Technology and IP Quarterly 02.25

Q2 2025 Technology and IP Quarterly

In this Q2 2025 edition of the Technology and IP Quarterly, we offer a comprehensive overview of the latest developments in intellectual property rights, life sciences, and regulatory and data protection. We highlight the most significant advancements in Norway and the EU during the second quarter of 2025, covering regulatory updates, case law and other important news.

Table of Contents

Editorial team

Eirik Basmo Ellingsen

PARTNER eiell@bahr.no

Anja Stensrud Elverum

MANAGING ASSOCIATE anelv@bahr.no

Tuva Fretheim Walle

SENIOR ASSOCIATE tufwa@bahr.no

Jacob A. Møller

PARTNER jam@bahr.no

Anna Medbøe Tamuly

ASSOCIATE antam@bahr.no

Morten Smedal Nadheim

SENIOR ASSOCIATE monad@bahr.no

Sander Bøe Bertelsen Ylva Høsøien

ASSOCIATE saber@bahr.no

ASSOCIATE ylhos@bahr.no

Life sciences

BAHR provides expert guidance to clients that operate throughout the life sciences sector, including in pharmaceuticals, biotechnology, health services, and medical devices. Our distinguished team is celebrated for representing top pharmaceutical originators in both patent litigation and pioneering regulatory disputes. We offer expert advice on a wide range of matters, such as pricing, reimbursement, market access, parallel import, marketing and public procurement. We also advice on commercial contracts, such as licensing and agreements related to clinical drug development. With our support, clients are equipped to excel in the competitive life sciences arena.

This section will present updates on the life sciences sector within Norway and the EU, offering insights into recent developments and trends during the second quarter of 2025. For in-depth exploration of the life sciences sector in Norway, read our newly published Life Sciences in Norway 2025 publication here.

Norway

Regulatory updates

First notified body for IVD devices designated in Norway

On 30 April 2025, the first Norwegian notified body for in vitro diagnostic medical devices (IVD devices) was designated.1 The Norwegian Medical Products Agency (NoMa) designated DNV Product Assurance AS under Regulation (EU) 2017/746 on in vitro diagnostic medical devices (IVDR), making DNV Product Assurance AS the 17th notified body under the IVDR.2 IVD devices are used to analyse samples from the human body, such as testing for infections (bacteria, viruses), diabetes, cholesterol, cancer markers, and genetic indicators. A notified body assesses the conformity of medical devices, thereby ensuring that only safe and effective devices enter the market. According to NOMA, the establishment of a Norwegian notified body may further stimulate innovation and growth within the Norwegian healthcare industry, in addition to promoting patient safety and the consistent supply of medical devices.

Long-awaited white paper on the allocation of resources within the healthcare system published

On 10 April 2025, the Norwegian Ministry of Health and Care Services (HOD) published its long-awaited white paper on prioritising resources within the healthcare system, a report HOD has been working on for nearly four years.3

Titled “Health for All – Fair Prioritisation in Our Shared Healthcare Service,” the report has been met with mixed reactions.

The Association of the Pharmaceutical Industry in Norway (LMI) has expressed satisfaction that certain parts of the report align with its input. In particular, HOD proposes granting NoMa the authority to make reimbursement decisions within a specified mandated threshold for vaccines on blue prescriptions for risk groups, rather than just for medicinal products, as is currently the case. LMI points to an example where patients with COPD could receive a vaccine on blue prescription to prevent exacerbations, in the same way they currently receive COPD medication.4 Additionally, simplifications have been proposed for the health technology assessment (HTA) process within the blue prescription scheme. This includes replacing the requirement for horizon scanning with a requirement for pharmaceutical companies to request method assessments.5

1 https://www.dmp.no/en/news/notified-body-for-medical-devices-designated-in-norway

2 https://webgate.ec.europa.eu/single-market-compliance-space/notified-bodies/notified-body-lis t?filter=legislationId:35,notificationStatusId:1

3 https://www.regjeringen.no/no/dokumenter/meld.-st.-21-20242025/id3096827/

4 https://www.lmi.no/2025/04/10/gode-vaksinenyheter-i-prioriteringsmeldingen/

5 https://www.dmp.no/nyheter/tidsbruken-fortsetter-a-ga-ned

An exception scheme has been introduced to ensure that the most seriously ill patients gain faster access to new medicines. This scheme has already entered into force, allowing patients to access vital treatments even if the Norwegian Decision Forum (Nw. Beslutningsforum), which determines whether a method can be adopted in the specialist health service, has declined to approve the medicine. Nonetheless, LMI has also raised concerns that the new prioritisation framework does not sufficiently facilitate the use of innovative and new medicines in Norway.6 Read the full white paper here

Updated guidance for aesthetic clinics in the regulations for pharmaceuticals advertising

On 4 April 2025 NoMa updated its guidance for aesthetic clinics regarding the advertising of medicinal products.7 As mentioned in our Technology and IP Quarterly for Q1 2025, available here, a joint regulatory action uncovered widespread illegal marketing practices among cosmetic treatment clinics. The newly adopted amendments to NoMa’s guidance aim to clarify when the regulations on pharmaceutical advertising apply to clinics promoting their treatments and services. In Norway, advertising prescription-only medicines directly to the public is strictly prohibited. Nevertheless, the general promotion of aesthetic treatments and services remains lawful. To distinguish permissible advertising from unlawful promotion, it is essential that no medicines are included in the advertisements. The guidance can be read here

Proposed amendments to the health legislation regarding health data and requirements for technical and organisational security measures

On 10 June 2025, the HOD submitted a proposition to the Norwegian parliament, proposing amendments to the Patient Records Act, the Health Register Act, and the Health Personnel Act.8 The proposal comes in light of the increasingly unpredictable security situation in Norway, which, according to HOD, makes it more crucial than ever to collaborate in safeguarding values and critical societal functions, including healthcare services with adequate patient safety. The proposed amendments aim to enable the restricted sharing of certain large sets of health data to enhance society’s ability to protect fundamental values, essential functions, and life and health. Furthermore, it suggests that when determining what constitutes an adequate level of security under the Patient Records Act and the Health Register Act, consideration should be given to technological advancements and essential societal functions. The proposition is available here

6 https://www.lmi.no/2025/04/10/lmi-om-prioriteringsmeldingen-en-falitterklaering-fraregjeringen/

7 https://www.dmp.no/nyheter/oppdatert-veiledning-for-estetiske-klinikker-i-regelverket-forlegemiddelreklame

8 https://www.regjeringen.no/no/dokumenter/prop.-152-l-20242025/ id3107657/?q=legemiddel&ch=2#match_0

Proposal to streamline health technology assessments for pharmaceuticals

Prior to the introduction of any new treatment into the public health system in Norway, it must undergo a HTA, which evaluates whether the potential benefits of a treatment are reasonably proportionate to its costs.9 However, this process is time-consuming, and according to the NOMA, there are better ways to streamline the HTA process. In May 2025, NOMA published proposals to revise the process, aiming to establish a more predictable framework for both pharmaceutical companies and NOMA. The proposal seeks to address key challenges currently faced in the HTA process, including improving documentation quality, reducing the recruitment time for medical experts, and enhancing predictability regarding the timing of documentation submissions. The public consultation period for the proposal ended on 28 May 2025.10

Proposed amendments to health regulations to strengthen cooperation for handling cross-border health threats in Europe

In early April 2025, the HOD initiated a public consultation aimed at incorporating three important EU regulations into Norwegian legislation, including (EU) 2022/2371 concerning serious cross-border health threats, (EU) 2022/2370 establishing the European Centre for Disease Prevention and Control, and (EU) 2022/123 which enhances the European Medicines Agency’s role in crisis preparedness and management for medicinal products and medical devices.

