Contributed By Advokatfirmaet Haavind
Norway does not have any specific laws regulating the metaverse. The general rules that apply in the physical world will also apply in the metaverse. These include, but are not limited to, contract law, rules on personal data protection and regulations on intellectual property.
A key legal challenge when applying Norwegian law in the metaverse will be to ensure a sufficient amount of personal data protection. As Norway is part of the European Economic Area (EEA), the main rules for data protection in Norwegian law are found in the Personal Data Act and the General Data Protection Regulation (GDPR). All processing of personal data must comply with the terms set out in this regulation.
The GDPR is implemented by the Personal Data Act, which complements the GDPR on certain topics. Some specific Norwegian examples include:
The supervisory authority for GDPR compliance in Norway is the Norwegian Data Protection Authority (DPA). The DPA has taken its role seriously by issuing a steadily increasing number of fines in recent years.
Similarly, the regulation of non-physical tokens might become a legal challenge. A variety of non-physical tokens are used in e-sports and e-games as a currency in transactions. To assess such tokens in terms of commercial value in the physical world is a challenge, for example, in terms of applicable jurisdiction, tax regulation and contract law.
Norway does not have specific laws or regulations applicable to the digital economy. EU regulations, such as the Digital Services Act and the Digital Markets Act, will apply once implemented into Norwegian law.
A general challenge with the digital economy is how to apply traditional legal concepts from the analogue world to digital activity. Specifically, tax regulations and criminal regulations have proved challenging to apply in the normal context of jurisdiction, due to the geographically borderless nature of the digital economy, which needs to be reconciled with strict requirements for laws to be clear and predictable in order to be enforceable within the areas of tax and criminal law in Norway.
Cryptocurrency has proved to be a legal challenge. Norwegian banks have long been wary of accepting deposits made in cryptocurrency. The reasoning behind the reluctance is that the normal “Know Your Customer” requirements and anti-money laundering procedures can be difficult to enforce and apply in relation to clients using cryptocurrency. Documenting the absence of money laundering or similar crimes in past crypto transactions can be almost impossible and there is no common code or practice applied across the banks in Norway yet.
Norway does not have any general legislation governing cloud and edge computing. However, specific regulations regarding the processing of personal data, financial data, archive data in the public sector and data in the health sector will influence cloud and edge computing requirements. In addition, the Norwegian Security Act may impose further requirements or restrictions based on national security considerations.
Processing of Personal Data
All processing of personal data is subject to the European Union’s General Data Protection Regulation (GDPR). The GDPR requires that the data controller must have a legal basis for the processing of personal data, including the transfer of the data to the service provider, as well as for any transfer of data to countries outside the EU and EEA.
Article 32 of the GDPR requires that the controller and the data processor ensure the safety and integrity of the data processed through technical and organisational security measures. Appropriate measures may include encryption, the ability to restore the availability of and access to personal data, and internal processes for regularly testing, assessing and evaluating the effectiveness of the measures.
The requirements under Chapter 5 of the GDPR govern transfer of personal data to third countries and are therefore relevant for cloud computing. Transfer of personal data to third countries requires a transfer mechanism, and the level of protection of the data must meet EU standards.
As of the ECJ’s ruling in case C-311/18 (Schrems II), the EU-US Privacy Shield personal data transfer mechanism for transfers from the EEA to the US is invalid, and organisations must seek alternative transfer mechanisms when working with US cloud providers. For Norwegian businesses using data processors abroad, the Schrems II ruling has also caused challenges for other managed services locations outside the EU and EEA, such as India.
As far as the EU standard contractual clauses (SCCs) were concerned, existing agreements based on the old templates executed before 27 September 2021 were valid until 27 December 2022. Most data exporters will have to adopt supplementary measures to ensure that the data’s level of protection is up to EU standards. The judgment therefore entails that the use of cloud computing services from third countries can be challenging. The effectiveness of encryption is emerging as a key assessment.
The Financial Sector
The Bookkeeping Act generally requires that accounting material subject to storage requirements must be stored in Norway. According to the Bookkeeping Regulation, exceptions can be made for storage in certain EEA countries if the Tax Directorate is informed. Currently, only the Nordic countries are covered by the exemption. The bookkeeping authorities may grant exemptions for other countries in the EU/EEA on a case-by-case basis. Consequently, access to cloud services for accounting material is restricted. However, the Bookkeeping Act does not prevent entities from storing copies of accounting material on servers abroad, as long as the material is (in addition) legally stored and processed in Norway.
