9. Norway

In 2011 Norway passed the Data Retention Act (Datalagringsloven),

Act of 15 April 2011 no. 11.

which implemented the DRD in the national legal system. The Government got delegated power to determine the date for its entering into force. At the same time the case Digital Rights Ireland made its way through the justice system, causing national hesitation to make the law become effective. As per current, the law has not entered into force, nor is it repealed. Norway has initiated preparations for implementing the e-kodex Directive, but as of September 2023 the process is not completed.

Proposal for a new e-com act was publicly announced 2 July 2021, and deadline for feed-back set to 15 October 2021. Information about the preparatory process may be accessed here: Høring - Forslag til ny ekomlov, ny ekomforskrift og endringer i nummerforskriften - regjeringen.no (accessed 15 September 2023).

In 2021 the Retention of IP-addresses Act was passed.

Act of 18 June 2001 no. 131 (Lov om lagring av IP-adresser mv.)

The act amends NECA by supplementing it with a provision imposing an obligation on providers to register and store IP-addresses etc. (§ 2–8 a), and a provision setting out the procedure for police access to the data (§ 2–8 b). It further amended § 2–7 fifth para., to provide for a duty to delete retained data once the storage period expires. The act entered into force 1 January 2022.

The data retention rules are separated from procedural provisions concerning coercive measures related to private communication, production order and expedited data preservation.

Described in Section 5.3.4 and 5.4.4.

Prop. 167 L (2020-2021) is the main preparatory document to the act. It states that as electronic communication services are increasingly becoming internet based, and criminals commonly make use of such services, access to data related to the communications are important and sometimes vital to the possibility of the police to investigate and prosecute crime.

Prop. 167 L (2020-2021) Ch. 2.1

It is therefore important to ensure that the data are available to the police in criminal investigations. This purpose is accentuated in NECA § 2–8 a first para., according to which providers shall retain data so that they may be used “in the investigation of serious crime.”

Pursuant to NECA § 2–8 a, providers shall “store the data necessary to identify the subscriber on basis of:

The data on the list refer to the source of the communication. Destination data shall not be retained (§ 2–8 a first para., last sentence).

“Subscriber” (“abonnent”) as mentioned in § 2–8 a, is not a defined notion in the NECA, which instead offers definitions of “user” and “end-user” (§ 1–5 no. 14 and 15). The definitions comprise a natural or legal person who “uses electronic communications networks or -services for own use or as a resource in the production of other services” (“user” (no. 14)), or “enters into an agreement about access to an electronic communications network or -service for own purpose or to lend out to others” (“end-user” (no. 15)). Depending on the situation, a “subscriber” as mentioned in § 2–8 a, could possibly be “user” and “end-user.” This is further discussed in Section 9.4 in relation to the definition of “provider.”

A provider shall thus register and store data necessary to identify the person to whom an IP-address has been assigned. Identification may be based on data (provided by the police) about the IP-address that was used, and the time it was used (§ 2–8 a, point a). The provider must thus maintain a register that keeps track of the persons to whom IP-addresses (fixed or dynamic) were assigned at any time of the storage period.

When a provider arranges for an IP-address to be shared between several users at the same time, the source port number must be registered in addition to the time of the communication. As explained in Section 5.1.3.2, this is necessary to identify the equipment used to access the internet, and thereby the user. This is provided for in § 2–8 a point b.  

The data shall be stored for 12 months from the date “when the communication ended” (§ 2–8 a second para.), whereupon they shall be deleted (§ 2–7 fifth para., point 2).

As the obligation to retain data concerns “data necessary to identify the subscriber” based on the data mentioned in § 2–8 a, it seems a bit odd that the provision relates the storage period to the time when the “communication” ended. The meaning is probably 12 months from the time when the subscriber’s entitlement to the IP-address was terminated, that is, for instance with respect to dynamic IP-addresses, be when s/he logs off. That would correspond to point 4 of the Danish regulation of internet access data.

Section 6.4.2 «The point in time when the internet was accessed, and when the access was terminated”. A corresponding remark is made in relation to the Swedish regulation, see Section 10.3.

Pursuant to § 2–8 a first para., the obligation to retain data is incumbent on

The provision must be read in conjunction with the legal definitions set out in § 1–5 no. 3, 4 and 16, pursuant to which a “provider” is a natural or legal person who makes access to electronic communication networks or -services available to others (no. 16); an electronic communication service is “normally provided for remuneration” (no. 3); and to be “public” the service must be “available to the public or intended to be used by the public” (no.  4). It follows that the obligation is incumbent on internet access providers who offer the service to the public for remuneration.

It has been noted that actors such as libraries, hospitals and other public institutions, hotels, airports, cafes, and restaurants, offer their internet access as a service to others. This raises a question about the interpretation of “public” service. Prop. 197 L (2020-2021) Ch. 8.1.4 emphasises that large numbers of users is not sufficient per se to make the service public within the meaning of § 2–8 a. It is underlined that this type of actors rather is deemed to be “owners of private networks.” The interpretation entails that the Norwegian definition of “provider” is less broad than the Danish (see Section 6.5).