The proposed legislative amendments will affect various acts and regulations related to medicinal products and medical devices. The primary objective of these amendments is to strengthen cooperation and systems for managing cross-border health threats across Europe. This includes ensuring robust surveillance of health threats and securing the supply of pharmaceuticals and medical devices during potential future health crises. This initiative is a direct response to the insights gained from the COVID-19 pandemic. Stakeholders are invited to submit their feedback by the deadline of 4 July 2025. 11

9 https://www.dmp.no/en/public-funding-and-pricing/health-technology-assessments

10 https://www.dmp.no/nyheter/mer-forutsigbar-prosess-for-a-effektivisere-arbeidet-medmetodevurdering

11 https://www.regjeringen.no/no/dokumenter/horing-forslag-til-endringer-i-lov-om-apotek-lovom-legemidler-mv.-lov-om-medisinsk-utstyr-forskrift-om-legemidler-forskrift-om-medisinsk-utstyrmsis-forskriften-og-ihr-forskriften/id3095384/?expand=horingsnotater

EU

Regulatory updates

The Council is ready to begin negotiation of the “Pharma Package” with the European Parliament

On 2 June 2025, the Council reached a consensus on its stance regarding the proposed “Pharma Package” and is prepared to enter negotiations with the European Parliament.12 Initially proposed by the European Commission on 26 April 2023, the “Pharma Package”, also known as the pharma reform, comprises a new regulation and directive aimed at enhancing the availability of innovative medicines across the EU, while simultaneously bolstering the competitiveness of the EU’s pharmaceutical industry. The package represents the most significant reform of EU pharmaceutical legislation in over two decades and has faced a range of reactions and criticism. Critics argue that the proposal could render the EU an unattractive destination for pharmaceutical research investment, thereby undermining the competitiveness of the EU’s pharmaceutical industry.

The Council’s introduces several key amendments to the European Commission’s proposed legislation. Under the Council’s mandate, data used to develop innovative medicine will be protected for eight years. Additionally, the producers of innovative medicine will benefit from one year of regulatory protection, which may be extended to two years. Furthermore, the Council’s proposal empowers the authorities to require marketing authorisation holders of medical products to produce that product available in sufficient quantities to cover the member states’ needs. The mandate also clarifies the scope of the so-called “Bolar exemption”, extending it to include submissions for procurement tenders.

The European Medicines Agency and the Heads of Medicines Agencies have published a joint workplan “Data and AI in medicines regulation to 2028”

On 7 May 2025 the European Medicines Agency (EMA) and the Heads of Medicines Agencies (HMA) published a joint workplan called “Data and AI in medicines regulation to 2028”.13 The ambition is to better leverage high volumes of data and artificial intelligence, encouraging research, innovation, and support regulatory decision making for better medicines that reach patients faster. The workplan lays out a roadmap for the upcoming three years for managing, analysing, and sharing data across the network. Recent EU legislation is addressed, such as the pharmaceutical legislation, the European Health Data Space (EHDS), the EU AI Act, and the Interoperable Europe Act. The workplan is available here

12 https://www.consilium.europa.eu/en/press/press-releases/2025/06/04/pharma-package-councilagrees-its-position-on-new-rules-for-a-fairer-and-more-competitive-eu-pharmaceutical-sector/

13 https://www.ema.europa.eu/en/news/leveraging-power-data-public-animal-health

CTIS has been designated as a primary registry by the WHO within the ICTRP

In our Technology and IP Quarterly for Q1 2025, we reported that the transition to the Clinical Trials Information System (CTIS) was complete. In the second quarter of 2025, the World Health Organisation (WHO) has designated CTIS as a primary registry within the International Clinical Trials Registry Platform (ICTRP). According to EMA, this development is a significant milestone in facilitating data sharing and promoting transparency and trust in clinical research. It also means that CTIS adheres to specific criteria regarding content, data quality and validity, accessibility, unique identification, technical capacity, and administration.14

Historical Pandemic Agreement adopted

On 20 May 2025, the world’s first Pandemic Agreement was formally adopted. The members of the WHO came to an agreement after three years of negotiation, initiated by governments in response to the profound impacts of the COVID-19 pandemic. The agreement aims to enhance global safety and preparedness for future pandemics. The resolution of the Pandemic Agreement outlines the necessary steps for its implementation, including the drafting and negotiation of a Pathogen Access and Benefit Sharing system (PABS). The outcomes of this process will be reviewed at next year’s World Health Assembly.15

EFPIA has submitted its response to the European Commission’s call for evidence on the proposed EU Biotech Act

On 14 May 2025, the European Commission launched a call for evidence on the Biotech Act.16 EFPIA responded on 11 June 2025, advocating for a world-class innovation environment for biotechnologies.17 EFPIA highlights the need for coordinated action in several key areas, such as reforming the Supplementary Protection Certificate (SPC) framework and simplifying and harmonising procedures for multi-country clinical trials, particularly ethics reviews facilitated by reliance mechanisms.

Furthermore, EFPIA underscores that while pharmaceutical legislation reform should simplify processes, the Biotech Act holds potential to drive additional progress, for example, by accelerating digital transformation, sustainably enhancing regulatory capacity and expertise, and positioning the EU as a global standard-setter in biotechnological innovation. Read all of EFPIA’s areas of action here.

14 https://www.ema.europa.eu/en/news/clinical-trials-information-system-designated-who-primaryregistry

15 https://www.who.int/news/item/20-05-2025-world-health-assembly-adopts-historic-pandemicagreement-to-make-the-world-more-equitable-and-safer-from-future-pandemics

16 https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14627-Biotech-Act_en

17 https://efpia.eu/news-events/the-efpia-view/efpia-news/efpia-response-to-the-europeancommission-call-for-evidence-on-the-eu-biotech-act/

Case law

Prohibition on advertising of pharmacies is contrary to EU law - Court of Justice of the European Union – C-200/24

The Court of Justice of the European Union (CJEU) has recently ruled that a Polish law enacting a near total prohibition on advertising pharmacies runs foul of the Directive 2000/31 (the E-Commerce Directive) and the freedom of establishment and to provide services under TFEU Articles 49 and 56. The Commission brought proceedings against the Republic of Poland with an action for failure to fulfil obligations.

Firstly, the CJEU found that Article 8(1) of the E-Commerce Directive enables members of a regulated profession (such as pharmacists) to use information society services in order to promote their activities. The Article states that such authorisation may be subject to professional rules and codes of conduct, but does not allow general and absolute prohibitions on such communication. This is the case even if not all pharmacists work in pharmacies and as such are not covered by the prohibition, as the prohibition would be no less general and absolute.

