The Norwegian Data protection legislation from the 1970ies until today

This article about developments the Norwegian Data protection legislation from the 1970ies until today is a slightly revised english version of an article that was first published in the March issue of Lov & Data  Newsletter: https://lovdata.no/artikkel/lov__data__ny_utgave_er_ute_na/5018  Lov & Data: https://lod.lovdata.no/

Arve Føyen was engaged as project manager for the implementation of the Personal Data Act and the establishment of the Data Inspectorate (the Norwegian Data protection Authority) in 1979. Upon the establishment of the Data Inspectorate, he was employed as deputy director in the Data Inspectorate from 1979 to 1982 under the director Helge Seip. In 1982, he was engaged by the Ministry of Justice to investigate the need for changes in the Personal Data Act. Since 1983, he has worked as a lawyer focusing on legal issues related to the introduction and use of ICT, telecommunications, media and media distribution, and privacy. From 2008 to 2016, Arve Føyen was deputy chairman of the Privacy Appeals Board, appointed by the Norwegian Parliament (Stortinget). He still works as a lawyer and is engaged as an external data protection officer in four different companies. Arve Føyen was the first chairman of the Norwegian Association for Computers & law when the association was founded in 1980.

1. Privacy – Introduction
In 2024, it was the 40th anniversary of the society George Orwell described in the book “1984” (published in June 1949). A small reminder from the book is that the “Party’s” ultimate goal is not only to monitor and control people’s actions but to control their thoughts and destroy their humanity. The defeat of the main character Winston represents the triumph of totalitarianism over individual freedom and human dignity. In the society described in the book, everyone is monitored by the authorities. “Big Brother” watches everything, both in private and public life. The population is constantly reminded of this with the slogan “Big Brother is watching you.”

How has the protection of individual freedom, human dignity, and personal data fared in the 40 years since the Orwellian society was described in “1984”? (1)

2. Privacy – Trends and Challenges
Privacy has undergone significant changes since the early 1970s, driven by technological development, increased use of digital solutions, and stricter legislation. This article examines key trends in privacy in Norway and internationally, with a particular focus on technological challenges, changes in legislation over time, and the introduction of GDPR.

2.1. Some Terminology
“Personal integrity” involves the individual’s right to live their life without unnecessary interference from others, including the state, companies, and private actors. This right extends to protecting the individual’s personal sphere, including their physical and mental well-being.

“Legal protection of personality” refer to legal protections that recognize the individual’s right to control and protect their own privacy, image, name, and other personal characteristics. This includes protection against violations and unauthorized exploitation of the individual’s personality in, for example, media and advertising.

“Privacy” is a broader concept that encompasses the protection of individuals’ rights and freedoms in connection with the processing of their personal data. This includes the right to privacy and the right to control how one’s personal data is collected, used, stored, and shared. Privacy is therefore an important part of both personal integrity and the legal protection of the personality.

In the government public report “Individual and Integrity” (NOU 2009:1), it is stated that data protection concerns rules and standards for the processing of personal data with the main goal of safeguarding privacy(2). Data protection specifically refers to the measures and regulations that have been introduced to protect information about individuals from misuse and unauthorized access. This includes legislation such as the Personal Data Act and GDPR, the Health Register Act, and the Police Register Act, which set strict guidelines for how and for what purposes data should be collected, processed, made available, stored, and protected, to ensure that the individual’s rights are safeguarded.

These terms are closely related and overlap in many ways, but they also represent different aspects of the individual’s right to protection against intrusions into their private life. Together, they form a framework that seeks to balance the need for free flow of information with the consideration of protecting the individual’s freedoms, dignity, and rights.

2.2. Background – Development of Data Protection
The development of data protection as a legal and societal discussion topic related to the use of computers began in the 1960s and accelerated into the 1970s. This period was characterized by an increasing awareness of the potential of data technology to collect, process, and store large amounts of information about individuals. At the same time, concerns grew about how this information could be misused by both public and private actors.

The technological development in data processing and information technology led to extensive discussions about the need to protect individuals’ personal data. In the 1970s, several countries, including Norway, initiated investigations and studies on privacy and data protection issues related to both public and private use of personal data. International organizations such as the Council of Europe and the OECD also contributed to the development of privacy principles that would form the basis for future legislation. Sweden’s Data Act from 1974 was the first of its kind and marked the beginning of a wave of legislation on privacy in Europe.

