Norway, a European Economic Area member, has implemented the 1995 European Union Data Protection Directive on personal data but has not yet implemented the EU General Data Protection Regulation (GDPR). The enforcement authority for private data protection legislation is Datatilsynet (the Norwegian Data Protection Authority). Datatilsynet has aided Norwegians in removing search results online.
As of 2015, defamation is no longer a specific crime under Norwegian law, but crimes against personal life are still recognized. In addition, victims may be entitled to monetary compensation (damages) for defamation even if the act in question does not rise to the level of a crime.
Norway is not a member of the European Union, but instead is a member of the European Economic Area (EEA). As an EEA member it is nevertheless bound by the EU Data Protection Directive 95/46/EF, which was incorporated into the EEA agreements in 1999, and is thus bound by the 2014 decision of the European Court of Justice (ECJ) on the right to be forgotten. Norway is also bound by privacy protections found in the European Convention on Human Rights (EHCR).
The EU General Data Protection Regulation (GDPR), discussed in more detail in the survey of European Union law, is set to become directly enforceable in EU Member States in May 2018. As of yet, the Regulation has not been incorporated into the EEA Treaty. However, as with the previous EU Data Protection Directive 95/46/EF, the Norwegian government is planning to incorporate the new provisions into Norwegian law. Thus, the article 17 right to be forgotten is likely to become Norwegian law in 2018. This report, however, is based on the laws currently in force as of November 2017.
II. Domestic Legislation
A. Data Protections
Norway has adopted the following two regulations on privacy: (1) the Personal Data Act relating to the processing of personal data, and (2) the Personal Data Regulation. These both include provisions from the 1995 EU Data Protection Directive.
Section 27 of the Personal Data Act provides a right to erasure of erroneous content when “weighty considerations relating to protection of privacy so warrant.” As noted above, this right to be forgotten is derived from the ECJ’s 2014 decision involving Google. Section 9 of the Norwegian Personal Data Act provides how and when processing of data may be carried out. Under the Personal Data Act it is the Data Protection Authority, also known as the Data Inspectorate (Datatilsynet), that oversees compliance with the Act. Decisions by Datatilsynet can be appealed to the Personal Data Protection Board (Personvernsnemnda).
As of January 1, 2015, defamation is no longer specifically criminalized in the Norwegian Criminal Code (Straffeloven). Crimes against a person’s personal life are, however, still criminalized, and defamation acts may fall under this provision. Acts against a person’s personal life are penalized with either a fine or up to one year of imprisonment. Persons who are defamed have a specific right to damages, even when the defamation does not meet the threshold of being a crime against personal life.
III. Datatilsynet and Google
Already in 2014 Datatilsynet supported several Norwegians’ removal requests against Google. By 2015 Datatilsynet had acted on behalf of thirteen Norwegians, aiding them in their efforts to remove online content from Google’s search results. According to information from Google’s webpage, it has received a total of forty-seven requests from Norwegians, requesting removal of some 2,003 items.
In addition to removing search results, the Datatilsynet has determined that, in accordance with the 2014 ECJ decision discussed above, Norwegians may also demand that Google remove automatic search suggestions that pop up after one’s name, such as “John Doe alzheimers” or “John Doe criminal” (“Ola Nordmann Alzheimer” eller “Ola Nordmann kriminell”). By June 2015 only two such requests had been handled by the Norwegian Data Protection Authority.
Prepared by Elin Hofverberg
Foreign Law Research Consultant
 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data (1995 Data Protection Directive), 1995 O.J. (L 281) 31, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX: 31995L0046:en:HTML, archived at https://perma.cc/WXE2-SETM.
 Decision of the EEA Joint Committee No 83/1999 of 25 June 1999 Amending Protocol 37 and Annex XI (Telecommunication Services) to the EEA Agreement, 2000 O.J. (L 296) 41, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:22000D1123(08), archived at https://perma.cc/TN6L-4HPB.
