Recent developments and future prospects

Trends and developments

Have there been any notable recent trends or developments concerning the conduct of online and digital business (both business to business and business to consumer) in your jurisdiction, including any regulatory changes or case law?

Recent trends and developments

The development and exploitation of Big Data remains a significant trend across all sectors, but particularly for online and digital businesses. Similarly, the use of artificial intelligence, machine learning, robotics and virtual and augmented reality is gaining momentum and starting to materialise across a wide range of sectors.

New digital businesses continue to disrupt traditional sectors, and key areas such as financial services, health, energy and retail increase investment in digital and online offerings. The entry of large multinationals (eg, Apple and Amazon) in the Norwegian market (particularly in the digital payment space) has also contributed to an increasing level of consolidation of local and regional businesses. This trend is demonstrated by many M&As in the last year, including the merger between VIPPS, BankAxept and BankID.

Other significant trends include the continuous adaptation and development of solutions through the use of new technologies (eg, blockchain) in Norwegian markets. The demand and use of the Internet of Things (IoT) is increasing, and several major cybersecurity incidents in recent years have increased awareness of and consumer demand for data protection in Norway.

Regulatory developments

As a member of the European Economic Area, Norway has joined the EU member states in implementing the General Data Protection Regulation (GDPR) through the Norwegian Personal Data Act of 15 June 2018.

Norway implemented a new Copyright Act on 15 June 2018. The act aims to modernise and simplify copyright legislation and is mostly consistent with the existing law. However, the act introduces certain changes, such as the prohibition of content streaming.

Norway has implemented the Act on Testing of Self-driving Vehicles of 15 December 2017. The act aims to facilitate the testing and development of autonomous vehicles in Norway and reflects the increasing demand for smart and autonomous vehicles in Norway.

The Norwegian Marketing Control Act of 9 January 2009 introduced new provisions pertaining to telephone marketing aimed at strengthening consumer protection. For example, as of 1 January 2018 telephone marketing is prohibited if the consumer is registered in the Central Marketing Exclusion Register or directly with a specific trader (Section 12).

Norway has implemented European regulations on open internet access and mobile roaming charges for electronic communications networks and services through changes to the Electronic Communications Act of 4 July 2003 and the Electronic Communications Regulation of 16 February 2004 (by the Regulation of 20 March 2017).

Recent case law

Notable recent case law includes the following:

  • HR-2017-833-A (Scanbox) – regarding the motion from a copyright holder (Scanbox) against Norwegian internet service providers (including Telenor) to disclose the personal information of IP address holders due to the unlawful distribution of copyright protected materials (by way of peer-to-peer file sharing). The motion was dismissed as the plaintiff did not demonstrate that the violation was of the required scope under the Copyright Act. The ruling indicates that the courts must make a concrete assessment of the privacy rights of the individual IP address holder in relation to the scope of the violation of the Copyright Act in order to disclose the personal information to the copyright holder.
  • TFOLL-2017-158053 – the court decided in favour of the seizure of the domain ‘www.popcorn-time.no’ from third-party domain distributor Imcasreg8 AS, on the basis that the company contributed to a gross violation of the Copyright Act in the unlawful distribution of copyright protected films and television series (by way of streaming).
  • TOBYF-2018-83936 – the court granted an injunction on a webpage due to the violation of the database rights under the Copyright Act of the foundation Lovdata. The defendant, the owner of ‘www.rettspraksis.no’, had copied public documents (Norwegian case law) from Lovdata's databases and distributed them online.

Future prospects

What are the future prospects for digital business in your jurisdiction, including any proposed or potential regulatory reforms and future technological/market developments?

Norwegian regulatory reform continues to be driven by EEA-relevant EU legislation on the digital single market and applicable case law, including:

  • the ePrivacy Directive (2002/58/EC);
  • the Directive on Security of Network and Information Systems (2016/1148); and
  • the Payment Services Directive 2 (2015/2366).

The Norwegian government has published a white paper on digital policies (Meld St 27 2015-2016), which lays out further details on ongoing regulatory reforms, mainly focusing on legislation regarding public administration and healthcare.  

