HOME/All Jurisdictions/NO

NO — Country Profile

Norway

24TOTAL
15OFFICIAL SOURCES
2TOPIC AREAS
Law / Act5
Executive Order1
Other18
06 DEC 2025 · Other

Data Protection Authority guidelines on tracking tools on websites and in apps

On 12 June 2025, the Norwegian Data Protection Authority published guidance on the use of tracking tools such as pixels and cookies on websites and in apps. The guidance advises organisations on complying with data protection regulations when employing these tools, particularly concerning the processing of personal data, including special categories. Organisations should identify the tracking tools used and consider inferences drawn about users, especially regarding sensitive information. For...

✓ OfficialNational Strategydatatilsynet.no ↗
21 OCT 2025 · Other

Data Protection Authority investigation into Grindr for disclosure of sensitive user information to third parties

On 21 October 2025, Norway's Borgarting Court of Appeal upheld a NOK 65 million fine against Grindr LLC for breaching Article 9 of the General Data Protection Regulation, which prohibits the processing of special categories of personal data. The court ruled that sharing an application identity (App ID) with advertisers, which identified users as Grindr dating app users, disclosed special category personal data about sexual orientation. It also stated that consent was invalid because it was bu...

✓ OfficialNational Strategydatatilsynet.no ↗
06 OCT 2025 · Other

Data Protection Authority investigation into six websites over alleged illegal sharing of personal data

On 10 June 2025, the Norwegian Data Protection Authority concluded its investigations into six websites' use of tracking pixels. The investigation found that all six of the websites, offering various services, illegally shared personal data with third parties using tracking pixels. A violation fee of NOK 250'000 was imposed on 116111.no, a public service for vulnerable children, due to the illegal processing of children's data. Reprimands were issued to the other five websites, which included...

✓ OfficialNational Strategydatatilsynet.no ↗
03 OCT 2025 · Other

Data Protection Authority investigation into Telenor over violations of General Data Protection Regulation on data protection officer appointment

On 10 March 2025, the Norwegian Data Protection Authority issued a ruling against Telenor ASA, with an administrative fine of NOK 4,000,000 for violations of the General Data Protection Regulation (GDPR). The ruling highlighted that Telenor ASA failed to comply with Data Protection Officer (DPO) requirements under Articles 37–39 GDPR and organisational obligations under Article 24 GDPR. The ruling requires Telenor ASA to assess whether it is required to appoint a DPO, revise its record of pro...

✓ OfficialNational Strategydatatilsynet.no ↗
01 OCT 2025 · Other

DPA and FSA sandbox project on data sharing to combat financial crime

On 10 January 2025, the Danish Data Protection Authority (DPA) and Financial Supervisory Authority (FSA) closes consultation into the regulatory sandbox to explore the use of data sharing in combating financial crime. The consultation applies to banks and financial institutions engaged in data-sharing solutions to participate in a regulatory sandbox. The institutions will receive guidance on navigating regulations and exploring technical solutions for secure data sharing between private compa...

National Strategydatatilsynet.no ↗
29 SEP 2025 · Law / Act

Act on Artificial Intelligence implementing EU Artificial Intelligence Act (EU Regulation 2024/1684)

On 29 September 2025, the Norwegian Data Protection Authority (Datatilsynet) submitted a consultation statement to the Ministry of Digitalisation and Public Governance on the draft Act on Artificial Intelligence, which implements the European Union’s Artificial Intelligence Regulation (Regulation (EU) 2024/1684) into Norwegian law. The Authority urged full incorporation of the Regulation to ensure legal certainty and equal protection for individuals. It requested clarification of jurisdiction...

National Strategydatatilsynet.no ↗
26 FEB 2025 · Other

Data Protection Authority guidance on cross-border data transfer to United States of America clarifying the adequacy decision with European Union

On 26 February 2025, the Norwegian Data Protection Authority published a guidance on cross-border data transfers to the United States of America (US). The guidance addresses the implementation of existing regulations under the cross-border data transfer framework, highlighting the implications of sending personal data to the US, in light of recent updates concerning the Privacy and Civil Liberties Oversight Board (PCLOB). The guidance highlighted that the framework remains in place, allowing ...

✓ OfficialNational Strategydatatilsynet.no ↗
10 JAN 2025 · Law / Act

Act on Digital Services implementing Regulation (EU) 2022/2065 on a single market for digital services in Norway

On 1 October 2025, the Norwegian Ministry of Digitalisation and Public Administration closes the consultation on a proposed Digital Services Act (DSA) to implement EU Regulation (EU) 2022/2065 into Norwegian law. The Act applies to large digital platforms, including Google, Meta, TikTok, and Amazon, to enhance online safety and consumer protection, especially for children. The Act proposes bans on targeted advertising to minors and the use of sensitive personal data for ads, requires transpar...

