
The new Finnish Data Protection Act supplementing the GDPR enters into force on 1 January 2019
5 Dec 2018

Finland passes new Data Protection Act, which nationally supplements and clarifies the General Data Protection Regulation.

Background

The European Union's General Data Protection Regulation (EU) 2016/679 ("GDPR") entered into force on 24 May 2016 and has been applicable from 25 May 2018. Even though the Regulation is directly applicable in all Member States, it leaves some issues to be decided on or further regulated by Member States. In Finland, the Regulation is nationally supplemented and clarified with a new Data Protection Act. The new act was delayed but the Finnish Parliament accepted the relevant legislative proposal on 13 November with presidential confirmation taking place on 5 December. The Data Protection Act will enter into force on 1 January 2019, thus enabling, for example, the Finnish supervisory authority, the Data Protection Ombudsman, to carry out tasks and exercise powers provided by the GDPR.

Administrative fines not applicable to public authorities and bodies

The Data Protection Act does not enable imposing administrative fines on public authorities and bodies, which was an issue highly debated during the preparation of the legislation. The GDPR leaves it to Member States to legislate whether administrative fines apply to public authorities and bodies. With diverse arguments for and against, the Finnish legislator decided not to apply the sanction risk of administrative fines to state, municipal, and other public authorities and bodies. Even so, it should be borne in mind that such bodies and authorities process vast amounts of significant personal data. Apart from administrative fines, they are subject to obligations and supervision under the GDPR and the Data Protection Act as well as to general public law requirements and criminal liability. The need to extend the imposition of administrative fines to public bodies and authorities will likely be monitored and assessed in the future.

The Data Protection Ombudsman will be the Finnish supervisory authority

According to the Data Protection Act, the Finnish Data Protection Ombudsman is the supervisory authority in Finland responsible for monitoring the application of the GDPR. The GDPR would also allow the supervisory authority to be composed of multiple members and even the establishment of more than one supervisory authority. In the Finnish solution, the position and related tasks are allocated to a single official despite earlier discussions of establishing a new authority in the form of an agency. However, upon accepting the new Data Protection Act, the Finnish Parliament required the Government to further examine the possibility of establishing a new data protection agency in the future. According to the Parliament's reply, in the development of the Data Protection Ombudsman organisation it should especially be ensured that administrative sanctions are imposed by a multi-member body and that the authority is independent, as required by the GDPR.

The Data Protection Ombudsman shall have an office, which includes at least two Deputy Data Protection Ombudsmen and the necessary number of referendaries and other personnel. The Office shall also include an internal advisory board, which, at the request of the Data Protection Ombudsman, shall give opinions on significant questions regarding the application of data protection law. Due to the significant workload relating to the enforcement of the GDPR, the current budget proposal for 2019 would allocate 855,000 euros as additional resources to the Office of the Data Protection Ombudsman, thereby, in the longer run, almost doubling its personnel from the current manpower of approximately 23 officials.

The sanctions will be imposed by a new collegial body

Although the Finnish supervisory authority is a single official, it was deemed vital that the power to impose administrative fines rests with a body composed of more than one member.
The Data Protection Act introduces a new collegial body composed of the Data Protection Ombudsman and the Deputy Data Protection Ombudsmen. In Finland, administrative fines may only be imposed by this collegial body. By contrast, the advisory board does not directly participate in imposing administrative fines. The collegial body is chaired by the Data Protection Ombudsman, and the quorum for the body's decisions on administrative fines requires the presence of at least three members. The decision supported by the majority of members shall prevail and, in case of a tied vote, the decision less adverse to the party subject to the sanction shall prevail. Especially as the deputy ombudsmen have not yet been appointed at the time of writing, time will show the sanctioning policies and practices of the collegial body. Taking into account the current practices of the Finnish data protection authority, we do not, however, expect it to take a significantly active approach to fines.

Since administrative fines are seen as severe sanctions for data controllers and processors, it was considered necessary to allocate the imposition of administrative fines to a multi-member body. Similarly to the structure of the Finnish supervisory authority, the need to further develop the composition and decision-making procedure of the collegial body in relation to administrative fines will be monitored and assessed in the future.

It should be noted that fines are not the only punitive measure in the toolbox of the Data Protection Ombudsman. The Data Protection Ombudsman has various other corrective powers (e.g. order of compliance and rectification and ban on processing), the use of which the Ombudsman may enforce by issuing a notice of a conditional fine. Conditional fines apply to private parties and public authorities and bodies.
These other corrective powers, such as the power to impose bans on processing data, may on many occasions be more significant than the fines, as discussed in our recent article.

The right to appeal to the Supreme Administrative Court requires a leave to appeal

According to the Data Protection Act, decisions of the Data Protection Ombudsman and Deputy Data Protection Ombudsmen and decisions on administrative fines may be appealed against by lodging an appeal in an Administrative Court. There is no possibility to request an administrative review of decisions of the supervisory authority and, therefore, an appeal to an Administrative Court is the first legal remedy.

