NORWAY Law and Practice Contributed by: Kari Gimmingsrud, Stian Hultin Oddbjørnsen and Andreas Bernt, Haavind
baseline for cybersecurity requirements for IoT consumer products and providing a basis for future IoT certification schemes. The standard has received public support from the Norwegian Communications Authority, which is the execu - tive supervisory and administrative authority for services within the postal and electronic com - munication sector in Norway. Connectivity Services Providers of connectivity services for IoT devices will have to comply with Norwegian requirements for the provision of connectivity services, includ - ing the Electronic Communications Act (see 6. Telecommunications for further guidance). Contracts When IoT technology is applied for non-personal data, contract regulation will remain key. Howev - er, the area is severely under-regulated in a large volume of legacy contracts in Norway, which may fuel renegotiation or disputes in the future. 4.2 Compliance and Governance Companies deploying IoT solutions may face dif - ferent compliance challenges depending on the type of data to be processed in the IoT solutions and the sector in which the companies operate. Typically, compliance challenges may relate to: • mandatory security requirements in the digital sphere which also apply to (use of) IoT devices; and • limitations or procedural requirements to allowed use of data which also apply to (use of) IoT devices – eg, under data protection legislation. For more information on both topics, see 4.1 Machine-to-Machine Communications, Com- munications Secrecy and Data Protection .
Even if not directly subject to security require - ments applicable to (the processing of data in and use of) IoT devices themselves, companies deploying IoT devices are advised to ensure the implementation of appropriate security meas - ures to protect against incidents. 4.3 Data Sharing Once/if implemented in Norway, the Data Act will include data sharing obligations targeted at IoT companies and providers of services related to connected products. Data sharing requirements in regulation not specifically targeted at IoT com - panies may also apply. EU Data Act Under the Data Act, data holders, which may be IoT companies, will be under an obligation to share data with users of connected products or such third parties that the users request. In addition, connected products and related ser - vices shall be designed in such a manner that data is available by default, easily, securely, free of charge, in a comprehensive, structured, com - monly used and machine-readable format, and, where relevant and technically feasible, directly accessible to the user. Data holders will also, under certain circumstances, be obliged to share data with public authorities upon request – eg, when necessary to respond to a public emergency. Micro and small enterprises will be exempted from many of the requirements. GDPR In relation to personal data, IoT companies should note the rights of data subjects under the GDPR, which include the right to receive access to personal data concerning the subject from data controllers and information on the purposes of processing. All controllers are subject to the
348 CHAMBERS.COM
Powered by FlippingBook