Legal framework

Legislation

What primary and secondary legislation governs the conduct of digital business in your jurisdiction?

There is no primary legislation (ie, written laws) or secondary legislation (ie, regulations and administrative decisions) which explicitly target the conduct of digital business in Norway. Therefore, the conduct of digital businesses is governed by general legislation (ie, legislation that applies across business sectors), including:

  • the Contract Act of 31 May 1918;
  • the Sale of Goods Act of 13 May 1988;
  • the Marketing Control Act of 9 January 2009;
  • the Norwegian Electronic Commerce Act of 23 May 2003;
  • the Copyright Act of 15 June 2018;
  • the Personal Data Act of 15 June 2018;
  • the Electronic Communications Act of 4 July 2003 (particularly Sections 2-7(b) on the use of cookies);
  • the Taxation Act of 26 March 1999;
  • the Value Added Tax (VAT) Act of 1 January 2013;
  • the Customs Act of 21 December 2007; and
  • the Limited Liability Companies Act of 13 June 1997.

Digital businesses conducting business-to-consumer activities are subject to consumer-specific legislation, including:

  • the Consumer Purchases Act of 21 June 2002; and
  • the Cancellation Act of 20 June 2014.

Primary legislation is supplemented with detailed secondary legislation (ie, regulations). Some of the relevant secondary legislation includes:

  • the Information and Communication Technology (ICT) Regulation of 21 May 2003 (which applies to specific sectors, including banking and insurance); and
  • the Regulation for Universal Design of ICT Solutions of 21 June 2013.

This list of applicable legislation is not exhaustive.

Regulatory authorities

Which authorities regulate the conduct of digital business and what is the extent of their powers?

There are no dedicated authorities that regulate the conduct of digital business in Norway. However, the following authorities are important for digital businesses.

General authorities

The following general authorities are important for conducting digital business:

  • the Norwegian Data Protection Authority (which enforces the Personal Data Act); and
  • the Norwegian Tax Authority (which enforces the Taxation Act, the VAT Act and the Customs Act).

Consumer-specific authorities

The following consumer-specific authorities are important for conducting digital business:

  • the Consumer Authority (which enforces the Marketing Control Act and the Cancellation Act); and
  • the Consumer Disputes Commission (which is a tribunal for consumer disputes and enforces the Consumer Complaints Act of 17 February 2017).

Sector-specific authorities 

The following are some of the sector-specific authorities which are important for conducting digital business:

  • the Norwegian Communications Authority (which enforces the Electronic Communications Act); and
  • the Financial Supervisory Authority (which enforces the ICT Regulation and the Financial Institutions Act of 10 April 2015).

The above authorities have the power to:

  • order disclosure of information (eg, a supervision or audit authority) for the purposes of investigating non-compliance with applicable legislation which is subject to enforcement;
  • order corrective action to achieve compliance with the applicable legislation which is subject to enforcement; and
  • impose coercive and infringement fines, charges and penalties for breaching applicable legislation which is subject to enforcement.

The Consumer Disputes Commission is a tribunal which has the power to hand down legally enforceable judgments in disputes between consumers and businesses.

The general courts also have the power to hand down enforceable judgments in disputes (eg, by overruling the Consumer Disputes Commission) and to hand down decisions on petitions for preliminary injunction.

Government policy and regulatory approach

How would you describe the government’s policy and regulatory approach to digital business?

The government’s policy and regulatory approach to digital business is highly influenced and driven by EU initiatives.

The government has published a white paper on digital policies (Meld St 27 2015-2016), which lays out further details on ongoing regulatory reforms, mainly focusing on legislation regarding public administration and healthcare.

Establishing digital businesses

Requirements

What regulatory and procedural requirements govern the establishment of digital businesses in your jurisdiction? To what extent do these requirements and procedures differ from those governing the establishment of brick-and-mortar businesses?

There are no distinctions between the regulatory and procedural requirements which govern the establishment of digital businesses and brick-and-mortar businesses in Norway.

The Norwegian Limited Liability Companies Act of 13 June 1997 regulates the procedures and requirements for incorporating private limited liability stock companies.

