The Norwegian privacy advantage

 Your email is safer here

Email privacy

At Runbox, we believe privacy is a fundamental right—not a luxury. That’s why we’ve built our email service on Norwegian soil, under Norwegian law, ensuring your data is protected by some of the strongest privacy regulations in the world. Unlike providers based in the U.S. or other high-surveillance jurisdictions, Runbox is fully owned and operated in Norway, where your privacy is safeguarded by Norwegian law and GDPR.

In a world where email privacy is increasingly under threat — with regulations in many countries being weakened or bypassed — email services in Norway offer a stronger, more reliable shield for individuals and businesses.

To help you understand how your privacy is better protected in Norway, we’ve compared the key privacy regulations in the United States and Norway, which is part of the European Economic Area (EEA) and subject to the EU’s robust GDPR framework. Discover why choosing a Norwegian-based email provider like Runbox gives you unmatched security and peace of mind.

Data protection

The problem with email privacy in the US

The extent to which email privacy is respected and email is protected from unauthorized inspection depends greatly on the legislation in the country in question.

In the United States, there is no constitutional guarantee on email privacy or correspondence in general. The secrecy of correspondence is derived from the Fourth Amendment to the United States Constitution and an 1877 U.S. Supreme Court case.

However, like all rights that have been derived through litigation, this is subject to interpretations and is limited by the legal requirement of a “reasonable expectation of privacy” which may be either subjective (the opinion of the person in question) or objective (as recognized by society).

Email is also protected by the Electronic Communications Privacy Act of 1986 which was enacted to extend government restrictions to include transmissions of electronic data. The ECPA has been criticized because an agency doesn’t need judicial review in order to demand consumer data from service providers.

After 6 months, email messages lose their status as protected communication under the ECPA and become a regular database record. This means authorities only need a subpoena—not a warrant—to force email providers to hand over your data, making it alarmingly easy for the U.S. government to access your private communications.

 

Adding to these concerns, the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), passed in 2018, further erodes email privacy by giving U.S. authorities the power to compel any U.S.-based company—or any company using U.S.-controlled infrastructure—to hand over user data, regardless of where in the world it is stored. This means that even if your emails are hosted on servers outside the U.S., a U.S.-based provider can still be forced to disclose your data to U.S. authorities without notifying you. The CLOUD Act effectively bypasses international privacy laws, making it a significant threat to global email privacy—especially for users of services subject to U.S. jurisdiction.

Email privacy in Europe

Some countries, especially in Europe, have a constitutional guarantee ofsecrecy of correspondence, wherein email is equated with letters and therefore protected from all types of screening and surveillance. In electronic communication, this principle protects not only the message contents but also the logs of when and from/to whom messages have been sent.

In the European Union, the General Data Protection Regulation (GDPR) is an important and groundbreaking regulation on data protection and privacy for all individuals within the European Economic Area (EEA).

The GDPR defines how data may be collected and processed, and gives control over personal data back to the persons themselves. The regulations require that businesses and organizations integrate this human right into their business practices through policies, procedures, and technologies that safeguard the users’ privacy.

Specifically, the GDPR declares that individuals have:

  • The right to transparency about how data is processed.
  • The right to access and information about collected data.
  • The right to rectify stored data.
  • The right to erase data (“right to be forgotten”).
  • The right to restriction of processing.
  • The right to data portability.
GDPR compliance to protect your data

What does compliance with European privacy laws mean?

Because Runbox is located in Norway, which is part of the EEA, we therefore adhere to the EU’s General Data Protection Regulation (GDPR). The Norwegian Personal Data Act implements the GDPR in Norway and regulates how personal data may be collected, stored, and processed.

Runbox in turn implements these regulations in our Terms of Service and Privacy Policy, which govern your usage of our services and describe your rights with regards to privacy.

Additionally, Runbox has appointed a Data Protection Officer who is authorized by the Norwegian Data Protection Authority to ensure that all user data is processed according to their guidelines. 

Because Runbox is not considered by the Norwegian Communications Authority to be an “electronic infrastructure provider”, Runbox is exempt from the Electronic Communications Act (currently only available in Norwegian).

More Information

Norwegian Privacy Advantage

Email privacy in Norway

In Norway, freedom of expression and privacy of correspondence is governed by Article 100 and 102 of the Constitution and the implementation of the European Convention on Human Rights in the Norwegian Human Rights Act, especially Article 8: Right to respect for private and family life.

The Personal Data Act as set forth by the Norwegian Data Protection Authority is the main piece of legislation in Norway that regulates collection, storage, and processing of personal data.

This legislation implements the EU’s General Data Protection Regulation (GDPR), which substantially strengthens the rights to privacy of individuals in the EEA.

The Norwegian Data Protection Authority was established January 1, 1980 and was among the first agencies in the world to facilitate the protection of individuals from violation of their right to privacy through processing of their personal data.

