TMT 2024

Last Updated February 22, 2024

Norway

Law and Practice

Authors



Advokatfirmaet Haavind AS has a nationally recognised tech practice with over 20 members of staff focusing on technology, media and IP rights. The team excels across all disciplines of TMT expertise, including tech M&A, large-scale IT projects, digital media and telecoms, privacy and data protection, new digital ventures and innovative products, and litigation. Other areas of expertise include non-personal data ownership, data lakes and AI, trade secrets, TV/film distribution, privacy enforcement, antitrust in tech and Norway's Security Act. The firm's blend of expertise sees it regularly involved in the largest and most complex TMT matters in Norway, particularly IT outsourcing or cloud migration. Combining sector-specific knowledge and experience with a practical understanding of the increasingly complex regulatory landscape clients are facing, Haavind’s tech practice frequently teams up with its corporate or commercial disputes teams to provide dovetailing support for clients’ largest matters, and regularly advises on issues with cross-border implications.

Norway does not have any specific laws regulating the metaverse; the general rules that apply in the physical world will also apply in the metaverse. These include, but are not limited to, contract law, rules on personal data protection and regulations on intellectual property.

A key legal challenge when applying Norwegian law in the metaverse will be to ensure a sufficient amount of personal data protection. As Norway is part of the European Economic Area (EEA), the main rules for data protection in Norwegian law are found in the Personal Data Act and the General Data Protection Regulation (GDPR). All processing of personal data must comply with the terms set out in this regulation.

The GDPR is implemented by the Personal Data Act, which complements the GDPR on certain topics. Some specific Norwegian examples include:

  • the minimum age for children consenting to the processing of their personal data in the context of information society services is 13 years, which is lower than the GDPR standard of 16 years (Section 5);
  • only certain parts of the GDPR apply when the processing of data is done solely for journalistic purposes, or in relation to academic, artistic or literary purposes;
  • personal identity numbers may only be processed when there is an objective need for identification; and
  • a specific legal basis applies for private entities' processing of personal data relating to criminal offences.

The supervisory authority for GDPR compliance in Norway is the Norwegian Data Protection Authority (DPA). The DPA has taken its role seriously by issuing a steadily increasing number of fines in recent years.

Regulating intellectual property rights (IPR) might also be a key legal challenge in the metaverse. For example, if intellectual property is created in the metaverse, several jurisdictions may claim their IPR laws apply, and these may dovetail or conflict with the terms of use for the metaverse.

Similarly, the regulation of non-physical tokens might become a legal challenge. A variety of non-physical tokens are used in e-sports and e-games as a currency in transactions. To assess such tokens in terms of commercial value in the physical world is a challenge in terms of applicable jurisdiction, tax regulation and contract law, for example.

In recent years, the matter of human rights in the metaverse has become an increasingly debated topic, with the Norwegian National Human Rights Institution (NIM) publishing a report on the subject in early 2023. The report highlights issues concerning jurisdiction, accountability, segregation between realities, and the applicability of certain human rights provisions.

New regulations covering the metaverse may be expected in the future. In July 2023, the European Commission adopted a strategy on actions concerning Web 4.0 and virtual worlds. Although it envisages supportive tools to encourage innovation and ensure fundamental rights, the strategy might be a stepping stone for legislative acts. Thus, any future legislation under the strategy might be binding on Norway if the legal acts are incorporated in the EEA Agreement.

Norway does not have specific laws or regulations applicable to the digital economy. EU regulations, such as the Digital Services Act and the Digital Markets Act, will apply once implemented into Norwegian law.

A general challenge of the digital economy is how to apply traditional legal concepts from the analogue world to digital activity. Specifically, tax regulations and criminal regulations have proved challenging to apply in the normal context of jurisdiction, due to the geographically borderless nature of the digital economy, which needs to be reconciled with strict requirements for laws to be clear and predictable in order to be enforceable within the areas of tax and criminal law in Norway.