It is possible to establish limited liability companies through the governmental internet portal Altinn. The portal also contains detailed information about how to proceed with the registration of a company (eg, depending on the preferred type of company and the nationality of its founders).

All businesses established in Norway must be registered in the Central Coordinating Register for Legal Entities. Depending on the organisation of the business (eg, if the business is organised through a private or a public limited company) and the business activity (eg, if the company is a sole proprietorship that trades goods or has more than five employees), the business may also be required to register in the Register of Business Enterprises.

Further, and depending on its activities, a business may also be required to register in the employer and employee register and the value added tax register.

Electronic contracts and signatures

Electronic contract availability

Are electronic contracts legally valid in your jurisdiction? If so, what rules and restrictions govern their formation (including any mandatory or prohibited provisions and contract formats)?

Yes. There are no general requirements regarding the format or medium of contracts. Therefore, electronic contracts are legally valid to the same extent as other contracts.

Are there any limitations or restrictions on transactions that can be concluded through electronic contracts?

No. There are in principle no limitations or restrictions on transactions that can be concluded through electronic contracts.

Do any data retention requirements apply to electronic contracts?

Yes, the following regulations require the retention of electronic contracts:

  • the Norwegian Bookkeeping Act of 19 November 2004 requires that any entity obliged to keep books must retain contracts (including electronic contracts) for three years and six months, unless the contract is insignificant for the business (ie, it is of low value or is not important to the business); and
  • the Norwegian Money Laundering Act of 6 June 2009 requires that the following documents are retained for at least five years:
    • documents and information concerning measures taken to conduct customer due diligence for anti-money laundering purposes; and
    • documentation regarding all circumstances which may indicate money laundering or terrorist financing and any actions and decisions taken in the examination of suspected money laundering or terrorist financing transactions.

The Norwegian Personal Data Act of 2018 (which implements the EU General Data Protection Regulation) stipulates that personal data must be deleted when it is no longer necessary for processing (eg, after the required retention period).

Remedies

Are any special remedies available for the breach of electronic contracts?

No, Norwegian contract law does not distinguish between the ways in which a contract is written. Therefore, the available remedies for the breach of an electronic contract depends – as for other contracts – on the content of the contract and any applicable legislation.

Electronic signatures

Are electronic signatures legally valid in your jurisdiction? If so, what rules and restrictions govern their use?

Yes, electronic signatures are legally valid in Norway.

Contract law stipulates that the formation of a contract is not subject to formalities and can be done in any way the parties choose. Therefore, contracts are generally valid if legally competent parties reach an agreement, regardless of whether the agreement is made verbally, electronically or in the form of a physical document.

Electronic payments

Electronic payment systems

Are there any rules, restrictions or other relevant considerations regarding the use of electronic payment systems in your jurisdiction?

Electronic payment systems are subject to the following laws and regulations, among others, which set out the rules and restrictions pertaining to the establishment, use and supply of electronic payment systems:

  • the Payment Systems Act of 17 December 1999;
  • the Financial Contracts Act of 25 June 1999;
  • the Financial Institutions Act of 10 April 2015; and
  • the Regulation on Systems for Payment Services of 17 December 2015.

Only banks and other financial undertakings with a licence from the Norwegian Financial Supervisory Authority and corresponding international institutions – as well as a licence from the applicable country of origin – can provide payment services in Norway.

Users of electronic payment systems are subject to the responsibilities set out in the Financial Contracts Act.

In Norway, a consumer may in principle require settlement in the form of cash payment (under Section 38(3) of the Financial Contracts Act, pursuant to Section 14 of the Norges Bank Act of 24 May 1985).

Virtual currencies

Are there any rules or restrictions on the use of virtual currencies (eg, Bitcoin)?

Virtual currencies are considered assets under Norwegian law (ie, not currencies). Therefore, the profits from the sale of virtual currencies is subject to taxation according to the rules for realisation of assets pursuant to the Taxation Act of 26 March 1999.

As a means of payment, virtual currencies are in principle not considered to be a ‘financial instrument’ under the Securities Trading Act of 29 June 2007 Section 2(2), and accordingly virtual currencies normally fall outside the scope of the rules and restrictions of the financial market. However, the use of virtual currencies may be considered to be within the scope of the Securities Trading Act if a virtual currency is issued by a private company which gives an ownership stake in the company or if publicly traded derivatives use virtual currencies as underlying assets (Meld St 14 2017-2018 Chapter 3).

