GDPR Enforcement in Norway
Deep dive into relevant data protection enforcement cases and insights from Norway

Fining practice
Trend: Have the national data protection authorities in Norway focused on certain types of non-compliance with data protection law so far or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?
The Norwegian data protection authority (“Datatilsynet”) has not clearly expressed a priority with regard to certain types of violations. However, it seems that Datatilsynet’s priority areas for 2025 will be artificial intelligence, data sharing and personal data processing in municipalities.
Overall, the fines seem to be issued due to breaches of regulations concerning employee control (under Norwegian law), insufficient legal bases for data processing (Article 6 GDPR), e.g., in connection with credit ratings, and a lack of appropriate information security (Article 32 GDPR).
From what we can see, the fines imposed in Norway so far are not highly concentrated within a specific sector, but processing seems to relate mostly to the public sector and to patient and employee data. Datatilsynet has also stated that their supervisory control will focus on larger undertakings, municipalities and serious or extensive violations of the GDPR.
Overall, what was the most significant fine in Norway to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?
On 12 December 2021, the highest GDPR fine in Norway to date was imposed on US company Grindr LLC, which provides the world’s largest social networking app for gay, bi, trans and queer people. The fine against Grindr LLC amounted to NOK 65 million (approx. EUR 5.4 million) and was imposed due to the disclosure of personal data to advertising partners without a valid legal basis, constituting a violation of Article 6(1) GDPR, and based on the disclosure of special-category personal data to advertising partners without a valid exemption from the prohibition as set out in Article 9(1) GDPR.
Grindr appealed against the fine imposed by Datatilsynet. Datatilsynet reconsidered the case but upheld its original decision. The case was then escalated to the Privacy Appeals Board (“Personvernnemnda”), which, in September 2023, affirmed Datatilsynet’s imposition of the fine. Subsequently, Grindr initiated legal action challenging the legitimacy of Personvernnemnda’s decision. The trial was held in Oslo District Court from 12 March to 14 March 2024. The court upheld the fine of NOK 65 million (approx. EUR 5.4 million) against Grindr. Grindr has since appealed the ruling to the Court of Appeal (Lagmannsretten).
Organisation of authorities and course of fine proceedings in Norway
How is the data protection authority organised in Norway? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?
- The Norwegian Data Protection Authority (Datatilsynet) is a public authority. It is an independent body set up to protect the individual right to privacy.
- Datatilsynet is responsible for the enforcement of the GDPR, the Norwegian Personal Data Act and privacy regulation in the context of employment, in respect of both private and public entities across Norway.
- Datatilsynet is financed by the Norwegian government and is administratively subordinate to the Ministry of Local Government and Regional Development.
- Its annual budget is NOK 85 million (approx. EUR 7.5 million) and it has approx. 70 employees.
How does a fine procedure work in Norway? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?
- Fines can be directly imposed by Datatilsynet as part of administrative proceedings.
- Administrative proceedings are governed by the Norwegian Public Administration Act.
- Proceedings usually start with a formal notification to the respective entity on the opening of a fining procedure.
- The respective entity has the option to provide its views on factual and legal aspects of the case, before the authority issues the fining decision.
- Companies can appeal against fines to the Privacy Appeals Board or competent courts.
When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?
Fines are transferred to the state treasury.
Is there a common, official calculation methodology for fines in Norway (such as the fining models in the Netherlands or Germany)?
Datatilsynet uses the methodology in Guidelines 04/2022 on the calculation of administrative fines under the GDPR, which the European Data Protection Board (“EDPB”) has adopted to harmonise the methodology that supervisory authorities use when calculating the amount of a fine.
Can public authorities be fined in Norway? If they can: Where does this money go?
Yes. The fines are transferred to the state treasury.
In Norway, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?
There is no comprehensive publication of fines. Datatilsynet is not obliged to publish each fine. However, individuals are usually entitled to access the decisions after requesting them. Datatilsynet has also published a list of its most significant decisions, which can be found here.
Fines are published in press releases and activity reports. Usually, the company is not anonymised, but this will depend upon the circumstances.
If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2024?
Datatilsynet has not yet released the annual statistics for 2024. According to their latest report, they issued 7 fines over the course of 2023. We expect that the numbers for 2024 will align closely with these.
Other legal consequences of non-compliance in Norway
Does Norway have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?
Pursuant to the Norwegian Dispute Act, it is possible for several data subjects to join forces and take legal action together against the data controller (or data processor). A class action can only be brought if several persons have claims or obligations for which the factual or legal basis is identical or is substantially similar. Further conditions are as follows: it must be possible for the claims to be heard by a court with the same composition and, in the main, according to the same procedural rules; further, a class action procedure must be the most appropriate method for the hearing of the claims. Another prerequisite is that it must be possible to nominate a class representative.
A class action requires court approval. When receiving a submission, the court will decide, as soon as possible, whether to approve or reject the class action. The court will normally decide this by way of a written procedure, there being no oral hearings. However, the parties are allowed to make written submissions prior to the court’s ruling. If the class action is approved, the court will describe the scope of the claims which may be included in the class action. Moreover, the court will decide whether the class action will proceed as an “opt-in” or “opt-out” class action.
What is more relevant in Norway: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?
Fines issued by data protection authorities are much more relevant than private litigation over data protection infringements, which is relatively rare. This is most likely due to high litigation costs, paired with relatively low claims for damages.
We have not seen a large rise in the number of proceedings due to the GDPR, but more court cases seem to involve questions about damages.