Cryptocurrency has proved to be a legal challenge. Norwegian banks have long been wary of accepting deposits made in cryptocurrency, as the normal “Know Your Customer” requirements and anti-money laundering procedures can be difficult to enforce and apply in relation to clients using cryptocurrency. Documenting the absence of money laundering or similar crimes in past crypto transactions can be almost impossible, and no common code or practice is yet applied across banks in Norway. 

The Norwegian Act on Digital Content and Services entered into force in October 2023 and implements EU Directive 2019/770. The Act applies to agreements concerning the supply of digital services or content against payment in consumer relations. It imposes objective and subjective requirements for conformity and equips the consumer with remedies in case of contract breach. In short, the Act can be understood as a consumer sales law in the digital world.

New EU acts covering the digital economy that are deemed relevant for the EEA, such as the proposal for a Cyber Resilience Act, are also likely to be implemented in Norway.

Norway does not have any general legislation governing cloud and edge computing. However, specific regulations regarding the processing of personal data, financial data, archive data in the public sector and data in the health sector will influence cloud and edge computing requirements. In addition, the Norwegian Security Act may impose further requirements or restrictions based on national security considerations.

Processing of Personal Data

All processing of personal data is subject to the GDPR, which requires the data controller to have a legal basis for the processing of personal data, including the transfer of the data to the service provider, and for any transfer of data to countries outside the EU and EEA.

Article 32 of the GDPR requires the controller and the data processor to ensure the safety and integrity of the data processed through technical and organisational security measures. Appropriate measures may be encryption and the ability to restore the availability and access to personal data, as well as internal processes for regularly testing, assessing and evaluating the effectiveness of the measures.

The requirements under Chapter 5 of the GDPR govern the transfer of personal data to third countries and are therefore relevant for cloud computing. The transfer of personal data to third countries requires a transfer mechanism, and the level of protection of the data must meet EU standards.

As of the ECJ’s ruling in case C-311/18 (Schrems II), the EU-US Privacy Shield personal data transfer mechanism for transfers from the EEA to the US is invalid, and organisations must seek alternative transfer mechanisms when working with US cloud providers. For Norwegian businesses using data processors abroad, the Schrems II ruling has also caused challenges for other managed services locations outside the EU and EEA, such as India.

As far as the EU standard contractual clauses (SCCs) were concerned, existing agreements based on the old templates executed before 27 September 2021 were valid until 27 December 2022. On 10 July 2023, the EU Commission adopted an adequacy decision for US businesses, which came into effect immediately and replaced the Privacy Shield. In brief, this means that the EU Commission has assessed that businesses certified under the new framework (www.dataprivacyframework.gov) ensure a level of protection for personal data equivalent to European standards.

In July, the DPA declared that Meta's surveillance of Facebook and Instagram users for behaviour-based marketing is illegal, and imposed a temporary ban on the practice in Norway. The European Data Protection Board has decided that the Norwegian ban on behaviour-based marketing on Facebook and Instagram should be made permanent and extended to cover the entire EU/EEA.

The Financial Sector

The Bookkeeping Act generally requires that accounting material that is subject to storage requirements must be stored in Norway. According to the Bookkeeping Regulation, exceptions can be made for storage in certain EEA countries if the Tax Directorate is informed; only the Nordic countries are currently covered by the exemption, but the bookkeeping authorities may grant exemptions for other countries in the EU/EEA on a case-by-case basis. Consequently, access to cloud services for accounting material is restricted. However, the Bookkeeping Act does not prevent entities from storing copies of accounting material on servers abroad, as long as the material is (in addition) legally stored and processed in Norway.

The Norwegian Regulation regarding the use of information communication technology (ICT) in the finance sector will also affect the use of cloud computing services in this business segment. It sets out the requirements for ICT systems used in the financial sector, and businesses will have to carry out risk assessments, ensure the Financial Supervisory Authority's right of inspection also applies to the provider, and assess whether outsourcing in general, or cloud computing services in particular, meet the Regulation requirements related to the systems’ quality and business continuity. The Norwegian Regulation was last updated in December 2021, largely implementing guidelines from European authorities (the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority).