The Norwegian Regulation regarding use of Information Communication Technology (ICT) in the Finance Sector will also affect the use of cloud computing services in this business segment. The Regulation sets requirements for ICT systems used in the financial sector, and businesses will have to carry out risk assessments, ensure the Financial Supervisory Authority's right of inspection also applies to the provider, and assess whether outsourcing in general, or cloud computing services in particular, meet the Regulation requirements related to the systems’ quality and business continuity. The Norwegian Regulation was last updated in December 2021, largely implementing guidelines by European authorities (European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), European Securities and Markets Authority (ESMA)).
The Security Act applies to all public bodies, as well as companies involved in classified procurements or companies that for other reasons are subject to the Act’s requirements following a decision by the relevant ministry. The Act generally allows for the use of cloud services for businesses that are subject to the Act, but use of cloud and edge services for information that could relate to national security interests needs to comply with strict requirements in the Act. The business must carry out risk assessments and assess whether use of cloud and edge computing services is safe considering the specific information that is to be safeguarded. A proactive dialogue with the security authorities should also be considered.
The Security Act has been in force for a relatively short period of time. Interpretation of its scope and restrictions remains vague and subject to public debate. It should also be noted that the application of the restrictions may change based on the geopolitical climate. The outbreak of war in Ukraine and the related energy crisis with attacks on energy infrastructure in Europe illustrate the risk and are particularly relevant as Europe’s reliance on the Norwegian energy sector has increased. Both events played a part when the Norwegian oil and energy company Equinor became subject to the Norwegian Security Act in 2022.
Archiving in the Public Sector
The Archive Act applies to the public sector in Norway. It does not explicitly govern the use of cloud or edge computing but prohibits public entities from transferring or transporting archive material out of Norway. However, it must be noted that EU Regulation 2018/1807 on the free flow of non-personal data (the FFD Regulation) is currently under consideration in the EEA, including Norway. If the FFD Regulation is incorporated in the EEA Agreement, Norwegian authorities may have to revoke the prohibition. A new Archive Act is also in process and is expected to be proposed to parliament in 2024.
For software suppliers to the Norwegian public administration, it is worth noting that the current Archive Act also mandates the use of open formats and requires that public entities carry out risk assessments of the storage systems to be used and examine whether these fulfil their archiving obligation.
The Health Sector
Entities providing, managing, or assuring quality healthcare services are subject to the Norwegian Patient Journal Act and underlying regulations, which impose strict requirements governing information security, including the use of cloud service providers. The Act also imposes functional requirements regarding documentation of healthcare, right of access, access control and deletion of data. Additionally, most healthcare providers in Norway are bound by the sector-specific standard “Normen”, a compilation of information security requirements which in some cases are stricter than requirements in law.
New EU Acts
New EU acts covering cloud and edge computing that are deemed relevant for the EEA are likely to also be implemented in Norway.
Norway does not have any general legislation governing artificial intelligence. However, regulations on matters such as the processing of personal data, intellectual property rights and discrimination in relation to fundamental rights will apply to the use of artificial intelligence.
Further, in the field of artificial intelligence, Norway is influenced by EU regulation. The current EU proposals for harmonised regulation of AI are relevant for Norway through the EEA Agreement, and the Norwegian government has submitted its views and position in a national review note from August 2021. EU positions on civil liability – adapting liability rules to the digital age and artificial intelligence – are also likely to have an impact on Norway via the EEA as they materialise and mature at European level.
Big data, machine learning and artificial intelligence projects will involve processing large data sets. More often than not, data sets targeted for machine learning and artificial intelligence use contain unstructured rather than structured data. The data sets may contain non-personal data or personal data, or a mix. The GDPR will apply where such data sets contain personal data. This includes the requirement for a legal basis for the processing and a number of safeguards. Key challenges with machine learning and artificial intelligence technologies in Norway will be:
Artificial intelligence, machine learning and big data are also likely to be viewed as high-risk processing activities, entailing that the controller could be required to conduct data protection impact assessments (DPIAs).
Ownership of non-personal data has yet to be broadly discussed in Norway, but the general view is that data that merely represents factual observations may not be “owned” by the collecting company or person in the traditional concept of ownership. However, databases and computer programs used for processing big data, machine learning and artificial intelligence are to some extent safeguarded by the sui generis database property right in Norwegian copyright law. The Norwegian Protection of Trade Secrets Act may also provide dovetailing protection for data if reasonable measures to avoid disclosure are implemented. As the protection offered by national rules is limited, it is important that intellectual property questions are clearly regulated by contract.
