Norway: Netflix, WhatsApp and Similar Service Providers Impacted by New e-surveillance Act

The draft permits broad sweep of cross-border communications and will affect private companies, including global platforms and streaming services. The national intelligence service ("e-tjenesten") will have new powers to access metadata related to electronic communications via computers, smartphones, laptops, tablets, smart-TVs and video gaming consoles.

According to the proposal, which shall replace the 1998 Intelligence Service Act, ecom providers (typically Internet service providers - ISPs) would be required to retain and make available specific data to e-tjenesten if the court deems it relevant to investigations. However, providers of so-called over the top (OTT) services, which typically transmit text, sound and images in streaming format, would also be subject to the new requirements.

The fact that OTT is covered by the obligation to make data available is new compared to the current law. The inclusion of OTT services implies that new obligations could apply to global platforms like Netflix, WhatsApp, Skype, YouTube, Apple TV+, Messenger and similar. Such services could be required to make technical adjustments, contribute to service tests and technical solutions and generally be subject to new administrative tasks in relation to operations, maintenance and data formatting.

The background for the proposal is that a legal overhaul is deemed necessary to strengthen Norway's ability to collect intelligence via electronic communications. Norway is one of the world's most digitized countries, and the digital domain is used for terrorism, sabotage and espionage. There is political agreement that Norway must strengthen its ability to detect and counteract these threats. One of the tools in this relation will be a new and modernized act for the national intelligence service.

According to the Norwegian government, the purpose of the new law is to "safeguard Norway's sovereignty, territorial integrity, democratic governance and other national security interests". Further, the new law will help to "secure confidence in and secure the basis for control of the activities of e-tjenesten, and to ensure that their activities is carried out in accordance with human rights and other fundamental values". Defence Minister Bakke-Jensen has stated that the proposal is “compliant with national and international legal standards”.

As a result of ongoing debate on privacy concerns, the proposal includes restrictions related to collection of information about persons in Norway and strengthened judicial control.

However, The Norwegian Data Protection Authority has stated that the draft would “dramatically increase registration and monitoring” in relation to today’s threshold and ”essentially mean that virtually all communication channels” may be monitored. Further, the authority argues that “considerable uncertainty exists” as to whether all domestic communication will be filtered out, as many Norwegian communication platforms use foreign-based servers. In addition, the proposal contains “no assessment of privacy consequences” and suffers from a “lack of clarity and legal certainty”.

Thus, questions remain over whether the proposal could contravene safeguards related to data storage and proportionality contained in the EU’s General Data Protection Regulation (GDPR). The proposal’s legality could be defined by the European Court of Human Rights, which is due to consider challenges to similar legislation including Sweden’s so-called FRA Act, which has allowed the Swedish intelligence services to monitor cross-border communications since 2009.