Copyright holders and anti-piracy companies have been dealt a blow in their attempts to monitor and track down student file-sharers in Norway. Following a decision by the Data Inspectorate, universities will not be allowed to spy on the online activities of their students and data gathered for network maintenance purposes will kept well away from rightsholders and lawyers.

In many countries of the world, rightsholders are employing anti-piracy tracking companies to monitor file-sharing networks for unauthorized uploads. While much of this data is kept for statistical reasons, increasingly it is used to go after individuals in order to sue them, or extract cash settlements to make legal action go away.

During the last decade the RIAA made quite a name for itself going after the students of the United States for cash payouts, but eventually abandoned the practice in favor of sending them warnings via their university or college.

While educational establishments in many countries are prepared to forward such notices, in Norway the very notion has just been torpedoed by the Norwegian Data Inspectorate, the government body set up to manage the privacy framework of the Personal Data Act of 2000.

According to Universitetsaviser, the Norwegian University of Science and Technology (NTNU) has been receiving enquiries from several rightsholders who believe they have tracked instances of illegal file-sharing to IP addresses held by the university. Of course, the rightsholders want further action taken, including the forwarding of infringement notices to the students in question.

However, the issue raised two important questions. Firstly, does NTNU – a university with 20,000 students and an $800 million budget – have the right to log students’ Internet traffic in order to detect illegal file-sharing or other illegal activities.

Secondly, can NTNU make use of personal information it holds in order to pass on infringement notices from rightsholders to students.

These questions were posed to Datatilsynet, the Norwegian Data Inspectorate, and the responses couldn’t have been worse for rightsholders. The privacy body responded in the negative to both questions.

The Data Inspectorate decided that students should enjoy the same levels of privacy when using computers at university as they do while accessing the Internet from home. Furthermore, Datatilsynet noted that NTNU has no legal obligation to pass on warnings from rightsholders to students.

Additionally, NTNU has been told that while in future it can keep personally identifying information in computer logs, it may only do this for up to 3 weeks and only for the purposes of network management. Rightsholders will not have access to the information.

The deadline for implementing these data privacy practices runs out tomorrow but NTNU have said that they will be in compliance by then.