National Security

The Security Act applies to all public bodies, and to companies involved in classified procurements or companies that for other reasons are subject to the Act’s requirements following a decision by the relevant ministry. The Act generally allows for the use of cloud services for businesses that are subject to the Act, but the use of cloud and edge services for information that could relate to national security interests needs to comply with strict requirements in the Act. The business must carry out risk assessments and assess whether the use of cloud and edge computing services is safe, considering the specific information that is to be safeguarded. A proactive dialogue with the security authorities should also be considered.

The Security Act has been in force for a relatively short period of time, and interpretation of its scope and restrictions remains vague and subject to public debate. It should also be noted that the application of the restrictions may change based on the geopolitical climate. The outbreak of war in Ukraine and the related energy crisis, with attacks on the energy infrastructure in Europe, illustrate the risk and are particularly relevant as Europe’s reliance on the Norwegian energy sector has increased. Both events played a part when Norwegian oil and energy company Equinor became subject to the Norwegian Security Act in 2022.

The Norwegian Act on Cybersecurity was adopted in December 2023, implementing EU Directive 2016/1148 (NIS1) and facilitating the implementation of the Cybersecurity Regulation. The Act applies to providers of essential services and of digital services, which must fulfil minimum cybersecurity requirements, such as regularly conducting IT risk assessments and notifying public authorities of events that could have a significant impact on service delivery. EU Directive 2022/2555 (NIS2) has not yet been incorporated into the EEA Agreement, and is therefore not binding for Norway as of January 2024.

The Council adopted a preliminary position on 20 December 2023, with a press release on the Cybersecurity Regulation. The EU Cyber Solidarity Act will enhance solidarity at EU level for improved detection, preparation and response to significant or large-scale cybersecurity incidents. This will be achieved by establishing a European Cybersecurity Shield and a comprehensive Cyber Emergency Mechanism.

Archiving in the Public Sector

The Archive Act applies to the public sector in Norway. It does not explicitly govern the use of cloud or edge computing but prohibits public entities from transferring or transporting archive material out of Norway. However, it must be noted that EU Regulation 2018/1807 on the free flow of non-personal data (the FFD Regulation) is incorporated into the EEA Agreement, so Norwegian authorities may have to revoke the prohibition. A new Archive Act is also in process and is expected to be proposed to parliament in 2024.

For software suppliers to the Norwegian public administration, it is worth noting that the current Archive Act also mandates the use of open formats and requires public entities to carry out risk assessments of the storage systems to be used and examine whether these fulfil their archiving obligations.

The Health Sector

Entities providing, managing or assuring quality healthcare services are subject to the Norwegian Patient Journal Act and underlying regulations, which impose strict requirements governing information security, including the use of cloud service providers. The Act also imposes functional requirements regarding the documentation of healthcare, right of access, access control and the deletion of data. In addition, most healthcare providers in Norway are bound by the sector-specific standard “Normen”, a compilation of information security requirements that in some cases are stricter than requirements in law.

New EU Acts

New EU acts covering cloud and edge computing that are deemed relevant for the EEA are likely to also be implemented in Norway.

Norway does not have any general legislation governing artificial intelligence. However, specific regulations like the processing of personal data, IPR and discrimination in relation to fundamental rights are examples of relevant regulations that will apply to the use of artificial intelligence.

A compromise on the AI Regulation was negotiated by the Council, the Commission and the European Parliament on 9 December 2023. The goal is to make the EU the leading entity in terms of the development and use of secure, reliable and human-centred AI.

EU positions on civil liability – adapting liability rules to the digital age and artificial intelligence – are also likely to have an impact on Norway via the EEA as they materialise and mature at the European level.

Data Protection

Big data, machine learning and artificial intelligence projects will involve the processing of large data sets. More often than not, data sets targeted for machine learning and artificial intelligence use contain unstructured rather than structured data. The data sets may contain non-personal data or personal data, or a mix. The GDPR will apply where such data sets contain personal data. This includes the requirement for a legal basis for the processing and a number of safeguards. Key challenges with machine learning and artificial intelligence technologies in Norway will be:

  • complying with the prohibition against processing data for a purpose that is incompatible with the purpose for which it was collected; and
  • biased algorithms.

