Welcome to our platform for insight into all the latest in law and business. We hope to inspire and share big ideas that make the difference driving your business forward.

The new Finnish Data Protection Act supplementing the GDPR enters into force on 1 January 2019
5 Dec 2018 Finland passes new Data Protection Act, which nationally supplements and clarifies the General Data Protection Regulation. Background The European Union's General Data Protection Regulation (EU) 2016/679 ("GDPR") entered into force on 24 May 2016 and has been applicable from 25 May 2018. Even though the Regulation is directly applicable in all Member States, it leaves some issues to be decided on or further regulated by Member States. In Finland, the Regulation is nationally supplemented and clarified with a new Data Protection Act. The new act was delayed but the Finnish Parliament accepted the relevant legislative proposal on 13 November with presidential confirmation taking place on 5 December. The Data Protection Act will enter into force on 1 January 2019 thus e.g. enabling the Finnish supervisory authority, the Data Protection Ombudsman to carry out tasks and exercise powers provided by the GDPR. Administrative fines not applicable to public authorities and bodies The Data Protection Act does not enable imposing administrative fines on public authorities and bodies, which was an issue highly debated during the preparation of the legislation. The GDPR leaves it to Member States to legislate whether administrative fines apply to public authorities and bodies. With diverse arguments for and against, the Finnish legislator decided not to apply the sanction risk of administrative fines to state, municipal, and other public authorities and bodies. For all this, it should be borne in mind that such bodies and authorities process vast amounts of significant personal data. Apart from administrative fines, they are subject to obligations and supervision under the GDPR and the Data Protection Act as well as to general public law requirements and criminal liability. The need to extend the imposition of administrative fines to public bodies and authorities will likely be monitored and assessed in the future. The Data Protection Ombudsman will be the Finnish supervisory authority According to the Data Protection Act, the Finnish Data Protection Ombudsman is the supervisory authority in Finland responsible for monitoring the application of the GDPR. The GDPR would also allow the supervisory authority to be composed of multiple members and even the establishment of more than one supervisory authority. In the Finnish solution, the position and related tasks are allocated to a single official despite earlier discussions of establishing a new authority in the form of an agency. However, upon accepting the new Data Protection Act, the Finnish Parliament required the Government to further examine the possibility of establishing a new data protection agency in the future. According to the Parliament's reply, in the development of the Data Protection Ombudsman organisation it should especially be ensured that administrative sanctions are imposed by a multi-member body and that the authority is independent, as required by the GDPR. The Data Protection Ombudsman shall have an office, which includes at least two Deputy Data Protection Ombudsmen and a necessary amount of referendaries and other personnel. The Office shall also include an internal advisory board, which, at the request of the Data Protection Ombudsman, shall give opinions on significant questions regarding the application of data protection law. Due to the significant workload relating to the enforcement of the GDPR, the current budget proposal for 2019 would allocate 855,000 euros as additional resources to the Office of the Data Protection Ombudsman, thereby – in a longer run – almost doubling its personnel from the current manpower of approximately 23 officials. The sanctions will be imposed by a new collegial body Although the Finnish supervisory authority is a single official, it was deemed vital that the power to impose administrative fines rests with a body composed of more than one member. The Data Protection Act introduces a new collegial body composed of the Data Protection Ombudsman and the Deputy Data Protection Ombudsmen. In Finland, administrative fines may only be imposed by this collegial body. By contrast, the advisory board does not directly participate in imposing administrative fines. The collegial body is chaired by the Data Protection Ombudsman and quorum for the body's decisions on administrative fines requires the presence of at least three members. The decision supported by the majority of members shall prevail and, in case of a tied vote, the decision less adverse to the party subject to the sanction. Especially as upon the time of writing the deputy ombudsmen are not yet appointed, the time will show the sanctioning policies and practices of the collegial body. Taking into account the current practices of the Finnish data protection authority we do not, however, expect that it takes significantly active approach on fines. Since administrative fines are seen as severe sanctions for data controllers and processors, it was considered necessary to allocate the imposition of administrative fines to a multi-member body. Similarly to the structure of the Finnish supervisory authority, the need to further develop the composition and decision-making procedure of the collegial body in relation to administrative fines will be monitored and assessed in the future. It should be noted that fines are not the only punitive measure in the toolbox of the Data Protection Ombudsman. The Data Protection Ombudsman has various other corrective powers (e.g. order of compliance and rectification and ban on processing), the use of which the Ombudsman may enforce by issuing a notice of a conditional fine. Conditional fines apply to private parties and public authorities and bodies. These other corrective powers, such as the power to impose bans on processing data, may in many occasions be more significant than the fines, as discussed in our recent article, which can be