Prop. 197 L (2020–2021) makes clear that there shall be no legal differentiation between small and large providers in relation to data retention. Hence, a few big providers holding a 95% market share, and approximately 300 small providers sharing the remaining 5%,

2018 statistics. Prop. L 167 (2020-2021) Ch. 8.1.2.

all are subject to the obligation to retain and store data. There are different business models among providers, and they may enter into agreements settling who in the chain of services that shall fulfil the obligation.

Prop. 197 L (2020-2021) Ch. 8.1.2.

Data retained as per § 2–8 a may be accessed in accordance with the procedure laid down in § 2-8 b. The provision clarifies that the confidentiality obligation set out in § 2–9 does not prevent the police and prosecuting authority from accessing the data. Furthermore, it lays down conditions concerning purpose, criminality, and necessity, and provides some safeguards.

Pursuant to § 2–8 a retained data may be disclosed to “the police or prosecuting authority” in a criminal investigation. As indicated in § 2-8 a, the investigation must concern “serious crime”, and the relevant offences are further specified in § 2-8 b as follows:

Prop. 167 L (2020-2021) Ch. 2.1

The specification includes offences for which internet is deemed to be a practical and sometimes necessary tool to commit.

Prop. 197 L (2020-2021) Ch. 8.5.4.1.

Thus included are sexual offences of children, such as lascivious speech, grooming and solicitation of sexual services (§§ 297, 298, 305, 306 and 309), forcefully submitting a person to one’s own will, or use of threat (§§ 251, 263), breach of an official contact restraint order, etc. (§ 168), identity theft (§ 202), ruthlessness (266), offences targeting computer and electronic communication systems (§§ 201, 204 and 205), neglectful exposure of state secrets (§ 125) and disturbance of the peace of another state (§ 184). Finally, the Copyright Act § 104 protects the right to one’s own photograph, that is, the right of an identifiable person on a photograph. Making such photo public without consent from the identifiable person is punishable with a fine or imprisonment for a period not exceeding one year (§ 79).

The criminality condition for access to retained data is lower than the one applicable to secret collection of data related to electronic communication, as per strpl. § 216 b.

See Section 5.4.4.

For the latter the condition is imprisonment for a maximum period of at least 5 years, instead of 3 years as set out for retained data. The difference may be explained in light of the measures’ difference in scope; strpl. § 216 b providing access to traffic and location data including data related to internet communication, whereas NECA § 208 b is limited to concern internet access data.

Providing access to IP-addresses etc., is deemed to interfere with the right to private communication. To be lawful, such interference must be “necessary” to the investigation of a serious crime, as per § 2–8 b. A concrete assessment of the necessity of the data for the purpose of the investigation must be made, and it is implied that the assessment also involves proportionality.

Prop. 197 L (2020-2021) Ch. 8.5.4.3.

The assessment must balance the needs of the investigation against the interests in protecting private communication. Concretely, the condition entails that the request put forward to the e-com provider must not ask for more data than needed for the purpose. Necessity does not imply that the data must be critical to the investigation, but it is not sufficient that the data would be “nice” to have. For instance, if a different yet more cumbersome option is available, the necessity condition might not be fulfilled.

Prop. 197 L (2020-2021) Ch. 8.5.4.3.

The assessment is highly contextual as the right to private communication may weigh in differently depending on the circumstances of the case.

The assessment is to be conclusively made by the police or public prosecutor. The provider receiving the request shall not review the assessment.

Prop. 197 L (2020-2021) Ch. 8.5.4.3.

The request may be issued by the police or a public prosecutor. It shall be made in writing, stating what the investigation is about, the purpose of the request and the data necessary for that purpose. The request may go both ways, meaning that subscriber data may be disclosed based on data about the IP-address, and IP-addresses may be disclosed on basis of subscriber data (historic list of IP-addresses allocated to a subscriber).

Ch. 8.5.4.4, p. 57-58.

This opens the possibility for using data collected in the investigation as basis for a request to the provider, for instance to find out which IP-addresses a specific person used at a point in time relevant to the crime under investigation.

The request shall further confirm that the necessity assessment has been performed.

NECA § 2-8 b fourth paragraph, emphasises that data that are stored “solely” pursuant to § 2–8 a, may not be disclosed for purposes other than those already specified. Production orders issued pursuant to other provisions, e.g., in the Civil Procedural Code, the Copyright Act or other acts, may not compel disclosure of the data.

Retention of IP-addresses etc., is regarded as less intrusive than retention of traffic data, as the IP-addresses are not suitable for making profiles of subscribers’ internet habits. Hence there is no court review, and the procedure for gaining access is rather informal. However, the police and the prosecuting authority shall produce an annual report describing the collection of data (NECA § 2–8 b). The report shall be submitted to the National Authority for Electronic communication (Nkom).

The preparatory works show that the legislator considered whether the police should have access to retained subscriber data related to internet access, also in crime prevention. This is relevant, i.a., to intelligence activities in order to prevent and detect economic crime, serious crime, and protect national security. It was concluded that the issue needed further deliberation. As per current the data may be used for the purpose of criminal investigation only.

Prop. 167 L (2020-2021) Ch. 8.5.4.2.