The question of ownership and intellectual property rights as regards the results generated by intelligent machines has been resolved by the European Patent Office, which also impacts Norway. Hence, an artificial intelligence system cannot be named an inventor in Norway. Contractual regulation of IPR between parties using technology for innovation purposes will remain essential for the foreseeable future.
The use of artificial intelligence may affect the rights and freedoms of individuals, eg, when examination reviews or job applications are processed by automatic means. While problematic from a GDPR perspective, such automatisation may also be problematic under the recently adapted Norwegian Act on Discrimination, governing individuals' rights to equal treatment and not to be discriminated against based on, for example, race, sex, religion, age or sexual orientation. We have already seen examples of such discrimination by algorithms internationally. As discrimination is already governed by law in Norway, developers must implement safeguards to prevent discrimination when developing artificial intelligence. Further regulation by the EU with indirect application in Norway may be expected.
There is no specific Norwegian legislation regarding the internet of things (IoT), although there has been a manifest proliferation of sensor technology across industries and for personal use in Norway in the last decade. Legal requirements for data protection will limit the scope of IoT projects when it comes to personal data, as these devices usually collect a large amount of data. All devices processing personal data will have to comply with the general principles of the GDPR, including not collecting more data than necessary for the purpose of processing (data minimisation) and not processing data in a manner incompatible with the initial purposes of processing (purpose limitation).
When IoT technology is applied to non-personal data, contracts will remain key, although the matter is severely under-regulated in a large volume of legacy contracts in Norway, which may fuel renegotiation or disputes. A joint code of conduct for the agriculture and aquaculture industries has been proposed by relevant organisations in Norway with the aim of transferring data ownership from the sensor vendor to the farmer, but adoption remains uncertain.
Certain radio and communications devices that are connected to the internet will have to meet minimum requirements in areas such as information security, privacy and anti-fraud based on local implementation of EU cybersecurity laws.
The Norwegian Broadcasting Act sets different requirements for set categories of audio-visual media services.
The first category corresponds to companies wishing to engage in broadcasting via ground-based transmitting facilities, and these must obtain a licence. The term “broadcasting” shall be understood to encompass “the transmission of speech, music, images and the like by electronic communications networks intended or suitable for direct and simultaneous reception by the public”. Beyond the requirement that the communication must be made via an electronic communication network, the term "broadcasting" is technology neutral.
Companies wishing to engage in other broadcasting services, ie, broadcasting services not subject to the licensing requirement, must register with the Norwegian Media Authority. This requirement is typically applicable for companies wishing to broadcast via the internet, satellite or cable. The broadcasting term's criterion of “direct and simultaneous reception by the public” entails that the registration requirement is only applicable for companies wishing to transmit live content to the public, for instance streaming live news online. On-demand audio-visual services are not obliged to register.
The third and last category covers on-demand audio-visual services, which are defined as a service “where the primary purpose is providing audio-visual programmes that can be viewed at the moment chosen by the user and at their individual request on the basis of a catalogue of programmes and that is distributed to the general public via electronic communication networks”. This typically includes non-live online streaming and online television.
The criterion of editorial control will generally exclude media services which distribute user-generated content without interference from the service provider. However, Norwegian authorities are currently considering a proposed amendment to the Norwegian Broadcasting Act, which suggests implementing the rules from Directive 2010/13/EU (Audiovisual Media Services Directive), regarding user-generated video platform services (such as YouTube), over which the provider of the service has no editorial control.
The Licensing and Registration Processes
Application for a broadcasting licence is done by sending a completed form to the National Media Authority. Licensed parties will be subject to fees regulated by the Ministry of Culture. The fees may vary from time to time and for different providers.
Registration of a broadcasting service is done on the website of the Media Authority after creating a user account.
Other Main Requirements
The legal framework sets specific requirements for the different categories of audio-visual media services. This includes requirements for labelling age limits and advertisements, as well as rules on reporting to the authorities and protection measures for younger viewers.
Currently, the Electronic Communications Act applies to all activity relating to electronic communications as well as associated equipment (Section 1-2). The Act is neutral regarding variations in technology and therefore encompasses all forms of electronic communication. Further obligations for providers derive from the Act’s corresponding regulations.
