Peak PrivacyPEAK PRIVACY
Back to blog

Privacy Enforcement in Norway

While Brussels debates the Digital Omnibus, a conversation with Norway's Datatilsynet reveals the practical realities of privacy enforcement, both what's working and what remains difficult

V
Vibeke Specht
Privacy Enforcement in Norway

LESSONS FROM THE FRONTLINE

JANUARY 2026 — As the European Commission's Digital Omnibus proposal moves through its feedback phase, privacy advocates like NOYB warn that proposed changes to core GDPR definitions will mainly benefit Big Tech — not the small businesses the package claims to help. But beyond the lawmaking gymnastics of the EU, enforcement authorities across Europe face a more, perhaps, eternal question: how do you actually enforce privacy law in practice?

I spoke with Tobias Judin, Head of International at Norway's Data Protection Authority, Datatilsynet, about their recent experience, from taking on Meta to implementing new enforcement powers under ekomloven. What he described wasn't a success story or a failure story. It was something more useful: an honest account of what enforcement looks like on the ground.

Substance vs. Procedure

The Meta Case

In July 2023, Norway imposed a temporary ban on Meta's behavioral advertising on Facebook and Instagram, threatening daily fines of one million Norwegian kronor for non-compliance. It was a bold move, the first by a European authority after Ireland's Data Protection Commission ruled Meta's practices violated GDPR but took no enforcement action.

Oslo District Court sided with Datatilsynet, and the daily fines started accumulating. Then in June 2024, Norway's Privacy Appeals Board overturned the fine. Not because Meta had done nothing wrong, but because of a technicality in how the law was written.

Norway's law said Datatilsynet could issue daily fines for GDPR violations. But it didn't explicitly say "including cross-border cases where the company is based in another country." Since Meta is headquartered in Ireland, not Norway, the board ruled Datatilsynet didn't have authority to impose the fine.

"Normally the law or the preparatory works wouldn't necessarily mention each and every type of case," Judin explains. "They would just say if you violate the law you can issue those kind of fines. Many were surprised by the decision."

In other words: everyone expected that "you can fine GDPR violations" meant all GDPR violations, not just domestic ones. But the appeals board read it literally - if cross-border cases weren't specifically mentioned, they weren't covered.

Norway had to reimburse Meta 85 million kroner. But the substance of the decision stood: Meta is still banned from using legitimate interest for behavioral advertising in Norway. And within a week, the Ministry of Justice announced they would revise the law, which could potentially close the loophole.

"So, we hope to get more and more tools for the next cases," Judin notes.

It's a revealing example: even when enforcement works on merit, procedural gaps can derail it. The response matters, fix the law and move forward.

Ekomloven

Closing a 15-Year-Old Loophole 

Norway's bigger structural change came at the end of 2024 with ekomloven, the new electronic communications law. To understand why it matters, you need to understand the loophole it closed.

Back in 2009, the EU updated its ePrivacy Directive to require active consent for cookies and tracking. But Norway isn't in the EU,  it's in the EEA (European Economic Area), which means EU laws have to be formally incorporated into the EEA agreement before Norway must implement them.

That 2009 consent requirement? It was never incorporated. For complicated political reasons having nothing to do with cookies, it's been stuck in EEA bureaucracy for 15 years.

"Norway's international obligation is kind of limited to the original ePrivacy directive from 2002," Judin explains. This created a gap: controllers could argue that if your browser allowed cookies, that counted as consent under Norwegian law.

"What the controllers would often say is that their tracking is also covered by ekomloven, because there is a gaining of access or storage of cookies. And they would say: well that is lex specialis. And you do not need a consent for that, because the browser allowed cookies."

This made enforcement nearly impossible. Datatilsynet had to prove there was "subsequent processing" beyond what ekomloven covered. With third-party cookies involving controllers in different countries, it got even messier.

"So we have had a few cases where this has been quite complicated. The reason we got this change is to avoid that, so we can enforce effectively."

So, Norway chose to close the gap voluntarily. Ekomloven now explicitly requires active consent for tracking, implementing what the EU required in 2009 even though Norway technically wasn't obligated to.

It also unifies enforcement: instead of splitting responsibility between different authorities (like Sweden and Denmark do), Datatilsynet now handles both privacy and tracking for most cases.