Secondly, the CJEU also found that the prohibition was contrary to the freedoms of establishment and to provide services. Poland justified the prohibition on public health grounds, especially the risk of over-consumption of pharmaceutical products. However, the prohibition was far too broad and therefore disproportionate. Advertising of medicinal products is already governed by Article 87(3) of Directive 2001/83, which is intended to encourage rational use of the products. Advertising pharmacies is a benefit to consumers, as it allows them to be informed of lower prices and additional services. And several nonprescription products may be bought at supermarkets and kiosks, who are not subject to the prohibition. In addition, the promotion of screening services was covered by the prohibition, which is unrelated to the sale of medicinal products.

The prohibition was also not proportionate in light of the need to safeguard the independence of pharmacists. Any pressure on pharmacists to increase sales of pharmaceutical products and advising their customers, is not correlated with the possibility of advertising the pharmacy itself. A less restrictive measure would be to subject such advertising to conditions which would serve to protect the professional ethics of pharmacists, along with the necessary supervision.

Intellectual property rights

BAHR’s intellectual property practice covers all areas of contentious and noncontentious intellectual property law. The team has litigated numerous cases and has extensive experience providing legal advice to both domestic and international clients within the fields of patents, trademarks, copyright, design and trade secrets. For more information regarding patent litigation in Norway, BAHR has authored the Norwegian chapter in Lexology In-Depth: Patent Litigation, accessible here.

This section will present recent regulatory developments and case law in the field of intellectual property from Norway, the European Union, and other European jurisdictions, offering insights into the latest legal trends and decisions during the second quarter of 2025.

Norway

Case law

Patent - Amendments to dependent claims – HR-2025-1235-A

In a decision rendered on 26 June 2025, the Supreme Court assessed whether dependent patent claims can be amended without also limiting the patent protection and concluded that they cannot.

Merck Sharp & Dohme LLC (MSD), an American pharmaceutical company, sought to amend dependent claims in one of its patents. However, MSD did not wish to amend the independent claim, and the The Norwegian Industrial Property Office (NIPO), the Norwegian Board of Appeal for Industrial Property Rights (the Board of Appeal), Oslo District Court and Borgarting Court of Appeal rejected the request for amendment because it did not involve a limitation of the patent protection, as, in their opinion, required by Section 39a of the Norwegian Patents Act, which is the Norwegian provision that equals the European Patent Convention (EPC) Article 69 (1).

The parties agreed that the requested amendment did not entail any limitation of the patent protection, and the question the Supreme Court considered was whether the amendment could still proceed. The Supreme Court found that the wording of Section 39a of the Patents Act, the preparatory works, and the legal theory indicated that patent claims can only be amended if the amendment involves a limitation of the patent protection.

The Supreme Court assessed Article 105a of the EPC, as well as the European Patent Office (EPO)’s Implementing Regulations and the Guidelines for Opposition and Limitation/Revocation Procedures. The Guidelines state that “limitation of a dependent claim only, without any independent claim being limited, is acceptable” (Part D Chapter X section 4.3).

The Supreme Court determined that Norway was not bound by this interpretation when applying the Norwegian Patents Act, and the interest in harmonization was outweighed by the interpretation of the phrasing of the provision. Consequently, the Supreme Court concluded that it is not permissible to make amendments to patent claims that do not involve a limitation of the patent protection under Norwegian law. The decision includes interesting assessments of the relationship between Norwegian patent law and rules from the EPO.

Patent - Lack of inventive step in patent on sustainable aviation fuelBorgarting Court of Appeal - LB-2024-125937

Neste Oyj brought legal proceedings against the Board of Appeal as it had denied registration of Norwegian patent NO 343 028, relating to a diesel fuel blend consisting of a renewable fuel component and a mineral middle distillate. The Board of Appeal, as well as the District Court and Court of Appeal, considered the patent to lack inventive step against the closest prior art (D7), the PCT application WO 2008/113592 A1, from Eni S.P.A.

The parties disagreed on whether the objective technical problem that the invention solved was to produce a solution with improved characteristics or simply an alternative to what was already known. The Court of Appeal considered that the invention did not have improved characteristics compared to D7.

Next, Neste claimed that the objective technical problem could be defined as an alternative solution to D7. The Court of Appeal, with reference to the legal literature on inventive step, considered simple alternative solutions to be less likely to be inventive. This is especially the case if the prior art contains a pointer towards the technical solution. The Court of Appeal found that the person skilled in the art would be likely to develop the blends described in claim 1 of the contested patent by following D7 and general knowledge in the field, and therefore that the solution was obvious. The Board of Appeal’s decision to deny registration of the patent was upheld.

An important aspect highlighted by the Court of Appeal is that the objective technical problem formulated in a patent application may be reformulated as part of the patent application prosecution or at a later stage as part of validity court proceedings.

Patent – Alleged patent infringement - Oslo District Court24-027709TVI-TOSL/03

This case from the oil and gas sector concerned an infringement claim filed by InflowControl AS, asserting that the supply, sale, and use of a valve-based system developed by Tendeka AS and Swellfix UK Ltd. (jointly referred to as “Tendeka”) infringed two of InflowControl’s patents, EP/NO 3 255 242 and EP/NO 3 765 707. Tendeka demanded dismissal of the infringement claims and filed a counterclaim seeking the invalidation of InflowControl’s patent.

Tendeka’s system is designed to regulate the inflow of fluids into an oil production pipe. This technology is known in the field as an Autonomous Inflow Control Device (“AICD”). The Oslo District Court examined whether Tendeka’s system violated the two patents, which are both AICD inventions, and whether a prohibition against the sale and marketing of the valve-based system could be imposed.

The District Court determined that Tendeka’s solution was not encompassed by the patent protection afforded to InflowControl’s patents and concluded that Tendeka’s system did not infringe any of the patents. Regarding the claim of infringement by equivalence, the court observed that a person skilled in the art would need to undertake extensive and creative modifications to the patented technology to achieve Tendeka’s solution, and thus concluded that there was no infringement by equivalence. Since the court dismissed the patent infringement claim against Tendeka, it did not assess the validity of InflowControl’s patents.

The judgment has been appealed. BAHR represents Tendeka in these proceedings.

Patent - Exclusion of evidence – Telemark District Court - TTEL-202510601

This case concerns the property aspect of patent rights, and exclusion of evidence, focusing on a patent right which was sold by the company Nimtec to another company, Eblanks AS.

The patented technology involves environmentally friendly blank ammunition. Nimtec had reserved a royalty right calculated based on Eblanks’ turnover. Eblanks lacked an auditor, and according to Norwegian corporate and bankruptcy law, a trustee was appointed to liquidate the company under bankruptcy regulations. The appointed trustee sold the patent rights to the company Green Ammo. The patent right became effective in the USA, and Nimtec argues that the royalty rights accompanied the patent rights as an encumbrance.

