Implementing the GDPR in Norway

The General Data Protection Regulation (GDPR) starts to apply within the European Union (EU) from 25th May 2018. Since the GDPR is an EU regulation, it will have direct applicability and direct effect in all EU member states as from that date. Norway, however, is not an EU member state but a member of the European Economic Area (EEA) and a different procedure therefore applies before the GDPR can become part of Norwegian law.

Once the GDPR has been deemed, like the Data Protection Directive before it, to be an EEA-relevant EU legal act, it must be first incorporated into the EEA-Agreement before it can be implemented into national law in Norway. That process of incorporation commenced last year, the GDPR is currently under scrutiny by the EEA and a draft joint committee decision is awaited. The process of implementing the GDPR in Norwegian law is led by the Ministry of Justice and Public Security in collaboration with the Ministry of Local Government and Modernisation. An interdepartmental working group was set up and consists of government departments concerned and the Data Protection Authority.

As the legal form of the GDPR is that of an EU regulation, the Ministry of Justice and Public Security has proposed that it should be incorporated into Norwegian law via a reference clause (c.f. EØS-notat, 24 March 2017). In effect, this means that a clause in the main text of the law will incorporate the GDPR into Norwegian law, with the GDPR text being then reproduced as an appendix to such law.

Certain articles in the GDPR cross-refer to national law and/or provide EU/EEA states a margin of manoeuvre to introduce more specific national rules. An example is article 9(4) which allows EU/EEA states to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. Another example is article 88 which opens for the introduction, via national law or collective agreements, of more specific rules regarding the processing of personal data in the context of employment. This means that, with regards to these specific areas, Norway, like all other EU/EEA countries, must assess whether and to what extent it wants to maintain or introduce more specific rules. Norway, in fact, already has some sector-specific data protection rules. The Personal Data Act and its regulations have 'inter alia' specific rules which limit an employer's access to its employees' e-mail and other electronic workspaces, rules on video surveillance, and rules on the processing of personal data by credit information services. In the health sector, Norway has a number of statutes which have data protection implications such as the Personal Health Data Filing System Act (helseregisterloven) and the Health Research Act (helseforskningsloven).

It remains to be seen whether these current sector-specific rules will be retained and if so, how and to what extent. A consultation paper on this matter is expected during summer 2017. What is sure is that Norway, like the other EU and EEA states, must secure a "consistent and homogenous application" of the GDPR so that the rules on the processing of personal data are equivalent in all the EU and EEA states (c.f. recital 10). After all, the underlying scope of the GDPR – a full harmonization regulation – is to prevent fragmentation in the implementation of data protection across the EU and EEA, to remove legal uncertainty and to ensure the free flow of personal data throughout the EU and EEA.