Skatteetaten Defends Audit Data-Copying Powers: What Firms Must Know
Norway's tax authority, Skatteetaten, has gone on the record to defend its practice of copying business devices, including smartphones and laptops, during tax audits. Published on 15 April 2026 by the authority's legal director, the statement responds directly to public criticism that the practice overreaches into private life. For accounting firms, auditors, and CFOs serving Norwegian entities, this is a concrete signal: digital record-keeping is now squarely within the scope of a Norwegian tax audit, and the authority has both the legal basis and the internal infrastructure to act on it.
What Skatteetaten Actually Said
The core legal argument
The statement, signed by legal director Harald Johannessen, makes three points clearly. First, the authority holds a statutory basis in the Tax Administration Act (skatteforvaltningsloven) to access and copy data carriers belonging to a business. Second, this power exists because business records no longer live on paper or local servers; they live in cloud services accessed through company-issued or work-used personal devices. Third, the authority insists the practice is bounded: strict confidentiality obligations apply, access to copied material is restricted to staff with a specific service need, and a specialist unit handles the initial extraction and filtering.
The privacy and rule-of-law guardrails
Johannessen directly addresses the privacy concerns, noting that copied data inevitably includes material outside the audit's scope, such as legal correspondence, personal information, and health data. The authority says such material is filtered out before any case officer sees it. Taxpayers retain the right to appeal and to have courts review what Skatteetaten considers relevant audit data. At least one contested case has already been upheld at both district court and appellate court level, with a further appeal to the Supreme Court pending at the time of writing.
Why the Statutory Basis Is Being Tested
A public debate prompted by press coverage
Norwegian financial daily DN has run multiple stories over the past year on Skatteetaten's data-copying practices. The immediate trigger for this statement was a commentary piece by lawyer Bettina Banoun, who drew a pointed comparison to George Orwell's dystopian fiction. The authority's response is notable precisely because it chose to engage publicly rather than let the legal proceedings speak for themselves. That decision suggests the authority is aware the debate has moved beyond specialist legal circles.
Constitutional and ECHR boundaries
Skatteetaten acknowledges that its powers must be applied within the limits set by the Norwegian Constitution and the European Convention on Human Rights, particularly the right to private life. The authority's position is that this is exactly the function courts are meant to perform: testing where the line sits as technology evolves. The phrase used is deliberate: the statutory powers must remain fit for purpose under continuous technological change in how business data is stored and processed.
Practical Implications for Accounting Firms and CFOs
Digital records are audit records
The clearest takeaway for practitioners is definitional. Skatteetaten treats cloud-connected smartphones and computers used in the operation of a business as part of that business's archive. There is no safe harbour simply because data is stored off-premise or behind a personal login. For firms advising Norwegian clients, this reframes how you should be discussing record retention and device-use policies with those clients. Any device that touches business operations is potentially within scope.
Crypto bookkeeping software and digital asset accounting software: the audit exposure angle
Businesses holding or transacting in digital assets face a compounded version of this issue. Crypto bookkeeping software and digital asset accounting software often operate through browser-based or mobile interfaces, pulling data from exchanges and wallets via API. If those interfaces are accessed on a device that Skatteetaten copies during an audit, the authority gains a window into transaction histories, wallet addresses, and portfolio positions, regardless of where the underlying data is hosted. Firms advising clients who use crypto accounting software in Norway should now treat the device layer as part of the audit trail, not separate from it.
This connects directly to the broader pattern of Norwegian enforcement activity. Our earlier coverage of Norway tax enforcement and facilitator liability showed that Skatteetaten is willing to pursue not just primary taxpayers but those who help structure non-compliant positions. The data-copying capability strengthens that investigative reach considerably.
Internal controls firms should be reviewing
Accounting firms with Norwegian clients should be prompting those clients to review three things now. First, which devices are used to access business systems, including cloud accounting, payroll, and any crypto bookkeeping software, and whether those devices carry non-business data that would be sensitive if copied. Second, whether attorney-client privilege is adequately protected, given that Skatteetaten explicitly acknowledges it will encounter legal correspondence during device copies before filtering it out. Third, whether record-keeping is sufficiently structured and labelled so that auditors can identify relevant material quickly, reducing the scope and duration of a device copy exercise.
On the data quality dimension, our guide to blockchain analytics data quality standards for compliance teams sets out the due-diligence questions firms should be asking about the integrity and provenance of on-chain records, which becomes especially relevant when those records may be reviewed by a tax authority.
What to Watch Next
The Supreme Court referral
The most consequential near-term development is whether Norway's Supreme Court accepts the pending case for review. If it does, the resulting judgment will set the clearest boundary yet on how far Skatteetaten's data-copying powers extend relative to constitutional privacy protections. A ruling narrowing those powers would require the authority to adapt its audit methodology; a ruling affirming them would remove the remaining legal uncertainty and give the practice a firm judicial foundation.
Broader Nordic and European context
Norway is not alone in grappling with this tension. Tax authorities across the EU are similarly expanding their digital audit capabilities, driven by the same shift of business records to cloud environments. The legal frameworks differ, but the operational pressure is identical. Firms advising clients across multiple jurisdictions should track how the Norwegian case resolves, as it may become a reference point in comparable disputes elsewhere.
Q: Does Skatteetaten need a court order before copying a business's devices?
Based on the authority's statement, the power to copy data carriers during an audit derives directly from the Tax Administration Act and does not require prior court authorisation. Judicial review is available after the fact, both through appeal rights and ordinary court proceedings.
Q: What happens to personal or privileged data found on a copied device?
Skatteetaten says a specialist unit conducts the initial extraction and filters out material that falls outside the audit's scope, including legal correspondence, personal data, and health information. Case officers only receive access to material that passes this filter.
Q: How does this affect businesses that use cloud-based accounting or crypto bookkeeping software?
If cloud services are accessed through devices used in business operations, those devices are treated as part of the business archive. The authority can copy the device itself. The cloud-side data would depend on access credentials and API connections present on the device at the time of the copy.
Q: Is there a pending legal case that could change these powers?
Yes. At least one case has been appealed to Norway's Supreme Court after lower courts upheld Skatteetaten's position. Whether the Supreme Court accepts the case for hearing was unresolved as of the authority's April 2026 statement.
Q: What should accounting firms do right now for Norwegian clients?
Review device-use policies, assess which devices carry both business and sensitive personal data, ensure crypto and financial records are clearly labelled and structured, and brief clients on the possibility that any work-used device is within the audit perimeter under current Norwegian law.
Source: Skatteetaten