Content Moderationregjeringen.no ↗
01 JAN 2025 · Law / Act

Cybersecurity regulation in Electronic Communications Act (Prop. 93 LS)

On 1 January 2025, the Electronic Communications Act, including cybersecurity regulations enters into force. The Act includes security measures for electronic communication networks and services, including the obligation for operators to conduct continuous risk assessments and update their security protocols accordingly. Additionally, the Act requires service providers to notify the Norwegian Data Protection Authority within 72 hours about significant security breaches and users within 24 hou...

✓ OfficialNational Strategystortinget.no ↗
28 OCT 2024 · Other

Data Protection Authority investigation into Disqus for alleged illegal processing of personal information

On 28 October 2024, the Norwegian Data Protection Authority (DPA) issued a reprimand to Disqus for processing personal data without legal grounds under the General Data Protection Regulation (GDPR). The reprimand addresses the company’s collection and sharing of personal data. It was highlighted that the browsing activity of Norwegian users was collected through the comment widget on websites between July 2018 and December 2019, without proper consent or legal justification. Despite Disqus’s ...

National Strategydatatilsynet.no ↗
23 OCT 2024 · Law / Act

Bill amending Personal Data Act to raise age limit for data processing consent

On 23 October 2024, the Norwegian government announced plans to raise the age limit for children’s consent to social media processing of their personal data from 13 to 15 years under the Personal Data Act. The proposal aims to protect children from harmful content, commercial exploitation, and the misuse of personal data. The government will present a consultation paper outlining amendments to the Personal Data Act.

National Strategyregjeringen.no ↗
20 JUN 2024 · Other

Datatilsynet investigation into Meta platforms Instagram and Facebook behavioural advertising practices compliance with GDPR

On 20 June 2024, the Privacy Board concluded that the Norwegian Data Protection Authority (DPA) lacks the authority to impose daily fines on Meta and other international companies for non-compliance with data protection regulations. The daily fines, amounting to NOK 1 million, were issued after Meta failed to adhere to the Norwegian Data Protection Authority (DPA)'s ban on behaviour-based marketing on Facebook and Instagram. Despite the ruling, the ban on behaviour-based advertising remains e...

✓ OfficialNational Strategydatatilsynet.no ↗
18 APR 2024 · Executive Order

Data Protection Authority Accreditation requirements for a GDPR code of conduct monitoring body

On 18 April 2024, the Norwegian Data Protection Authority adopted accreditation requirements for control bodies responsible for monitoring compliance with codes of conduct under the General Data Protection Regulation (GDPR). These requirements, designed to ensure that control bodies operate independently and possess in-depth knowledge of the relevant standards, are based on Article 41(2) GDPR and the European Data Protection Board's guidelines. The criteria cover independence, conflict of int...

✓ OfficialNational Strategydatatilsynet.no ↗
06 APR 2024 · Other

Datatilsynet assessment of Meta's use of users' photos and posts for AI services training and development

On 4 June 2024, the Norwegian Data Protection Authority (Datatilsynet) issued a note following Meta’s announcement that it will use users' photos and posts to train its artificial intelligence (AI) services. Meta, formerly Facebook, plans to use users' photos and posts from Facebook and Instagram to develop and improve its AI services starting 26 June 2024, excluding private messages. Asserting that its interests outweigh users' rights, Meta does not request users' consent for this usage. Wh...

National Strategydatatilsynet.no ↗
22 MAR 2024 · Other

Data Protection Authority strategy on the use of Artificial Intelligence

On 22 March 2024, the Norwegian Data Protection Authority published its Strategy for the Work with Artificial Intelligence (AI). The strategy aims to ensure responsible development and use of AI, taking into account individual rights and societal values. It focuses on coordinating AI-related activities, providing guidance, and building expertise within the organisation. The Strategy is built on two pillars, external and internal. Externally, the strategy aims to actively contribute to respons...

National Strategydatatilsynet.no ↗
07 FEB 2024 · Other

Data Protection Authority investigation into the Rejsekort app regarding personal data collection

On 2 July 2024, the Data Protection Authority (DPA) announced an investigation into the Rejsekort app's data collection practices. Previously, the DPA had asked Rejsekort general questions about their new app and its data collection. After reviewing the responses and considering the case, the DPA decided to proceed with a formal investigation and has requested further explanations from Rejsekort.

