Nordic IPT Law Bulletin - April

Nyhet
02 mai 2023
Category
Nyhetsbrev

In our quarterly Nordic IPT Law bulletin our IPT lawyers across the Nordic region highlight relevant news and trends on the Nordic IPT scene. The bulletin intends to provide high-level knowledge and insight. Want to learn more? Our experts will be happy to hear from you.

IT & Telecom

EU legislation - Sweden/Denmark/Norway/Finland
 

EU clampdown on ChatGPT and General Purpose AI
In the wake of ChatGPT affecting various aspects of everyday life, the European Data Protection Board ("EDPB") has launched a dedicated task force to foster cooperation and to exchange information on possible enforcement actions conducted by the member states' data protection authorities. The initiative by the EDPB may be viewed as a direct response to Italy's data protection authority which decided to block OpenAI's ChatGPT. The action naturally sparked questions on whether EU will take further action in regulating ChatGPT and its competitors.

Simultaneously as data protection authorities become more wary, EU legislators have actively discussed how to tackle so-called general purpose artificial intelligence (such as ChatGPT).
In an open letter with a call to action to the European Commission, and its president Ursula von der Leyen, and United States president Joe Biden, a group of EU parliamentarians urge the EU and the US to hold a summit on AI to find consensus in governing principles for AI in light of ChatGPT. This could be a turning point in AI legislation and may require the already progressing EU Artificial Intelligence Act to be amended or postponed to further account for both the benign and malignant functionalities of AI. Ominous clouds have formed on the horizon which may very well affect the surge in AI research and development as well as major investment into both ChatGPT and its upcoming competitors.
 

Sweden
 

Telecom/ISP forced to block access to websites
In a fresh ruling from the Swedish Patent and Market Court concerning three major telecom operators and internet service providers, the Court ruled that the operators/providers were required to block access to infamous file sharing websites such as The Pirate Bay, Fmovies and Nyafilmer. The Court found that the websites distributed copyrighted material without the copyright holders' approval in violation of the Swedish Copyright Act. The Court held that by not blocking access to said websites, the operators/providers were facilitating the distribution.

The ruling is in line with previous caselaw from 2020, where another major operator/provider was required to block access in the same way, see case PMÖD 2020:1. In those cases, the Swedish Patent and Market Court ruled that the operators/providers must block access to the websites under penalty of a fine of SEK 500 000.
 

Norway
 

Proposed changes to the Intelligence Service Act strengthen judicial review of intelligence service and the press’ source protection
The Intelligence Service Act (LOV-2020-06-19-77) serves an important function in unveiling and countering threats in the digital sphere. The proposed changes, available here, fall in line with international legal developments and include establishing requirements for judicial review of disc mirroring of communication flows in cases where, inter alia, the purpose of the disc mirroring is targeted collection and storage of cross-border electronic communication.

Intellectual Property and media

EU legislation - Sweden/Denmark/Norway/Finland
 

The European Court of Justice ("CJEU") has ruled that the broadcasting of music on passenger transport is a communication to the public, but installing the needed equipment for such broadcasting is not
It follows from Art. 3 (1) of Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society (the "InfoSoc Directive") that authors shall have the exclusive right to authorise or prohibit any communication to the public of their works.

The case originated from claims made by collective management organizations that the broadcasting of music/provision of sounds system on aircrafts and trains constituted acts of communication to the public and that the operators therefore were under the obligation to pay license fees.

The CJEU was asked, inter alia, whether the broadcasting of musical work, as background music, in passenger transport constituted a communication to the public; and whether installing software enabling such communication constitute an communication to the public.

The CJEU responded to the first question, by considering in particular that the musical work would not have been available to the public without the transport operator's action, that the broadcasting of background music constituted acts of communication to the public. On the second question, the CJEU responded that while the use of software to broadcast protected works is considered to trigger Art. 3(1), the mere installation of such are not sufficient to said article.
 

Denmark
 

Transfer pricing: new ruling regarding intellectual assets
Case SKM 2023.135.LSR concerned the valuation of intellectual assets transferred by a Danish subsidiary to a parent company, which is fiscally resident abroad.
During the hearing of the case in the Danish National Tax Tribunal, an expert opinion was issued. The appraisers applied the DCF method (“Discounted cash flow”) and assessed the value of the transferred assets at MDKK 574.

The majority of the Danish National Tax Tribunal found that the appraiser’s assessment should be used as a basis, but with certain adjustments to the future cash flow.