Erik Samuelsen’s research report from 1972 on privacy was (3) a groundbreaking study that explored the legal and societal aspects of protecting individuals’ personal data. The report highlighted the technological challenges associated with data processing and information technology and how these could pose a threat to personal integrity.
Samuelsen analysed the need for legislation to regulate the collection, storage, and processing of personal data. He emphasized the importance of balancing the flow of information with the protection of individual rights. His work helped lay the foundation for the later development of privacy legislation in Norway and contributed to the growing awareness of privacy issues in the 1970s.

In the 1970s, two public committees were established to investigate issues related to the processing of personal data and privacy in Norway. The first investigation, NOU 1974: 22 – Personal Data and Privacy, addressed the fundamental principles and challenges related to privacy in a time of rapid technological development. The report focused on how personal data was collected, stored, and used in the private sector, as well as the need for rules and regulations to protect individuals’ rights.
The second investigation, NOU 1975:10 Public Personal Data Systems and Privacy, focused on the specific challenges of public personal data systems. The committee evaluated existing practices and proposed measures to strengthen privacy in public registers and databases. These two reports laid the foundation for the Ministry to prepare Ot prp nr 2 (1977-78) on the law on personal registers, etc. (“Personal Data Registers Act”). The law was passed by the Parliament (Stortinget) on June 9, 1978.

3. Personal Data Registers Act
3.1. Regulations, Concessions, and Implementation
The Personal Data Registers Act was passed by the Parliament on June 9, 1978. The law was a typical delegation act, with broad powers for the Government (the King in Council) and the Ministry (Ministry of Justice) to issue delegated regulations. Before the law could come into force, delegated regulations had to be prepared, and a Data Inspectorate had to be established to enforce the law.

For various reasons, the adopted law ended up in a drawer in the Ministry of Justice, and nothing happened with the implementation for about a year. About a year after the law was passed, a fast-working working group was established to prepare regulations and establish the Data Inspectorate. The working group had one member from the Government Institution for Organisation and Management (“R-dir” – equivalent to what is now Dig-Dir/DFØ) as project manager, one member from the Civil Affairs Department in the Ministry of Justice, and one member from the Legislation Department in the Ministry of Justice. Within 7 months, the working group was to prepare draft regulations to be finalized after an external consultation round, so that they could be implemented together with the law by January 1, 1980. At the same time, the working group was to establish the Data Inspectorate, hire the first 4-6 employees in the Data Inspectorate, acquire and equip premises for the Data Inspectorate, and carry out extensive information activities about the requirements for business and administration in the new law.

Originally, the Personal Data Registers Act applied to personal registers – manual and electronic. “Personal registers” were defined as registers, records, etc., where personal data is stored systematically so that information about the individual person can be found again. The law also applied to data about “legal persons”, and the law further applied to other uses of personal data in certain types of activities, which included:

• Credit and personal information activities
• Data processing companies (Service bureaus)
• Addressing and distribution activities
• Opinion and market surveys
• Transfer of data abroad
• Camera surveillance.

Starting and operating such activities required a concession from the Data Inspectorate.

The Personal Data Registers Act imposed a number of obligations on data controllers to ensure that personal data was processed in accordance with the law. This included, among other things:

• Application for concession: Businesses had to apply for a concession from the Data Inspectorate before they could establish new personal registers. Businesses operating in the above-mentioned types of activities had to apply for a concession to be able to operate their business. Transition rules were given with a deferred deadline for applying for a concession for already established registers or businesses.
• Security: Businesses were to take necessary security measures to ensure the integrity of the information and that it did not go astray.
• Right of access: Everyone had the right to be informed about what information about them was stored or processed using electronic means.
• Obligation to act on orders from the Data Inspectorate: Businesses had an obligation to comply with orders from the Data Inspectorate regarding correction, deletion, or supplementation of errors in the registers, and regarding the implementation of measures necessary to ensure that any errors did not affect the registered person.

Based on the concession system, the law required that any business wishing to maintain personal registers or operate such activities as specified had to apply for permission (concession) from the Data Inspectorate. This system was to ensure that the use of personal data was in accordance with the provisions of the law and that necessary security measures were in place to protect the data against unauthorized access, alteration, or deletion.

