The growing impact of information and communication technologies has resulted in the establishment of data protection authorities across Europe. Despite the role of these bodies as enforcers of privacy and data protection legislation, Surveillance Studies has so far offered little attention to their role in resistance. Based on a critical socio-legal examination of the Norwegian Data Inspectorate, the focus of this article is on the role of data protection authorities in resisting surveillance and threats to privacy and data protection. More specifically, the article asks what power the Norwegian Data Inspectorate has to achieve genuine resistance, and how its institutional structure affects this capability. Through a three-pronged analysis consisting of (i) institutional mapping, (ii) a typology of resistance strategies, and (iii) a review of its role in the Norwegian public debate on the EU Data Retention Directive, the article addresses the fundamental tension inherent in the Norwegian Data Inspectorate as a privacy-advocating ombudsman and an administrative body. As such, the research shows how, and to what extent, its institutional structure both strengthens and limits its possibilities for resistance.Lohne comments that
Taking a predominantly normative stance, scholars in Surveillance Studies direct their attention towards the legitimate need to resist surveillance, while less academic scrutiny focuses on describing how contemporary resistance is enacted. Important exceptions include Bennett (2008), Martin et al. (2009), Marx (2009), and Introna and Gibbons (2009). While their work makes a substantial contribution to a conceptualization of resistance within Surveillance Studies, in particular by drawing attention to the significance of privacy advocates, the way administrative bodies such as data protection authorities resist surveillance has remained strangely exempt from analysis, with the exception of David H. Flaherty’s seminal study from 1989. It may be, as suggested by Introna and Gibbons (2009, 238), that such bodies are ‘often seen as too close to government to be an effective mechanism of resistance’, or, that their presence causes ‘a false sense of security’ and in consequence legitimates the development of surveillance societies (Flaherty 1989, 11). Another explanation may be found in a particular methodological bias: in the case of scholars inclined to think ‘critically’ about state power, especially with regard to surveillance issues, a generally positive attitude towards the work of data protection authorities may lead to a preference for objects of study more readily––and justifiably––subject to criticism. However, while these suggestions help explain the lack of attention towards the role of data protection authorities, they also express the inherent duality of these bodies: although independent, data protection authorities are state actors yet at the same time, critics of state practices (Flaherty 1989).
Since its establishment in 1980, the NDI has played a significant role in the Norwegian discourses on privacy, data protection and surveillance. Alongside its supervisory responsibilities as a state administrative body, the NDI’s mandate is to act as an ombudsman for the interests of privacy and data protection. Although there has been some dissatisfaction with such a broad mandate, this particular institutional arrangement also provides the NDI with considerable access to the public discourse. Besides numerous consultative statements requested by state authorities on issues of privacy and data protection, its expertise and opinion is called for and disseminated through various public appearances by its representatives in the media, seminars and debates. Throughout the past decades, there has been a steady increase of administrative supervision in Norway as elsewhere. Whether the growth represents an increase in de facto supervisory activities, or results from general developments in government administration such as the expansion of administrative law in tandem with the prevailing juridification of society, remains questionable (Stub 2010).4 Through a mapping of the NDI’s development from 2000 – 2010, this article sheds light on some additional aspects of this discussion by inquiring into the nature of the NDI’s growth. How data protection authorities interpret and perform their tasks and responsibilities necessitates critical reflection. Does the NDI’s institutional development mirror its role as a privacy-advocating ombudsman, or that of an administrative supervisory body? The research strategy has involved a review of core regulatory and official reports, consultative statements and annual reports from the NDI in the years 2000 – 2010. As official sources, these documents possess methodological credibility and validity; but they are also normative and performative remnants, requiring a critical distance in their analysis (Kjeldstadli 1999). To this end, the research has included an analysis of a semi-structured interview with the NDI’s former director Georg Apenes, as well as of seminars, debates and media reports on privacy issues, particularly concerning the EU Data Retention Directive.
The article proceeds in three parts. The first section presents the NDI as an institution and a state administrative body, addressing the parameters of its mandate, size and responsibilities. Providing the empirical background for the succeeding analysis, the mapping is also a reflection of how the trajectory of security thinking and ICT has altered the landscape of privacy and data protection since the beginning of the 21st century. Part two probes into the NDI’s practices of governance and resistance. It builds on a fourfold typology developed by Keck and Sikkink (1998) to describe the tactics employed by transnational advocacy networks: information politics, leverage politics, accountability politics and symbolic politics, which Bennett (2008) has adapted and applied to the study of privacy advocates. This juxtaposition will shed light on whether, and to what extent, the NDI’s practices resemble those of privacy advocates, and hence, how the NDI manages its twofold role in resisting surveillance and threats to privacy and data protection. The latter is also the subject of the third and final part, where a delineation of the NDI’s role in the high-profile debate on the EU Data Retention Directive illustrates the inherent tension stemming from the NDI’s institutional twofold role.