This area is covered by Annex XI EEA on Electronic Communication, Audiovisual Services and Information Society.
The protection of natural persons in relation to the processing of their personal data is a fundamental right enshrined notably in the European Convention on Human Rights and related international instruments, such as the Council of Europe’s Convention No 108. In its essence, this right guarantees that personal data should only – and always – be processed lawfully, fairly and in a transparent manner; be collected for specified purposes; be limited to what is necessary; be accurate; be stored for no longer than necessary; and be kept securely and confidentially.
At the same time, the digitalisation and integration of European societies are increasing both the demand for personal data processing and the volume of cross-border data flows within the EEA and beyond. In this context, the regulation of personal data protection at EEA level contributes to the achievement of a genuine internal market, whilst ensuring that the fundamental rights of individuals are safeguarded. Personal data protection has been regulated at Union level since 1995 and in the EEA since 1999, allowing the free flow of personal data within the area.
In the field of data protection, the EEA Agreement covers EU legislation of general application to commercial activities, such as the General Data Protection Regulation (EU) 2016/679 and all related “adequacy decisions” allowing international transfers of personal data with counterparties located outside the EEA, as well as the e-Privacy Directive 2002/58/EC and related acts such as Regulation (EU) No 611/2013 on notifications of data breaches. As a result, individuals in the EEA EFTA States (Iceland, Liechtenstein and Norway) and in the Union benefit from the same level of protection. Controllers or processors of personal data established in an EEA EFTA State are subject to the obligations laid down in EU legislation, and their compliance is monitored by the independent data protection authority of each EEA EFTA State.
EU legislation regarding the processing of personal data for law enforcement purposes is not covered by the EEA Agreement, but may be applicable to some or all of the EFTA States by virtue of other agreements with the Union.
The EFTA Expert Group on Data Protection contributes to the development of Union policies and legislation in the field of data protection by providing expert advice and opinions to the European Commission on its proposals, or by participating in its committees, in accordance with the EEA Agreement. It is composed of representatives of the EEA EFTA States and meets three to four times a year.
In addition, the national data protection authorities of Iceland (Persónuvernd), Liechtenstein (Datenschutzstelle) and Norway (Datatilsynet) participate in the relevant EU cooperation forums for independent authorities, such as the European Data Protection Board.