The appointed working group immediately understood that extensive exceptions from the law were necessary, in the form of secondary regulations for different standard types of registers that could be exempted from individual concession processing. The exceptions were made in regulations under the provisions of the law, by defining what types of information the registers could contain, what purposes they could be used for, where the information could be obtained, who could access the information, etc.

The regulations further stipulated requirements for how personal data should be processed so that no concession was required. The requirements included:

• Purpose limitation: The information should only be used for the purpose for which it was collected and not for other purposes without the consent of the registered person.
• Data controller: The top management of the business was responsible for following the rules in the regulations.
• Accuracy: The information had to be accurate and up to date.
• Security: There had to be sufficient technical and organizational measures to protect the information against unauthorized access and other security threats.
• Right of access: The registered persons had the right of access to what information was registered about themselves, as well as information about the purpose of the processing and who had access to the information.
• Disclosure of information: Personal data could not be disclosed except in specific cases.
• Linking of registers: If a register was to be linked with other registers, the concession requirement would generally apply again for the combined register.
• Deletion: If no other legislation prevented deletion, anyone could, as a general rule, demand to be deleted from the register.

3.2. The Role of the Data Inspectorate

The Data Inspectorate was established as an independent body subordinate to the King and the ministry determined by the King (Ministry of Justice). The Data Inspectorate’s responsibility was to monitor compliance with the Personal Data Registers Act and the regulation. The Data Inspectorate had, among other things, the following tasks:

• Processing concession applications: Assess and approve or reject applications for permission to establish personal registers.
• Control and supervision: Conduct inspections and controls to ensure that businesses complied with the law’s requirements, and any granted concession.
• Guidance: Provide advice and guidance to businesses and individuals on privacy issues.
• Enforcement: Implement necessary measures in case of violations of the law, including sanctions and orders.

3.3. Consequences of Violations

Violations of the Personal Data Registers Act or regulations could result in criminal sanctions provided for in the law and regulation. The sanctions included the possibility of orders to stop illegal processing of personal data (which could be imposed by the Data Inspectorate), imprisonment, fines, and compensation to the registered persons (which had to be determined by the courts based on a lawsuit). It is worth noting that the law provided for personal criminal liability for the management of the business responsible for violations of the law.

4. Need for Changes – Personal Data Act 2000
4.1. Investigation of the Need for Changes
The Personal Data Registers Act was challenging to enforce. In the 1980s, the Data Inspectorate was characterized by capacity problems, with few employees and a growing workload. This led to the undersigned being engaged by the Ministry of Justice in 1982 to investigate the need for changes and simplifications of the law (4).

The investigation concerned the simplification and adaptation of the Personal Data Registers Act to bring better alignment between the Data Inspectorate’s tasks and available resources, considering technological development.

At this time, the Data Inspectorate had 8 employees (3 caseworkers) including office staff, and significant backlogs in processing concession applications for “old” registers. The Inspectorate had no persons with technical background and no one to conduct control activities.

As it was considered unrealistic to significantly strengthen the Data Inspectorate, the most immediate proposal was to remove the concession requirement and introduce material rules with criminal sanctions for violations. A main problem with this was to introduce criminal sanctions for vague and discretionary material rules.

Another main problem was that technological development had led to the “register” concept no longer being suitable as a basic concept for the protection of privacy. Personal data registers were defined as “..registers, records, etc., where personal data is stored systematically so that information about the individual person can be found again”. The investigation concluded that it would be more appropriate to regulate any form of collection, storage, and use of personal data. This was justified by the fact that modern technology could be used to retrieve information without the information being “systematically stored” in advance.

The investigation was sent for public consultation and further processed by an Interdepartmental working group and was part of the basis for Ot.prp.nr.34 (1986–1987) On amendments to the Personal Data Registers Act. Some minor changes were adopted in the law of June 12, 1987, on amendments to the Personal Data Registers Act. The more significant proposals – to make the Data Inspectorate a more independent administrative body, drop the register concept and focus on the collection, storage, and use of personal data, drop the concession requirement, introduce more material rules, etc., were, however, only partially adopted.

4.2. Transition to the Personal Data Act
The EU Commission presented a draft directive on the protection of personal data in 1992. At this time, digitalization was growing rapidly, and the need for more comprehensive legislation that could better safeguard privacy nationally and across borders became evident. The Data Protection Directive was adopted in 1995 (5).

