NORWAY Law and Practice Contributed by: Kari Gimmingsrud, Stian Hultin Oddbjørnsen and Andreas Bernt, Haavind
to comply with strict requirements in the Act. The business must carry out risk assessments and assess whether the use of cloud and edge com - puting services is safe, considering the specific information that is to be safeguarded. A proac - tive dialogue with the security authorities should also be considered. It should further be noted that the application of the restrictions may change based on the geo - political climate. The outbreak of war in Ukraine and the related energy crisis, with attacks on the energy infrastructure in Europe, illustrate the risk and are particularly relevant as Europe’s reliance on the Norwegian energy sector has increased. Archiving in the Public Sector The Archive Act applies to the public sector in Norway. It does not explicitly govern the use of cloud or edge computing but prohibits public entities from transferring or transporting archive material out of Norway. However, it must be noted that EU Regulation 2018/1807 on the free flow of non-personal data (the FFD Regulation) is incorporated into the EEA Agreement, so Nor - wegian authorities may have to revoke the prohi - bition. A new Archive Act is also in process and is expected to be proposed to the Norwegian Parliament in 2025. For software suppliers to the Norwegian public administration, it is worth noting that the current Archive Act also mandates the use of open for - mats and requires public entities to carry out risk assessments of the storage systems to be used and examine whether these fulfil their archiving obligations. The Health Sector Entities providing, managing or assuring quality healthcare services are subject to the Norwegian Patient Journal Act and other sector-specific
legislation, which impose strict requirements governing information security, including the use of cloud service providers. The Act also imposes functional requirements regarding the documen - tation of healthcare, right of access, access con - trol and the deletion of data. In addition, most healthcare providers in Norway are bound by the sector-specific standard “Normen” (The Code of Conduct for information security and data pro - tection in the health sector), which is a compi - lation of information security requirements that in some cases are stricter than requirements in law. The documents are available at www.helse - direktoratet.no. New EU Acts New EU acts covering cloud and edge comput - ing that are deemed relevant for the EEA are likely to also be implemented in Norway. 3. Artificial Intelligence 3.1 Liability, Data Protection, IP and Fundamental Rights Norway does not yet have any general legisla - tion governing artificial intelligence, but the EU AI Act is expected to be implemented in Norway more or less “as is” when included in the EEA Agreement. Specific regulations governing the processing of personal data, IPR and discrimination in relation to fundamental rights are examples of relevant regulations that will apply to the use of artificial intelligence. EU positions on civil liability – adapting liability rules to the digital age – are also likely to have an impact on Norway via the EEA Agreement.
345 CHAMBERS.COM
Powered by FlippingBook