General rules and restrictions on criminal liability, money laundering, terror financing and fraud also apply to virtual currencies.

There are several ongoing reviews and preparatory works on regulations regarding virtual currencies and it is expected that more comprehensive rules and restrictions will be introduced in the future. The regulatory authorities have expressed particular concern for consumer protection.

Data protection and cybersecurity

Collection, use and storage

What rules, restrictions and procedures govern the collection, use and storage of personal data in the course of digital business in your jurisdiction?

Norway has implemented the EU General Data Protection Regulation (GDPR), which regulates the use of personal data. Although there are some local deviations (particularly in the field of employment), Norway generally has the same rules, restrictions and procedures concerning the collection, use and storage of personal data as other countries in the European Union and the European Economic Area.

In short, the GDPR sets out a number of obligations on businesses for collecting, using or any other processing of personal data. Among other requirements, businesses must:

  • have a legal basis for the processing of data;
  • provide information on the activity to the affected individuals;
  • delete personal data when it is no longer needed; and
  • ensure that the data is secure.

International data transfers

What rules and restrictions apply to the cross-border transfer of personal data collected in the course of digital business?

The general obligations under the GDPR apply to the cross-border transfer of personal data. In short, transferring is itself considered processing of personal data and requires a legal basis.

In addition, transferring personal data outside of the European Union or the European Economic Area requires a transfer basis. The most practical transfer bases are:

  • the use of the EU Standard Model Clauses;
  • reliance on the EU-US Privacy Shield arrangement;
  • an adequacy decision from the European Commission stating that a non-EU or non-EEA state has a sufficient level of data protection; and
  • binding corporate rules.

Consumer rights

What rights are afforded to consumers in relation to their personal data?

As data subjects, consumers have a number of individual rights when a business collects, uses or in any other way processes their personal data.

Before data processing begins, the business must provide the consumer with the information mentioned in Article 13 and Article 14 of the GDPR. Among other requirements, the business must provide the consumer with information on:

  • the purpose of the processing;
  • the types of personal data that will be collected and stored;
  • the legal basis for the processing;
  • if the personal data will be disclosed to third parties; and
  • if the personal data will be transferred out of the European Union or the European Economic Area.

Depending on the circumstances (eg, the purpose and nature of the processing activity and the legal basis) consumers have a number of individual rights with respect to the business use of their personal data. Among other rights, consumers will generally have the right to request the company:

  • to provide confirmation of whether it processes the consumer's personal data;
  • to provide more detailed information about the processing activity;
  • to have their personal data deleted;
  • to limit the company’s use of their personal data;
  • to provide a copy of the personal data and have it transferred to a third party;
  • to stop certain processing activities; and
  • to not be subjected to automated decisions based on profiling.

The rights listed above are not absolute and some exemptions apply.

How is the use of cookies regulated?

The use of cookies is regulated in the Electronic Communications Act of 4 July 2003, which implements the EU ePrivacy Directive (2002/58/EC).

The use of cookies on websites operating in Norway, or those which mainly target Norwegian citizens, require user consent. However, consent may be passive, which means that a website is not required to have a pop-up window which asks the user to consent to the placing of cookies on their device. Not having disabled browser cookies is sufficient consent, given that information about the use of cookies are provided on the website. If the use of cookies implies use and collection of the user's personal data, the business must also comply with the GDPR requirements.

Data breach

What rules and standards govern digital operators’ response to data breaches? Are they subject to any notification requirements in the event of a data breach? What precautionary measures should be taken to avoid data breaches?

Digital operators are subject to requirements under the GDPR in case of data breach, provided that the data breach leads to the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to” personal data.

Data processor – if a digital operator acts as a data processor it must notify the data controller as soon as possible and in accordance with the data processor agreement between the parties.

Data controller – if the digital operator acts as a data controller, it may be obliged to notify the supervisory authority and affected consumers or data subjects within 72 hours of the breach. If the data breach represents a risk to the rights and freedoms of the affected consumers and data subjects, the Norwegian Supervisory Authority must be notified. If the risk is high, the affected consumers and data subjects must also be notified.

