Norway’s Data Protection Authority (DPA) announced that it will require companies to notify individuals whose personal data is disclosed without authorization. Norwegian law currently requires only that a data controller notify the DPA when personal information has been disclosed to unauthorized persons. It also requires that data controllers inform data subjects at the time data is collected whether the data will be disclosed, and to whom. But there is no specific requirement to notify data subjects if their data is disclosed without authorization. Nevertheless, the DPA decided, based on decisions by a Norwegian court, that “unwritten privacy principles” require that data subjects be so informed. The DPA will therefore order companies to make such notifications after the DPA has received notice. The DPA’s announcement encourages companies to consider voluntarily providing notification to affected data subjects, even before they receive an order from the DPA requiring them to do so.