On 11 April the Norwegian data protection authority (the "Datatilsynet") issued a press release which strongly recommended notification of data breaches to affected individuals, stating that where companies don't do this, the Datatilsynet may order them to do so.

The press release follows a number of decisions of the Norwegian Privacy Appeal Board and is a reinforcement of the modern principle of transparency. Factors that may be taken into account in the Datatilsynet's decision whether to order notification include; the likelihood of misuse of the affected information and the economic impact on the company.

Organisations operating in Norway should ensure that is has the processes and resources in place to deal with notifications to data subjects on any data breach in Norway.

The Datatilsynet's press release can be accessed here (Norwegian).