To substantiate that the royalty right was an encumbrance that the bankruptcy estate and subsequently Green Ammo had to respect, Nimtec obtained a legal opinion from an American lawyer. Nimtec and Eblanks had agreed in the transfer agreement that the agreement should be subject to Norwegian law. The District Court concluded that the question of whether the royalty right followed the American patent as an encumbrance, and whether the encumbrance had legal protection, had to be assessed in light of Norwegian law. Since the case, in the court’s opinion, did not raise issues to be resolved based on American law, there was no need for evidence regarding the legal situation in the USA, and the motion for exclusion of evidence was granted.

Trademark – Assessment of Color Trademark Distinctiveness – The Board of Appeal – VM 25/00013

On June 30, the Board of Appeal issued a decision regarding the shade of blue, Pantone 2144 C, which Orkla Confectionary & Snacks Norge AS (Orkla) sought to register as a trademark for porous milk chocolate. Orkla had previously attempted to register the same shade of blue as a trademark for chocolate in general, but both NIPO and the Board of Appeal concluded that the color mark lacked distinctiveness and had not achieved distinctiveness through use.

In a trademark dispute between Orkla and Mondelez, the Oslo District Court found that Orkla had acquired trademark protection for the same shade of blue through extensive use specifically for porous milk chocolate. The court determined that Mondelez’s use of the color on the packaging of its porous chocolate infringed upon this trademark right.

Following the Oslo District Court’s decision, Orkla applied for trademark protection for the color blue, this time specifically for porous chocolate. NIPO rejected the application, stating that the color mark had not become distinctive through use. Orkla, in response, further limited the product specification from porous chocolate to porous milk chocolate.

The Board of Appeal noted that color marks often face greater challenges in meeting the distinctiveness requirement, as the average consumer does not typically perceive colors as an indication of commercial origin or as a trademark.

However, Orkla had presented extensive documentation showing that it had conducted comprehensive and resource-intensive marketing efforts over several decades throughout Norway. The Board of Appeal described the documentation presented by Orkla as overwhelming and found that it demonstrated that the shade of blue would be perceived by the average consumer as Orkla’s trademark when used on porous milk chocolate.

Consequently, NIPO’s decision was overturned, allowing the shade of blue to be registered as Orkla’s trademark for porous milk chocolate.

Trademark - Assessment of trademark descriptiveness - Oslo District Court – 24-175472TVI-TOSL/05

The company Carl Zeiss Meditec AG is engaged in medical technology, and they wanted their trademark OPTIKIT to receive trademark protection in Norway, for, among other goods, products such as chemical reagents and diagnostic agents for medical purposes and surgical, medical, dental, and veterinary instruments and apparatus. The Norwegian Industrial Property Office (NIPO) found that the trademark was descriptive, and that the market would not perceive the mark as anything other than a description of the goods’ characteristics. The Board of Appeal agreed with NIPO on this assessment.

Oslo District Court overturned the decision from the Board of Appeal. The district court found that the mark would not be perceived as descriptive directly and immediately. Furthermore, the district court pointed out that the mark had been registered in a number of other jurisdictions.

Trademark - Assessment of trademark descriptiveness - Oslo District Court - 24-171224TVI-TOSL/03

In yet another matter, the NIPO and the Board of Appeal found that the applied word mark, CLASS PASS lacked distinctiveness. The word mark would be perceived as descriptive when the mark was used for goods and services related to booking training sessions. The District Court agreed that the words CLASS would be perceived as a class, as in a training class or school class, while PASS would be perceived as an access pass or a permit.

However, the District Court found that when the words are combined into CLASSPASS, the market would not perceive the mark as directly and immediately descriptive. The internal rhyme and rhythm of the mark also created a certain force, the District Court believed. The District Court therefore concluded that the mark could be registered, and the decisions by the Board of Appeal were overturned.

Trademark - Counterfeit products – Oslo District Court - 25-025766TVITOSL/07

Under Norwegian law, counterfeit products can be destroyed by customs authorities without prior legal proceedings if the right holder confirms that the goods constitute an infringement and both parties’ consent to the destruction. For the recipient of the goods, passive consent is sufficient, meaning the goods will be destroyed if the recipient does not actively oppose it.

In this case, a private individual had ordered two counterfeit Omega watches, which were withheld by customs. Omega demanded that the watches be destroyed. The private individual who ordered the watches, however, opposed

their destruction and forced Omega to file a lawsuit to obtain a final ruling that the watches infringed their intellectual property rights. The private individual argued that, as a private person, he could import counterfeit products for personal use.

However, under Norwegian law, private individuals cannot import counterfeit products purchased from businesses and the District Court found that the sender of the watches was acting in a business capacity. The court did not consider the fact that the private individual was unaware that the watches bore Omega’s trademark, and that the trademark was not visible in the sales advertisement. The court emphasized that there is no requirement for intent in cases concerning the destruction of counterfeit products and concluded that the watches should be destroyed.

Trademark – Measures for preserving evidence (personal data)Borgarting Court of Appeal – LB-2025-39763

In a recent decision, Cartier, a purveyor of luxury goods, sought a court order to obtain the personal data and contact information of the individual behind the domain “cartier.no”. The registration was anonymized, and Cartier filed the order against Norid, the registry of the top-level domain “.no” (Norway).

Chapter 28 A of the Norwegian Dispute Act allows pre-trial measures for preserving and obtaining evidence of and information related to alleged intellectual property infringement. The claimant needs to prove reasonable cause for infringement of an intellectual property right, here the trademark rights to “Cartier”.

Borgarting Court of Appeal considered that registering the domain “Cartier. no” was not an infringement of Cartier’s trademark rights, and that it was not shown that the webpage had been used to market goods or services by use of the Cartier trademark. Because of this, the special measures for preserving and obtaining evidence of intellectual property infringement could not be ordered. The court also concluded that there was no reason to believe that the individual behind the domain had put in place significant preparatory acts leading to infringement, such as preparing to offer products or services with Cartier trademarks. In reality the domain “Carter,no” had been dormant since its registration in 2021.

On this basis, the Court of Appeal upheld the decision of the lower court and ordered Cartier to pay the costs. This decision is one of few cases where Chapter 28 A of the Dispute Act has been tried. Chapter 28 A of the Dispute Act was implemented in Norwegian law following the Enforcement Directive (2004/48/ EU). Although the Enforcement Directive is not part of the EEA Agreement, the Norwegian legislator considered it important that the Norwegian rules grant rights holders at least the same level of rights to information as in the EU.

Copyright - Right to photograph in accordance with the Copyright Act –Oslo District court - TOSL-2025-17189

Oslo District Court has dealt with a case concerning the Copyright Act’s rules on exclusive rights to photography. A lawyer was interviewed by the magazine Dine Penger, and a number of photos of the lawyer were taken. Without the photographer’s consent, the lawyer used one of those photos on the website of the law firm he worked for. The photographer contacted the lawyer and demanded payment for the use of the photo. The lawyer refused to pay but offered to remove the photo.

The District Court concluded that the lawyer did not have the right to use the photo, and that reasonable compensation had to be paid. The court further found that the lawyer had acted grossly negligently by using the photo on the

law firm’s website and ordered him to pay double the reasonable license fee to the photographer.