On this basis the Danish National Tax Tribunal corrected the prices of intellectual assets transferred from a Danish subsidiary to a foreign parent company to MDKK 875.

Danish ceramicist claimed MDKK 40 in compensation – was granted MDKK 6.4
Case BS-1370/2016-SHR concerned an alleged imitation of ceramic-products.
The Maritime and Commercial Court as well as the High Court both found that the Danish ceramist’s products were protected as works according to the Danish Copyright Act, and that the intellectual property right to some of the ceramic products had been infringed.

The Maritime and Commercial Court has ruled on the claim regarding compensation and has stated that the proof provided did not show loss of sales exceeding MDKK 4. To this was added an amount of MDKK 2.4 to cover market interference. The Court placed particular emphasis on the differences between the claimants and the defendant’s customer group, sales channels, prices, and qualities, as well as other competition in the market.

Danish ceramist wins in the Supreme Court
The cases BS-50856/2020-HJR og BS-50859/2020-HJR concerned whether a Danish ceramist’s designs were protected against imitations under the Copyright Act and the Danish Marketing Practices Act, and, whether the defendants had infringed the ceramist’s rights by marketing products similar to the ceramist.

The Supreme Court agreed with the High Court that one of the ceramist’s three design was protected under the Copyright Act and that they all enjoyed protection under the Marketing Practices Act. The Supreme Court also stated that the products produced and sold by the defendants were close imitations of the ceramist’s products. The Supreme Court lowered the requirements for proof of the actual loss suffered due to the gross negligence by the defendants and therefore rewarded damages of DKK 1 000 000. The High Court had granted only DKK 300 000.
 

Norway
 

Changes to the Trademark Act further harmonize Norwegian law with EU legislation
The recent changes to the Act, available here, implement Directive (EU) 2015/2436 and are intended to further harmonize Norwegian trademark legislation with EU law. Among the changes, the concept of “bad faith” has been expanded, while new trademarks registered in black and white will no longer receive protection for all colors.

Appellate Court grants law firm minimal remuneration for newspaper’s use of copyrighted work
VG had used photos belonging to a law firm in several news articles. According to the Norwegian Copyright Act, the media may use such copyrighted work when reporting on news events, if remuneration is later paid. The law firm had claimed MNOK 1.1 in remuneration, whilst the Court awarded only NOK 6 800, highlighting the following elements:

• Market price for the type of image
• The extent of use
• Media’s freedom of expression
 

Finland
 

Publishing agreement not duly assigned - unauthorized book publishing
The author and copyright holder of the book “The Sewing Book of Ossi — Clothes for Little Pooches”, MK, previously had a publishing agreement for the book with publishing company Perhemediat Oy which had gone bankrupt. Wild Blue Ky had purchased the assets of Perhemediat Oy after the bankruptcy. However, the publishing agreement between MK and Perhemediat Oy was not assignable without the other party’s consent, why the agreement had not been duly assigned to Wild Blue Ky as MK had not consented. Wild Blue Ky infringed MK's copyright by making an edition of 1000 copies of the book in 2016 and making the books available to the public for almost six years. Wild Blue Ky had not obtained permission from MK to publish the work.

The Market Court ruled (MAO:19/2023) that Wild Blue Ky had infringed MK’s copyright and prohibited Wild Blue Ky from producing the books and making them available to the public. The Market Court also ordered Wild Blue Ky to pay a reimbursement of EUR 1500 to MK.

Tyres vs. Beer – trademark with reputation annuls trademark despite differences in goods
Tyre manufacturer Nokian Renkaat Oyj requested that the Market Court annul the Finnish Patent and Registration Office’s decision regarding the registration of Iso-Kallan Panimo Oy’s trademark “HAKKAPELIITTA” in classes 32 and 33 (non-alcoholic and alcoholic beverages). Nokian Renkaat Oyj made the request due to it having an identical trademark “HAKKAPELIITTA” registered in class 12 (vehicles and apparatus for the transport of people or goods by land, air or water) and the trademark being a trademark with a reputation in the field of car tyres. Nokian Renkaat Oyj argued that the target audience for its trademark is the entire Finnish public and that the same target audience applies also to Iso-Kallan Panimo Oy’s trademark.