The directive was an important milestone in the development of privacy legislation. The directive aimed to harmonize privacy laws in the EU so that personal data could flow freely within the internal market while ensuring individuals’ right to privacy. It established key principles such as rules on explicit consent by the data subjects, and requirements for specific legal grounds for lawful data processing, and the right for individuals to access and correct their data.

Based on the directive, input from the Data Inspectorate, and the expressed need for changes outlined in section 3.1 above, the Ministry of Justice appointed a committee in October 1995 to investigate the need for a revision of the Personal Data Registers Act. The main points of the investigation were:

• The law should no longer only apply to “personal data registers” but also to “electronic processing of personal data.”
• Greater emphasis was placed on subsequent control based on notifications to the Data Inspectorate, and the concession system was largely replaced by a notification requirement to the Data Inspectorate.
• More material rules were introduced in the law itself.
• The registered persons were given more rights vis-à-vis the data controllers:
  • Facilitation for the registered persons to be able to exercise their rights (e.g., information to the registered persons when information about them was collected).
  • New and expanded rights for the registered persons (e.g., extended right of access, the right to request manual processing of automated decisions, and the right to request justification for decisions made by automated systems).
  • Facilitation for it to be practically possible for individuals to exercise their rights, including the Data Inspectorate establishing a publicly accessible register with overview of the processing of personal data.
  • The Data Inspectorate was made professionally independent of the government and ministries, and the Ministry of Justice would no longer be the appeal body for decisions in the Data Inspectorate.
  • A new appeal body – the Privacy Appeals Board – was established as an independent and autonomous appeals body, with the chairman and deputy chairman appointed by the Parliament, while the other members were appointed by the King in council.
  • Stricter rules on surveillance were introduced, e.g., television surveillance, etc.

The transition from prior control through the processing of concessions to subsequent control was based on three main elements. Firstly, a requirement was introduced to send a notification to the Data Inspectorate about certain types of processing of personal data. The notifications were to be entered in a publicly accessible register at the Data Inspectorate and were to provide the Data Inspectorate with information that could be used for control purposes. Secondly, those who process personal data were to ensure the quality of the processing and implement internal control to document what processing of personal data took place and how this processing was legally and securely conducted. Thirdly, the Data Inspectorate was to be given the authority to issue orders to stop illegal processing of personal data or impose conditions that had to be met for the processing to be lawful. If such an order was not complied with, the Data Inspectorate could impose a coercive fine that would accumulate until the matter was rectified.

The Personal Data Act was adopted on April 14, 2000, based on this investigation and Ot.Prp.nr.92 (1998-1999) “On the law on the processing of personal data.” The law came into force on January 1, 2001, and remained largely unchanged until it was replaced by GDPR on June 20, 2018.

The Personal Data Act of 2000 was significantly better suited for regulating the processing of personal data using new technology than the old Personal Data Act.

5. Full Harmonization of Privacy Legislation in the EU
5.1. Introduction of GDPR
The most significant milestone in modern privacy legislation came with the introduction of the “General Data Protection Regulation” (GDPR) in 2018. GDPR is a regulation that was introduced in Norway through the Personal Data Act (June 18, 2018, no. 38) . As a regulation, it must be implemented in each EU country (and EEA country) “as it is.” There is generally no national room for choice on how the individual rules should be implemented – except for the provisions where the regulation itself indicates that there is a choice on how the provision should be implemented. GDPR specifies more than 50 areas where national rules can be established in addition to or as a clarification of those directly stated in the regulation. For Norway, these are collected in the new Personal Data Act, which implements GDPR and is published together with GDPR (6).

GDPR’s main purpose is to protect individuals’ rights and freedoms in the processing of personal data while ensuring the free flow of data within the EU. GDPR gives individuals more power, including the right to access their own data, the right to be “forgotten,” rules on data portability, and strict purpose limitation for the use of personal data.

For businesses and public authorities, GDPR entails stricter requirements for documentation, purpose limitation, risk assessments, transparency, and security. Furthermore, GDPR has a strict regime for the transfer of personal data to countries outside the EU that do not have legislation on the processing of personal data which meets the requirements of GDPR.
GDPR also introduced significantly stricter sanctions for violations, with fines of up to 4% of a group of companies’ gross global turnover, or 20 million euros whichever is highest, for the most serious violations. This has, of course, led to significantly increased attention and willingness to comply from businesses and public authorities targeted by the rules.