The precautionary measures that must be taken depend on a risk assessment, taking into consideration the processing activity, including the types of personal data processed. It is recommend that cybersecurity, technical and organisational measures are implemented, which are proportionate to the risks and detailed documentation of relevant measures, routines and assessments are kept. Precautionary measures include:

  • encryption;
  • limited access;
  • access control; and
  • pseudonymisation.

What cybersecurity regulations and/or standards apply to the conduct of digital business?

There are currently no dedicated cybersecurity regulations or standards that apply specifically to digital businesses.

In relation to personal data, the GDPR contains requirements for information security and cybersecurity. In short, businesses are required to "implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk" (Article 32 of the GDPR). The aforementioned provision also contains some examples of measures that can be taken.

International Standard Organisation (ISO) certifications are increasingly common, particularly for cloud service providers (ISO:27002, ISO:27001 and ISO:27000). In addition to the requirements set out in the GDPR, there are certain sector-specific cybersecurity requirements depending on the type of business and its activity (eg, financial services, payment services, insurance, IT services for the health or social care sector and utilities).

Is cybersecurity insurance available and commonly purchased?

Cybersecurity insurance is available and is becoming increasingly common in Norway. Most of the business-to-business offer insurance covering data breaches and unintended loss of data, among other things.

Encryption

Are there regulations or restrictions on the use of encryption?

Norway has followed the 1997 Organisation for Economic Co-operation and Development Cryptography Guidelines and liberalised its cryptography legislation during the late 1990s and early 2000s. Today, there are in principle no practical restrictions on the use of encryption for digital businesses in Norway.

Under the GDPR, encryption is explicitly recommended as a security and personal data protection measure (Article 32).

Government interception/retention

What rules and procedures govern the authorities’ interception of communications and access to consumer data?

In criminal cases, the police may intercept communications and access consumer data if they have reasonable suspicion that a crime has been committed. The  interception of communications and access to consumer data is governed by the Criminal Procedure Act of 1981 (Chapters 16(a)-16(d)). Access generally requires a court decision granting permission. Detailed rules on the interception of communications through wiretapping, bugging of rooms and data access in criminal cases are provided by the Regulation on Communication Control of 9 September 2016.

The police can order providers of electronic communication (ie, internet service providers) to disclose IP addresses, pursuant to the Electronic Communications Act of 2003.

Generally, public authorities are subject to the GDPR, according to the Norwegian Personal Data Act of 15 June 2018, and access to consumer data requires a legal basis for the processing of personal data under Article 6 of the GDPR.

Advertising and marketing

Regulation

What rules govern digital advertising and marketing in your jurisdiction?

Digital marketing and advertising (eg, telemarketing and email advertising) is governed by the Marketing Control Act of 9 January 2009 and the Electronic Commerce Act of 23 May 2003.

The processing of personal data for the purpose of digital marketing and advertising is governed by the EU General Data Protection Regulation (GDPR).

Are there any specific regulations governing the use of targeted advertising?

The Marketing Control Act contains applicable regulations governing the use of targeted advertising.

Electronic methods of communication

Main rule: opt inthe Marketing Control Act requires that targeted advertising and marketing by electronic methods of communication (ie, email, fax and automated calling systems) to natural persons (ie, in both business-to-business (B2B) and business-to-consumer (B2C) contexts) requires prior consent.

Targeted marketing by email does not require prior consent if:

  • there is an existing customer relationship;
  • the recipient's contact details were originally collected in the context of a sale; and
  • the marketing relates to similar products or services for which the recipient's details were originally obtained. However, consumers may still opt out at any time.

Communication by use of telephone

B2C – consumers may opt out of targeted advertising or marketing by phone, either directly with the business in question or by reservation in the Central Marketing Exclusion Register. Phone marketing of consumers listed in the register is prohibited.

B2B – telephone marketing towards natural persons in businesses is permissible, unless the person has opted out of such marketing with the business in question.