The Market Court annulled (MAO: 25/2023) the Patent and Registration Office’s decision despite the difference in goods covered by the two trademarks, as the trademarks had at least partly the same target audience and due to the kind of connection required for the protection of a trademark with a reputation. The use of Iso-Kallan Panimo Oy’s trademark represented an unfair exploitation of the distinctiveness and reputation of Nokian Renkaat Oyj’s trademark with a reputation, and furthermore there was a risk of harm to the distinctiveness of said trademark.

Rusta trademark conflict
Bruksbo i Uppsala Kommanditbolag demanded that the Market Court annul the decision made by the Finnish Patent and Registration Office (the “Office”) based on which the Office did not consider that the figurative trademark “Rusta”, international registration held by Joint-stock company ”Sovtransavto Moskva”, causes risk of confusion in relation to Bruksbo i Uppsala Kommanditbolag’s Finnish figurative trademark “Rusta”. The trademark of the Joint-stock company ”Sovtransavto Moskva” had been registered in class 39. Bruksbo i Uppsala Kommanditbolag justified its demand by stating that its registered line of business covers similar services as those covered by class 39 and therefore, the trademark of Joint-stock company ”Sovtransavto Moskva” causes confusion.

Based on case-law, there is a risk of confusion if the target audience of the trademarks may perceive that the goods or services in question originate from the same undertaking or undertakings that are economically linked. The risk of confusion shall be assessed as a whole, taking into account all relevant factors. After taking into consideration all of the relevant factors, the Market Court stated that the international registration of the trademark “Rusta” causes confusion in relation to the national trademark “Rusta” to the extent that the services are considered at least slightly similar. Therefore, the Market Court annulled (MAO:92/2023) the decision of the Office and returned the matter to the Office.

Missing age information regarding audiovisual program recordings
The CJEU’s judgement C-662/21 relates to a preliminary ruling request made by the Supreme Administrative Court of Finland in a case concerning Booky.fi Oy (“Booky”), a Finnish company marketing and selling DVDs and Blue-rays in its webstore. The National Audiovisual Institute of Finland obligated Booky to indicate in the information regarding the audiovisual program recordings sold in its webstore the minimum age for viewing these programmes based on the classification set out in Finnish legislation. The CJEU was requested to consider whether such an obligation was in breach of Article 34 of the TFEU (Treaty on the Functioning of the European Union) regarding the prohibition of quantitative restriction between Member States when the programmes have already been classified in accordance with the rules and regulations of another Member State.

Pursuant to the CJEU’s judgement (C‑662/21), Article 34 of the TFEU shall be interpreted as not preventing the rules of a Member State which require that audiovisual programmes stored on a DVD or Blue-ray and marketed online have undergone prior verification procedures and have been classified in accordance with the laws of that Member State. This applies also even when those programmes have gone through another equivalent procedure under the laws of another Member State, provided that the objective of such requirement is to protect minors from audiovisual content likely to impede their well-being and development. The CJEU further stated that the requirement should ensure the fulfilment of the objective and not go beyond what is necessary to achieve the objective.

Marketing law

EU legislation - Sweden/Denmark/Norway/Finland
 

Directive on sustainability due diligence increases demands on transparency for companies' supply chains
In February 2023, the European Commission proposed a Directive on corporate sustainability due diligence ("Directive"), which aims to promote sustainable and responsible corporate behaviour, and to provide legal certainty, level the playing field for consumers and investors.

All EU limited liability companies with either 500+ employees and MEUR 150+ in turnover, or operating in defined high impact sectors with 250+ employees and MEUR 40 turnover, and non-EU companies with turnover in the EU that aligns with the thresholds of the above EU companies, fall under the scope of the Directive (the “Companies”). SMEs are not directly involved in the scope.

The Directive covers the Companies’ operations, subsidiaries, and value chains, and mandates Companies to consider human rights, climate change, and environmental consequences of their decisions ("Impacts"). The Directive includes requirements on the Companies to integrate the sustainability due diligence into policies, identify and prevent Impacts, and publicly communicate on due diligence.
 

Sweden
 

Penalties against concealed marketing and false environmental claims marks an increased focus on transparency
The Swedish Ombudsman for Consumers ("Konsumentombudsmannen") filed a request to the Swedish Market Court ("Market Court") to issue a fine against an influencer for breaking her previously issued prohibition on using concealed marketing. Another influencer was fined SEK 750 000 for the same unlawful practice after they failed to disclose which of their social media posts were paid collaborations.