General duty of loyalty and unfair competition – Agder Court of Appeal - LA-2024-109130

In this case, the Agder Cour of Appeal considered whether the termination of a cooperation between two professional parties violated the Marketing Control Act’s rules. Dural GmbH is a German company that sells tools, profiles, and floor underlays for use in tiling. Dural does not manufacture goods itself; instead, it sells various products with its own logo and brand.

The industrial company Isola AS had for many years sold products to Dural in accordance with a supply agree ment. In the summer of 2022, Isola terminated the supply agreement that regulated the cooperation. One of the main issues in the case was whether Isola’s termination of the supply agreement was justified or not.

Isola justified the termination, among other things, by claiming that Dural had another supplier copy the product that Isola delivered to them. In assessing whether this copying gave Isola grounds for termination, the Agder Court of Appeal pointed out that Isola’s product was not patent protected because there was no inventive step. It was also agreed that the copying did not involve any infringement of other intellectual property rights. The Court of Appeal further noted that copying products through reverse engineering was not illegal in itself and was not in conflict with section 25 of the Marketing Control Act, regarding acts of unfair competition. The Court of Appeal also found that Dural was not prevented from undertaking such copying based on the general duty of loyalty between the parties, nor was Dural obliged to inform Isola that they were copying the product that Isola delivered to them. After a comprehensive assessment, which also considered other circumstances, the Court of Appeal concluded that Isola’s termination was not justified.

Exemption for evidence of trade secrets – the Norwegian Court of Appeal – HR-2025-1218-A

Also on 26 June 2025, the Supreme Court issued a ruling concerning the exemption for evidence of trade secrets, regarding Section 22-10 of the Dispute Act. According to this provision, the holder of a trade secret is entitled to refuse to present trade secrets as evidence in a court case unless the court finds that it is necessary to disclose after a balancing of interests.

The dispute was between Elmatica AS and the company Confidee AS. Elmatica demanded that Confidee’s application for a tax deduction from the Research Council be submitted as evidence. Confidee argued that the application contains trade secrets and refused to present it, referring to Section 22-10 of the Dispute Act. Confidee argued that it followed from EEA law and the ECHR that trade

secrets could only be refused disclosure if it was ‘strictly necessary,’ and that Section 22-10 of the Dispute Act must be interpreted in line with this.

The Supreme Court asked the EFTA Court to render an advisory opinion on the relevant obligations of EEA law, hereunder the Directive on Protection of Trade Secrets (EU 2016/943), imposed on the court in the matter. In the EFTA Court’s advisory opinion, it is stated that it is up to national courts to take appropriate measures in the proceedings to ensure a balance between the requirements for effective legal protection and the protection of confidential business information, including trade secrets. The Supreme Court concluded, in line with the advisory opinion, that the EEA obligations do not impose any additional obligations on Norwegian courts beyond those that follow from Section 22-10 of the Dispute Act. Further, the Supreme Court found that neither does Article 6 of the ECHR, regarding the right to a fair trial.

The Supreme Court concluded that Section 22-10 of the Dispute Act requires a balancing of interests of the relevancy and importance of the trade secrets as evidence in the case on one side and the need for confidentiality on the other side, and that this is in accordance with Norway’s international obligations under ECHR Article 6 as well as under the Directive on Protection of Trade Secrets. The right of a trade secret holder to refuse to present trade secrets as evidence is not limited to situations where such refusal is ‘strictly necessary’.

Trade secret protection in litigation is a question of practical importance which often is raised in disputes between private parties. In a separate recent matter, prior to the Supreme Court’s decision, the Agder Court of Appeal (L A-2024138420-1) concluded that a sales agreement, which constituted trade secrets, nevertheless had to be presented as evidence. In the specific balancing of interests, the Court of Appeal found that the need for the Court to be properly informed weighed heavier than the need for confidentiality. This decision is a rather rare example of trade secrets having to be disclosed due to the interest in informing the Court.

EU Case law

Copyright – Advocate General Szpunar’s opinion on the copyright protection of applied arts - EU Court of Justice C-580/23 and C-795/23

The case concerns proceedings before Swedish and German courts, wherein manufacturers of interior goods and modular furniture systems, respectively, sued competitors alleged to sell products infringing the manufacturers copyright to their original works.

The referring courts asked questions of a principal nature in how one should assess whether works of applied art satisfy the conditions of being considered protected “works” in articles 2 to 4 of Directive 201/29. As noted by Advocate General Szpunar in the introduction of his opinion, works of applied art exist on a scale between pure utility and complete absence of practicality, which can make the assessment of originality particularly difficult and unpredictable in legal cases.

Advocate General Szpunar first concluded that there is no relationship of rule and exception between the protection of designs and copyright, in that stricter requirements are applied when examining originality in the case of applied arts.

Second, the referring courts asked for general clarifications on what factors need to be considered when assessing originality. According to Advocate General Szpunar, the crucial aspect is whether the subject matter reflects the personality of its author as an expression of his or her free and creative choices (original subject matter). Courts must consider whether choices made by the author are dictated by constraints binding the actor, which are more frequent in the applied arts as such art have a utilitarian purpose. The Attorney General also firmly concluded that the authors intentions is not a decisive factor in determining whether the claimed subject matter is protected. In other words, courts must measure originality in the work objectively and not consider the subjective intentions of the author.

Other factors external to and subsequent to the creation cannot be regarded as decisive either, such as the author’s use of generally available shapes, inspiration taken by the author, the possibility of similar independent creation, or presentations in exhibitions and museums.

Third, the final question concerned another interplay between design and copyright law, where the courts asked if- when assessing infringement under articles 2(a), 3(1), and 4(1) of Directive 2001/29 - the work whose protection is sought must be recognisable in the allegedly infringing subject matter or whether the same overall visual impression is sufficient.

Advocate General Szpunar concluded that the court hearing the case must determine whether the creative elements of the protected work have been reproduced in a recognisable manner in the allegedly infringing subject matter. In copyright law, he says, what distinguishes two works is not the overall impression but the details that uniquely personalise them. Also, the possibility of similar independent creation cannot justify a finding of non-infringement if it is established that the creative elements of the protected work are reproduced. Only if an actual independent creation is established by the evidence of the case, copyright infringement will not occur.

Copyright – Advocate General Emiliou’s opinion on sampling and the pastiche exemption in the Infosoc-directive – EU Court of Justice C-590/23

Advocate General Emiliou has provided a proposed answer to the questions posed by the Bundesgerichtshof (Federal Court of Justice, Germany) (the BGH) in the conflict between the electronic band Kraftwerk, and the hip hop producers SD and UP as well as the production company Pelham (collectively referred to as Pelham).

Pelham had used two seconds of the song Metal auf Metall by Kraftwerk in their own track, and used that extract as a continuous loop in their own song. Such use is known as “sampling.” The EU Court of Justice previously concluded that using two seconds of Kraftwerk’s sound recording was covered by the producer’s exclusive rights, and that Pelham needed prior consent before using the sound clip in their own tracks, see C-476/17. Sampling without consent would, according to the EU Court of Justice, constitute an infringement of the producer’s exclusive rights to the sound recording.