found here . The right to appeal to the Supreme Administrative Court requires a leave to appeal According to the Data Protection Act, decisions of the Data Protection Ombudsman and Deputy Data Protection Ombudsmen and decisions on administrative fines may be appealed against by lodging an appeal in an Administrative Court. There is no possibility to request an administrative review of decisions of the supervisory authority and, therefore, an appeal to an Administrative Court is the first legal remedy. It should be noted that a decision qualifying for appeal may state that the decision is enforceable notwithstanding appeal. Therefore, the effects of a ban on processing, for instance, may not necessarily be postponed simply by appealing. However, obtaining a court order prohibiting enforcement of such decision may be possible in certain circumstances. An appeal against the decision of an Administrative Court to the Supreme Administrative Court requires leave to appeal according to the Data Protection Act. The requirement for leave to appeal is in line with current policies regarding the developing role of the Supreme Administrative Court. The applicable age for children will be 13 The GDPR requires that where information society services are offered directly to a child, processing of personal data on the basis of consent is lawful only if the child is at least 16 years old. Member States may provide for a lower age by law, but not below 13 years. According to the Data Protection Act, the applicable age in Finland is 13 years. In relation to children younger than that, consent must be given or authorised by the holder of parental responsibility over the child. The Finnish and Nordic view highlight a child's right to participate in the modern digital culture and benefit from services of the information society. While it is vital to provide necessary safeguards for the protection of children against harmful phenomena online, the use of internet and digital services is considered to have an important impact on a child's learning, social skills and self-expression. Looking forward The acceptance and confirmation of the Data Protection Act mark the end of a long wait in Finnish data protection law. However, in a more extensive process we have reached but an intermediate stage. The need to adjust the form and structure of the national supervisory authority and the non-application of administrative fines to public authorities and bodies will be monitored in the future and re-visited if necessary. Moreover, many amendments to specific legislation required by the GDPR are still under way. For example, the Finnish Parliament is currently processing amendments to the Act on the Protection of Privacy in Working Life, the peculiar and important Finland specific act governing the employee data. This next phase will be of great importance and interest, and show in part that there is still a long way to harmonising the European data protection regime.   Special thanks to the co-author of this insight Oskari Paasikivi, D&I Trainee 2018.
Success Through Data Management
23 Nov 2018 An insightful and tasty luncheon at the atmospheric Garden by Olo, engaging discussions and a key note speech by Reijo Aarnio, the Finnish Data Protection Ombudsman. We at D&I had the pleasure of hosting an event on data asset management and the upcoming changes to Finnish data protection laws. These are the key takeaways for general counsels from the event. Harmonisation, Harmonisation and Harmonisation According to Mr Aarnio, harmonisation is essential in monitoring compliance with the GDPR. Mr Aarnio pointed out that the Finnish Data Protection Ombudsman does not have the power to provide interpretations of the GDPR. Instead, the power to ensure the consistent application of the GDPR is vested only in the European Data Protection Board ("EDPB"). Thus, the Ombudsman must rely greatly on the EDPB's opinions. This setting is not optimal in light of business development as business decisions must often be made well before any interpretations are issued by the EDPB. The fact that the Data Protection Ombudsman does not provide relevant guidance at this stage weighs heavily on the controllers' shoulders. Due to the resulting uncertainty, it is of great importance to ensure that all controller decisions are well founded and diligently documented in accordance with the accountability principle. Despite its incapability to provide independent interpretations of the GDPR, as the Finnish supervisory authority, the Data Protection Ombudsman has, however, the power and obligation to monitor and enforce the application of the GDPR in Finland, as well as to promote the awareness of controllers and processors of their obligations under the GDPR. To this end, Mr Aarnio greatly urged Finnish companies to an open dialogue with the Data Protection Ombudsman. Prevent Data Protection Disputes As has been widely discussed during the past few years, under the GDPR, sanctions can be high – up to 4 percent of a company's global annual revenue. However, fines are not the only punitive measure in the toolbox of the Data Protection Ombudsman. In addition, the Ombudsman has, inter alia, the power to impose temporary or definitive restrictions on controllers' businesses, including bans on processing data. As Mr Aarnio pointed out, such a ban could in many occasions be more significant than any administrative sanction. By way of example, if such a ban were to interrupt a controller's business entirely, already a three week ban would be likely to cause higher losses than the 4 percent maximum of an administrational fine. In any event, prevention of disputes is the key. The most successful resolution of a dispute is preventing it from ever happening. Our Partner and Head of Dispute Powerhouse Jussi Lehtinen pointed out that in order to avoid proceedings by the data protection authority it is not enough to merely ensure that a company's data assets are processed adequately. The company must also appear trustworthy to the outside observer. Harness Your Data Assets Correctly Data is often regarded as the new oil – an asset that can fuel businesses in multiple