However, influenced by the EU’s European Electronic Communications Code, there will likely be a new electronic communication act presented to parliament in 2023 or 2024. The final result of such a new act is not yet known, but it is implied that the scope of the telecommunication rules might be adjusted.
General Approval Requirements
There is no general requirement for regulators’ approval to offer electronic communication services in Norway. However, most providers are required to register their business with the Norwegian Communications Authority (Nkom) to operate legally. The obligation to register applies to:
Other providers are not obliged to register. Examples of these are providers of content services and data transfer services that do not install or operate their own physical network and telephony providers with a service that is not – or is only partially – designed for end-to-end connectivity. Voice-over-Internet Protocol (VoIP) systems that are not fully designed for end-to-end connectivity, and instant messaging systems, will therefore not need registering where they use other providers’ physical networks.
To register, the provider must complete Nkom’s form and have it signed by a person with the authority to legally commit the company. Once the form and relevant attachments have been sent to Nkom by post or email, the provider may offer its products and services in the Norwegian market. Registered companies appear on Nkom’s public list of registered providers.
Registration of electronic communications providers is free of charge, but providers of electronic communications networks, electronic communications services and associated facilities with a turnover of more than NOK35 million must, in the following year, pay administrative charges to Nkom.
Approval Requirements for Use of Frequencies in Norway – including RFID
The use of frequencies in Norway is not permitted without a licence. General licences are granted in the General Authorisations Regulation. These licences apply to anyone using the specific equipment or service, which may therefore be used freely. The Regulation’s Section 9 allows for the use of specific frequency bands for RFID equipment in co-ordination with applicable standards. Consequently, the use of RFID tags within the terms set out in the provision is not dependent on application for an individual licence.
Norway does not have general legislation for IT service agreements, although the country boasts no fewer than three families of IT standard contract templates (Statens Standardavtaler, IKT Norge and Dataforeningen). The relevant legislation to consider is the Norwegian Contracts Act, and the non-statutory principles applicable to all contracts. Compared to other jurisdictions, Norway may be considered a “hybrid” between the common law and the civil law tradition. The Contracts Act contains provisions regarding all forms of agreements, including rules on how a binding contract is concluded and rules on certain circumstances that can lead to invalidation of a contract. Commercial contracts will, however, very rarely be censored or invalidated by a Norwegian court of law following the provisions of the Contracts Act. It is therefore important that the agreement, or the choice of standard template, is well considered in advance, and that the agreement regulates the placement of risk between the parties.
The Norwegian Act relating to the Sale of Goods directly applies to the sale of goods, but the Act is to some degree seen as an expression of applicable non-statutory principles governing contracts law and may therefore apply analogously to IT service agreements, especially for matters not regulated in the contract. The Act governs the parties’ obligations and remedies in the event of breach of contract and will consequently need considering when entering into an IT service agreement. Consumers enjoy mandatory protection that cannot be varied in contract, so B2C contracts require more scrutiny than B2B contracts.
GDPR compliance is a typical challenge in many IT service contracts as these will often involve the processing of personal data to some extent. If the service provider will be processing data on behalf of the customer, a data processing agreement will be mandatory pursuant to Article 28 of the GDPR. Another commonly occurring challenge is complying with the GDPR requirements for data transfer if the provider processes the data in a non-EU country, which triggers Schrems II-related issues.
Regulated industries frequently use the Statens Standardavtaler templates, which are provided by the Norwegian government for use in the public sector, but they can freely be used by businesses in the private sector as well.
As a result of the EEA, Norway has implemented the EU regulation on electronic identification and trust services for electronic transactions in the internal market, through the Norwegian electronic trust services act.
Electronic ID confirmation and signatures are commonly used in Norway both in the public and private sector. Most governmental platforms online require login with electronic ID. This includes accessing tax statements, any social aid and student loans. Private corporations like banks, insurance companies, real estate agencies, unions and the Norwegian postal and freight services also prefer and rely on electronic ID confirmation and signatures. Payment confirmation through electronic signatures is also frequently used in online retail.
The largest provider of electronic signatures and identification in Norway is BankID. BankID is jointly owned and developed by Norwegian banks and is the leading identity service provider across the market in Norway.
Other examples of providers with a foothold in the Norwegian market are Buypass and Signicat.
In the last few years, liability and responsibility for loss after fraud using electronic identification and signatures has been litigated in Norwegian courts. Recent principal judgments have concluded that the electronic identification and signature providers carry a larger part of the liability than previously assumed.