The question posed by the BGH to the EU Court of Justice this time is whether ‘sampling’ could be regarded as freely permitted under one of the exceptions laid down in the InfoSoc Directive, namely use for the purpose of pastiche, cf. article 5 section 3 letter k.

The Advocate General pointed out that “inspiration and reformulation” is freely permitted and not a copyright infringement, but that the copying of protected material is not allowed and pointed out that “the line that separates ‘inspiration’ and ‘reproduction’ is not always clear in practice.”

Regarding the scope of the pastiche exception, the Advocate General concluded that the concept of “pastiche”, within the meaning of the InfoSoc Directive, is an artistic creation which (i) evokes an existing work, by adopting its distinctive “aesthetic language” while (ii) being noticeably different from the source imitated, and (iii) is intended to be recognized as an imitation.

As a result, the Advocate General concluded that “samples” are not an artistic, overt stylistic imitation, and that the pastiche exception could not apply to the reuse of a “sample” taken from a phonogram to create a new musical work in a completely different style.

Patents – The Enlarged Board of Appeals of the European Patent Organisation - ruling in G 1/24

The Enlarged Board of Appeals (EBOA) of the European Patent Organisation has decided on the highly anticipated case G 1/24. As stated in our previous quarterly report, the case concerns the role of the patent’s description in claim interpretation in validity proceedings. Unlike in cases of infringement, where

Article 69 EPC provides guidance on interpretation, there is no written law of the EPC prescribing how claims are interpreted when - for example - an opponent submits claims of lack of novelty or inventive step.

The EBOA ruled - in a decision of only twelve pages - that the description shall always be referred to when interpreting the claims when assessing patentability under the Articles of the European Patent Convention (EPC), and not only if the person skilled in the art finds a claim to be unclear or ambiguous when read in isolation. The EBOA especially referred to the harmonization philosophy of the EPC and the case law of national courts and the Unified Patent Court (UPC). Despite not pertaining to validity proceedings, the wording of Article 69 EPC has consistently been applied by analogy in the case law of the Boards of Appeal and in the courts of member states, as well as the UPC.

The interesting feature of G 1/24 is that the description in the contested patent supports a broader interpretation of the technical term than what is usual in the relevant industry. There are examples from Norwegian case law where patent claims have been interpreted to have a narrower scope than what may follow from the wording of the claims themselves, in light of the description, but there is not a clear consensus on the question of patent claims being broadened in light of the description, which in validity proceedings could be to the detriment of the applicant (as opposed to in infringement proceedings). The interpretation of the patent claims depend on a case-specific assessment in which the patent description is usually consulted.

We expect that the decision’s impact on Norwegian case law will be a popular topic among Norwegian intellectual property jurists and patent attorneys. At first glance, the decision does not seem to entail any major deviations from Norwegian practice on claim interpretation in validity proceedings.

Regulatory and data protection

At BAHR, we recognise the vital role of data privacy and security in today’s digital world. Our team of legal experts is committed to providing clear guidance on regulatory matters to ensure businesses remains compliant and secure. We offer customised solutions to help businesses navigate the complexities of the Norwegian and EU Digital regulations.

This section will provide updates on the regulatory framework within Norway and the EU, offering insights into recent developments and trends.

Norway

Regulatory updates

The Norwegian DPA has published the results from its survey among data protection officers

On 16 June 2025, the Norwegian Data Protection Authority (DPA) published a survey it had conducted among data protection officers (DPOs).18 Approximately 600 DPOs participated in the survey.

The results of the survey show that 6 out of 10 officers report that they are asked for advice in important and relevant processes in the organisation, and 76% report that they feel that the advice they give is followed. However, only 37% of the DPOs report that management keeps itself informed and shows interest in the tasks of the data protection officer.

Furthermore, 76% of the officer’s report that they feel their organization complies with the data protection regulations to a large or very large extent. They generally score best on having routines to detect breaches and work with information security and processing protocol.

The areas with the lowest compliance, according to the officers, are employee training and built-in privacy. Most DPOs find it challenging to establish functioning routines and processes, and there is a lack of human resources.

The findings in this survey align with our own experiences. Particularly smaller organisations and businesses struggle to meet the extensive documentation requirements for processes and procedures. Fortunately, there may be some relief on the horizon – please refer to Section 4.2.2 below. Read the full report from the Norwegian DPA here

The DPA has issued a guide on consent to cookies and other tracking technologies

The DPA has published a guide on how consent for the use of cookies and other tracking technologies should be obtained in order to be compliant with the GDPR and the Electronic Communications Act (Nw. ekomloven).19 The Act became effective on 1 January 2025, and contains explicit regulation of cookies and tracking technologies, which refers to the requirements for a consent to be valid consent in accordance with GDPR. The goal of the guide is to make it easier to comply with the new rules on tracking technologies in the Electronic Communications Act.

18 https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2025/funn-frapersonvernombudsundersokelse/

19 https://www.datatilsynet.no/personvern-pa-ulike-omrader/internett-og-apper/bruk-avinformasjonskapsler-og-andre-sporingsteknologier/

The guide is intended to be a practical tool for Norwegian businesses, and the target audience is anyone who operates a website or a digital service that uses cookies or similar technologies. The guide provides a checklist of ten practical tips on how businesses can meet the requirements in order for a consent to be valid both in accordance with the GDPR and the Electronic Communications Act.

If a business uses cookies provided by a third-party, it is important to note that the business and the third-party may be joint controllers for the processing of personal data using such technology.

If a company acts in violation of the Electronic Communications Act, the Norwegian Communications Authority has the authority to impose fines. According to the Electronic Communications Regulation (Nw. ekomforskriften), the administrative fines may amount to up to 5% of the company’s turnover. This exceeds the fine level in the GDPR, which stipulates that administrative fines may amount to 4% of the company’s turnover.

Sanctions for unlawful share of personal data collected through tracking pixels

The DPA recently conducted an audit of six websites’ use of tracking pixels. All of them shared the visitors’ personal data with third parties unlawfully.20 Several of the websites did not know that they were sharing personal data, and in several cases, the data involved was sensitive.

The DPA imposed an infringement penalty of NOK 250,000 to the website 116111.no, which is a public service for children in vulnerable situations. The breaches in this case were deemed serious, as they involved a public website processing sensitive data about children. In addition to lacking legal grounds for the sharing of data, the website failed to provide adequate and sufficient information to the data subjects.

Joint declaration from the Nordic Data Protection Authorities

The Nordic data protection authorities had their annual Nordic meeting in May 2025, to discuss cooperation on privacy matters.21 The purpose of the meeting is to exchange experiences and to coordinate across borders.

The meeting concluded with a joint declaration on a number of current topics. The parties agreed to exchange knowledge and experiences regarding AI tools used for law enforcement purposes. The declaration further addresses how to handle and investigate an increasing number of complaints in an effective and

20 https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fradatatilsynet/2025/ulovlig-deling-av-personopplysninger-gjennom-sporingspiksler-hos-seksnettsteder/

21 https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2025/felles-erklaring-fra-de-nordiskedatatilsynsmyndighetene/

diligent manner. The parties also discussed the possibility of developing specific guidelines related to security and technical implementation across the Nordic countries.