GDPR has also led to increased reporting requirements and a significant increase in the number of deviation reports to the Data Inspectorate. From 2017 to 2023, the number of deviation reports received by the Data Inspectorate increased by 790%, a growth that has been challenging to handle for an inspectorate with limited resources. Much of the increase is naturally due to the significant tightening of the sanction levels related to violations of the rules.

5.2. “Brussels Effect”
For Norway, GDPR has the effect that supervisory practices and case law throughout the EU area are significant for the application and interpretation of the rules in Norway as well.
GDPR also has ripple effects far beyond Europe, as the processing of personal data that takes place outside Europe must largely follow European rules. This has been called the “Brussels Effect.” Companies that process personal data about EU citizens or operate in the EU must follow the legislation here.

The Brussels Effect is the process of unilateral regulatory globalization caused by the EU de facto (but not necessarily de jure) externalizing its laws beyond its borders through market mechanisms. At the same time, this has had the effect that several countries worldwide have created their own privacy legislation, which in many cases follows the EU’s example.

5.3. Harmonization of Legislation and Case Law
GDPR contributes to harmonizing case law in Europe by setting common rules and standards that apply in all EU and EEA countries. As a regulation, GDPR must be implemented directly into national legislation “as is” without significant changes, except in areas where there is room for national adaptations. This ensures a uniform approach to privacy and the processing of personal data across countries, providing equal rights and obligations for both individuals and businesses throughout the EU. This also creates equal competitive conditions for businesses. Harmonization also simplifies the transfer of personal data between countries, as the same requirements and protections apply everywhere.

The EU Court of Justice’s main task is to interpret EU law to ensure it is applied in the same way in all EU countries and to resolve legal disputes between national authorities and EU institutions. The EU Court of Justice is therefore a key player in ensuring that EU legislation is interpreted consistently and fairly across member states. This includes the interpretation and enforcement of GDPR. National courts can ask the EU Court of Justice for guidance on how provisions in GDPR should be understood and applied. The EU Court of Justice’s decisions are binding on all member states, ensuring a uniform understanding and application of privacy rules.
Through its decisions, the EU Court of Justice directly influences how national courts and authorities interpret and enforce privacy rules. For example, it can clarify how certain rights, such as the right to be forgotten, should be balanced against other rights, such as freedom of expression and information. This helps ensure a consistent application of the rules throughout the EU.

The EU Court of Justice has issued several important rulings that have contributed to harmonizing privacy legislation in the EU. For example, it has clarified how consent should be obtained and documented, and how personal data should be protected when transferred to third countries.

6. Technological Challenges and Future Regulations
6.1. Regulating on steroids
While GDPR was being prepared and implemented, there has been a steadily increasing development in technology, with growth in the use of cloud services, artificial intelligence (AI), and large amounts of data. This has created new challenges for privacy.

The EU has been working on introducing several regulations to address the complex issues related to the data economy. Among these are the Open Data Directive, Data Governance Act, Digital Markets Act, Digital Services Act, AI Act, Data Act, the Digital Operational Resilience Act (“DORA”) and the NIS 1 and NIS 2 directives (”Network and Information Security Directives). These are legal instruments designed to ensure a fair distribution of values in the data economy, promote the use of open data, and strengthen trust in data transactions. Several of these legal instruments require the establishment or designation of regulatory and coordinating bodies at the national level. It will be important to coordinate the efforts and resources needed to implement the legal instruments in a responsible and transparent manner and to prevent fragmented regulatory follow-up and control.

A particular challenge for technological development is the use of personal data in large language models. The question of how personal data and IPR-protected data are used to train language models and other AI solutions has become a hot debate.

Furthermore, the globalization of the technology sector has led to large American corporations, such as Amazon, Apple, Oracle, and Microsoft, dominating the market for cloud services, raising concerns about the transfer of data to third countries. It also raises concerns about American dominance over key resources for digitalization and the development of critical societal functions in the EU.