The Konsumentombudsmannen won a recent case in the Market Court against Arla Foods AB, which was prohibited from marketing dairy products with environmental claims such as "net zero environmental effect", as it misled customers to believe the products had no environmental impact, which was false.

These cases indicate an increased demand of transparency and fair marketing practices, on both companies and natural persons.
 

Denmark
 

Legislative proposal: Prison sentence for serious misleading in marketing
The Government has presented a bill that will make it possible to impose a prison sentence for serious or systematic violation of the Danish Marketing Practices Act’s ban on misleading marketing. The Danish Competition and Consumer Authority has been responsible for the preparatory work.

Documentation requirements for ”green” marketing
Case BS-4151/2021-SHR concerned a number of marketing statements used by a Danish company, which supplies roofing felt products to the Danish market. The statements highlighted the product series Derbigium NT, a Belgian product for which the Danish company is the exclusive distributor of, as being more environmentally friendly than competing products on the market. Such statements must be provable.

The Maritime and Commercial High Court found, based on the evidence, that the documentation requirement had not been met. The statements were therefore unjustified and not in compliance with the Danish Marketing Practices Act, and the defendant was prohibited from using them as done in its current marketing.

The case contributes to understanding the documentation requirements in cases regarding environmental marketing.

Night club reported to the police due to 51 illegal alcohol advertisements
For the third time, the Consumer Ombudsmand has reported a night club to the police for violating the Danish Marketing Practices prohibition on alcohol advertisement aimed at young people under the age of 18.
 

Norway
 

Proposed changes to the Marketing Control Act (MCA)
The proposal, available here, is intended to bring Norwegian marketing law more in line with the EU law, creating a more level playing field for Norwegian participants in the EU-retail market. Important changes include new rules on the marketing of sales, namely, how to calculate the prior price.

The Consumer Authority (CA) issues administrative fine to former CEO for illegal marketing
The CA issued an administrative fine of NOK 100 000 to the former CEO of Stayclassy AS, for violating the MCA by providing insufficient and misleading information about sales. The company itself would likely have faced a larger fine for the violation but has since gone bankrupt.

The Market Council (MC) upholds recent decisions for use of fictitious former prices
The MC upheld three decisions by CA against three suppliers of cosmetics for violations of the Marketing Control Act in relation to Black Friday 2022. The suppliers were found to have used fictitious former prices, and the fines were set at a record high (MNOK 3, MNOK 1.5 and NOK 700 000), with additional compulsory fines set at MNOK 4, 3 and 1.5. The decisions are available herehere and here.
 

Finland
 

Lack of clarity in influencer marketing
The Council of Ethics in Advertising (the ”Council”) published several statements regarding the recognizability of advertisements published in social media channels of influencers. The Council considered in several cases, that the advertisements were not sufficiently recognizable as such and not clearly marked by the influencer.

The Council does not issue binding judgements or rulings, only statements on whether an advertisement or advertising practice is ethically acceptable. However, the statements are generally well respected.

Considerable proportion of consumers suffer from misleading discount marketing
Discount sales can be useful for consumers, but there are also harmful features associated with their marketing. The vast majority of respondents to a survey conducted by the Finnish Competition and Consumer Authority (“KKV”) feel that they act prudently when searching for bargains. Yet, misleading discount marketing causes harm to more than a third of consumers at least occasionally.

KKV investigated consumers' discount sales behaviour as well as views and experiences of discount marketing. The research shows that haste is the most important factor in a purchase situation, which increases the probability of perceived disadvantages. Consumer disadvantages manifest themselves as low-quality, pointless and more expensive purchases than expected.

For example, claims made in marketing according to which the discount is only valid for a certain limited time or that the discounted product is available in a limited amount increase haste in the buying situation. If the discount campaign is continued over and over again or the information about the quantities of discounted products is incorrect, consumers will make purchasing decisions based on misleading information.

According to KKV's research, consumers have noticed a wide variety of misleading discount sales practices. Most common practices include repeated closeouts or stock clearances, as well as continuous discount sales, where the sale campaign is continued immediately after the end of the previous one.

Misleading discount marketing has been noticed most often in fields of furniture and interior design sales, as well as home appliances and electronics.

Three out of four respondents said that constant sales often or occasionally cloud their perception of what the usual price of products is.

Data for the survey was collected in the spring of 2022. There were changes to the regulations regarding discount sales when the reforms of the Finnish Consumer Protection Act came into force at the beginning of 2023.

