National-Security

The Norwegian Security Act creates a comprehensive framework for national security. It requires security clearances for personnel accessing classified information and establishes classification levels (RESTRICTED, CONFIDENTIAL, SECRET, TOP SECRET). Organizations handling classified information must implement security measures and undergo security audits. The Act enables the government to impose security requirements on critical infrastructure operators and assess foreign investments for national security risks. It covers information security (protecting classified data), personnel security (vetting individuals), and supply chain security (managing risks in procurement). NSM (Norwegian National Security Authority) oversees implementation, while PST (Police Security Service) handles threat assessments. The law interacts with data protection rules, allowing certain national security exemptions while maintaining proportionality requirements.

The USA PATRIOT Act, passed after September 11, 2001, dramatically expanded US surveillance capabilities. Key provisions include Section 215, which authorized the FBI to obtain ‘any tangible things’ relevant to terrorism investigations including business records, until the USA FREEDOM Act restricted bulk collection. The law enabled National Security Letters (NSLs) demanding records from communications providers without court approval. It facilitated information sharing between foreign intelligence and domestic law enforcement. ‘Sneak and peek’ searches allow delayed notification of search warrants. Roving wiretaps can follow targets across devices without new court orders. While some provisions have sunset dates requiring reauthorization, the framework fundamentally changed US surveillance law. For international organizations, the Patriot Act exemplifies the broad access authorities that create tension with data protection regimes like GDPR.

The UK National Security Act 2023 updates laws against espionage and foreign interference that dated back to the Official Secrets Act 1911. It creates new offenses for obtaining, copying, or disclosing protected information to foreign powers; foreign interference in UK politics and civil society; and sabotage of critical national infrastructure. The Act establishes a Foreign Influence Registration Scheme requiring registration of activities conducted at the direction of foreign powers. It provides new powers to restrict individuals assessed as threats to national security, including prevention and investigation measures. The law responds to evolving state-level threats including cyber operations and covert influence campaigns. For organizations, it increases the legal risks of unauthorized disclosure and may affect partnerships with foreign entities.

China’s Data Security Law of 2021 complements the Cybersecurity Law with comprehensive data governance. It establishes a classification system: ‘core data’ relating to national security receives the highest protection; ‘important data’ in regulated catalogs requires security assessments before cross-border transfer; ‘general data’ faces fewer restrictions. All data processing must serve China’s national security and development interests. Organizations must cooperate with government data requests and maintain security measures. The law has extraterritorial reach: activities outside China harming Chinese national security or citizens’ interests can be penalized. For international organizations, the Data Security Law complicates cross-border data flows—transferring data from China to headquarters may require government approval and security assessments.