Data Protection & Privacy 2024

Last Updated February 13, 2024

Norway

Trends and Developments


Authors



Advokatfirmaet Thommessen AS was established in 1856 and is considered to be one of Norway’s leading commercial law firms. With offices in Oslo, Bergen, Stavanger and London, the firm provides advice to Norwegian and international companies as well as organisations in the public and private sectors, ranging from SMEs to large multinational corporations. Thommessen covers all business-related fields of law. Its robust professional legal expertise is combined with in-depth industry knowledge, and its lawyers stay abreast of trends and developments on an ongoing basis in order to provide advice which facilitates long-term value creation. Thommessen’s market-leading team of technology lawyers assists Norwegian and international clients in their pursuit of their business goals related to data protection, cybersecurity, artificial intelligence and digital technology. Over the past 20 years it has advised clients across all business sectors in terms of data protection, digitalisation, IT processes and outsourcing, and technology.

Data Protection Trends and Highlights for Norway

More than five years after the implementation of the General Data Protection Regulation (GDPR) in Norway, attention has shifted from GDPR implementation projects and data breach reporting to rapid developments in technology, artificial intelligence and more privacy-aware consumers. This trend will continue in 2024, with an expected increase in regulatory focus on artificial intelligence, digital services and data governance.

In the news media, social media and from a supervisory perspective, there has been substantial focus on processing of health data and the privacy rights of children, for example in connection with filming or streaming of events for kids. Increased awareness about privacy rights, as well as increased supervisory activity, has led to these issues being high on the agenda throughout the year, and these are believed to be key topics for 2024. It is also expected that cookies and similar online tracking technologies will have substantial focus in 2024, as both Norwegian and EU supervisory authorities have expressed concerns about the GDPR compliance of such technologies.

Regulatory enforcement

The Norwegian Data Protection Authority (Datatilsynet) remains on the top-ten list of the supervisory authorities having issued the highest amounts of fines since the GDPR entered into force, with a total of 51 fines in the aggregate sum of approximately EUR12.1 million. In 2023, the most noteworthy regulatory sanction in Norway was the notification of intention to fine the Norwegian Labour and Welfare Authority (NAV) NOK20 million (approximately EUR1.8 million), which is the highest fine given by Datatilsynet to a public body since the GDPR entered into force. In 2023, the Norwegian Privacy Appeals Board also upheld Datatilsynet’s record-high fine to Grindr in the amount of NOK65 million (approximately EUR5.8 million) from December 2021.

The largest amount of attention given in terms of regulatory enforcement in Norway in 2023, however, has been around Datatilsynet’s urgency decision from July 2023 of provisional measures to prohibit behaviour-based marketing on Meta platforms, due to the high risk to the privacy rights and freedoms of Norwegian users of the platforms. Meta challenged the decision in court, but the Oslo District Court ruled in favour of Datatilsynet in September 2023. Meta launched a new court filing in October, but this was later withdrawn as Meta changed to a “pay-or-OK” approach for behavioural advertising, where the users of the Meta platforms can pay a monthly fee to avoid such advertising. This “pay-or-OK” model is currently undergoing regulatory scrutiny by the European Data Protection Board (EDPB). The questions about behavioural advertising and “pay-or-OK” models will most likely also have material supervisory focus in Norway and the EU in 2024 as the EDPB will issue its statement in this respect during the course of the year.

The EDPB has selected the right of access to personal data (GDPR, Article 15) as its topic for co-ordinated enforcement action in 2024. This means that this will be a prioritised topic for data protection authorities across the EU in 2024, including Norway. In 2023, the EDPB focused on the role of the data protection officers, as discussed below.

Artificial intelligence

In Norway, as in the rest of the world, there is increased focus on the development of artificial intelligence. With the EU agreement on the final version of the new Artificial Intelligence Act in December 2023, the EU took a new and important step in terms of regulating the use of artificial intelligence. Nonetheless, the provisions of the GDPR are already applicable to processing of personal data for the purposes of artificial intelligence, and have been subject to the attention of Datatilsynet for some time, both through a regulatory sandbox project for artificial intelligence (which was made a permanent offering in 2023) and through a separate podcast series by Datatilsynet and the various organisations participating in the sandbox project.