In discount sale marketing, the seller must state the lowest price at which the goods have been marketed during the 30 days preceding the price reduction. With the change, the consumer is better able to evaluate the affordability of the discount and the general price level of the seller's products.

KKV will monitor the effects of the regulation and investigate the topic further.

Consumer law

EU legislation - Sweden/Denmark/Norway/Finland



Denmark
 

Decision of the Danish Consumer Ombudsman

Lime received a fine for misleading consumers

A District Court fined Lime (the electric scooters rental company), DKK 200 000 for misleading consumers by, among other things, stating in the app store with description of the services provided in its app that the scooters were free to use without being free. The Consumer Ombudsman reported the company to the police for misleading consumers about the price of using the scooter. The Consumer Ombudsman also found that the terms of use described in the app were in breach of other consumer protection rules.
 

Norway
 

New Digital Consumer Services Act
The new Act’s, available here, increases consumer protection in relation to purchases of digital content and services. The Act also applies to free services/content if the consumer provides the company with personal data that goes beyond what is necessary in order to deliver the content/service. The Act largely codifies current law, but also introduces some additional consumer rights.

New rules regarding assessment of administrative fines
The new regulation, available here, stipulate that an administrative fine may be set at up to 4 % of the business’ annual turnover or MNOK 25, whichever is highest.

The Consumer Agency's annual report for 2022 highlights success of mediation
The report, available here, highlights that the Consumer Agency mediated and resolved disputes concerning claims for more than MNOK 186. The majority of cases related to the purchase / sale of cars (30 %), clothing and leisure items (18 %), and electronic products (15 %).
 

Finland
 

Credit company to be taken to court by the Finnish Consumer Ombudsman
The Finnish Consumer Ombudsman is taking the credit company Bondora to the Finnish Market Court for violating credit price regulation.

The credit company Bondora had offered consumers more expensive credits than allowed by law, when it had not calculated the fees charged for the services it designated as separate additional services as credit costs that fall within the scope of price regulation. In addition, Bondora had charged consumers a cost designated as credit interest in violation of the Finnish Consumer Protection Act. The Consumer Ombudsman demands that the Market Court forbids Bondora from continuing or renewing its illegal practice under the threat of a fine of EUR 150 000.

Bondora had offered consumers three separate services designated as additional services, the fees of which it has not included in the credit costs. With the help of the services, the consumer can, among other things, make changes to the payment schedule, repay the credit early, receive priority customer service and receive messages about credit management.

The Consumer Ombudsman considers that these are costs directly resulting from the credit relationship and therefore they should also be counted as credit costs, the maximum amount of which is stipulated by law. Bondora's pricing model exceeds the cost ceiling set by law. Bondora considers that these are additional services outside of price regulation.

Until November 2021, Bondora had also agreed on the cost it designates as interest on the credit, so that the cost is charged throughout the credit relationship for the original amount of the credit and not for the remaining capital. In the Consumer Ombudsman's point of view, this kind of expense is not a credit interest as defined by law, but an expense similar to other credit costs. Also with this procedure, the Consumer Ombudsman's views that Bondora has violated price regulation.

An agreement has not been reached in the negotiations with Bondora, which is why the Consumer Ombudsman is seeking the matter to be resolved in the Market Court.
The Consumer Ombudsman has clarified ambiguities regarding credit costs in the past with another credit company, Blue Finance Suomi Oy. The Market Court issued its decision in December 2022, in which it considered that the payments related to obtaining credit should be counted as credit costs. Blue Finance Suomi Oy had limited the payments related to obtaining a loan outside the credit costs, and therefore the pricing exceeded the maximum amount according to the law. However, in the case of Bondora, it is a different type of payment than in the case of Blue Finance Suomi Oy.

According to the credit price regulation that entered into force in September 2019, the annual interest charged on the outstanding capital of the credit at any given time may not be agreed to be greater than 20 percent. In addition, the daily amount of other costs charged from the credit may not exceed 0.01 percent of the original credit amount or credit limit. However, the amount of other credit costs may not exceed EUR 150 per year under any circumstances.

Credit costs include all costs known to the creditor resulting from the credit relationship. For example, the fees charged for applying for credit, withdrawing credit and sending payment information are credit costs, regardless of how much time or what kind of method is used to complete the procedure. Only completely voluntary additional services can be excluded from credit costs. Credit must then be offered on the same terms, regardless of whether the consumer also concludes an additional service agreement in connection with the credit agreement.

