On 30–31 May 2024, the The Nordic Data Protection Authorities (DPAs) met in Oslo for their annual Nordic Meeting. The purpose of the meeting is to discuss current data protection issues and exchange best practices. During the meeting the DPAs signed a common declaration addressing current data protection issues.
The Nordic Meetings have been organised since 1988, and all the Nordic Data Protection Authorities (Denmark, the Faroe Islands, Finland, Iceland, Norway, Sweden and Åland) participated.
- The Nordic DPAs share the same values and face the same challenges. We will continue and strengthen our cooperation moving forward, said Director General Line Coll.
During the meeting, the Nordic DPAs adopted joint principles on children and online gaming. The principles will be published shortly.
In relation to the EU’s digital package, the DPAs highlighted the importance of avoiding unwanted fragmentation of supervision. If provided with the resources to do so, DPAs can provide practical guidance on the interplay between the GDPR and the new legislation, in order to help innovation.
The DPAs also discussed AI in particular. While the AI Act will address certain aspects of AI, the GDPR will continue to apply. Most development, training and use of AI will entail processing of personal data. Therefore, it is necessary to apply both sets of rules. The DPAs have a number of roles to play in relation to AI and need sufficient resources to carry out their tasks and to help avoid legal uncertainty.
The DPAs furthermore highlighted the need to review whether current national legislation provides for and supports responsible AI, in particular to ensure a legal basis for processing personal data in the context of AI.
Additionally, the DPAs discussed the importance of the general Nordic approach wherein DPAs can issue fines against public sector bodies. The DPAs note with regret that the Finnish, Åland and Faroese DPAs do not have the same powers as is as is the general Nordic practice and endorse suggestions that these DPAs’ powers be expanded in this regard.
Finally, the DPAs reaffirmed their focus on efficiency and a risk-based approach to their designated tasks. The DPAs’ resource situation continues to affect their ability to respond to violations of individuals’ fundamental right to data protection in a timely and effective manner. This especially applies to the situation in Åland.