In a recent survey executed by Datatilsynet and the Norwegian Board of Technology, there are indications that many Norwegians are still hesitant to embrace artificial intelligence. For example, 58% of the 1009 respondents had never tried a generative artificial intelligence tool. In the age group 18 to 29 years, however, 79% of the respondents had used one or more such tools, with Snapchat MyAI and ChatGPT being the most-used applications across all age groups. Although many of the respondents see potential benefits and values in the use of artificial intelligence going forward, the majority of the respondents (59%) are concerned about the processing of personal data for the purposes of artificial intelligence.

With new legislation on its way from the EU as well as continued regulatory and commercial attention, combined with swift technological developments within the world of artificial intelligence, this will also be a key trend in 2024.

Cybersecurity and data breaches

In 2023, the trend from the preceding years with an increase in data breaches and cybersecurity incidents continued. As with other European countries, the apparent motivations behind these attacks have been both geopolitical and commercial. As a result, assessing and managing cyber-related risk exposure is increasingly prioritised by Norwegian and (more broadly) global companies. New regulations from the EU, such as the NIS2-directive and the Digital Operational Resilience Act have also increased the pressure on companies to increase their information-security resilience.

The EU Court of Justice recently issued a decision clarifying the extent to which a company that has been subject to a cyber-attack can be held responsible for the loss of personal data, despite the harm to the data subjects being caused by a hacker. The key take-aways from the ruling are as follows.

  • The court stated in its decision that a company that has lost or misplaced personal data following a hacker attack may be held liable for damages if the business had not implemented appropriate security measures to prevent or mitigate such attacks in accordance with GDPR Article 32.
  • However, companies cannot be held liable solely because personal data has been lost as a result of a cyber-attack. The loss must be connected to the measures that have been implemented, or the lack thereof, and as such the company is responsible for demonstrating that appropriate security measures were implemented as per GDPR Articles 32 and 24.
  • Whether the measures are appropriate or not depends on the risk associated with the specific processing. Companies must conduct risk assessments, which form the basis for implementing appropriate security measures.
  • Failure to conduct a risk assessment can expose companies to liability.

The liability and damages following a cyber-attack or other personal data breaches will continue to be relevant in 2024.

Datatilsynet conducted an audit of 93 Norwegian municipalities and five regional municipalities in 2023 pertaining to information security, and issued a report about its findings. In summary, the findings of the report were positive, indicating that the municipalities understand the importance of data protection and information security and that considerable valuable effort is being made across the municipalities in scope. However, there is still improvement potential in terms of internal control, governance and documentation requirements as per GDPR Articles 5(2) and 24.

The role of the DPO

On 17 January 2024, the EDPB issued a report focusing on the role of the Data Protection Officer (DPO) after the implementation of the GDPR. The report stems from an EU-wide collaboration and investigation regarding the designation and position of the DPO. In summary, the report showed that, despite some challenges faced by some DPOs, the results of the investigation are encouraging. Most DPOs declare that they have the skills and competence to perform their tasks under the GDPR and that they do not receive instructions in terms of how to exercise their duties. However, the report also showed that some organisations had not yet appointed a DPO despite such appointment being required, and it identified DPOs receiving insufficient resources, a lack of independence, a lack of reporting to the highest management level and DPOs not being fully entrusted with the tasks required under data protection law. Datatilsynet has stated that it will review the report carefully and consider which measures it will implement, if any, going forward.

In the immediate period following the implementation of the GDPR, many companies relied heavily on their DPOs to help with the regulatory interpretations and GDPR “1.0 projects”. More recently, however, we see a trend that the role of the DPO has been adjusted closer to what was the original intention of the GDPR; the DPO shall support, advise and monitor compliance with the GDPR and not necessarily execute the data protection efforts or be responsible for activities. This trend will most likely continue into 2024 as companies further refine and update their GDPR compliance efforts.

Data transfers

In July 2023, a new EU-US Data Privacy Framework for transfers of personal data between the USA and EU was approved by the EU and the USA. This decision facilitated legal transfers of personal data between the USA and EU after three years of intensive work by privacy professionals to conduct data transfer impact assessments to consider whether transfers of personal data could be executed with appropriate safeguards to the USA. Max Schrems, the chair of the privacy consumer rights group NOYB (None Of Your Business) and the driving force behind the two previous EU Court of Justice rulings prohibiting data transfers to the USA (often referred to as the Schrems I and Schrems II rulings), has already announced that the EU-US Data Privacy Framework will be challenged in court.

Advokatfirmaet Thommessen AS

Ruseløkkveien 38
0251 Oslo
Norway

+47 2311 1111

firmapost@thommessen.no www.thommessen.no