloven)[Health Registry Act] (LOV-2014-06-20-43), https://perma.cc/DD4Q-F8XX.
 Id. §§ 3-6.
 Prop. 56 LS (2017–2018) at 264.
 GDPR recital 112.
 GDPR art. 4(1).
 Personal Information Act § 7.
 Ekomloven § 2-7.
 Personal Information Act § 20.
 Id. §§ 26, 29.
 Id. § 30.
 Id. § 1.
 FOR 2020-03-27-475 § 2.
 HelseNorge, supra note 62.
 Id; FHI, supra note 64.
 Helse Norge, supra note 62.
 Personal Information Act § 20.
 § 2 FOR 2020-03-27-475.
 Id. (translation by author).
 Ekspertgruppe foreslår forbedringer i Smittestopp-appen, Regjeringen (May 20, 2020), https://perma.cc/4FQA-SHSX; Jeanine Lilleng et al., Ekspertgruppen for kodegjennomgang av løsning for digital smittesporing, Endelig rapport for kildekodegjennomgang av løsning for digital smittesporing av koronaviruset (May 18, 2020), https://perma.cc/8DZU-5THM; see also Caroline Simonsen, Rapport: Sikkerhet og personvern ikke godt nok ivaretatt i Smittestopp-appen, NKR (May 20, 2020), https://perma.cc/2JKJ-K3N9 . FHI har mottatt rapport fra ekspertgruppen om Smittestopp, FHI (May 20, 2020), https://perma.cc/4XK5-8AQZ.
 Press Release, Ministry of Justice and Public Security & Ministry of Foreign Affairs, Stricter Border controls Being Introduced – Norwegian Airports Not Closing (Mar. 15, 2020), https://perma.cc/KK6H-8E5C. For example, only Norwegian citizens and residents were allowed to enter the country, and the government asked all travelers to spend two weeks in quarantine following any international travel. In addition, Norwegians were also not allowed to travel to vacation properties outside their home municipality between March 16, 2020, and April 20, 2020. Forskrift om karantene, isolasjon og forbud mot opphold på fritidseiendommer mv. i anledning utbrudd av Covid-19 (FOR-2020-03-15-294), https://perma.cc/8NMX-GMUE; see also Elin Hofverberg, Norway: Government Prohibits Staying in Vacation Properties Outside of Home Municipality over Coronavirus Spread, Global Legal Monitor (Law Library of Congress, Mar. 19, 2020), https://perma.cc/QH5K-BRB9; Koronasituasjonen: Hytteforbudet, Regjeringen (Apr. 14, 2020), https://perma.cc/28MZ-C9TZ.
 FOR-2020-03-15-294 § 6.
Last Updated: 12/30/2020