Central principles of the Norwegian data privacy regulations are:

  • Personal data must only be collected by private entities when consent from the user has been obtained.
  • Personal data must not be used for purposes inconsistent with the initial purpose of collection except with consent from the user.
  • Personal data must not be stored longer than required by the purpose of collection.
  • Personal data must be kept confidential unless required by law.

What does compliance with Norwegian privacy laws mean?

So what does Runbox’ compliance to Norwegian laws mean regarding your personal data when using Runbox, and the content of your emails stored on our servers?

Runbox does not collect any data about you except what is necessary to provide you with our services. Under Norwegian legislation, Runbox is ordinarily not required to retain any traffic logs, and is permitted to delete your data if you ask us to.

This is in accordance with our Terms of Service and Privacy Policy, which is compliant to The Personal Data Act. This paragraph states that personal details can only be collected and processed with consent from the registrant.

Similarly important is §11, stating that personal data must not be used for purposes inconsistent with the initial purpose of collection except with consent from the user.

Runbox will request a Norwegian court order pursuant to the Norwegian Criminal Procedure Act before disclosing information to the Norwegian Police Service.

How we handle requests for data from authorities outside Norway

A request from foreign authorities or agencies regarding Runbox account details or user data has a long way to go before it reaches Runbox:

It will in general start with a legal request (letter rogatory) submitted through diplomatic channels to the Norwegian Ministry of Foreign Affairs, who sends it to the Attorney General at the Norwegian Office of the Prime Minister.

If appropriate, the Attorney General will forward the request to the Ministry of Justice and Public Security who in turn sends it to the appropriate police unit, for example the National Criminal Investigation Service, Norway (Den nasjonale enhet for bekjempelse av organisert og annen alvorlig kriminalitet; Kripos) or The Norwegian Police Security Service (Politiets sikkerhetstjeneste; PST) for independent investigation.

All requests will be evaluated with regards to Norwegian laws and regulations, and must be submitted to the Norwegian court system. If delays might impede the investigation an order from the prosecuting authorities may temporarily replace a court order, but the case must be submitted to the courts as soon as possible. Otherwise a request for a court order may submitted by Runbox before data can be disclosed. The Norwegian police authorities may then present Runbox with an order to disclose the requested information.

Norway has entered into agreements with some foreign nations to cooperate in criminal matters regarding disclosure of objects and data, that may simplify the procedure above:

Through the European Convention on Mutual Assistance in Criminal Matters requests go directly to the Ministry of Justice and Public Security, through the Schengen Agreement requests go to the public prosecutor in Norway, and between Nordic countries, requests go to central or local police (district chiefs of police). Requests from Canada and Thailand go directly to the Ministry of Justice and Public Security.

All other nations, the United States included, have to follow the general rule outlined above: Requests must be sent through diplomatic channels to the Norwegian Ministry of Foreign Affairs.

What about surveillance…

According to the laws mentioned above, the Norwegian police authorities can not execute communication control, for instance surveillance of electronic messages, without a valid court order.

An independent tribunal, the Control Committee for Wiretapping (Kontrollutvalget for kommunikasjonskontroll) is established to control that the police’s use of wiretapping occurs within the framework of the law and that the use of such methods is as limited as possible.

This means that no surveillance of traffic to or from Runbox can occur unless a valid court order is presented. However, the regulation that governs wiretapping (Forskrift om kommunikasjonskontroll; Kommunikasjonskontrollforskriften [only available in Norwegian]) and the Control Committee for Wiretapping do not pertain to intelligence, which is the domain of The Norwegian Parliamentary Intelligence Oversight Committee (Stortingets kontrollutvalg for etterretnings-, overvåkings- og sikkerhetstjeneste), see below.

Digital Surveillance System for Enhanced Security in Offices
Concept of law, order, regulations, digital justice. Intelligence oversight over data gathering.

…and intelligence?

Let us examine the various Norwegian intelligence agencies and their mandates.

  • The Norwegian Intelligence Service (Etterretningstjenesten): A body established in order to survey and monitor external threats to Norway and high-priority Norwegian interests. For that aim, the NIS is allowed, under strict parliamentary and judicial control, to order targeted collection and storage of cross-border electronic communication.
  • The Norwegian Police Security Service (Politiets sikkerhetstjeneste; PST): Do NOT have any legal rights beyond the Norwegian Police Service, which is discussed above.
  • The Norwegian Defence Security Department (Forsvarets sikkerhetsavdeling, FSA): Applies to military institutions only, and is not relevant for Runbox customers at all.
  • The National Security Authority (Nasjonal sikkerhetsmyndighet, NSM): Is established to control governmental and civil institutions regarding security, and because Runbox does not provide services to such institutions, this authority is not relevant to Runbox or our customers.
  • Joint Counter-terrorism Center (Felles etterretning- og kontraterrorsenter, FEKTS): A recently established department within PST staffed with people from PST and ETJFEKTS is a cooperation agency sharing information and analyzing terror threats against Norway. FEKTS is subject to the laws and regulations governing the activities of The Norwegian Police Security Service and the Norwegian Intelligence Service.

