'The Norwegian Data Inspectorate: Between Governance and Resistance' by Kjersti Lohne in 10(2)
Surveillance & Society (2012) 182-197
argues that
The growing impact of information and communication technologies has resulted in the establishment of data protection
authorities across Europe. Despite the role of these bodies as enforcers of privacy and data protection legislation, Surveillance
Studies has so far offered little attention to their role in resistance. Based on a critical socio-legal examination of the
Norwegian Data Inspectorate, the focus of this article is on the role of data protection authorities in resisting surveillance and
threats to privacy and data protection. More specifically, the article asks what power the Norwegian Data Inspectorate has to
achieve genuine resistance, and how its institutional structure affects this capability. Through a three-pronged analysis
consisting of (i) institutional mapping, (ii) a typology of resistance strategies, and (iii) a review of its role in the Norwegian
public debate on the EU Data Retention Directive, the article addresses the fundamental tension inherent in the Norwegian
Data Inspectorate as a privacy-advocating ombudsman and an administrative body. As such, the research shows how, and to
what extent, its institutional structure both strengthens and limits its possibilities for resistance.
Lohne comments that
Taking a predominantly normative stance, scholars in Surveillance Studies direct their attention towards
the legitimate need to resist surveillance, while less academic scrutiny focuses on describing how
contemporary resistance is enacted. Important exceptions include Bennett (2008), Martin et al. (2009),
Marx (2009), and Introna and Gibbons (2009). While their work makes a substantial contribution to a
conceptualization of resistance within Surveillance Studies, in particular by drawing attention to the
significance of privacy advocates, the way administrative bodies such as data protection authorities resist
surveillance has remained strangely exempt from analysis, with the exception of David H. Flaherty’s
seminal study from 1989. It may be, as suggested by Introna and Gibbons (2009, 238), that such bodies
are ‘often seen as too close to government to be an effective mechanism of resistance’, or, that their
presence causes ‘a false sense of security’ and in consequence legitimates the development of surveillance
societies (Flaherty 1989, 11). Another explanation may be found in a particular methodological bias: in
the case of scholars inclined to think ‘critically’ about state power, especially with regard to surveillance
issues, a generally positive attitude towards the work of data protection authorities may lead to a
preference for objects of study more readily––and justifiably––subject to criticism. However, while these
suggestions help explain the lack of attention towards the role of data protection authorities, they also
express the inherent duality of these bodies: although independent, data protection authorities are state
actors yet at the same time, critics of state practices (Flaherty 1989).
Since its establishment in 1980, the NDI has played a significant role in the Norwegian discourses on
privacy, data protection and surveillance. Alongside its supervisory responsibilities as a state
administrative body, the NDI’s mandate is to act as an ombudsman for the interests of privacy and data
protection. Although there has been some dissatisfaction with such a broad mandate, this particular
institutional arrangement also provides the NDI with considerable access to the public discourse. Besides
numerous consultative statements requested by state authorities on issues of privacy and data protection,
its expertise and opinion is called for and disseminated through various public appearances by its
representatives in the media, seminars and debates. Throughout the past decades, there has been a steady
increase of administrative supervision in Norway as elsewhere. Whether the growth represents an increase
in de facto supervisory activities, or results from general developments in government administration such
as the expansion of administrative law in tandem with the prevailing juridification of society, remains
questionable (Stub 2010).4 Through a mapping of the NDI’s development from 2000 – 2010, this article
sheds light on some additional aspects of this discussion by inquiring into the nature of the NDI’s growth.
How data protection authorities interpret and perform their tasks and responsibilities necessitates critical
reflection. Does the NDI’s institutional development mirror its role as a privacy-advocating ombudsman,
or that of an administrative supervisory body?
The research strategy has involved a review of core regulatory and official reports, consultative statements
and annual reports from the NDI in the years 2000 – 2010. As official sources, these documents possess
methodological credibility and validity; but they are also normative and performative remnants, requiring
a critical distance in their analysis (Kjeldstadli 1999). To this end, the research has included an analysis of
a semi-structured interview with the NDI’s former director Georg Apenes, as well as of seminars, debates
and media reports on privacy issues, particularly concerning the EU Data Retention Directive.
The article proceeds in three parts. The first section presents the NDI as an institution and a state
administrative body, addressing the parameters of its mandate, size and responsibilities. Providing the
empirical background for the succeeding analysis, the mapping is also a reflection of how the trajectory of
security thinking and ICT has altered the landscape of privacy and data protection since the beginning of
the 21st century. Part two probes into the NDI’s practices of governance and resistance. It builds on a
fourfold typology developed by Keck and Sikkink (1998) to describe the tactics employed by
transnational advocacy networks: information politics, leverage politics, accountability politics and
symbolic politics, which Bennett (2008) has adapted and applied to the study of privacy advocates. This
juxtaposition will shed light on whether, and to what extent, the NDI’s practices resemble those of privacy
advocates, and hence, how the NDI manages its twofold role in resisting surveillance and threats to
privacy and data protection. The latter is also the subject of the third and final part, where a delineation of
the NDI’s role in the high-profile debate on the EU Data Retention Directive illustrates the inherent
tension stemming from the NDI’s institutional twofold role.
