The Norwegian data protection authority ('Datatilsynet') announced on Twitter, on 25 March 2022, that it had published a new and comprehensive guidance on the requirements for Privacy by Design and Default. In particular, the guidance notes that Privacy by Design and Default is a key requirement in the Law on the Processing of Personal Data (Personal Data Act) of 15 June 2018 and means that privacy is taken into account in all development phases of a system or solution, and will ensure that the information systems comply with the privacy principles, safeguarding the data subjects' rights.

In addition, the guidance states that it is based on the European Data Protection Board's ('EDPB') Guidelines 4/2019 on Article 25 Data Protection by Design and by Default. Furthermore, the guidance outlines that it focuses on measures to ensure an effective implementation of the privacy principles and the data subjects' rights and freedoms by building the measures into the solutions and services from the outset and elaborates on the elements of Article 25 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') to be taken into account in Privacy by Design and Default. Moreover, the guidance notes that it goes through how each privacy principle can be implemented using key elements and illustrative examples, while also including tips on how various actors can contribute to the development of Privacy by Design and Default.

You can read the Twitter announcement here and the guidance here, both only available in Norwegian.