Artificial intelligence, machine learning and big data are also likely to be viewed as high-risk processing activities, meaning the controller could be required to conduct data protection impact assessments (DPIAs).

Intellectual Property

Ownership of non-personal data has yet to be broadly discussed in Norway, but the general view is that data that merely represents factual observations may not be “owned” by the collecting company or person in the traditional concept of ownership. However, databases and computer programs used for processing big data, machine learning and artificial intelligence are to some extent safeguarded by the sui generis database property right in Norwegian copyright law. The Norwegian Protection of Trade Secrets Act may also provide dovetailing protection for data if reasonable measures to avoid disclosure are implemented. As the protection offered by national rules is limited, it is important that intellectual property questions are clearly regulated by contract.

The question of ownership and IPR as regards the results generated by intelligent machines has been resolved by the European Patent Office, which also impacts Norway, so an artificial intelligence system cannot be named an inventor in Norway. Contractual regulation of IPR between parties using technology for innovation purposes will remain essential for the foreseeable future.

Furthermore, it is worth noting that the implementation of the Data Act may affect the current regulation of IPR (see 5.1 Machine-to-Machine Communications, Communications Secrecy and Data Protection).

Discrimination

The use of artificial intelligence may affect the rights and freedoms of individuals – eg, when examination reviews or job applications are processed by automatic means. While problematic from a GDPR perspective, such automatisation may also be problematic under the recently adapted Norwegian Act on Discrimination, governing individuals' rights to equal treatment and not to be discriminated against based on, for example, race, sex, religion, age or sexual orientation. There have already been examples of such discrimination by algorithms internationally. As discrimination is already governed by law in Norway, developers must implement safeguards to prevent discrimination when developing artificial intelligence. Further regulation by the EU with indirect application in Norway may be expected.

There is no specific Norwegian legislation regarding the internet of things (IoT), although there has been a manifest proliferation of sensor technology across industries and for personal use in Norway in the last decade. Legal requirements for data protection will limit the scope of IoT projects when it comes to personal data, as these devices usually collect a large amount of data. All devices processing personal data will have to comply with the general principles of the GDPR, including not collecting more data than is necessary for the purpose of processing (data minimisation) and not processing data in a manner that is incompatible with the initial purposes of processing (purpose limitation).

When IoT technology is applied for non-personal data, the contracts will remain key, although the area is severely under-regulated in a large volume of legacy contracts in Norway, which may fuel renegotiation or disputes. A joint code of conduct for the agriculture and aquaculture industries has been proposed by relevant organisations in Norway, with the aim of transferring data ownership from the sensor vendor to the farmer, but adoption remains uncertain.

Certain radio and communications devices that are connected to the internet will have to meet minimum requirements in areas such as information security, privacy and anti-fraud, based on local implementation of EU cybersecurity laws.

In November 2023, the EU Data Act was adopted in the EU Parliament, with the stated purpose of enhancing innovation within the EU by providing increased access to, as well as greater opportunities for the re-use of, data originating from affiliated entities. The text is considered relevant to the EEA. The process of evaluating whether the text should be included in the EEA Agreement, and subsequently implemented into Norwegian law, traditionally takes significantly longer than the time it takes for the legal act to take effect in EU countries. Nevertheless, the legal act will have implications for Norwegian businesses operating in the EU from the point at which it takes effect there.

The Norwegian Broadcasting Act sets different requirements for set categories of audio-visual media services.

The first category corresponds to companies wishing to engage in broadcasting via ground-based transmitting facilities, and these must obtain a licence. The term “broadcasting” shall be understood to encompass “the transmission of speech, music, images and the like by electronic communications networks intended or suitable for direct and simultaneous reception by the public”. Beyond the requirement that the communication must be made via an electronic communication network, the term “broadcasting” is technology-neutral.