ways. Although we at D&I definitely see the value of data, we would rather compare it to the wind. Like the wind, data is a renewable source which needs to be correctly harnessed in order for it to create value. In practice, data is valuable only if two key criteria are met: when it can be used for the right purpose, and processed by the right company. That is why identifying processing purposes and systematically allocating data controllership is so important, as Iiris Kivikari, Senior Associate in our Data Protection, Marketing & Consumers team pointed out. Lawyers have a great responsibility in ensuring that data is available to the businesses that need it the most. What to Focus On So, what should a general counsel pay attention to based on the six month old GDPR? As Jukka Lång, our partner and head of our Innovation Powerhouse, noted, now is the time to shift the focus from GDPR compliance work to planning the full use of data assets. To do so, it is especially important to ensure that a data protection perspective is built into the business. Further, internal reporting must be planned and executed thoroughly to ensure that data protection matters are duly escalated to the management level able to take a stand on them. This includes, among others, the capability to respond to data breaches in a timely manner and implementing efficient annual reporting procedures. Last, but definitely not least, the structuring of data assets should be planned in a way that promotes innovation and efficient business. By doing so companies are able to maximize their valuations and enable the efficient use of data assets throughout their organisation.
The GDPR and Its National Derogations
18 Jun 2018 The GDPR became applicable on 25 May 2018. The Member States were required to make the necessary changes to their national laws before that. However, like some other Member States, Finland is still working on that, as the Government Bill is still in parliamentary proceedings. Like many other Member States, Finland has not yet made the relevant changes to its legislation. The Government Bill for the new Data Protection Act ("Tietosuojalaki") was given to Parliament on the 1st of March, and it is currently being reviewed by the Administration Committee; the Bill will be passed by the Parliament, hopefully, before the summer holidays. Therefore, it's a good time to look at the main national derogations, and Finland's decisions about them. Respecting Harmonisation, Where Possible The GDPR aims to harmonise European data protection laws. For the most part it does that, but the EU legislators also left some issues to be decided by the Member States, partly due to many compromises in the negotiations, partly because of the difficulties full harmonisation would create. The Finnish legislators respect the aim of harmonisation, as the GDPR will also be applied to personal data processing outside the scope of the GDPR. However, the new Data Protection Act will not add any extra requirements on top of the GDPR, as some national legislations seem to be doing. There will, however, be areas of data processing that are not harmonised, mainly in the context of employment. The protection of privacy in working life will continue having specific and strict regulation, and Finnish employees continue to enjoy a high level of privacy protection, compared to many other Member States.   Jukka Lång from D&I was heard before the Legal Affairs Committee on the Government Bill for the new Data Protection Act. The Applicable Age for a Child's Consent Will Be 13 The GDPR contains rules for children's consent in relation to information society services. The relevant age limit in Finland will be 13. Even small deviations are deviations, and therefore harmonisation is not being achieved here. The age limit will be between 13 and 16 in other Member States. Fortunately, Finland took into account the approach taken by other Nordic countries, and also the ways children use these services in practice. Who Can Impose the Sanctions, and on Whom? According to the GDPR, the imposition of administrative fines and other penalties should be subject to appropriate procedural safeguards, including effective judicial protection and due process. The Working Group ("TATTI"), appointed by the Ministry of Justice proposed in its report that the administrative fines would be imposed by a new sanctions board. However, this well-founded approach did not make its way into the Government Bill. Rather, the power is in the hands of the Data Protection Ombudsman. Giving such sanctioning power to a single authority, albeit the main data protection authority, would be somewhat exceptional in Finland, as Jukka Lång pointed out to the Parliament's Legal Affairs Committee. The Committee for Constitutional Law pointed out that such sanctioning power does not comply with the Constitution. At the time of writing this article, the Committee for Constitutional Law is preparing a second statement, as requested by the Administration Committee. It is, therefore, possible that the Data Protection Ombudsman will not, after all, get the sole sanctioning power. An equally significant issue as who should impose the sanctions is whom they may be imposed on. The GDPR gives the Member States the right to decide whether the sanctions may be imposed, and to what extent, on public authorities and bodies. The matter is not simple, and even the members of the TATTI working group were unable to reach a consensus. According to the Government Bill, the sanctions will not be imposed on public authorities and bodies. It is fair to say that the public and private bodies are not in the same competitive position, as the latter has significantly higher risk of sanctions. It is also not certain that appropriate procedural safeguards apply, and that effective judicial procedure will be in place when public bodies would be sanctioned by means of sanctioning the natural persons in charge. In the big picture, the derogations are in the end, however, minor. The European data protection regime will be significantly harmonised and has already helped many global organisations unify their data processing practices.
