Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Norway: EU court confirms Datatilsynet fee practice on privacy rules violation

On December 6, 2023, the Norwegian data protection authority (Datatilsynet) welcomed two judgments from the EU Court of Justice (CJEU), confirming and clarifying rules for fees and ensuring fair competition conditions for businesses. The CJEU clarified that European data supervision must demonstrate that a company can be blamed for breaking privacy rules before imposing a fee, aligning with Datatilsynet's existing approach.

What are the outcomes of the judgments?

In the first case concerning a Berlin property company, the Deutsche Wohnen case, the CJEU ruled against the use of German rules on fines, finding them incompatible with privacy regulations. Furthermore, the court emphasized the following:

  • a country cannot demand to identify specific persons for fee impositions on the business;
  • a data inspectorate must prove that the company negligently or intentionally violated the rules; and
  • when a business is part of a company (group), the Datatilsynet must calculate the maximum limit for fees based on the total turnover for the group in the previous financial year.

In addition, the second case concerns questions from a court in Lithuania discussing, among other things, when and how fines can be imposed for breaches of the privacy rules.

What are the key takeaways for businesses?

  • Datatilsynet will continue to issue fees only when a business is found negligent or wilful in violating privacy rules;
  • equal enforcement prevents competition distortion between Norwegian and international companies; and
  • businesses need to prioritize effective management systems and compliance with privacy regulations.

You can read the press release, only available in Norwegian, here, the first decision here, and the second decision here, both only available in Danish.