Norway’s Law on the Processing of Personal Data (PDA)

The Law on the Processing of Personal Data or the Personal Data Act for short is a Norwegian data privacy law that was recently passed in 2018. As Norway is one of a handful of European countries that is not a part of the European Union, and as a result does not fall under the direct jurisdiction of the General Data Protection Regulation or GDPR. However, Norway is a part of the European Economic Area or EEA, an economic agreement between the 28 member states and the European countries of Iceland, Liechtenstein, and Norway respectively.

What’s more, the agreement covers areas outside of economics, including consumer protection. In turn, as the EEA has adopted the provisions of the General Data Protection Regulation through its affiliation with the EU, Norway is also under the jurisdiction of certain provisions of the GDPR. To this end, the General Data Protection Regulation and the Personal Data Act both work in conjunction with one another to protect the data privacy rights of Norwegian citizens.

What is the scope and application of the Personal Data Act?

In terms of scope and applicability of the law, both the Personal Data Act and the General Data Protection Regulation “apply to the processing of personal data in connection with activities of businesses to a controller or processor in Norway, regardless of whether the processing takes place within the EU/EEA”. Additionally, these regulations also apply to the processing of personal data subjects within Norway, permitting such processing activities are related to:

• The offering of goods or services, irrespective of whether payment is required for said goods or services, to data subjects within Norway.
• The monitoring of the behavior of data subjects within Norway.

Conversely, both the General Data Protection Regulation and the Personal Data Act also have extraterritorial jurisdiction over the processing of personal data by data controllers who are not established or physically located within Norway, permitting these data controllers to reside in places where Norwegian law still applies by virtue of public international law. As a result of this, certain provisions of the GDPR and the Personal Data Act are also applicable to the territories of Svalbard and Jan Mayen.

What are the requirements of data controllers and processors under the Personal Data Act?

Generally speaking, many of the requirements placed on data controllers under the Personal Data Act are no different from the 6 data protection principles outlined in the General Data Protection Regulation. These data protection principles include integrity and confidentiality, storage limitations, purpose limitations, accuracy, data minimization, lawfulness, fairness, and transparency. On the contrary, there are certain requirements of the Personal Data Act that differ from those of the General Data Protection Regulation. These requirements include:

• Data transfers– Section 13 of the Personal Data Act states that the Norwegian government maintains “the right to adopt regulations regarding the transfer of personal data to third countries or international organizations”.
• Data protection impact assessments– Under the Personal Data Act, the Norwegian government retains the right to adopt more extensive measures and obligations in regard to data protection impact assessments.
• Data breach notifications– In relation to data breach notifications, Section 16 of the Personal Data Act states that exemptions may be made to the obligation to notify data subjects in accordance with the General Data Protection Regulation, permitting said notifications would reveal information of” importance to Norway’s national security interests or the defense of the country, information that must be kept secret for the purpose of the prevention, investigation, detection, and prosecution of criminal offenses, and information that is subject to a statutory obligation of professional secrecy (which must, if relevant, be explained to the data subject)”.
• Children’s data– Section 5 of the Personal Data Act states that the age of consent within Norway for the purposes of information society services is 13.
• Special Categories of personal data– Under the Personal Data Act, the processing of personal data and criminal conviction data is permitted when said data processing is necessary to perform obligations in the field of employment, is found to be necessary for important public interests, or for achieving scientific, statistical, or historical research purposes, provided that the benefits that this research would provide to society would clearly exceed any potential detriment to the data subject in question.

What are the rights of data subjects under the Personal Data Act?

As is the case with the requirements that are placed upon data controllers, the rights that are afforded to Norwegian citizens in regards to their data rights is generally the same as those offered to data subjects under the jurisdiction of the General Data Protection Regulation. These rights include the right to erasure, the right to object or opt-out, the right to data portability, and the right not to be subject to automated decision-making in regards to data processing activities. Nevertheless, the Personal Data Act does differ in the rights they are given to data subjects in the following ways:

• The right to be informed– Section 16 of the Personal Data Act outlines various exemptions in regards to a data subject’s right to be informed. Some of these exemptions include instances in which a data subject’s personal data is of importance to a security interest or the defense of the country, and instances in which the disclosure of a data subject’s personal data would conflict with prevailing, obvious, and fundamental private and public interests.
• The right to access– Section 16 of the Personal Data Act also outlines various exemptions relating to a data subject’s right to access their personal data. Some of these exemptions include instances where a data subject’s personal data must be kept secret for the purposes of the prevention, detection, investigation, or prosecution of a criminal offense, or instances in which a data subject’s personal data is subject to a statutory obligation of professional secrecy.
• The right to rectification– “Section 17(2) of the Act provides exemptions from the right of rectification and limitation where the processing is performed for the purposes of archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes”.

What are the punishments for violating the Personal Data Act?

In addition to the penalties that can be imposed upon data, controllers found to be in non-compliance with the GDPR, which can include fines of up to %4 of a business agency’s global revenue, data controllers who violate the Personal Data Act are also subject to penalties from the Norwegian Data Protection Authority, also known as Datatilsynet. As such, data controllers who violate the data privacy rights of data subjects are also subject to monetary fines from Datatilsynet. Moreover, Datatilsynet also has the power and authority to impose daily fines on data controllers who do not comply with penalties imposed by the GDPR.

As Norway’s data privacy landscape is somewhat convoluted due to the country’s status within both the EU and the EEA respectively, the Personal Data Act serves to supplement the protections offered by the General Data Protection Regulation. As such, through the intersection of both laws, Norwegian citizens are offered a level of privacy protection that is on par with member states of the EU. In this way, citizens of the country can have the peace of mind that their personal information and data is being protected at all times, despite the fact that they do not reside in an EU member state.