Companies wishing to engage in other broadcasting services (ie, broadcasting services not subject to the licensing requirement) must register with the Norwegian Media Authority. This requirement is typically applicable for companies wishing to broadcast via the internet, satellite or cable. The broadcasting term's criterion of “direct and simultaneous reception by the public” entails that the registration requirement is only applicable for companies wishing to transmit live content to the public – eg, streaming live news online. On-demand audio-visual services are not obliged to register.

The third and last category covers on-demand audio-visual services, which are defined as services “where the primary purpose is providing audio-visual programmes that can be viewed at the moment chosen by the user and at their individual request on the basis of a catalogue of programmes and that is distributed to the general public via electronic communication networks”. This typically includes non-live online streaming and online television.

The criterion of editorial control will generally exclude media services that distribute user-generated content without interference from the service provider. However, Norwegian authorities are currently considering a proposed amendment to the Norwegian Broadcasting Act, suggesting implementing the rules from Directive 2018/1808, which amends Directive 2010/13/EU (Audiovisual Media Services Directive) concerning user-generated video platform services (such as YouTube), over which the provider of the service has no editorial control.

The Licensing and Registration Processes

Application for a broadcasting licence is done by sending a completed form to the National Media Authority. Licensed parties will be subject to fees, regulated by the Ministry of Culture. The fees may vary from time to time and for different providers.

Registration of a broadcasting service is done on the website of the Media Authority after creating a user account.

Other Main Requirements

The legal framework sets specific requirements for the different categories of audio-visual media services. This includes requirements for labelling age limits and advertisements, and rules on reporting to the authorities and protection measures for younger viewers.

Upcoming EU Acts Relevant for Norway

The European Commission has made proposals covering Audio-Visual Media Services, and many of them are of relevance to the EEA. Not all of them can be discussed in this paper, but two significant proposals will be highlighted.

The European Media Freedom Act seeks to secure the independence of the media, as well as media pluralism. The proposal also includes rules regarding the editorial responsibility of very large internet platforms – eg, an obligation to state the reasons for removing or blocking content published by media service providers. Norwegian authorities will consider the appropriate measures for implementing the act once the proposal is adopted in the EU.

In addition, the Commission has proposed a regulation to prevent and combat child sexual abuse on the internet (Child Sexual Abuse Regulation, or CSAM). The relevant service providers must assess the risk of their service being used to spread child abuse content and assess the risk of “grooming”. Furthermore, the service providers must establish measures to minimise identified risks. National authorities may require the service provider to track the existence of such content. Norwegian authorities held a hearing about the proposal in February 2023, and are considering proposing a Norwegian act similar to CSAM.

The Electronic Communications Act currently applies to all activity relating to electronic communications, as well as associated equipment (Section 1-2). The Act is neutral regarding variations in technology and therefore encompasses all forms of electronic communication. Further obligations for providers derive from the Act’s corresponding regulations.

However, influenced by the EU’s European Electronic Communications Code, a new electronic communication act is likely to be presented to parliament in 2024. The final result of such a new act is not yet known, but it is implied that the scope of the telecommunication rules might be adjusted and may, among other things, include rules concerning data centres.

General Approval Requirements

There is no general requirement for regulators’ approval to offer electronic communication services in Norway. However, most providers are required to register their business with the Norwegian Communications Authority (Nkom) in order to operate legally. The obligation to register applies to:

  • providers that install, operate and give access to electronic communications networks that are utilised for offering a public electronic communication service;
  • providers of telephone services available to the public; and
  • providers of transmission capacity.

Other providers are not obliged to register; examples include providers of content services and data transfer services that do not install or operate their own physical network and telephony providers with a service that is not – or is only partially – designed for end-to-end connectivity. Voice-over-Internet Protocol (VoIP) systems that are not fully designed for end-to-end connectivity and instant messaging systems, and that use other providers’ physical networks, will therefore not need to register.

To register, the provider must complete Nkom’s form and have it signed by a person with the authority to legally commit the company. Once the form and relevant attachments have been sent to Nkom by post or email, the provider may offer its products and services in the Norwegian market. Registered companies appear on Nkom’s public list of registered providers.

The registration of electronic communications providers is free of charge, but providers of electronic communications networks, electronic communications services and associated facilities with a turnover of more than NOK35 million must, in the following year, pay administrative charges to Nkom.