Further, the Electronic Commerce Act sets out information requirements and other obligations that apply for direct marketing, including the following:

  • Targeted advertising by email must clearly identify itself as marketing and the benefactor of the marketing must be identified.
  • Advertising offerings (ie, discounts, prizes and gifts) must be identifiable, and the conditions for receipt of such offerings must be readily available. Promotional competitions or games must be identifiable. Information concerning conditions for participation in such competitions or games must be readily available.
  • A service provider located in Norway directing unsolicited marketing representations by email to recipients in other EEA states is required to consult and respect the registers of natural persons not wishing to receive such email advertising.

The Personal Data Act of 15 June 2018 (which implements the GDPR) regulates the processing of personal data in connection with targeted advertising.

Restrictions

Are there any restrictions or limitations on goods and services that can be advertised, marketed and sold online?

There are restrictions on marketing certain goods and services in Norway, including:

  • alcohol, pursuant to the Alcohol Act of 2 June 1989;
  • tobacco, pursuant to the Tobacco Act of 9 March 1973;
  • gambling, pursuant to the Lottery Act of 24 February 1999; and
  • medicine, pursuant to the Act Relating to Medicines of 4 December 1992.

Further, the Marketing Control Act sets out the general restrictions on marketing practices for all products and services.

Spam messages

What rules and restrictions govern the sending of spam messages?

Spam messages are subject to restrictions under the following legislation:

  • the Marketing Control Act;
  • the Electronic Commerce Act;
  • the Electronic Communications Act of 4 July 2003; and
  • the GDPR (the Personal Data Act).

Spam will typically fall within the scope of the general marketing restrictions under Section 15 of the Marketing Control Act, which sets out restrictions to direct marketing communications at natural persons using electronic methods of communication which permit individual communication. Sections 2-3 of the Electronic Communications Act sets out requirements for internet service providers to avoid harmful interference (eg, spam) on the communication network.

Digital content and IP issues

Required notices

Are websites and any other digital content required to display certain legal notices or other information in your jurisdiction?

Yes, websites and other digital content are required to display certain legal or other information, including the following:

  • Section 8 of the Electronic Commerce Act of 23 May 2003 requires businesses to display the following information on websites:
    • the company's legal name;
    • its organisation number;
    • whether the company is value added tax registered;
    • licences (if applicable for the business); and
    • in cases where the company offers services which legally require diplomas or certifications, the website must also provide information regarding said certification (eg, work titles).
  • The EU General Data Protection Regulation (GDPR) sets out information requirements (Article 13) which are fulfilled by displaying privacy policies on the company website.
  • The Regulation for Universal Design of Information and Communication Technology Solutions of 21 June 2013 requires businesses to design websites in accordance with approved design standards (eg, the Web Content Accessibility Guidelines 2.0).

Liability for content

What rules govern liability for online or other digital content that is defamatory or infringes another party’s IP rights?

Defamation

Norway decriminalised defamation with the introduction of the Penal Code of 2005, effective from 1 October 2015. Defamation can in certain cases be penalised as a violation of privacy under Section 267 of the Penal Code.

The Damage Compensation Act of 13 June 1969 (Sections 3 to 6) provide a legal basis for claiming compensation due to defamatory content. The liability under the act includes:

  • compensation for damages;
  • loss of future income; and
  • reasonable damages for non-economic loss.

Liability for defamation requires negligence or intent.

The GDPR also provides grounds to hold content providers liable for defamation, in cases where the defamatory content also infringes on the GDPR. Under Articles 83 and 84 of the GDPR fines are limited to €20 million. The infringing party may also be liable for material and non-material damages for breaching the GDPR (Article 82).

Infringement

The liability for online or other digital content that infringes another party’s IP rights is governed by the Copyright Act of 15 June 2018. Liability for such infringement includes:

  • criminal penalties (Section 79 and 80); and
  • remunerations and compensation (Section 81).

In cases of IP infringement, internet service providers (ISPs) may be ordered to:

  • disclose personal data regarding the infringing party (Section 88); and
  • obstruct or make access to webpages difficult (Section 88).

How can liability be excluded or limited?

The liability for damages requires negligence or intent, and the risk of liability will thus be limited (or excluded entirely) by ensuring due diligence when distributing digital content.

