The Nordic data protection authorities met at their annual meeting on 21-22 May. The Nordic data protection authorities met in Þórshöfn in the Faroe Islands.

The Nordic institutions in Denmark, the Faroe Islands, Finland, Iceland, Norway, Sweden and Åland discussed Nordic co-operation and the main issues in the field of data protection and exchanged information on their work. The Nordic institutions have a long tradition of co-operation in the field of data protection and have been holding meetings since 1988.

The Nordic DPAs discussed a number of issues and special emphasis was placed on increased cooperation between institutions. Special attention was given to the need for consultation between the countries regarding the procedures for handling the large number of complaints. The DPAs discussed the creation of common guidelines, such as in the field of information security, as well as the continued work to define common and objective criteria for assessing security breaches.

The meeting concluded with the signing of the Tórshavn Declaration, the content of which is listed below. You can also find a link to the signed declaration at the bottom of the article.

__________________

Following useful discussions on complaints and common challenges, the Nordic DPAs agreed to further strengthen the co-operation that started at the Nordic Council meeting in Helsinki in 2022. Following this, the Nordic DPAs will work together on how to handle and investigate complaints in a high-quality and effective manner, alongside a wide range of other tasks. Following the changes in Finland, which are intended to extend administrative fines to the public sector, the Nordic DPAs welcome similar developments in the Faroe Islands and Åland.

The Nordic DPAs discussed the possibility of developing specific guidelines for security and technical implementation in the Nordic countries and agreed to continue to examine whether such guidelines could be applied across borders. The Nordic DPAs also discussed the possibility of taking initiatives to work with the relevant authorities to develop common guidelines for existing rules, standards and practices on information security. The Nordic Data Protection Authorities will also continue to work together on common objective criteria for assessing security breaches, with the aim of ensuring a consistent and coherent approach.

It is to be noted that the Nordic countries are at different stages in implementing the digital package from the EU. The Nordic data protection services want to work together in an efficient and effective way in the digital landscape. It is important that the data protection services have clear powers and resources to participate in co-operation, as well as resources to carry out new and existing projects related to the digital package. It is especially important that this is done because many of the agencies are facing challenges when it comes to their current projects and legal challenges.

The Nordic DPAs exchanged information and shared their experiences with legal proceedings, certification and codes of conduct, new technology and sandboxes as well as cloud solutions. The Nordic data protection authorities underlined the importance of ensuring that processing agreements with cloud service providers meet the requirements of the GDPR.

The Nordic Data Protection Authorities agreed to:

• To continue close cooperation in order to strengthen the common vision of child protection

• Exchange knowledge and experience regarding artificial intelligence used for law enforcement purposes, to ensure the legitimate and effective use of personal data. It was agreed to strengthen cooperation in this area as new solutions are constantly developing and being implemented by law enforcement authorities.

• To continue working together to identify and promote best practices and procedures in relation to cross-border case handling and to work on the preparation of the upcoming Regulation on procedural rules.

• Establishing common standards for information security, as the Nordic data protection authorities face similar challenges in cases of computer attacks and related information security issues.

• To share information and experience on certification and codes of conduct, as they are not widely used in the Nordic countries. To look at existing educational material and see if it can be improved further, and to focus on the benefits of certification and codes of conduct.

• To share information on communication media for educational material that meets the requirements of the Data Protection Regulation, as well as to create a consultation forum for employees of the data protection agencies that provide information and communication.