Before the changes to ekomloven, Datatilsynet conducted a 2023 website inspection but mainly issued reprimands. They publicly stated they were "going soft" this first round.

"But the reason we did that inspection is that we hope to do similar inspections in the future, and now when we have some precedent - this is serious, this is not okay - then we can go even harder at controllers during the next round."

When I ask if they intend to use these new rules to crack down on practices, his answer is immediate:

"Yes, we do."

His assessment?

"We are super happy to see this change. We feel invigorated."

The Technical Reality

But Judin is also candid about the limits. Even with good laws, understanding what apps and websites actually do remains challenging.

"We do use tools, open source tools etcetera," he explains. "And there are more and more tools being rolled out. But at the end of the day, the technical part is opaque so we still need to interpret the results."

They use the EDPB tool to find trackers and cookies, Meta's pixel helper to detect Facebook integration. Then their technical unit interprets: "Just because you have a website with trackers, you still need to kind of assess: okay, what are the trackers really doing? Where is the data going and what is it being used for?"

Not all data protection authorities have technical capacity. "Maybe they have one or two people with technical know-how, which makes it difficult to enforce for sure."

This is the unsexy reality of privacy enforcement: it requires technical expertise to interpret tools, legal expertise to apply rules, and organizational capacity to do both at scale. Norway has been building that capacity, but it's an ongoing process, not a solved problem.

What Does "Necessary" Really Mean?

The Next Battle

Ekomloven's arrival has already surfaced a new fight, and it reveals how even clear laws face constant pressure from industry.

Under the new law, companies need user consent for tracking and cookies, with one major exception: things that are "strictly necessary" to provide the service the user asked for. If you can't deliver a website without a particular cookie, you don't need consent for it.

So what then, constitutes as "necessary"?

Some media companies state: personalization. They're lobbying that personalizing news feeds is "strictly necessary" to provide modern news services, arguing because users expect it.

"And then it becomes, you don't really need to have those cookies just to provide a news website. You need to have them to provide personalization," Judin notes.

It's a clever argument. News websites worked fine before personalization existed. But if personalization is what users now expect, does that make it "necessary"?

"The media is saying yes. And we, well, we have some questions, let's just put it at that."

Here's where it gets complicated. Under ekomloven, the national telecoms authority (Nkom) is supposed to decide what's technically necessary, while Datatilsynet assesses whether consent was properly obtained. It's a logical split in theory, technical questions go to technical experts, consent questions go to privacy experts.

But Nkom hasn't weighed in yet.

Meanwhile, Datatilsynet has "had a lot of conversations" with media companies, not just about privacy but about broader concerns - confirmation bias, filter bubbles, how algorithmic recommendations shape what people see.

Media companies push back on those concerns. They argue that it is not a way to provide one side of the debate. It is to assess if the reader is interested in sports, for example. If not, then there will be less sports news, not none at all.

Judin's response is diplomatic but pointed:

"It could very well be that it’s not as bad as the algorithmic recommending system on social media. But still generally: why not ask the users instead of tracking them, for example through preference management solutions.”

In other words, even if personalization in a journalistic context isn't as problematic as social media algorithms, why not simply let users choose whether they want it?

It's a small example of a larger pattern. Even after closing loopholes and unifying enforcement, authorities face constant pressure to carve out exceptions, to redefine "necessary" to include "nice to have," to avoid asking for consent by claiming the service can't work without tracking.

The law is clear. How it gets interpreted in practice? That's still being fought over.

The Devil is in the Details

Norway's experience doesn't show that enforcement is easy. It shows something more useful: that closing procedural gaps matters, that unified authority helps, and that understanding what you're actually regulating requires technical capacity most authorities don't have.

It also shows the pressure never stops. Even with ekomloven in effect, media companies lobby to expand what counts as "necessary." Even after winning the Meta case on merit, procedural technicalities can wipe out fines. Even with tools to detect trackers, someone still has to interpret what they mean.

While Brussels debates redefining personal data and creating AI training exceptions, Norway is doing the unglamorous work of actually enforcing existing rules. Not perfectly. Not easily. But persistently.

As Judin says about the Meta case: "We hope to get more and more tools for the next cases."

That might be the most honest summary of privacy or data protection enforcement you'll hear.

It's not a victory lap. It's showing up for the next round.

Also read: Why is France scaling their app enforcement?