Who is affected

The Data Sharing Act primarily applies to public sector bodies and certain entities exercising public authority, including legal entities subject to the Norwegian Freedom of Information Act. The act also apply to providers of data intermediation services, which are platforms or entities that facilitate the sharing of data between data holders and data users.

It also affects businesses, researchers, start-ups, SMEs, civil society organizations and other re-users that may seek access to protected public sector data under the framework.

The Act’s main open data regime applies to data that can be made generally available, while the incorporated Data Governance Act applies specifically to “protected data”. Protected data includes data protected by confidentiality, third-party intellectual property rights and data protection laws.

Why act now?

Public bodies should start preparing for new requirements on making available metadata, formats, dynamic data, research data, and high-value datasets. The ability to charge for certain data sharing is restricted.

Entities providing (or intends to provide) data intermediation services must be able to demonstrate compliance with new requirements to neutrality, fair access, non-discrimination, and security, in addition to notification and a new supervisory regime.

The Norwegian government is required to implement rules allowing for sanctions against organizations that fail to comply with rules regarding transfer of non-personal data to third countries, and failure to notify and comply with obligations as data intermediation service providers. However, such administrative sanctions was not included in the legislative proposal and will be set through administrative regulation at a later point.

Key obligations

Open data framework

Data must be made available in all existing formats and language versions and together with related metadata. Where possible and appropriate, availability must be in a digital format that is open, machine-readable, findable, accessible and reusable, and in accordance with established open standards. Data and metadata for data made generally available must be registered in a national data catalogue.

Dynamic data are digital data that are updated often or in real time in order to remain current. When dynamic data are made available for re-use, they must generally be made available immediately after collection or production through a suitable digital interface that provides continuous access and, where relevant, by bulk download (with some exceptions where immediate availability would create a disproportionate workload).

Conditions for re-use of generally available data may only be imposed where they are included in an open standard license and are objective, non-discriminatory, proportionate and in the public interest.

Publicly funded digital data collected or produced as part of scientific research, excluding scientific publications, must be capable of re-use where they have been made openly available through an institutional or subject-based data repository by researchers.

Re-use should be free of charge, and payment may only be required where there is a basis in law or regulation. Where payment is permitted, charges are generally limited to costs incurred for reproduction, delivery and dissemination of data, anonymization of personal data, and measures to protect commercially confidential information.

High-value datasets (as defined by a separate EU implementing regulation, (EU) 2023/138) must be made generally available free of charge, including certain geospatial, earth and environmental, meteorological, mobility and company/company ownership datasets.

Protected data framework and data intermediation

Where protected data is made available for re-use, public bodies may impose safeguards such as anonymization, aggregation, secure remote access, secure processing environments, and restrictions on re-identification, including obligations to report security breaches that may lead to re-identification.

The act does not in itself require public bodies to allow re-use of protected data and does not create a new legal basis for processing personal data. Processing of personal data still requires a legal basis under the Norwegian privacy framework.

Providers of data intermediation services

Providers of data intermediation services must notify the competent authority before offering such services. Providers that are not established in the EU but offer data intermediation services in the EU must appoint a legal representative in a Member State where the services are offered.

Data intermediation providers must comply with requirements on neutrality, separation from other activities, fair and non-discriminatory access, and implement technical and organizational measures to protect data they intermediate.

Recommended actions

1. Public bodies in scope of the act should map the data they manage and identify which data can be made generally available, which data are protected, and which data that shall be excluded from sharing and re-use.
2. High-value datasets should be identified, and measures implemented to and prepare for free availability, machine-readable formats, API access, or bulk download where relevant.
3. Holders of dynamic data should assess whether suitable digital interfaces, API-equivalent functionality or bulk download arrangements are needed when such data are made available for re-use.
4. Data license agreements should be reviewed and standardized in order to comply with updated requirements.
5. Providers of data intermediation services should assess whether they are in scope and ensure notification to competent authorities, and documentation of compliance with mandatory technical and security-related requirements.

How can we assist

• Assessing whether an organization is covered by the act and whether its data fall under the open data regime, the protected data regime or the research data rule.
• Establishing or reviewing re-use terms, standard licences, and payment models in light of the new requirements.
• Supporting providers of data intermediation services with scope assessments, notification readiness and documenting compliance with technical and governance requirements.

---

Contact us