This guide has been created for public authorities and others who desire access to more information than what is found in the lookup service.
You will find information in the guide about the limits we at Norid must conform to when we assess whether we can disclose information about our customers.
Our lookup service
Norid maintains a register of who is entitled to use Norwegian domain names, i.e. domain names ending in “.no”. Both organisations and private individuals obtain a right to use a domain name when we grant them a subscription to the domain name.
We disclose a number of facts regarding subscribers to Norwegian domain names through our lookup service. The service has special terms and conditions, and you can read about which information is displayed in the service in the article Domain registration directory service. You can read about Norid’s basis for processing customer information in the article Norid’s processing of customer data.
What is required for you to receive more than the lookup service provides?
You must fulfil strict requirements if you are to obtain more information than what we provide through our lookup service. The Norwegian top-level domain is intended to be an obvious first choice in Norway. Therefore, it is an important principle that we process the information the subscribers provide to us in a way that they would reasonably expect.
If we were to share customer information with third parties, it could harm the competitive positions of the subscribers, the domain name registrars or Norid. For example, such information could
- expose subscribers’ business strategies
- make it possible to identify the domain name registrars’ customer portfolios
- be misused for spam, phishing or other types of illegal or undesirable actions
At the same time, the public has a need to be able to find out who is responsible for a domain name and to contact that person. Our lookup service has been created to meet this need, after weighing it against the interests of the subscribers. The service has been created according to guidance we have received from the Norwegian Data Protection Authority [1].
In order for us to disclose customer information over and above what the lookup service provides, or on other terms, you must meet the requirements in Norwegian privacy legislation, including the GDPR, and the disclosure must not be contrary to the agreement Norid has with the subscribers. This also applies if what you want is a compilation of information that is available as individual lookups in the lookup service.
1. You must meet the requirements in the privacy regulations, including the GDPR
The information Norid holds regarding subscribers and their domain names is personal data for us. This means that we must have a lawful basis for processing under the GDPR to be able to disclose the information. This applies irrespective of whether the information is personal data for you, whether you yourself are subject to the privacy regulations or whether you have a lawful basis for processing for your further processing of the information.
As a general rule, there are six different bases we can use to be allowed to disclose personal data [2]. You must refer to at least one of these when you request customer information from us. The most commonly applicable bases are these three:
- an authorisation or other legal basis that triggers a legal obligation for us
- a legitimate interest in the information
- consent from the individual the information concerns
Information about why domain names and other customer data are personal data for Norid
Personal data are “any information relating to an identified or identifiable natural person” [3]. The information need not necessarily in itself identify a person, as long as it can be connected to other information that identifies the person.
Current case law in the EU [4] indicates that everyone who processes data must assess whether the data are personal data for themselves, i.e. whether they themselves are able to link the data to an identifiable natural person. In the Breyer judgment, the court interprets the privacy protection regulation to mean that dynamic IP addresses are personal data for a provider if the provider can lawfully connect the addresses to other data about the person behind the IP address.
49. Having regard to all the foregoing considerations, the answer to the first question is that Article 2(a) of Directive 95/46 must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.
Breyer judgment of the European Court of Justice (C-582/14)
(Emphasis ours)
For Norid, this applies to all domain names and much of our other customer data. The domain name subscribers are either private individuals, identified to us by name and Norwegian national identity number, or organisations (enterprises, government bodies and other organisations) for which we are required to obtain the name of a contact person in addition to the name and organisation number of the organisation.
Although such information is personal data for Norid because we can connect it to an identifiable natural person, it is not automatically personal data for the recipient. For example, the information that the domain name altinn.no has been registered by the Norwegian Digitalisation Agency will not be personal data for the great majority. However, for Norid, which knows which contact person the Agency has listed for the subscription on this domain name, this connection makes altinn.no personal data for us.
Do you have a legal basis that imposes a duty on us to disclose?
Norid can disclose information if it is necessary to fulfil a legal obligation to which we are subject. It is important to note that it is not sufficient that you are entitled to collect information. In order for us to disclose, the legal basis you cite must mean that we have a legal duty to disclose the information to you.