MiCA and DORA have entered into force in Norway

On 1 July 2025, the EU Markets in Crypto-Assets Regulation (MiCA) entered into force in Norway.22 During the second quarter of 2025, several significant developments took place to facilitate this transition. Notably, on 20 May 2025, the Norwegian Parliament passed the Norwegian Crypto-Assets Act (Nw. kryptoeiendelsloven), which implements MiCA in Norwegian law.23

MiCA aims to promote innovation, strengthen investor protection, ensure market integrity, and maintain financial stability. It introduces a range of rules that will substantially affect issuers of crypto-assets and crypto-asset service providers operating in Norway, including requirements for licensing, supervision, and measures to prevent market abuse in the crypto-assets sector.

The EU’s Digital Operational Resilience Act (DORA) entered into force on the same day as MiCA.24 Entities subject to the new rules are expected to have adapted to the requirements of the act before this date. Read more about what managers of alternative investment funds need to do in our newsletter

Case law

Access to information - Access to HCPs identity in medical recordsFrostating Court of Appeal - LF-2025-2597

In an interesting decision from the Court of Appeal, published on 6 May 2025, the right of access to medical records under Section 5-1 of the Norwegian Patient and User Rights Act and the right of access under GDPR Article 15 were examined.25 In the case, the parents of a child with a kidney disorder sought access not only to the child’s medical record from an emergency clinic visit, but also the names, positions, and professional qualifications of the healthcare professional (HCP) involved.

The majority of the Court of Appeal denied the parents’ request, emphasising that where a medical record contains only the HCPs’ initials, their full identities do not require disclosure. The Court briefly referenced Case C-579/21 (Pankki), which considers whether GDPR Article 15(1) entails a right to know the identities of employees who have accessed a data subject’s personal data. However, it did not engage in any detailed discussion on this point. The majority also noted that GDPR Article 15 provides a right of access only to one’s own personal data.

22 https://lovdata.no/dokument/LTI/lov/2025-05-27-20

23 https://www.stortinget.no/no/Saker-og-publikasjoner/Saker/Sak/?p=102399#step-link-1

24 https://lovdata.no/dokument/NL/lov/2025-05-27-18

25 https://lovdata.no/pro/#document/LFSIV/avgjorelse/lf-2025-2597?from=NL/lov/1999-07-0263/%C2%A75-1

The minority took a different view, holding that Section 5-1 of the Norwegian Patient and User Rights Act, when read in conjunction with the legal requirements governing the content of medical records, directly supports the right to access the names of the healthcare personnel involved.

EU Regulatory updates

Meta has started AI training on users’ photos and posts

On 27 May 2025, Meta began using photos and posts from Facebook and Instagram users in the EEA to train its AI service.26 The purpose of this training is to develop and improve Meta’s generative AI services. Both publicly published content of the users and their interactions with Meta’s AI services will be used for the training. However, only data related to users over 18 years old will be used. Moreover, Meta has indicated that it will respect any objections; protest forms are available for Facebook here and Instagram here.

Meta’s use of personal data to train its AI service has previously been extensively debated. Organisations such as noyb, Co-founded by activist Max Schrems, has warned that they will take action against such use of personal data, which they believe to be unlawful. Read more about noyb’s view of Meta’s processing of personal data to train on AI here.

The European Commission has proposed simplification of EU rules (including GDPR)

The European Commission has proposed new amendments to save companies administrative costs relating to compliance.27 When small and medium enterprises (SMEs) grow beyond 250 employees, they become large enterprises and face a sharp increase in compliance obligations.

The Commission is therefore planning to introduce a new category of companies – so-called small-mid caps (SMC). Such companies have fewer than 750 employees, and either up to EUR 150 million in turnover or up to EUR 129 million in total assets. These companies will gain access to certain SME benefits or simplified rules, and the package will simplify obligations for both SMEs and SMCs.

26 https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2025/meta-begynner-ki-trening-pabrukernes-bilder-og-innlegg/

27 https://commission.europa.eu/news-and-media/news/simplification-measures-save-eubusinesses-eu400-million-annually-2025-05-21_en

Additionally, for GDPR specifically, the Commission is planning to simplify the record-keeping obligations. Paragraph 5 of article 30 provides for a derogation for SMEs and organisations with fewer than 250 employees. According to the Commission’s proposal, the scope of the derogation should be broadened to include SMCs and organisations with fewer than 750 people.

EDPB has published its annual report for 2024

On 23 April 2025, the European Data Protection Board (EDPB) released its annual report for 2024 on the protection of personal data in a changing landscape.28 In 2024, the EDPB adopted a new strategy for the period 2024-2027, which sets out the Board’s priorities for the period. Notably, the EDPB organised two stakeholder events on the topics of use of personal data to train AI models and so-called “Consent or Pay” mechanisms (for further information on this mechanism, please refer to our newsletter). The Board also launched its 20242025 Work Programme, which is a roadmap for addressing emerging challenges, and includes both pillars and implementable actions. The full report can be read here

New proposals for legislative acts published Q2 2025

Digital Networks Act. On 6 June 2025, the Commission published a proposal for regulation of digital networks.29 According to the Commission, the purpose of the initiative is to improve access to secure, fast and reliable connectivity for the transition towards cloud-based infrastructure and AI. The proposal further states that one of the objectives of the initiative is to reduce reporting obligations and remove unnecessary regulatory burdens, which aligns with the proposal for a simplification of EU rules (please refer to Section 4.2.2 above). The feedback period lasts until 11 July 2025.

Cloud and AI Development Act. According to the press release issued by the Commission on 9 April 2025, the EU is launching a new act to address Europe’s deficit in cloud and AI infrastructure capacity.30 The proposal is driven by the recognition that increasing computational capacity within the EU is essential for a mature data economy. In connection with this proposal, the Commission has initiated a consultation to gather insights from a diverse range of stakeholders, particularly concerning the current and emerging challenges related to the EU’s computational capacity gap.31 The consultation period lasts until 3 July 2025.

28 https://www.edpb.europa.eu/our-work-tools/our-documents/annual-report/edpb-annualreport-2024_en

29 https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14709-DigitalNetworks-Act_en

30 https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14628-AI-Continentnew-cloud-and-AI-development-act_en

31 https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14628-Cloud-and-AIDevelopment-Act/public-consultation_en

Q2 2025 developments under legal acts in force

Digital Markets Act. On 25 April 2025, the Commission published a report on the Digital Markets Act, addressed to the European Parliament and the Council of the European Union.32 The report sets out the activities undertaken by the European Commission in connection with the Act in 2024. In 2024, the Commission decided to designate large players such as Alphabet, Amazon, Apple, ByteDance, Booking.com, Meta and Microsoft as gatekeepers. The Commission also concluded several market investigations related to rebuttals submitted by undertakings claiming that they do not meet the requirements for being designated as gatekeepers. As the Act entered into its implementation and enforcement phase, the Commission also engaged in regulatory dialogue with the designated gate-keepers, and performed investigations related to noncompliance.