In order to monitor these agencies and ensure they are acting in accordance with laws and regulations and in as limited a way as possible, the Norwegian Parliament has established The Norwegian Parliamentary Intelligence Oversight Committee (Stortingets kontrollutvalg for etterretnings-, overvåkings- og sikkerhetstjeneste), and Control Committee for Wiretapping (Kontrollutvalget for kommunikasjonskontroll).

What is the conclusion of all this?

All your Runbox email stored on our servers is safe because Runbox is located in Norway. Runbox strictly adheres to the Norwegian Personal Data Act and the Norwegian Criminal Procedure Act, which is the main legislation governing our operations. This fact, along with our ethics and values, prevents us from doing anything unauthorized with your data.

Specifically, Runbox protects your data against disclosure requested by the authorities because we will request a court order from the Norwegian authorities before we disclose any data.

Norwegian authorities are not allowed to gather and utilize of data traffic without a valid court order. Norway has established independent agencies to ensure that these agencies follow the laws and regulations under which they operate. In addition, Norway is an open democracy with a critical and investigative press which readily publicizes any suspicion of breached laws and regulations.

Any foreign nation asking for data have to send a formal request according to established protocols and strict rules. And any such legal request will be scrutinized by Norwegian judicial authorities, and only in cases where Norwegian law is breached could a request result in an ordered seizure which is necessary to obtain data from Runbox.

Norwegian courts are not bound by foreign definitions of “national security”, and rigorously evaluate the legality and necessity of such request under Norwegian and EU privacy laws, which prioritize fundamental privacy rights. This is very different from the broad powers enabled by laws like the U.S. CLOUD Act.

In short, no authority or agency can monitor and utilize Runbox’ data or traffic without a court order, which can only be issued when there is evidence of criminal activity in violation of Norwegian penal code or evidence of threats to Norway and high-priority Norwegian interests..

Privacy Protected email in Norway - symbol with Norway flag and the words hosted in Norway and privacy protected

Summary about Norwegian privacy legislation and regulations

First of all, Norway has enacted strong legislation regulating the collection, storage, and processing of personal data in The Personal Data Act. This legislation implements the EU’s General Data Protection Regulation (GDPR), which substantially strengthens the rights to privacy of individuals in the EEA.

The first version of The Personal Data Act was implemented as early as 1978. This was a result of the pioneering work provided by the Department of Private Law at the University of Oslo, where one of the first academic teams within IT and privacy worldwide was established in 1970.

Additionally, the Norwegian Data Protection Authority (Datatilsynet), an independent authority, facilitates protection of individuals from violation of their right to privacy through processing of their personal data. It also verifies that statutes and regulations which apply to the processing of personal data are complied with, and that errors or deficiencies are rectified.

Any complaint against decisions made by The Data Protection Authority may be reported to The Privacy Tribunal (Personvernnemda), another independent authority, for decision.

The Norwegian Criminal Procedure Act (Lov om rettergangsmåten i straffesaker; Straffeprosessloven) is an important law governing the seizure of objects or data when a criminal act has been reported to the police.

Another important law in this context is the Norwegian Penal Code (NPC, Lov om straff; Straffeloven) which states that it is illegal to access information systems or data unauthorized (NPC Chapter 21, § 201 – §211).

We must also mention Norwegian Law on Electronic Communications (Lov om elektronisk kommunikasjon; Ekomloven), which regulates telecommunications in Norway. This law contains rules for the interception of electronic communications and for the duration of storage of personal data.

Because Runbox is similar to an Internet service provider and not a telecommunications company, Runbox is NOT affected by this law. For instance, this means that Runbox is permitted to delete your email data upon your request at any time, and that we are not required to store any traffic logs.

The bottom line is that a request from Norwegian police authorities to disclose data from any Runbox account will be rejected by Runbox unless a Norwegian court has decided otherwise.

Additional email protection

Runbox customers automatically have an advantage by storing their email in Norway, and you can add another layer of protection by encrypting your communication with Runbox.

To protect your privacy even further, Runbox does NOT use Google Analytics or any other third-party tracking of our customers’ usage. We never use data or traffic information for any other purpose than anonymous statistics in order to improve our services and our system’s performance. Our service is absolutely ad-free, and we do not share or sell your personal details to anyone.

The combination of the strict Norwegian legal environment, our solid IT infrastructure, Runbox’ ethics and Privacy Policy, and the technology Runbox provides, means that Runbox provides a service that is uniquely private and secure.

Feel free to contact us with any questions or concerns.