If you are a public authority, as a rule it will be required that you can cite authority that both
- grants the authority the power to collect the information, and
- imposes a duty on Norid to disclose the information to the authority in question
Some examples of authority that may apply for various authorities
- Police and prosecuting authority: A formal decision on seizure or an order to surrender evidence under the Norwegian Criminal Procedure Code may be worded so that it grants the police or a prosecuting authority the power to collect information and imposes on a third party a duty to assist in disclosing such information if there is a need for it. The applicable provisions in the Norwegian Criminal Procedure Code are Chapter 16, particularly Sections 203, 210 and 215 a.
- Tax authorities: Section 10-2 (1) of the Norwegian Tax Administration Act stipulates that any third party is obliged at the request of the tax authorities to provide information that may be relevant for someone’s tax obligation. The tax authorities can require that third parties document the information, for example by providing access to, presenting, compiling, disclosing or submitting accounting materials including vouchers, contracts, correspondence, board of directors minutes, electronic programs and software systems. See Section 10-2 (5).
- Norwegian Consumer Authority: Section 34 of the Norwegian Marketing Control Act stipulates that everyone is obliged to provide the Norwegian Consumer Authority with the information the Authority requires to carry out its duties under the law.
- Norwegian Gaming Authority: Section 16a, first paragraph, of the Norwegian Lottery Act stipulates that everyone is obliged to give the Norwegian Gaming Authority the information that is necessary in order for the Authority to assess whether an enterprise is an unlawful pyramid scheme under Section 16 of the Act.
- Norwegian Data Protection Authority: The Norwegian Data Protection Authority is granted investigatory authority by Article 58, no. 1(a) of the GDPR to order a data controller, data processor and, if relevant, their representatives to submit all information the Authority needs to perform its tasks. In addition, the Norwegian Data Protection Authority is granted authority by Article 58, no. 1(e) to obtain access from a data controller or data processor to all personal data and all information that is necessary in order to perform the tasks assigned to the Norwegian Data Protection Authority.
Alternatively, the legal basis can be a judicial ruling or order. For example, the police and the prosecuting authority may make decisions on seizures and orders to surrender evidence under the Norwegian Criminal Procedure Code, authorising them to collect specific information and imposing on Norid a duty to assist in disclosing such information. In private law disputes dealt with under the Norwegian Dispute Act, the evidentiary obligation under Section 21-5 of the Act provides a basis for judicial orders on disclosure of information by Norid to the parties in the dispute.
Do you have a legitimate interest that outweighs consideration for the subscriber’s privacy?
If you do not have authority or another legal basis that triggers a disclosure duty for us, a balancing of interests may be an alternative basis for processing. You must be able to show that you need access to the information in question in order to safeguard a legitimate interest. In addition, you must explain why you believe that this interest outweighs the privacy of the persons whose information you are requesting. Note that government authorities cannot use this basis in order to process personal data as a part of the performance of their tasks as an authority [5]. It is the legislature’s responsibility to ensure that authorities have a sufficient legal basis for this type of processing, by granting the authority necessary authorisations.
Do you have consent from the person involved?
If you need information about an individual domain name or an individual subscriber, the person that the information concerns can consent to Norid disclosing the information to you.
However, consent is a difficult basis to use. There are stringent requirements that it be voluntary, specific, informed and verifiable, and that it can be withdrawn at any time. Nevertheless, in some cases consent can be an appropriate basis, and we will have to assess this specifically in each individual case.
2. You must also meet the requirements in our subscription agreement
Everyone who has a Norwegian domain name has entered into a subscription agreement with Norid which describes the legal relationship between us and them. The agreement is a part of the regulations for Norwegian domain names, and we cannot disclose information in violation of it. This applies even if the disclosure is according to the privacy regulations as described above.
The subscription agreement grants Norid the right to process information about the subscribers and their domain names, so that we can fulfil the agreement and attend to our social responsibility [6]. The lookup service we provide is based on the assignment we have to administer the Norwegian top-level domain in a manner that contributes to robust operation of the internet as infrastructure. The service is expressly rooted in the subscription agreement [7]. In addition to the information we provide through the lookup service, the agreement grants us a limited right to disclose information about the subscribers.