Cybersecurity Act. The Commission issued a press release which states that there will be an initiative to revise the Cybersecurity Act on 11 April 2025.33 The purpose of the initiative is to clarify the mandate of the EU Agency for Cybersecurity, and to improve the European Cybersecurity Certification Framework to achieve better resilience. The Commission further called for a consultation, with the aim to gather the views of stakeholders on areas for improvement in the current regulation.34 The consultation was closed 20 June 2025.

Guidelines

EDPB has adopted guideline on Article 48 GDPR (transfers or disclosures not authorised by Union law)

On 4 June 2025, the EDPB adopted a version 2.0 of its Guideline 02/2024 on Article 48 GDPR.35 Article 48 stipulates that judgments from a court or tribunal, as well as decisions from administrative authorities in a third country, requiring a controller or processor to disclose or transfer personal data, can only be enforceable if they are based on an internation agreement in force between the requesting third country and the Union or a member state.

The guideline aims to clarify the rationale and objectives of the article, while providing practical recommendations for controllers and processors. The EDPB emphasizes that the article’s objective is to make clear that judgments and decisions from third countries cannot automatically and directly be recognised, and their validity depends on recognition through international agreements.

32 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM:2025:166:FIN

33 https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14578-The-EUCybersecurity-Act_en

34 https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14578-The-EUCybersecurity-Act/public-consultation_en

35 https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-022024article-48-gdpr_en

Article 48 does not itself constitute a legal basis for transfer and must be supplemented with a ground for transfer in accordance with Chapter V of the GDPR. The transfer or disclosure of personal data must also have a legal basis for the processing in accordance with Article 6. The EDPB notes that where a request from a third country aligns with an international agreement, and the agreement gives the request the effect of a legal obligation, Article 6 (1) c may provide a legal basis for the transfer.

The EDPB also notes that a scenario where a third country authority requests personal data from an entity located in its territory (parent company) which would than ask its subsidiary in the EU for the data, does not fall under the scope of Article 48. Read the guideline here

EDPB has adopted guideline on processing of personal data through blockchain technologies

On 14 April 2025, the EDPB adopted a Guideline on the processing of personal data through blockchain technologies, available here. This insightful Guideline aims to provide a framework for organisations considering the use of blockchain technology, outlining key GDPR compliance considerations for planned processing activities. It explains how blockchains function, assessing various architectures and their implications for personal data processing.

According to the EDPB, blockchains can facilitate secure data handling and transfer, ensuring data integrity and traceability. However, the EDPB advises against storing personal data on a blockchain if it conflicts with data protection principles.36

The Guideline emphasises the importance of implementing technical and organisational measures and that organisations should conduct a Data Protection Impact Assessment (DPIA) before processing personal data through blockchain technologies where such processing is likely to pose a high risk to individuals’ rights and freedoms. Finally, the EDPB discusses the interplay between the technical aspects of blockchain and the data protection principles outlined in Article 5 of the GDPR.

36 https://www.edpb.europa.eu/news/news/2025/edpb-adopts-guidelines-processing-personaldata-through-blockchains-and-ready_en

Strategy updates

AI Continent Action Plan

The Commission launched a plan with the objective of establishing the EU as a global leader in AI on 9 April 2025.37 The plan is structured around five key pillars: 1) Developing a large-scale AI data and computing infrastructure, 2) increasing access to large and high-quality data, 3) developing algorithms and fostering AI adoption in strategic EU sectors, 4) strengthening AI skills and talents and 4) regulatory simplification.38 Notably, in relation to regulatory simplification, the Commission will launch an AI Act service desk to help businesses comply with the AI Act.

A European strategy for AI in science – paving the way for a European AI research council

On 10 April 2025, the Commission introduced an initiative aimed at shaping policy approaches towards AI in science.39 The goal is to facilitate the adoption of technology by scientists, addressing the challenge of limited adoption of AI in European scientific activities.

Data Union Strategy

On 23 May 2025, the Commission announced an initiative to streamline existing data rules.40 The objective is to create a simpler, clearer and more coherent legal framework for businesses and administrations, particularly concerning largescale data sharing. The feedback period for this initiative is open until 18 July 2025.

International Digital Strategy

On 5 June 2025, the European Commission and the High Representatives presented a plan to strengthen its leadership in global digital affairs, while reinforcing its digital partnerships.41 The strategy is centered around three main objectives: 1) Expanding international partnerships, 2) enhancing the EU’s technological competitiveness through economic and business cooperation and 3) strengthen global digital governance.

37 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52025DC0165

38 https://ec.europa.eu/commission/presscorner/detail/en/ip_25_1013

39 https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14547-A-EuropeanStrategy-for-AI-in-science-paving-the-way-for-a-European-AI-research-council_en

40 https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14541-European-DataUnion-Strategy_en

41 https://digital-strategy.ec.europa.eu/en/library/joint-communication-international-digitalstrategy-eu

EU Blueprint on cybersecurity crisis management

EU adopted a blueprint to better manage European cyber crises and incidents on 6 Jun 2025.42 The blueprint gives guidance on how to handle such incidents and crises and aims to enhance preparedness and detection capabilities.

Case law

Mgr. L. H. v Ministerstvo zdravotnictví - Case C-710/23

In a judgement from 3 April 2025, the CJEU addressed whether disclosing the name, signature, and contact details of a natural person representing a legal entity constitutes the processing of personal data under GDPR.43 In the case, a request was made to the Czech Ministry of Health for information concerning individuals who had signed contracts to purchase COVID-19 screening tests, as well as certificates demonstrating that those tests could be used within the EU.

The CJEU ruled that disclosing the identifying details of a representative of a legal person does indeed constitute the processing of personal data under Articles 4(1) and (2) of the GDPR, regardless of whether such disclosure is merely intended to identify the authorised signatory. The judgment highlights the broad scope of personal data protection under the GDPR, emphasising that natural persons acting in a professional capacity are also protected.

Additionally, the CJEU held that Article 6(1)(c) and (e), read in conjunction with Article 86 of the GDPR, does not preclude national legal requirements that necessitate informing and consulting the individual concerned before disclosing official documents containing personal data, provided such obligations are not impossible or disproportionately burdensome. The judgment confirms that while public access to information is essential, safeguards must remain in place to ensure that individuals’ personal data are duly protected.

42 https://www.consilium.europa.eu/en/press/press-releases/2025/06/06/eu-adopts-blueprint-tobetter-manage-european-cyber-crises-and-incidents/

43 https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62023CJ0710

BAHR Technology

BAHR’s multi-disciplinary Technology group is tailored to meet the diverse needs of technology companies, covering all areas from litigation and M&A to contracts and regulatory matters. We are dedicated to maintaining in-depth knowledge and active engagement with industries at the cutting edge of technological advancement, delivering market-leading expertise to tackle the legal challenges these sectors face. Our clients benefit from lawyers who not only understand their business but also grasp the commercial opportunities and challenges inherent within their industry.

“ – Legal 500

BAHR’s Intellectual Property and TMT practice is outstanding and the best in Norway due to its deep expertise and innovative approach to complex legal matters. The team is uniquely adept at providing strategic advice that aligns with our business objectives, specially in the rapidly evolving IP and TMT sectors.

The lawyers at BAHR are excellent. They are experts on patent litigation and are resultsoriented and super responsive.

– Chambers