National Strategydatatilsynet.dk ↗
10 JAN 2024 · Law / Act

Government review of Personal Data Act considering legal changes following the Meta case

On 1 October 2024, the Norwegian Government closes its public consultation on the review of the Personal Data Act, considering legal changes following the Meta case. The objective is to ensure that the Data Protection Authority has the necessary tools and that the law is up-to-date. Justice and Public Security Minister emphasised the importance of updating the law to protect individual privacy rights. The Personal Data Act, which has been in effect since 20 July 2018, implements the EU's GDPR...

National Strategyregjeringen.no ↗
03 AUG 2023 · Other

Investigation into Argon Medical Devices regarding Cybersecurity Incident and late Reporting

On 8 March 2023, the Norwegian Data Protection Authority (Datatilsynet) concluded its inquiry into Argon Medical Devices, Inc. (Argon) over a cybersecurity incident. On 24 September 2021, Argon notified Datatilsynet of a cybersecurity breach that occurred between 21 May 2021 and 14 June 2021. Datatilsynet found that Argon notified of the incident 62 calendar days after it occured, causing Argon to violate Article 33(1) of the GDPR, which requires incident reporting without undue delay. Theref...

✓ OfficialNational Strategydatatilsynet.no ↗
12 JUL 2023 · Other

Data Protection Authority guidance on rights management

On 7 December 2023, the Norwegian Data Protection Authority adopted a guidance on access rights, emphasising the importance of effective rights management for ensuring information security within organisations. The guidance outlines measures to be followed to safeguard the personal data of employees, customers, and citizens. The concept of rights management encompasses not only controlling access to IT systems and premises but also specifying the actions individual users can perform with thei...

✓ OfficialNational Strategydatatilsynet.dk ↗
14 NOV 2022 · Other

Norwegian Data Protection Authority advice on apps for 2022 World Cup

On 14 November 2022, Norwegian Data Protection Authority Datasilsnyet issued a warning that two compulsory apps that visitors to the 2022 Qatar World Cup must download can potentially be used to monitor visitors' digital activities. Datasilsnyet stated that it did not know what these apps did or what users' data would possibly be used for. Some advice issued included asking visitors to back-up their devices beforehand, avoiding connections to open or unsecure networks, or bringing a phone tha...

✓ OfficialNational Strategydatatilsynet.no ↗
26 SEP 2022 · Other

Datatilsyet report on the status of privacy in Norway

On 26 September 2022, the Norwegian Data Protection Authority (Datatilsynet) published a report on the status of privacy in Norway, which was subsequently submitted to the Government. Investigating the state of privacy protection in the country, the report highlights the general tendency for digitalisation to come at the expense of privacy and the need for a holistic approach to data protection. Datatilsynet made a number of recommendations to this effect, including the establishment of a nat...

✓ OfficialNational Strategydatatilsynet.no ↗
03 APR 2022 · Other

Datatilsynet alert on data transfer risks due to Ukraine conflict

On 4 March 2022, the Norwegian Data Protection Authority Datatilsynet published an alert on data transfer risks due to the Russian invasion of Ukraine. In particular, the export of data to Russia or Ukraine may bring security risks, especially when it occurs in cooperation with data processors operating in Russia and Ukraine. Therefore, Datatilsynet urges all companies transfering personal data from Norway to recipients in Ukraine and Russia to reconsider the legal basis for the data transfer...

✓ OfficialNational Strategydatatilsynet.no ↗
23 JUN 2021 · Other

Inquiry into surveillance-based advertising

The Norwegian Consumer Council (NCC) released a report on surveillance-based advertisement, advocating for the ban of such advertising. According to the report, surveillance-based advertising includes behavioural, personalized, and tailored online marketing, whereby advertisemests are targeted to an individual or group based on certain characteristics. The NCC concludes that a ban of surveillance-based advertisement to reduce potential harmful effects on individuals and urges policymakers in ...

✓ OfficialNational Strategyforbrukerradet.no ↗
09 MAR 2021 · Other

Guidance on Data Transfers under the GDPR

Datatilsynet, the Norwegian data protection authority, has updated its guidance on transfer of personal data outside the EEA in relation to the GDPR following the CJEU's 'Schrems II' decision, which, while not binding on Norway, still has important implications for the interpretation of the GDPR. According to the updated guidance, companies transfering personal data outside the EEA can be subject to additional requirements of due diligence to ensure that data protection in the third country i...

✓ OfficialNational Strategydatatilsynet.no ↗