What is the Norwegian Personal Data Act 2018?
Although Norway is not a member of the European Union (EU), it is a member of the European Economic Area (EEA), which ensures the country enjoys the same four fundamental EU freedoms of movement of goods, services, persons, and capital.
Norway’s laws regarding data protection include the Law on the Processing of Personal Data (Personal Data Act or PDA) of June 15, 2018. The PDA aligns closely with the EU’s General Data Protection Regulation (“GDPR”) that came into effect in May 2018, but it does contain certain specific national variations and additions. It replaces earlier national data protection laws, ensuring Norwegian legislation fully complies with GDPR standards.
Because Norway is an EEA country, judgments from the EU’s Court of Justice (CJEU) are not directly applicable in the country. Norway’s official data protection authority is “Datatilsynet,” which translates to Data Protection Authority in English.
Historical Perspective: Data Protection in Norway
Data protection law in Norway began with the Data Protection Act in 1978, one of the first of its kind globally. This Act established the Data Inspectorate, now known as the Datatilsynet, to oversee data protection and ensure compliance.
As digital technology evolved, Norway updated its data protection laws to address emerging privacy challenges. The most significant shift came with the GDPR in 2018, prompting Norway to adopt the PDA and align national law with the GDPR. This underscored its commitment to stringent data protection standards, enhancing individual rights, and imposing stricter obligations on organizations.
Relevant provisions of the PDA include:
- Age of consent. Section 5 of the PDA sets the age of consent at 13 years. There is no general age at which a child can consent to the processing of personal data on their own, but several exemptions allow children to consent in some instances.
- Freedom of speech. Only certain Articles of the Act apply when personal data is processed “exclusively” for journalistic purposes.
- Employment context. Certain personal data categories can be processed in an employment context when necessary for duties or rights under labor laws.
The law also allows special personal data categories to be processed without data subject consent if they are necessary for archival purposes in the public’s interest or if they relate to statistics or scientific or historical research.
A noteworthy provision in the Act is that imitation surveillance cameras, or signs that imply an area is being monitored when it’s not, are prohibited if real cameras processing personal data would be prohibited in the same areas.
GDPR and the PDA: A Symbiotic Relationship
The GDPR was incorporated into the EEA agreement and became effective in July 2018. Norway is bound to it in the same way as EU member states. There are no national law variations from the GDPR, and current exemptions generally align with GDPR standard permissions when it comes to:
- National security and defense.
- Freedom of expression and information.
- Public access to documents.
- Research and statistics.
- Employment law.
The collaborative relationship between the PDA and the GDPR ensures that Norway adheres to international data protection standards while retaining the right to address specific national needs and legal traditions. It functions as follows:
- Uniformity and consistency. The GDPR provides a uniform framework for data protection across all EU and EEA member states, including Norway. Aligning its PDA with the GDPR ensures Norway’s data protection standards are consistent with those of other countries in the region, facilitating easier data flow and cooperation across borders.
- Local adaptations. The GDPR sets minimum standards but also allows member states some flexibility to adapt certain provisions to reflect local laws and practices.
- Enhanced protection and rights. The GDPR’s emphasis on entitlements, such as the right to access, rectify, and erase personal data, as well as restrictions on data processing and the movement of data, is embedded within the PDA. This enhances Norwegian citizens’ protection by providing them with rights that have strong backing from EU legislation.
- Regulatory oversight and compliance. The GDPR mandates establishing or designating a national supervisory authority, which in Norway is Datatilsynet. This body ensures both legislations are enforced, providing a mechanism for compliance and addressing grievances.
- Response to technological and social changes. The GDPR and the PDA are designed to be dynamic, addressing ongoing changes in technology and data usage. This allows Norway to adapt to new data protection challenges promptly while remaining aligned with broader European standards.
Key Provisions of the Norwegian Personal Data Act
The Norwegian PDA provides a robust framework for data protection, emphasizing transparency, security, and accountability in data processing practices. Key features include:
- Individual rights. Individuals enjoy various rights regarding their personal data, such as the right to access, rectify, and delete their data, and the right to object to certain types of processing.
- Data processing requirements. Organizations must ensure that personal data is processed lawfully, transparently, and for specified, explicit purposes. The data collected should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Consent. Like the GDPR, the PDA emphasizes the importance of consent, which must be freely given, specific, informed, and unambiguous. Data subjects have the right to withdraw consent at any time.
- Data protection officer (DPO). Certain organizations must appoint a DPO who oversees compliance with data protection laws, including training staff and conducting audits.
- Data breaches. Organizations must promptly report data breaches to the Norwegian Data Protection Authority (Datatilsynet) and, in certain cases, to the affected individuals, especially if the breach poses a high risk to the rights and freedoms of individuals.
- Cross-border data transfers. Transferring personal data outside the EEA is restricted and allowed only under specific conditions to ensure the level of protection afforded to personal data is not undermined.
- Enforcement and penalties. Datatilsynet is tasked with enforcing the Act and has the power to issue warnings, ban processing, and impose fines for violations.
Datatilsynet is an independent administrative body established under Norwegian law to ensure an individual’s personal data is processed in compliance with the Norwegian PDA and other relevant privacy laws. It operates under the Ministry of Local Government and Modernization but acts independently when performing its duties.
Key functions and responsibilities include:
- The Authority oversees and ensures public and private entities comply with data protection laws when processing personal data. This includes reviewing how organizations handle personal information and enforcing laws through audits and inspections.
- Guidance and advice are provided to individuals and organizations on how to comply with data protection regulations. The Authority also educates the public and businesses about their rights and obligations under these laws.
- Datatilsynet receives and investigates complaints from individuals who believe their data protection rights have been violated.
- The Authority contributes to the development of national and international policies on data protection and privacy.
- Datatilsynet has the power to issue administrative fines and other sanctions to enforce data protection laws.
- The Authority is responsible for keeping a registry of data processing operations that require notification under Norwegian law. It also reports on its activities and the state of data protection in Norway.
Datatilsynet plays a crucial role in safeguarding personal privacy rights in the digital age, ensuring data protection practices are conducted transparently, responsibly, and legally across Norway.
Who Does the Norwegian PDA Apply To?
The PDA applies broadly to all public and private entities that process personal data within Norway. This includes:
- Organizations headquartered in Norway as well as foreign entities that process the data of individuals residing in Norway as part of their business activities.
- Any organization involved in data processing activities, such as collecting, storing, using, or sharing personal data, must ensure that these processes adhere to legal standards of transparency, security, and accountability.
- Individuals and entities outside Norway if their data processing activities affect Norwegian residents.
Compliance with the Norwegian Personal Data Act
Many Norwegian businesses struggle to meet PDA compliance requirements; it’s estimated that up to 80% of the country’s small businesses are likely violating privacy policies daily. An analysis conducted in 2022 found that more than half of Norwegian business websites violate privacy rules by sharing data about their users with Google, Facebook, and other platforms without their consent. Reasons for this range from vague legal language to insufficient resources to comply with GDPR requirements. Many organizations also find it challenging to keep up with data management and storage, as they don’t have the latest technological solutions or expertise.
Ready or not, organizations operating within Norway or dealing with the personal data of Norwegian residents need to understand current requirements and implement measures to protect personal data in accordance with the PDA. Potential penalties for non-compliance with key laws include:
- Administrative remedies from regulators and law enforcement up to EUR 20 million or four percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
- Criminal penalties from law enforcement and regulators.
- Private remedies, including individual complaints with the data protection authorities and claims of material or non-material damages.