What’s Happening in the Finnish Data Security Field?
4 Dec 2017 Our partner Jukka Lång had an insightful breakfast with one of the indisputably best experts in data security matters in Finland, Mr Jarno Limnéll. They both agreed that in the rapidly evolving cyber security landscape, regulating or preventing yesterday’s threats is not worth the effort. One must think ahead. The Growing Interest in Data Protection and Security The general interest in data security and data protection has rapidly increased. Both the technical capabilities and regulatory requirements have increased, and so has the general public’s interest. Data security and personal data protection go hand in hand, as Mr Limnéll pointed out. For many, these two mean the same thing, but from both the practical and legal perspective, there is a difference between these concepts. In practice, data security covers the methods used for protecting the data from illegitimate access. Data protection, on the other hand, means defining how personal data may be accessed lawfully and by who. Both Lång and Limnéll see that the general interest in data protection and data security is continually increasing. This development is surely fuelled by the clearer picture on the cyber security landscape we are going to have next spring. Previously, many of the cyber security incidents stayed under the radar. The knowledge on cyber security and the level of data protection will increase next spring, when the GDPR, with the notification obligations, enters into effect. The GDPR obligates companies that process personal data to inform the authorities and, in some cases, customers within 72 hours of becoming aware of a data breach. Already sending marketing material to recipients in the "Cc" field revealing all the emails or a ransomware attack could trigger the notification obligation. This will have an effect on companies’ obligations, but also bring many issues that could currently be kept secret into public knowledge. Legal Data Security Requirements are Fragmented but Share a Uniform Approach Every day, more and more data is being stored, and that data must be protected. Data protection - and data security to some extent - is somewhat strictly regulated. In the fall of 2016, D&I assisted the Ministry of Transport and Communications in the preliminary preparation of the national implementation of the NIS directive, which will boost the level of cybersecurity in the EU and have an effect especially on the most essential sectors, such as electricity and transportation. We assessed and analysed what types of data security, risk management and other security obligations are set forth in the Finnish law, EU-law and treaties currently applicable to the sectors covered by the directive. What we found, amongst other things, is that the security and risk management obligations fragmented and spread across our legislation. For example, if you are in the finance sector and your data assets are attacked, you may need to inform several authorities, while minimising the damages and be able to prove that you did your best to protect the data. To be able to comply with the relevant requirements, you need to know which requirements you are subject to. "The strategic-level and legal assessment of data security from the risk based approach gives the possibility to make more informed decisions" However fragmented, the different data security-related legal requirements share the similar "risk-based approach", which is especially introduced in the GDPR. This should also be the approach taken by those assessing the requirements and ensuring that agreements, systems and procedures are compliant and contain minimised risks. The strategic-level and legal assessment of data security from the risk based approach gives the possibility to make more informed decisions – and for the individuals to speak a similar language whether they are lawyers, security professionals or management only starting to understand the field of security. Securing and Protecting the Most Valuable Assets Whether you define your data assets as the oil or the air, the data flows circulate around every key element of your business, including running machines, HR and CRM. Both Jukka and Mr Limnéll have seen that Finnish companies are increasingly interested in personal data protection and cyber security-related issues and have been advising large Finnish companies, and their top management, in these issues. There are many reasons for that, including the role of the ubiquitous data in the business and the resulting wider PR and regulatory risks, not least because of the high sanctions under the GDPR. “Cyber security is no longer only IT’s or security consultants’ problem, but rather a matter that concerns the company’s core business” One of the key aspects in this regard is that cyber security is no longer only IT’s or security consultants’ problem, but rather a matter that concerns the company’s core business. This is nowadays the case regardless of whether the company is a retailer in the consumer business or a metal factory far from data driven business (needless to say, however, many of the factories are also experimenting with the opportunities provided by data driven business models). Data security and data protection are so closely linked to the core business and corporate governance that it is necessary for the management to be informed and to then make the key decisions regarding these matters.