Data Privacy

EU legislation - Sweden/Denmark/Norway/Finland
 

Controllers must provide the specific identity of recipients of personal data
On 12 January 2023, the Court of Justice of the European Union ("CJEU") issued a judgment in Case C-154/21, available here, regarding controllers' obligation to provide data subjects with information pursuant to the right to access (Article 15(1)(c) of the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR")). The CJEU specified that such information must be as precise as possible, and that the data subject has the right to obtain information about the specific identity of recipients to whom personal data concerning him/her have been or will be disclosed. Controllers may indicate only the categories of recipients in cases where it is not (yet) possible to identify those the recipients. This applies in particular where the recipients of the personal data are not yet known, or where the controller can demonstrate that the data subject’s requests for access was manifestly unfounded or excessive within the meaning of Article 12(5) of the GDPR.

The CJEU furthermore points out that the data subject’s right of access is necessary to enable the data subject to exercise other rights under the GDPR, such as the right to rectification, the right to erasure (‘right to be forgotten’) and the right to object to processing.
 

Sweden
 

Case concerning the right to information partially overturned
In March 2022, the Swedish Authority for Privacy Protection ("IMY") issued an administrative fine of MSEK 7,5 (approx. EUR 662 000) against a Swedish bank for non-compliance with the right to information, the obligation to provide such information in a way that is concise, transparent, intelligible and easily accessible, the principle of lawfulness, fairness and transparency and the accountability principle (Articles 12(1), 13, 14, 5(1)(a) and 5(2) of the GDPR, respectively). The requirements that followed from the IMY's interpretation of these Articles required a more detailed approach than many controllers had previously taken in their privacy notices. The decision was appealed, and in its ruling on the 14 April 2023, an Administrative Court partially overturned the IMY's decision.

As opposed to the IMY, the Court held that controllers are not obliged under Article 13(1)(e) to inform data subjects of whether recipients of their personal data are Swedish or foreign, as far as transfers within the EU/EEA are concerned. Moreover, the Court found that the IMY had not sufficiently described the basis for its assessment regarding why it had found that Article 12(1) of the GDPR had been violated, hence a fine against the bank could not be issued for such violation since the burden of proof lied with the IMY.

The Court reduced the administrative fine to MSEK 6 (approx. EUR 530 000) as the Court identified less violations of the GDPR than the IMY. Nevertheless, it should be noted that the Court upheld several of the IMY's findings concerning the right to information, confirming that a high level of detail is required.

The IMY investigates a political party's processing of personal data when sending personal video messages during election campaign
After receiving a large number of complaints regarding personal video messages, sent out by a political party during the 2022 election in Sweden e.g. concerning inadequate information provided to data subjects, potential transfers of personal data to the US and the fact that recipients of the messages were able to see other peoples' personal video messages, the IMY has opened an investigation. The IMY intends to investigate several matters, inter alia whether the political party transferred personal data to a third country and whether any such transfer violated Art. 44-49 of the GDPR.

Supreme Administrative Court grants review permits for appealability of decisions by the IMY
The Court has granted review permits in two separate cases concerning data subjects' right to appeal the IMY's decisions. The first case regards whether data subjects can appeal the IMY's decisions to not investigate their complaint further (without initiating an audit). In the other case, the Court will review whether data subjects can appeal the IMY's decisions to terminate audits without any actions, where those audits have been initiated based on their complaints. It remains to be seen what the outcome of the rulings will be.
 

Denmark
 

New guidelines on the use of cookie walls
The Danish Data Protection Agency has published a new set of short guidelines on the use of cookie walls, after making two landmark decisions, available here.
According to these guidelines, the use of cookie walls on a website requires compliance with the following four requirements:

1. A fair alternative must be offered to the visitor of the website – i.e., payment.
2. A fair price when the alternative is payment.
3. The collection must be limited to what is necessary for achieving the goal.
4. When the visitor pays instead of consenting, data may be processed in accordance with the regular rules, meaning the use of cookies that are necessary for the delivery of the service.

New Guidelines on data protection in employment relations
The Danish Data Protection Authority has published an updated set of Guidelines on data protection in employment relationships, available here. The updates reflect more recent case law, namely in relation to the collection of references and criminal records. Certain sections have been clarified, including the sections on the obligation to inform about processing and the section on transfer of data.
 