Which parties can be held liable for defamatory or infringing content? Can contingent liability be extended to internet service providers (ISPs)?

The defamatory or infringing party, in addition to parties who negligently or consciously contribute to the violation, can be held liable for defamatory or infringing content.

In principle, ISPs cannot be held liable for defamatory or infringing content. ISPs are generally indemnified for the content which is transferred through a communications network under Section 16 of the Electronic Commerce Act. The aforementioned indemnification applies to both criminal liability and civil liability for damages. The technical and neutral contribution ISPs make to the distribution of infringing content has been considered as too insignificant to be characterised as unlawful and punishable by Norwegian courts (see Borgarting Court of Appeal decision of 9 February 2010 (The Pirate Bay, LB-2010-6542).

Content takedowns

What rules and procedures govern content takedowns? Can ISPs remove defamatory or infringing content without permission?

The procedure for removing infringing content without permission is regulated in Chapter 6, Part II of the Copyright Act. Norwegian courts can order ISPs to obstruct access to webpages or otherwise render access difficult, if the webpage in question distributes materials which evidently infringe IP rights under Section 88 of the Copyright Act. The take-down procedure involves the following:

  • The claimant files a motion to Oslo District Court which specifies every ISP that the decision will be directed towards (Section 89).
  • The proceedings are subject to simplified rules – the motion can be decided on the basis of written proceedings or by way of oral hearings at the court's discretion (Sections 90 to 91).
  • If the motion is granted based on simplified procedures wherein the owner of the webpage has not been given the opportunity to give a statement, the owner should be given the opportunity to claim subsequent proceedings in order to review the take-down decision (Section 92).
  • Take-down decisions can be legally enforced (Section 93).
  • Take-down decisions can be subject to review if new evidence which invalidates the factual grounds for the decision can be produced (Section 93).

Domain names

What rules, restrictions and procedures govern the licensing of domain names?

Norwegian domain names ‘.no’ are governed by the Domain Regulation of 1 August 2003 as well as the Domain Name Policy by Norid.

The applicant for a domain name must either be a private individual registered in the National Registry or an organisation registered in Norway’s Central Coordinating Register for Legal Entities. A list of approved organisation forms is available on the Norid website.

Domain names must be between two and 63 approved characters (ie, letters, numbers between 0 and 9 and certain national characters). Further, domain names must not be identical to a registered domain name, be reserved or prohibited. A list of reserved and prohibited domain names is available on the Norid website.

How are domain name disputes resolved in your jurisdiction?

Domain name disputes are settled by the Alternative Dispute Resolution Committee (ADRC) run by Norid.

The ADRC passes legally binding decisions in cases regarding ownership disputes and has the power to transfer and delete domain names.

A complaint to the ADRC must be raised within three years after the domain was registered or transferred.

Either party may dispute an ADRC decision and bring the case before a court of law (or arbitration if the parties have agreed to dispute resolution by arbitration). A decision handed down by the ADRC is not binding for the court going forward.

A detailed guide to domain name dispute resolution is available on the Norid website.

What special measures and safeguards should rights holders consider in protecting their online/digital content?

In order to protect their online and digital content, rights holders should consider:

  • ensure that the domain name is properly registered by the correct legal entity;
  • ensure that the digital content is stored in a secure manner – this should also include confirming that any cloud-based services or other hosting solutions are properly secured;
  • implement adequate passwords and password protection measures;
  • restrict access to online and digital content by implementing access control measures;
  • include content ownership protection (eg, IP rights clauses in contracts with third-party service providers and employees);
  • include proper and enforceable sanctions in contracts with third-party service providers; and
  • include jurisdiction and legal venue clauses in contracts with third parties in order to reduce risks involved with the enforcement of content protection.

This list is not exhaustive.

Tax issues

Online sales

How are online sales taxed?

The tax treatment of online sales depends on whether the corporation conducting the sales is considered to be resident in Norway for tax purposes or have a tax liability in Norway due to its presence through business activities carried out in or from Norway, or capital goods situated in Norway (Sections 2 to 3 of the Tax Act).