In order for a disclosure not to violate the subscription agreement, you must
- have a legal basis that imposes a duty on us to disclose the information, or
- have consent from the subscriber it concerns, or
- intend to use the information in a manner that we regard as within the purposes we have for our processing of the information, or that is clearly within the requirements in the agreement
The subscription agreement sets rules for Norid’s use of registered information
16.1 Norid collects and processes information about the domain name subscribers, in order to
- ensure that private individuals and organisations can subscribe to Norwegian domain names and to maintain and transfer the subscription within the framework of the domain name policy
- administer the Norwegian top-level domain in a way that contributes to robust operation of the Internet as infrastructure
16.2 Norid operates a look-up service in which the public can look up a domain name and obtain information about the subscription, the subscriber, technical contact and technical setup and who is the domain name registrar. The service provides different amounts of information about the subscriber depending on whether this is an organisation, a sole proprietorship or a private individual.
The purpose of the service is to
- assist in resolving technical problems, where individual domains cause harm to the functionality, security or stability of other domains or the Internet as infrastructure
- provide the public with an opportunity to contact the party that subscribes to the domain name
16.3 Historical information about the subscriptions is stored for research and statistical analysis. Such information is not made available to anyone other than the party that was the subscriber when the information was current, or upon consent from that subscriber, unless otherwise provided for by law or judicial decision.
16.4 Part of the information Norid processes is information that can be tied to individuals and is regarded as personal data. This is described in greater detail in Norid's privacy policy documents.
Domain name policy for Norwegian domain names, Section 16
3. You must explain who you are and the purpose for which you want to use the information
When you approach us to request disclosure of information about our customers, you must inform us about
- who you are and which country you are located in
- which information you need
- what you want to use the information for
- which basis in the privacy protection regulations you believe we have for disclosing personal data
- how you believe the disclosure you are requesting is in accordance with our subscriber agreement
If you believe that what you wish to do with the information (your purpose) is covered by or naturally follows from the purpose Norid has provided to the subscribers in our agreement with them, it is important that you explain this.
The purposes of Norid’s processing of customer data
Norid collects and processes information about the domain name subscribers in order to:
- ensure that private individuals and organisations can subscribe to Norwegian domain names, maintain the subscription, and transfer the domain name within the framework of the domain name policy
- administer the Norwegian top-level domain in a way that contributes to robust operation of the Internet as infrastructure
Send the enquiry by email to info@norid.no.
Process going forward: Norid considers the specific case
Once we have received your enquiry, we must assess the basis and decide whether we can disclose the information you are requesting.
If what you have requested are personal data for us, we must assess whether you have a lawful basis for collecting the data, whether we have a lawful basis for the disclosure and whether the purpose of the disclosure is consistent with the purpose for which the data were obtained. If the disclosure is incompatible with the original purposes we provided to the subscribers when we collected the data, grounds for further processing are also required [8].
In addition, we must assess whether the disclosure is in accordance with or in conflict with the subscription agreement. As a result of the agreement and the other regulations regarding Norwegian domain names, it is Norid’s practice that we generally do not disclose more information than what the lookup service provides, unless we are legally obliged to disclose the information or the disclosure promotes the purposes we have in processing the information.
Sources
- 1. Norid discussed the design of the service with the Norwegian Data Protection Authority in 2018 (see Norwegian Data Protection Authority reference Case no. 2017/2060).
- 2. See GDPR Article 6, no. 4.
- 3. See GDPR Article 4, no. 1
- 4. Breyer judgment C-582/14
- 5. See GDPR Article 6, no. 1, second paragraph, and Preamble paragraph 47. See also the Norwegian Data Protection Authority’s guidance on disclosure of personal data to authorities (Norwegian only): https://www.datatilsynet.no/regelverk-og-verktoy/sporsmal-svar/Utlevering-av-personopplysninger/
- 6. See Section 16 in the subscriber agreement: https://www.norid.no/en/om-domenenavn/regelverk-for-no/#16.-Norid’s-use-of-registered-information and the self-declaration that all subscribers must provide, see Section 4 of the Norwegian Domain Name Regulation.
- 7. Section 16.2 in the subscription agreement, and the overarching purpose for Norid’s processing of information in 16.1
- 8. See GDPR Article 6, no. 4.