It should be noted that a decision qualifying for appeal may state that the decision is enforceable notwithstanding appeal. Therefore, the effects of a ban on processing, for instance, may not necessarily be postponed simply by appealing. However, obtaining a court order prohibiting enforcement of such a decision may be possible in certain circumstances.

An appeal against the decision of an Administrative Court to the Supreme Administrative Court requires leave to appeal according to the Data Protection Act. The requirement for leave to appeal is in line with current policies regarding the developing role of the Supreme Administrative Court.

The applicable age for children will be 13

The GDPR requires that where information society services are offered directly to a child, processing of personal data on the basis of consent is lawful only if the child is at least 16 years old. Member States may provide for a lower age by law, but not below 13 years. According to the Data Protection Act, the applicable age in Finland is 13 years. In relation to children younger than that, consent must be given or authorised by the holder of parental responsibility over the child.
The Finnish and Nordic views highlight a child's right to participate in the modern digital culture and benefit from services of the information society. While it is vital to provide necessary safeguards for the protection of children against harmful phenomena online, the use of the internet and digital services is considered to have an important impact on a child's learning, social skills and self-expression.

Looking forward

The acceptance and confirmation of the Data Protection Act mark the end of a long wait in Finnish data protection law. However, in a more extensive process we have reached but an intermediate stage. The need to adjust the form and structure of the national supervisory authority and the non-application of administrative fines to public authorities and bodies will be monitored in the future and re-visited if necessary. Moreover, many amendments to specific legislation required by the GDPR are still under way. For example, the Finnish Parliament is currently processing amendments to the Act on the Protection of Privacy in Working Life, the peculiar and important Finland-specific act governing employee data. This next phase will be of great importance and interest, and show in part that there is still a long way to go in harmonising the European data protection regime.

Special thanks to the co-author of this insight Oskari Paasikivi, D&I Trainee 2018.

The National Implementation of the GDPR in Finland Takes the First Step
21 Jun 2017

On 21 June 2017, the Working Group appointed by the Finnish Ministry of Justice ("Working Group") published the report on how the General Data Protection Regulation (the "GDPR") should be implemented in Finland.

Background

The European Union's General Data Protection Regulation (EU) 2016/679 ("GDPR") entered into force on 24 May 2016 and shall apply from 25 May 2018. Even though the Regulation is directly applicable in all Member States, it leaves some issues to be decided on or further regulated by Member States. In February 2016, the Ministry of Justice appointed a Working Group ("TATTI"), the purpose of which is, among others, to assess the need for new national data protection laws and the need to amend other legislation accordingly. Nevertheless, the main focus of TATTI was to prepare a proposal for the national data protection law (Tietosuojalaki).

Here's our take on the ten most significant aspects of the report, which provide you with our estimate of what the Finnish data protection regime will look like in 2018.

1. Harmonisation Will Be Respected

One of the main aims of the GDPR is to harmonise the European data protection laws. The Working Group emphasizes that the national implementation of the GDPR in Finland will respect that aim and proposes that the GDPR will be applied also to personal data processing outside the scope of the GDPR, unless required otherwise by sectoral laws. The possibility for derogations and national exemptions will be used only to a limited extent in Finland. This signal will be welcomed by all businesses operating internationally.

2. The Protection of Privacy in Working Life Will Continue Having Specific and Strict Regulation

The GDPR allows Member States, by law or by collective agreements, to provide more specific rules on the protection of the rights and freedoms in respect to the processing of the employees' personal data in the employment context. The Finnish legislation already contains specific regulations on the matter as the Act on the Protection of Privacy in Working Life lays down the provisions on the processing of personal data on employees. In comparison to other Member States, the Finnish regulation is exceptionally strict for employers in fields such as monitoring employees' internet usage and access to their work email.

According to the report, the Act on the Protection of Privacy in Working Life is already in line with the regulation set in the GDPR and, therefore, the Act will continue being in force without amendments. Thus, all companies doing business in Finland are required to comply with the detailed national law in addition to the GDPR in respect of their HR data.

3. Many Questions Still Unclear as They Will Be Covered by Sectoral Laws

Currently, there are hundreds of different sectoral laws which supplement the general legislation on processing of personal data in Finland. Unfortunately, the renewal of such sectoral laws still remains unclear as the Working Group has not assessed the necessity or the contents of the existing specific legislation. The work remains to be completed by each of the responsible ministries in the future. Therefore, from the perspective of companies operating e.g. in the finance, insurance or health care sectors, this essentially complicates such companies' preparation for the changing legislation as the overall picture remains vague. However, the Working Group emphasizes the European Commission's view on the very limited possibilities of supplementing the GDPR on a national level as it is a regulation, not a directive.

4. The Established Data Protection Authority Will Be the Finnish Supervisory Authority

The official duties set in the GDPR will further be concentrated to one new supervisory authority, the Data Protection Authority (tietosuojavirasto). The Data Protection Authority is to continue the activity of the existing Office of the Data Protection Ombudsman with certain organisational changes. The current Data Protection Ombudsman will act as the lead official of the Data Protection Authority and, as a new feature, a separate Sanctions Board (seuraamuslautakunta) will be established within the Data Protection Authority.