 §2 Lov om styrking av menneskerettighetenes stilling i norsk rett (menneskerettsloven) [Act on Human Rights Position in Norwegian Law], LOV-1999-05-21-30, https://lovdata.no/dokument/NL/lov/1999-05-21-30, archived at https://perma.cc/Q5YZ-L6HL.
 Nye personvernregler i EU, Regjeringen.no (Apr. 27, 2017), https://www.regjeringen.no/no/tema/statlig-forvaltning/personvern/nye-personvernregler-i-eu/id2340094/, archived at https://perma.cc/66AK-EMCP. The three EEA European Free Trade Association states of Iceland, Liechtenstein, and Norway are currently evaluating the Regulation for incorporation into the EEA Agreement. 32016R0679, European Free Trade Association, http://www.efta.int/eea-lex/32016R0679 (last visited Nov. 14, 2017), archived at https://perma.cc/74WG-4YCJ.
 Nye personvernregler i EU, supra note 5.
 Lov om behandling av personopplysninger (personopplysningsloven) [Personal Data Act], LOV 2000-04-14-31, https://lovdata.no/dokument/NL/lov/2000-04-14-31?q=LOV-200004-14-31, archived at https://perma.cc/NTH3-XG72; Personal Data Act, Act of 14 April 2000 No. 31 (unofficial English translation), https://www.datatilsynet.no/en/regulations-and-tools/regulations-and-decisions/norwegian-privacy-law/personal-data-act, archived at https://perma.cc/AW4A-XNU4.
 Personal Data Regulation (unofficial English translation), https://www.datatilsynet.no/en/regulations-and-tools/regulations-and-decisions/norwegian-privacy-law/personal-data-regulations2/, archived at https://perma.cc/F3MG-DXZ7.
 §27 Personal Data Act.
 Case C‑131/12, Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos, Mario Costeja González, ECLI:EU:C:2014:317, http://curia.europa.eu/juris/celex.jsf?celex=62012CJ0131&lang1=en&type= TXT&ancre, archived at http://perma.cc/TX38-MV8T.
 § 9 Personal Data Act.
 § 42 Personal Data Act.
 See, e.g., Personverdsnemda decision of Dec. 8, 2015, PVN-2015-06 Google, http://www.personvernnemnda.no/ vedtak/2015_06.htm, archived at https://perma.cc/PW6A-4FG6.
 Compare the revoked Norwegian Criminal Code of 1902: §§ 246 & 247 Almindelig borgerlig Straffelov (Straffeloven) [Criminal Code 1902], https://lovdata.no/dokument/NLO/lov/1902-05-22-10/KAPITTEL_2-16#§246, archived at https://perma.cc/LC5T-EK66.
 Én har fått medhold i Google-sletting, Datatilsynet (Oct. 28, 2014), https://www.datatilsynet.no/regelverk-og-skjema/lover-og-regler/avgjorelser-fra-datatilsynet/andre-avgjorelser-og-vedtak/eldre-vedtak/En-har-fatt-medhold-i-fjerning-av-Google-treff/, archived at https://perma.cc/MMJ9-BZRU.
 Kan få fjernet Googles forslag til søk, Datatilsynet (June 16, 2015), https://www.datatilsynet.no/aktuelt/ 2015/Kan-fa-fjernet-Googles-automatiske-forslag-til-sok/, archived at https://perma.cc/NFK4-5A6E.
 Transparency Report, Google, https://transparencyreport.google.com/government-removals/overview? authority_search=country:NO&lu=authority_search (last visited Nov. 7, 2017), archived at https://perma.cc/Z62Q-DAYM.
 Kan få fjernet Googles forslag til søk, Datatilsynet (June 16, 2015), https://www.datatilsynet.no/aktuelt/ 2015/Kan-fa-fjernet-Googles-automatiske-forslag-til-sok/, archived at https://perma.cc/RS4Q-MPKF.
Last Updated: 04/16/2018