The Finnish National Implementation of the GDPR On Its Way
22 Jun 2017 From Regulating Personal Data Files to Enhancing Data Protection The clock is ticking - there is less than a year until the GDPR (the "General Data Protection Regulation") comes into effect. The European data protection authorities are doing their best to give guidance on how to interpret the regulation. However, even though the purpose of the GDPR is to harmonize the European data protection legislation, some issues are left open to the member states. On 1st of June, D&I hosted an insightful morning seminar with a tasty breakfast and engaging discussions. We had the honor to have Mr Pekka Nurmi, chairperson of the Finnish Data Protection Board and of the Working Group responsible for assessing the implementation in the first phase, as a keynote speaker. At the event, the participants got a glimpse on how the Finnish data protection regime is going to look like in 2018. As Mr Nurmi pointed out, the Finnish regulators aim to ensure that the Finnish national laws give companies established in Finland a competitive edge as far as possible. In general, many of D&I's clients see the data protection regime not only as a challenge but also as an opportunity. Certainly, we at D&I think that the regulatory regime is an opportunity for companies to embrace the new age of digitalization, and we strive to give our clients the best tools to get the most of the data protection laws. At D&I we see data protection, as well as all the other legal issues, as an intertwined area composed of various legal questions that relate to several fields of law. Therefore, we engage the full spectrum of our expertise in every assignment. The details of the national implementation will be out before midsummer, but we can already point out three interesting and relevant aspects that should be noted from the proposal. 1Filling the Gaps First and foremost, it is highly likely that by 2018 there's going to be a new Finnish general data protection law ("tietosuojalaki"). The Finnish general data protection law will be based on the GDPR text and will only cover specific sector that are not regulated by the GDPR. The GDPR leaves some areas open to be decided upon by the Member States. For example, the processing of personal data relating to criminal convictions and offences by private entities is lawful only when authorized by the European Union or the Member State laws. All such provisions will, to the extent possible, be found from the general data protection law. However, some practices need to be regulated in sectoral laws. For example the processing of information related to customer misconducts by credit companies has been considered lawful when based on the prior authorization of the Finnish Data Protection Board. Such authorization procedure will in all likelihood be in place also under the GDPR, but regulated in separate sectoral laws. The Working Group is at this point assessing only the necessary laws and regulations, and all the sectoral laws will be reviewed by the competent ministries in the second phase of implementation. 2The Empowered Authority The Finnish supervisory authority will be the data protection ombudsman. As Mr Nurmi pointed out, the data protection ombudsman's office is understaffed, as the workload is going to increase rapidly and extensively. Indeed, we forecast that there is a need for an increase in the resources of the Finnish data protection ombudsman - our partner, and head of Data Protection, Marketing & Consumers team, Jukka Lång pointed out that the resources in 2017 are almost similar to what they were in early 2000's when he worked at the data protection ombudsman's office as an inspector. Time will show how prepared and well funded the new authority will be, but we find that it is in the interest of every company that the Supervisory Authority is capable of giving guidance to the companies facing increasing data protection issues in their everyday business. 3Disputes - What If? And What Then? As the sanctions under the GDPR are much higher than any possible sanctions under the data protection laws currently in force in Finland, the likelihood of data processing related disputes, and the risk related to these, is much greater. The Working Group proposes that a "Sanctions Board" is created in addition to the data protection authority. The Board will probably consist of 5 lawyer members and it will be responsible for deciding the GDPR based sanctions based on data protection ombudsman proposal. As the sanctions under the GDPR are fairly high and harmonized within the EU, we will surely see long trials all the way to the European Court of Justice. Additionally, as our Partner and Head of Dispute Resolution Jussi Lehtinen pointed out, we will probably see many long and complicated disputes that include administrative procedures on related to the sanctions as well as parallel or follow on civil procedures for the damages. (Read More on D&I Dispute Resolution and Data Protection Alert published on 1 June 2017 in Finnish).  

Dittmar & Indrenius