The GDPR requires that each Member State shall ensure that each supervisory authority is provided with the resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers. It is estimated that the new Data Protection Authority will require up to 75 per cent more resources (EUR 1,320,000) in 2019 compared to the existing resources of the Office of the Data Protection Ombudsman.

5. The Sanctions Will Be Imposed by the New Sanctions Board

The administrative fines are one of the most discussed topics of the GDPR. Therefore, it is important to know who has the right to impose such fines and how the controller may appeal. Unlike under the current Finnish law, the GDPR provides the supervisory authority the power to issue the administrative fines. The Working Group proposes establishing a Sanctions Board under the new Data Protection Authority.

The members of the Sanctions Board will be appointed by the Finnish Government, on the Data Protection Authority's proposal, for a five-year term. Members may be re-appointed once for a second term. The board consists of five lawyer members, of which the chairperson and the vice-chairperson must have the same competence as a judge (excluding the requirement to be a Finnish national). The members must have the relevant expertise and knowledge on data privacy rules.
The Sanctions Board does not work full time and the members are not employed by the Data Protection Authority. They are subject to public liability and obligated to refrain from all actions incompatible with their duties.

The GDPR does not set procedural rules regarding the exercise of the sanctions. Interestingly, to ensure due process, the Working Group proposes a possibility for an oral hearing in accordance with the Administrative Judicial Procedure Act (hallintolainkäyttölaki).

6. The Right to Appeal to the Supreme Administrative Court Requires a Leave to Appeal

The decisions of the Data Protection Authority are subject to appeal to the Administrative Court in accordance with the provisions of the Administrative Judicial Procedure Act. The right to appeal is not just for the decisions of the Court, but also from the Data Protection Ombudsman's decision to present administrative sanctions, regardless of whether the case is already pending in the Sanctions Board. Interestingly, the right to appeal to the Supreme Administrative Court requires that the Supreme Administrative Court grants a leave to appeal.

7. Sanction Imposed on Public Authorities and Bodies Still Undecided

The level of administrative fines and the grounds for imposing such are harmonised pretty widely, and the European authorities will aim to ensure the harmonisation of the sanctions in practice under the GDPR. However, the GDPR leaves the rules on whether the sanctions may be imposed, and to what extent, on public authorities and bodies to be decided by the Member States. The Working Group was not able to reach a unanimous conclusion on whether such derogation should be applied. Some members of the Working Group pointed out, e.g., that the derogation would require alternative effective sanctions mechanisms. However, building alternative mechanisms or lower sanction levels would be against the principle of harmonisation.
Other members pointed out that the question should be assessed from the perspective of the Finnish sanctions system, which already includes a wide range of effective measures that ensure the implementation of the regulation in public authorities, and that as the sanctions are paid to the government, the money would be, in practice, only transferred from one pocket to another.

8. Applicability of Criminal Sanctions

As mentioned, the GDPR is strongly based on the administrative sanctions. In order to avoid situations where the same breach would lead to two different punishments, i.e. the administrative and criminal sanction, the Working Group proposes that the administrative fines would be supplemented with criminal sanctions but only when the fines are not available for the matter.

The current data protection offence (henkilörekisteririkos), which provides for the possibility of fines or imprisonment up to one year, would be replaced by an offence of more limited availability (tietosuojarikos) that would be subject to the same penalties. The criminal responsibility would only apply to persons who have not acted in the capacity of data controller or processor. For instance, the criminal sanctions would be applicable to the employees of a company who process personal data without a legitimate purpose but only out of curiosity, or to persons breaching the data security requirements, e.g. by disposing of printed documents including personal data without taking care of the proper destruction of such documents.

9. The Necessity to Enable Class Actions for Data Subjects Will Be Further Discovered

The Working Group suggests that the necessity and the possibility to allow class actions for data subjects should be further assessed in a later phase. According to the Working Group, the class action could be a useful legal remedy in data protection matters.
The class action would be applicable particularly in situations where the data subject seeks compensation for damages, and it could significantly increase the risk of data subjects' claims.

10. The Applicable Age for Children Will Be Further Decided

The GDPR contains rules for the child's consent in relation to information society services. According to the GDPR, processing of the personal data of a child is lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. However, Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

The Working Group proposed that Finland uses the opportunity to provide for a lower age by law. However, it shall still be further decided whether the applicable age should be 13 or 15 years. It is explained that Finland should, above other relevant facts, make the decision taking into consideration the policy that the majority of other Member States or Nordic countries decide.

Looking Forward

The report of the Working Group will now circulate for comments and the Government proposal is planned to be given to the Parliament in the autumn. The Working Group is to continue its tasks, especially in setting the starting points for the use of the national latitude and coordinating the preparation and revision of sector-specific laws.

We at Dittmar & Indrenius are happy to help with any questions you may have regarding the GDPR and its effects, and will keep you posted on the implementation process and the further clarifications from the Finnish as well as the European Data Protection Authorities.

Dittmar & Indrenius