6.2. The Role of the Data Inspectorate in Today’s Landscape
In facing these challenges, the Data Inspectorate has an important role. However, the Data Inspectorate, now as before, faces significant capacity challenges. There is an increasing need for rapid and efficient case processing, while resources and technical competence in the inspectorate are limited. To meet future privacy requirements, the Data Inspectorate must be strengthened both in terms of resources and organization.
Authorities will also be designated for monitoring and following up on several of the relevant directives and regulations from the EU, and there will be a strong need for coordination and cooperation between the Data Inspectorate and any other bodies designated under new directives and regulations.
An evaluation by DFØ (Directorate for Administration and Financial Management) has also pointed out that the inspectorate must become a more constructive guide for public and private enterprises, while also developing better strategic cooperation with other public bodies (7).

6.3. Overregulation and the need for simplifications
Privacy has gone from being a niche area in the 1970s to becoming a central part of the modern digital economy. From the introduction of the Norwegian Personal Data Act to GDPR’s strict requirements, privacy has evolved in line with technological development – albeit somewhat lagging. Going forward, it will be necessary to balance innovation with privacy requirements, especially in light of AI, big data, and cloud services. To ensure that privacy continues to be safeguarded, both legislation and supervisory authorities such as the Data Inspectorate must be strengthened and adapted to the digital landscape.

Going forward, it will be necessary to balance innovation with privacy requirements, especially in light of AI, big data and cloud services.

At the same time, in my opinion, it is absolutely necessary to avert the current trend towards overregulation of the digital area. Such overregulation hinders development and puts a serious damper on the innovation power of businesses and public administration.

According to NHO, 99% of Norwegian companies are small and medium-sized enterprises (SMEs) (companies with fewer than 100 employees), and more than 56% of all employees in the private sector work in SMEs. It is obvious that such companies have limited resources for extensive compliance work and interpretation and adaptation to extensive, discretionary rules like GDPR.

Internationally, there is an increasing discussion about whether the EU, through its regulatory zeal, is in the process of stifling innovation and development, causing EU countries to lag behind in international technological development and productivity growth.

In recent years, most businesses, including American companies, have been confronted with an increasing number of demanding European digital regulations with extensive extraterritorial effects. Influential European voices are asking whether this has now gone too far and whether the extensive regulations are undermining Europe’s competitiveness.

Mario Draghi, former head of the European Central Bank, voiced these concerns in a report (8) in September 2024. The report was commissioned by the Commission’s leader, Ursula von der Leyen. Draghi claimed that the EU Commission’s “legislative activity has grown excessively” in recent years and that “innovative companies that want to scale up in Europe are hindered at every step by inconsistent and restrictive regulations”.

Ursula von der Leyen addressed this in her speech to the European Parliament’s plenary session on the new College of Commissioners and its program on November 27, 2024 (9), where she emphasized that for Europe to regain its innovation power, the EU must make things easier for European businesses. Companies report that the regulatory burden weighs heavily on them. There is too much reporting and too many overlapping regulations, which are too complex and costly to comply with. According to von der Leyen, the rules must be streamlined to reduce the burden on businesses. And it must be predictable for businesses what is expected of them. On this basis, von der Leyen has asked one of the EU’s most experienced commissioners, Valdis Dombrovskis, to take the lead in simplification and implementation. He will also be responsible for increasing Europe’s economy and productivity.

One of the Commission’s first steps in the new mandate will, according to von der Leyen, be new cross-sectoral legislation. The Commission will look at different sectors and assess European legislation. The EU’s internal market has always been the biggest driver of growth. The greatest strength of the internal market is that it replaces countless national standards and business practices with a single set of rules. So, according to von der Leyen, the EU must return to what the internal market does best: making business easy across Europe.

These are promising words from one of Europe’s most powerful bureaucrats – but it remains to be seen whether concrete simplifications will come out of this. I am somewhat sceptical when the first step in simplification is to establish new cross-sectoral legislation.

1. Based on Wikipedia
2. NOU 2009 chapter 4.1.5
3. Erik Samuelsen – Statlige databanker og personlighetsvern – Universitetsforlaget 1972
4. Complex nr. 1/1983 Assessement of the need for changes in the personal data registers act
5. EU-directive 95/46/EF
6. Law 15.6.2018 nr. 38
7. DFØ-report 2024:8 Both watchdog and guide dog? An evaluation of the Data Inspectorate
8. The future of European competitiveness – Part A | A competitiveness strategy for Europe – September 2024
9. Speech by President von der Leyen at the European Parliament Plenary on the new College of Commissioners and its programme