Answer ... (a) Internet (e-commerce)
The provision of internet access is governed by the Norwegian Electronic Communications Act of 4 July 2003. Internet access is considered an electronic communications service (ECS). In general, no licence is required to offer ECS in Norway. However, ECS providers must register with the Norwegian Communications Authority prior to offering ECS in Norway. The Norwegian Electronic Communications Act imposes a net neutrality obligation, which implies that ECS providers cannot discriminate their services based on different types of internet traffic.
Norway implemented the EU E-commerce Directive through the E-commerce Act of 23 May 2003. Under the E-commerce Act, it is mandatory, among other things:
- to provide certain information about the e-commerce provider;
- to make available all legal terms and conditions applicable to a service prior to entering into an agreement;
- to meet technical requirements as regards the purchase process; and
- to meet requirements regarding access to and filing of electronic contracts.
Norway has also implemented the EU Distance Selling Directive through the Withdrawal Act of 20 June 2014. Among other things, this recognises the right of a consumer to withdraw from a contract (unless a service is carried out on the instruction of the consumer prior to expiry of the withdrawal period). The Withdrawal Act also imposes an obligation to provide information about the service prior to entering into an agreement. All mandatory information under the Withdrawal Act must be provided in Norwegian if a service is targeted at Norwegian consumers.
Norway also has a specific regulation issued under the Discrimination Act of 16 June 2017, which sets out the requirements regarding the design of websites targeted at the general public. At a minimum, the design of a website shall comply with the Web Content Accessibility Guidelines 2.0 (WCAG 2.0)/NS/ISO/IEC 40500:2012, at Level A and AA. The Norwegian regulations will probably be revised when the EU Web Accessibility Directive is implemented (scheduled for mid-2020).
(b) Mobile (m-commerce)
The answers provided under question 3.1(a) also apply to m-commerce.
(c) Big Data (mining)
The main statute to consider with regard to big data and data mining is the Norwegian Act on Personal Data, which implements the EU General Data Protection Regulation (GDPR) (see question 5.1). Specific issues to consider when processing big data include documenting the legal grounds for data processing and demonstrating compliance with the purpose limitation principle. The Norwegian Data Protection Authority (NDPA) further recommends conducting a data processing impact assessment in connection with the implementation of big data and artificial intelligence (AI).
(d) Cloud computing
For details on the GDPR, see question 5.1. In addition to the requirements set out by the GDPR, cloud computing is subject to sector-specific regulations concerning cloud computing under the Information Communication and Technology Regulation (see question 5.2).
(e) Artificial intelligence
AI is first and foremost governed by the GDPR. The use of AI must comply with the fundamental principles of the GDPR. According to guidance issued by the NDPA, it is important to consider the privacy by design obligation under Article 25 of the GDPR when developing and using AI. Furthermore, AI used as part of automated decision making or profiling must comply with Article 22 of the GDPR. ‘Profiling’ is defined in Article 4 of the GDPR as: “Any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.” Recital 71 of the GDPR also refers to examples of automated decision making “such as automatic refusal of an on-line credit application”. The GDPR does not prohibit AI advancements, but these must be designed to comply with the GDPR. The NDPA recommends that a data processing impact assessment be conducted in connection with the use of AI.
(f) Distributed ledger technology (Blockchain, cryptocurrencies)
Norwegian law is technology neutral, so there is no legal obstacle to the application of blockchain technology. A regulated finance entity applying blockchain technology must comply with the requirements set out in the Information Communication and Technology Regulation, including conducting risk assessments and taking measures to mitigate risks and uphold contingency and emergency plans for its IT operations. It must also comply with the requirements set out by the GDPR.
Providers of exchange services between virtual currencies and fiat currencies, as well as wallet services, are obliged to register with the Norwegian Financial Services Authority (FSA) under the anti-money laundering regime. No harmonised single licence and passporting regime applicable for exchange service platforms is available within the European Economic Area. This means that all traders and virtual currency exchange and wallet platforms offering their services as a business in Norway must register with the Norwegian FSA. Appropriate anti-money laundering routines must be established and a suitability assessment conducted. The Norwegian FSA requires that all transactions be subject to ongoing customer due diligence and sanction controls, under a risk-based approach. The provision of exchange services between virtual currencies only is unregulated and is not subject to a duty to register with the Norwegian FSA.