A foreign corporation is considered to be a Norwegian tax resident if the effective management at board level is carried out in Norway. Non-resident corporations carrying out business activities in or from Norway will as a starting point be liable to pay Norwegian corporate income tax on income arising from these activities. The tax liability may be reduced under an applicable tax treaty between Norway and the country in which the corporation is a tax resident.

Foreign corporations not resident in Norway that carry out business in or from Norway, or sell goods that are physically present in Norway, are generally not liable to pay taxes in Norway on sales to the Norwegian market. However, as the assessment of whether the corporation carries out business in or from Norway may be complicated, consultation with a local tax adviser before establishing an online sales business to Norway is recommended.

Other taxes

What other tax liabilities arise in respect of the conduct of digital business in your jurisdiction?

Foreign corporations may have an obligation to register in the Norwegian value added tax (VAT) register and calculate VAT on sales. Whether the corporation has such an obligation depends on whether it has turnover in Norway. Important aspects of this assessment are whether the online sales activities are solely directed towards the Norwegian market and whether a Norwegian domain is used. Consultation with a local adviser before establishing a digital sales business in Norway is recommended.

Jurisdiction, governing law and dispute resolution

Jurisdiction and governing law

How do the courts determine jurisdiction and governing law in relation to online/digital transactions and disputes?

There are no special rules regarding jurisdiction and choice of law in relation to online and digital transactions and disputes. The most common and practical way to determine jurisdiction and governing law is by way of agreement between the parties. However, the following general procedural principles apply if there are no agreements pertaining to jurisdiction and governing law.

Jurisdiction

Jurisdiction in lawsuits regarding civil and commercial cases, directed against a defendant domiciled in member states of the Lugano Convention of 30 October 2007 (ie, EU member states, Norway, Switzerland and Iceland), must be determined in accordance with the rules of the convention.

The main rule of the Lugano Convention is that the defendant's domicile state has jurisdiction in a dispute. However, the claimant may choose a different jurisdiction under certain circumstances, including:

  • in matters relating to a contract, the defendant may be sued in the place of performance of the obligation in question; and
  • a consumer may sue the other party to a contract in the courts of the place where the consumer is domiciled.

In lawsuits which are either not a civil or commercial case, or not directed against a defendant domiciled in a Lugano Convention member state, Norwegian courts have jurisdiction if the dispute is deemed to have a sufficient connection to Norway. Whether a particular case has a sufficient connection to Norway depends on a comprehensive assessment of both legal and factual components of the individual situation. There is no requirement that the connection to Norway is stronger than the connection to other jurisdictions.

Choice of governing law

The choice of governing law in the Norwegian courts is generally determined according to the proximity principle. The proximity principle provides that a dispute is governed by the laws of the country to which the dispute is most closely related.

Courts

Are there any specialist courts in your jurisdiction which deal with online/digital issues and disputes?

The Norwegian courts are in principle general courts. With exceptions for collective employment matters and certain other sectors, there are no special courts in Norway.

The government has established tribunals and committees which play similar roles to those of courts of justice in certain areas, but, not specifically for online and digital issues.

For example, the Consumer Complaint Committee has the authority to decide a wide range of disputes between consumers and businesses, including online sales, digital services and marketing issues.

However, online and digital disputes must be brought before the regular courts. Awards from tribunals and committees (eg, the Consumer Complaint Committee) are subject to review by the general courts in case of legal action.

Civil lawsuits regarding the Norwegian Copyright Act of 15 June 2018 must be raised at the Oslo District Court.

Alternative dispute resolution

What alternative dispute resolution (ADR) methods are available for online/digital disputes? How common is ADR for online/digital disputes in your jurisdiction?

Dispute resolution by arbitration is common in Norway, including for online and digital disputes. Arbitration is common practice in business-to-business relationships, as the access to undertake arbitration agreements with consumers before a specific dispute is restricted by law. Arbitration in Norway is commonly executed by ad hoc proceedings under the Norwegian Arbitration Act of 14 May 2005 or by institutional arbitration (eg, subject to the rules of the Oslo Chamber of Commerce).

The general courts, certain institutions and private legal practitioners also provide a variety of ADR services, including arbitration, mediation, expert determination and certain combinations thereof.