
Data & Privacy · Norway

Data protection & privacy laws in Norway (2026)

Comprehensive law: Personal Data Act 2018 (personopplysningsloven), which incorporates the EU GDPR into Norwegian law via the EEA Agreement; supervised by Datatilsynet (the Norwegian Data Protection Authority).

Country index 70 · B


Norway has a comprehensive, GDPR-based personal-data protection regime. As an EEA member, it incorporated the EU GDPR into national law through the Personal Data Act (personopplysningsloven), which entered into force on 20 July 2018 and adds Norwegian-specific adaptations. The independent supervisory authority is Datatilsynet, with appeals heard by the Privacy Appeals Board (Personvernnemnda) and ultimately the courts.

Key points

Comprehensive GDPR-based law

The Personal Data Act (personopplysningsloven) makes the GDPR Norwegian law and supplements it with national rules under the GDPR's 'opening clauses'. It took effect on 20 July 2018, the date the GDPR became applicable in Norway via the EEA Agreement.

Supervisory authority

Datatilsynet (the Norwegian Data Protection Authority), headquartered in Oslo and originally established in 1980, is the independent supervisor; it acts free of government instruction in individual cases.

Enforcement powers and fines

Datatilsynet exercises the full Article 58 GDPR investigative and corrective powers, including audits, processing bans, reprimands and administrative fines of up to EUR 20 million or 4% of global annual turnover.

Appeals structure

Decisions of Datatilsynet can be appealed to the Privacy Appeals Board (Personvernnemnda), a seven-member collegial body; its rulings are final administratively but can be challenged in court.

Active enforcement record

Datatilsynet is among Europe's more active enforcers; in 2025 the Court of Appeal upheld its large fine against Grindr, and it issued a NOK 4 million fine against Telenor (March 2025) over DPO/organisational obligations.

Data-subject rights and obligations

Standard GDPR rights (access, rectification, erasure, portability, objection) and controller/processor duties (lawful basis, transparency, security, breach notification, DPIAs, DPOs) apply, with some sector adaptations in national law.

Timeline - major decisions & events

Oct 21, 2025 · decision · official
Borgarting Court of Appeal upholds NOK 65M Grindr fine

Norway's second-highest court confirmed Datatilsynet's record fine against Grindr LLC for sharing users' location, device IDs, and app-use data (inferring sexual orientation and HIV status) with ad-tech partners without valid GDPR consent. The ruling cements the principle that sharing identifiers tied to a sensitive-category app constitutes disclosure of special-category data under GDPR Art. 9.

Source: Datatilsynet

Jun 30, 2025 · guidance · official
Norway opens consultation on national AI Act implementation law

The Ministry of Digitalisation and Public Governance published a draft Act to incorporate the EU AI Regulation (2024/1689) into Norwegian law via the EEA Agreement, proposing a multi-agency supervisory model with Datatilsynet as market surveillance authority for law-enforcement AI uses. Enactment is targeted for mid-2026, in line with the EU's own timeline.

Source: Norwegian Ministry of Digitalisation and Public Governance

Mar 10, 2025 · enforcement · official
Datatilsynet fines Telenor ASA NOK 4M for DPO independence failures

Norway's DPA issued a NOK 4 million fine against the country's largest telecom for failing to ensure the Data Protection Officer's independence and a direct reporting line to top management, violating GDPR Arts. 37–39 and 24. The case was handled via the GDPR cooperation mechanism together with the Swedish and Danish DPAs.

Source: Datatilsynet

Mar 1, 2024 · enforcement · official
Datatilsynet imposes NOK 20M infringement penalty and corrective orders on NAV

The Norwegian Labour and Welfare Administration was fined NOK 20 million and issued multiple binding remediation orders for systemic IT security failures and inadequate data protection governance affecting millions of welfare recipients. The decision signalled Datatilsynet's willingness to use escalating sanctions against public bodies that fail to remediate.

Source: Datatilsynet

Nov 10, 2023 · decision · official
EDPB binding decision makes Meta behavioral advertising ban permanent across entire EEA

Following Norway's Art. 66(2) referral, the European Data Protection Board issued an urgent binding decision instructing the Irish DPA to permanently ban Meta from relying on contract or legitimate interest as legal bases for behavioral advertising across all EEA states. This was the first successful use of the GDPR's cross-border emergency escalation mechanism, triggered and led by Norway.

Source: European Data Protection Board

Sep 27, 2023 · decision · official
Privacy Appeals Board confirms record NOK 65M Grindr fine on appeal

The Norwegian Personal Data Processing Appeals Board (Personvernnemnda) upheld Datatilsynet's 2021 fine in full, rejecting Grindr's arguments on legal basis and proportionality. The confirmed fine remained the largest GDPR penalty issued by any Nordic supervisory authority.

Source: Datatilsynet

Jul 14, 2023 · enforcement · official
Datatilsynet invokes GDPR Art. 66 emergency powers to ban Meta behavioral advertising in Norway

Norway's DPA imposed a three-month temporary ban on Meta Ireland processing Norwegian users' data for behavioral advertising under contract or legitimate interest legal bases—the first Nordic use of the GDPR's emergency unilateral powers. Norway then referred the matter to the EDPB in September 2023, leading to the EEA-wide permanent ban.

Source: Datatilsynet

Dec 15, 2021 · enforcement · official
Datatilsynet issues record NOK 65M (approx. €6.5M) GDPR fine against Grindr LLC

Norway's DPA fined Grindr for sharing users' precise location, device identifiers, and app-use data with advertising partners without valid consent from July 2018 to April 2020; the disclosure was deemed to reveal sexual orientation under GDPR Art. 9. At the time, it was the largest fine per capita issued by any European DPA.

Source: Datatilsynet

Jul 20, 2018 · law · official
GDPR incorporated into EEA Agreement; Norwegian Personal Data Act 2018 enters into force

The GDPR was formally incorporated into the EEA Agreement (Annex XI) and Norway's supplementing Personal Data Act 2018 (LOV-2018-06-15-38) took effect simultaneously, binding Norway to GDPR obligations identical to EU Member States. The Act sets the consent age for children at 13 and adds national rules on employment data, research, and national ID numbers.

Source: Lovdata – Norwegian Official Legislation Portal

May 1, 2014 · law · official
Right to privacy enshrined in Norwegian Constitution §102

A Storting constitutional amendment added §102, explicitly guaranteeing every person the right to respect for private and family life, home, and communications. This elevated data privacy to a fundamental constitutional right, providing a domestic constitutional foundation that reinforces and co-exists with the GDPR framework adopted four years later.

Source: Lovdata – Norwegian Constitution

Apr 14, 2000 · law · official
Personal Data Act 2000 enacted, replacing 1978 Act and implementing EU Directive 95/46/EC

Norway enacted a comprehensive new Personal Data Act (Lov-2000-04-14-31) transposing the EU's first harmonised data protection directive, replacing the 1978 Personal Data Registers Act. The Act introduced formal data subject rights, controller obligations, and expanded Datatilsynet's investigative and sanctioning powers.

Source: Lovdata – Norwegian Official Legislation Portal

Jun 9, 1978 · law · official
Personal Data Registers Act enacted; Datatilsynet established as independent DPA

Norway enacted Lov-1978-06-09-48 (Personregisterloven), one of the world's first national data protection statutes, and established Datatilsynet (the Data Inspectorate) as an independent supervisory authority commencing operations in 1980. This placed Norway at the global vanguard of privacy regulation and created the institutional architecture that underpins today's GDPR enforcement.

Source: Datatilsynet


Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.