Norway Datatilsynet News

Norwegian Schools Survey on Privacy in Free Apps Used by Children

Datatilsynet (Norway's data protection authority) surveyed 38 free online services used by children in Norwegian schools as part of the Global Privacy Enforcement Network (GPEN) coordinated initiative, conducted in November 2025. Key findings include: 28 services collected personal data and 14 shared it with third parties for marketing; only 12 of 20 services claiming age limits had actual age-verification functions, and 10 of those were bypassable; and 3 services involved data processing assessed as high risk for children. Datatilsynet is not conducting supervisory action but is publishing recommendations for municipalities and schools to apply when approving digital tools for classroom use.

Norway DPA Responds to Health Crisis Legislation Proposals, Flags Privacy Gaps

Datatilsynet (Norway's Data Protection Authority) has submitted formal consultation responses to two proposed laws from the Ministry of Health and Care Services: the proposed Health Preparedness Act (helseberedskapsloven) and the proposed Infection Control Act (smittevernloven). The DPA finds that privacy impact assessments in both proposals are insufficient, raising concerns about extensive personal data collection without consent, extended registry use, and prolonged data retention periods. The authority cites its experience with the Smittestopp coronavirus app, where it had to issue a temporary prohibition due to inadequate documentation of necessity and violations of data minimisation principles.

Norway Proposes New Rules for Financial Data Sharing

Finansdepartementet submitted Proposition 39 L (2025-2026) to Stortinget on March 20, 2026, proposing expanded data sharing among financial institutions for economic crime prevention. Datatilsynet's consultation feedback was largely incorporated, including strengthened purpose limitation requirements, safeguards for sensitive personal data with a maximum five-year retention period, and explicit legal basis for processing special categories under GDPR Articles 9 and 10.