Approval Requirements for Use of Frequencies in Norway

The use of frequencies in Norway is not permitted without a licence. General licences are granted in the General Authorisations Regulation and apply to anyone using the specific equipment or service, therefore allowing free use of the specific usage. Section 9 of the Regulation allows for the use of specific frequency bands for RFID equipment in co-ordination with applicable standards. Consequently, the use of RFID tags within the terms set out in the provision is not dependent on an application for an individual licence.

Norway does not have general legislation for IT service agreements, although the country boasts no fewer than three families of IT standard contract templates (Statens Standardavtaler, IKT Norge and Dataforeningen). The relevant legislation to consider is the Norwegian Contracts Act, and the non-statutory principles applicable to all contracts. Compared to other jurisdictions, Norway may be considered a “hybrid” between the common law and the civil law tradition. The Contracts Act contains provisions regarding all forms of agreements, including rules on how a binding contract is concluded and rules on certain circumstances that can lead to the invalidation of a contract. Commercial contracts will, however, very rarely be censored or invalidated by a Norwegian court of law following the provisions of the Contracts Act. It is therefore important that the agreement, or the choice of standard template, is considered well in advance, and that the agreement regulates the placement of risk between the parties.

The Norwegian Act relating to the Sale of Goods applies directly to the sale of goods, but is to some degree seen as an expression of applicable non-statutory principles governing contracts law and may therefore apply analogously to IT service agreements, especially for matters not regulated in the contract. The Act governs the parties’ obligations and remedies in the event of a breach of contract and will consequently need considering when entering into an IT service agreement. Consumers enjoy mandatory protection that cannot be varied in contract, so B2C contracts require more scrutiny than B2B contracts.

Data Protection

GDPR compliance is a typical challenge in many IT service contracts, as these will often involve the processing of personal data to some extent. If the service provider will be processing data on behalf of the customer, a data processing agreement will be mandatory, pursuant to Article 28 of the GDPR. Another common challenge is compliance with the GDPR requirements for data transfer if the provider processes the data in a non-EU country, which triggers Schrems II-related issues.

Regulated Industries

Regulated industries frequently use the Statens Standardavtaler templates, which are provided by the Norwegian government for use in the public sector, but they can freely be used by businesses in the private sector as well.

As part of the EEA, Norway has implemented Regulation (EU) 910/2014 (eIDAS) through the Norwegian Electronic Trust Services Act.

Electronic signatures and electronic ID confirmation and signatures are commonly used in Norway in both the public and private sector. Most governmental online platforms require logins with an electronic ID, including accessing tax statements, any social aid and student loans. Private corporations like banks, insurance companies, real estate agencies, unions and the Norwegian postal and freight services also prefer and rely on electronic ID confirmation and signatures. Payment confirmation through electronic signatures is also frequently used in online retail.

The largest provider of electronic signatures and identification in Norway is BankID, which is jointly owned and developed by Norwegian banks and is the leading identity service provider across the market in Norway. Other examples of providers with a foothold in the Norwegian market include Buypass and Signicat.

In the last few years, liability and responsibility for loss after fraud using electronic identification and signatures has been litigated in Norwegian courts. Recent principal judgments have concluded that the electronic identification and signature providers carry a larger part of the liability than previously assumed. Consequently, the new Norwegian Financial Contracts Act was adopted in 2020, with effect from 1 January 2023. The purpose of the new act is to strengthen consumer protection, with more responsibility being placed on the banks and financial institutions in cases of BankID fraud. The deductible has also been significantly reduced in favour of the consumer.

The Commission Proposal amending the eIDAS Regulation is still being discussed in the EU. The Norwegian government considers the amendments to be relevant to the EEA so the act may be incorporated into the EEA Agreement when the proposal is adopted in the EU, which would prompt an amendment to the existing Norwegian legislation.

Advokatfirmaet Haavind AS

Postboks 359
Sentrum
0101
Oslo
Norway

+47 22 43 30 00

post@haavind.no www.haavind.no/en