Norway
 

SATS issued fine of MNOK 10
SATS (a leading provider of fitness clubs and services) was issued an administrative fine of MNOK 10 for several breeches of the GDPR, namely violating the data subject’s rights and certain transparency obligations and lacking legal basis for certain processing activities. The decision is available here.

Failure to notify data breach within 72 hours leads to MNOK 2.5 fine
Argon Medical Devices was issued a fine of MNOK 2.5 for violation of art. 33 of the GDPR, as they had failed to notify the Data Protection Authority (DPA) within 72 hours after having become aware of a data breach. The decision is available here.

Preliminary decision regarding Google Analytics
The Data Protection Authority's current conclusion is that use of Google Analytics violates the GDPR. If this conclusion ultimately stands, it will fall in line with the assessments of other European data protection authorities. The conclusion is available here.
 

Finland
 

Reprimand issued to several Finnish libraries for infringing data protection legislation by conveying data to US-based Google
The Deputy Data Protection Ombudsman issued a reprimand (Dno 4672/161/22) to the libraries of the cities of Helsinki, Espoo, Vantaa and Kauniainen for infringements of data protection legislation in the processing of personal data. The websites of the Capital Region's Helmet libraries have used tracking technologies that may have conveyed data on, for example, the books and other materials searched by users to third parties. Personal data has also been unlawfully transferred to the United States.

One of Finland’s leading providers of digital business and consumer information services fined due to breach of legislation
The Data Protection Ombudsman issued an administrative penalty (Dno 310/161/23) of EUR 440 000 to Suomen Asiakastieto Oy, due to the company not removing incorrect payment default entries stored in its credit data register after the Data Protection Ombudsman had ordered it to remove such entries. The Data Protection Ombudsman highlighted that the processing of payment default related data has significant effects on the rights and freedoms of data subjects.

Provider of accommodation services warned for having inadequate safeguards
The Data Protection Ombudsman issued a reprimand (Dno 3206/171/20) to Majoituspalvelu Forenom Oy (”Forenom”), which has been subject to a data breach, for inadequate safeguards and ordered the company to shorten the retention period of personal data processed by it. The attacker had gained access to a self-service portal for Forenom’s customers and Forenom’s ERP system through an interface vulnerability. The data breach involved tens of thousands of personal data. Forenom operates in the accommodation sector offering its customers long and short-term rentals and accommodation.

Other relevant legal topics

Sweden
 

Bank receives a remark and an administrative fine of MSEK 850 (approx. MEUR 76) due to an IT-incident in April 2022
Following a business-critical IT system change, customers of one of Sweden's largest banks were shown incorrect account balance when checking their bank accounts. The incident affected almost one million customers and several payments. The Swedish Financial Supervisory Authority initiated an investigation regarding the incident that showed that the bank had made changes to a IT-system without following the bank’s internal procedures and processes. The investigation also showed that the bank did not have suitable control mechanisms in place to capture deviations and ensure that internal procedures and processes were followed. As a result, the bank received a fine of MSEK 850 (approx. MEUR 76). The decision has not been appealed.
 

Norway
 

Increased focus on alcohol marketing on social media
The Norwegian Directorate of Health (NDH) has issued 40 advanced notices of administrative sanctions (rectification) to various producers of alcoholic beverages, for allegedly breaching the prohibition on advertising of alcohol. Many of the cases relate to private individuals "tagging" producers of alcoholic beverages in Instagram posts. The NDH has stated that producers must actively take measures to ensure that such posts do not appear on the producer’s social media platforms, as this can be considered illegal marketing.

Increased focus on age limits for movies/TV
The Norwegian Media Authority has actively been monitoring and issuing warnings to various media distributors relating to the providers’ set age limits on movies and TV shows. No further sanctions have, however, been imposed as the companies that received warnings quickly improved their routines thereafter.
 

Finland
 

Open Source meets data protection
The Data Protection Ombudsman and TIEKE Information Society Development Centre conducted a two-year GDPR2DSM project the purpose of which was to support SMEs in meeting data protection requirements. As a result of the project, a simple online tool for companies to test the fulfilment of the requirements of the GDPR in their company was developed. The tool is available in Finnish, Swedish and English. The tool has been released as open source.

Legislation procrastination
The European Commission referred Finland to the Court of Justice of the European Union for failing to fully transpose EU copyright rules into national law. The Government Proposal for the implementation of the EU copyright rules is still being processed in the Finnish Parliament.