Insight

Welcome to our platform for insight into all the latest in law and business. We hope to inspire and share big ideas that make the difference driving your business forward.

alert
The new Finnish Data Protection Act supplementing the GDPR enters into force on 1 January 2019
5 Dec 2018 Finland passes new Data Protection Act, which nationally supplements and clarifies the General Data Protection Regulation. Background The European Union's General Data Protection Regulation (EU) 2016/679 ("GDPR") entered into force on 24 May 2016 and has been applicable from 25 May 2018. Even though the Regulation is directly applicable in all Member States, it leaves some issues to be decided on or further regulated by Member States. In Finland, the Regulation is nationally supplemented and clarified with a new Data Protection Act. The new act was delayed but the Finnish Parliament accepted the relevant legislative proposal on 13 November with presidential confirmation taking place on 5 December. The Data Protection Act will enter into force on 1 January 2019 thus e.g. enabling the Finnish supervisory authority, the Data Protection Ombudsman to carry out tasks and exercise powers provided by the GDPR. Administrative fines not applicable to public authorities and bodies The Data Protection Act does not enable imposing administrative fines on public authorities and bodies, which was an issue highly debated during the preparation of the legislation. The GDPR leaves it to Member States to legislate whether administrative fines apply to public authorities and bodies. With diverse arguments for and against, the Finnish legislator decided not to apply the sanction risk of administrative fines to state, municipal, and other public authorities and bodies. For all this, it should be borne in mind that such bodies and authorities process vast amounts of significant personal data. Apart from administrative fines, they are subject to obligations and supervision under the GDPR and the Data Protection Act as well as to general public law requirements and criminal liability. The need to extend the imposition of administrative fines to public bodies and authorities will likely be monitored and assessed in the future. The Data Protection Ombudsman will be the Finnish supervisory authority According to the Data Protection Act, the Finnish Data Protection Ombudsman is the supervisory authority in Finland responsible for monitoring the application of the GDPR. The GDPR would also allow the supervisory authority to be composed of multiple members and even the establishment of more than one supervisory authority. In the Finnish solution, the position and related tasks are allocated to a single official despite earlier discussions of establishing a new authority in the form of an agency. However, upon accepting the new Data Protection Act, the Finnish Parliament required the Government to further examine the possibility of establishing a new data protection agency in the future. According to the Parliament's reply, in the development of the Data Protection Ombudsman organisation it should especially be ensured that administrative sanctions are imposed by a multi-member body and that the authority is independent, as required by the GDPR. The Data Protection Ombudsman shall have an office, which includes at least two Deputy Data Protection Ombudsmen and a necessary amount of referendaries and other personnel. The Office shall also include an internal advisory board, which, at the request of the Data Protection Ombudsman, shall give opinions on significant questions regarding the application of data protection law. Due to the significant workload relating to the enforcement of the GDPR, the current budget proposal for 2019 would allocate 855,000 euros as additional resources to the Office of the Data Protection Ombudsman, thereby – in a longer run – almost doubling its personnel from the current manpower of approximately 23 officials. The sanctions will be imposed by a new collegial body Although the Finnish supervisory authority is a single official, it was deemed vital that the power to impose administrative fines rests with a body composed of more than one member. The Data Protection Act introduces a new collegial body composed of the Data Protection Ombudsman and the Deputy Data Protection Ombudsmen. In Finland, administrative fines may only be imposed by this collegial body. By contrast, the advisory board does not directly participate in imposing administrative fines. The collegial body is chaired by the Data Protection Ombudsman and quorum for the body's decisions on administrative fines requires the presence of at least three members. The decision supported by the majority of members shall prevail and, in case of a tied vote, the decision less adverse to the party subject to the sanction. Especially as upon the time of writing the deputy ombudsmen are not yet appointed, the time will show the sanctioning policies and practices of the collegial body. Taking into account the current practices of the Finnish data protection authority we do not, however, expect that it takes significantly active approach on fines. Since administrative fines are seen as severe sanctions for data controllers and processors, it was considered necessary to allocate the imposition of administrative fines to a multi-member body. Similarly to the structure of the Finnish supervisory authority, the need to further develop the composition and decision-making procedure of the collegial body in relation to administrative fines will be monitored and assessed in the future. It should be noted that fines are not the only punitive measure in the toolbox of the Data Protection Ombudsman. The Data Protection Ombudsman has various other corrective powers (e.g. order of compliance and rectification and ban on processing), the use of which the Ombudsman may enforce by issuing a notice of a conditional fine. Conditional fines apply to private parties and public authorities and bodies. These other corrective powers, such as the power to impose bans on processing data, may in many occasions be more significant than the fines, as discussed in our recent article, which can be found here . The right to appeal to the Supreme Administrative Court requires a leave to appeal According to the Data Protection Act, decisions of the Data Protection Ombudsman and Deputy Data Protection Ombudsmen and decisions on administrative fines may be appealed against by lodging an appeal in an Administrative Court. There is no possibility to request an administrative review of decisions of the supervisory authority and, therefore, an appeal to an Administrative Court is the first legal remedy. It should be noted that a decision qualifying for appeal may state that the decision is enforceable notwithstanding appeal. Therefore, the effects of a ban on processing, for instance, may not necessarily be postponed simply by appealing. However, obtaining a court order prohibiting enforcement of such decision may be possible in certain circumstances. An appeal against the decision of an Administrative Court to the Supreme Administrative Court requires leave to appeal according to the Data Protection Act. The requirement for leave to appeal is in line with current policies regarding the developing role of the Supreme Administrative Court. The applicable age for children will be 13 The GDPR requires that where information society services are offered directly to a child, processing of personal data on the basis of consent is lawful only if the child is at least 16 years old. Member States may provide for a lower age by law, but not below 13 years. According to the Data Protection Act, the applicable age in Finland is 13 years. In relation to children younger than that, consent must be given or authorised by the holder of parental responsibility over the child. The Finnish and Nordic view highlight a child's right to participate in the modern digital culture and benefit from services of the information society. While it is vital to provide necessary safeguards for the protection of children against harmful phenomena online, the use of internet and digital services is considered to have an important impact on a child's learning, social skills and self-expression. Looking forward The acceptance and confirmation of the Data Protection Act mark the end of a long wait in Finnish data protection law. However, in a more extensive process we have reached but an intermediate stage. The need to adjust the form and structure of the national supervisory authority and the non-application of administrative fines to public authorities and bodies will be monitored in the future and re-visited if necessary. Moreover, many amendments to specific legislation required by the GDPR are still under way. For example, the Finnish Parliament is currently processing amendments to the Act on the Protection of Privacy in Working Life, the peculiar and important Finland specific act governing the employee data. This next phase will be of great importance and interest, and show in part that there is still a long way to harmonising the European data protection regime.   Special thanks to the co-author of this insight Oskari Paasikivi, D&I Trainee 2018.
alert
Success Through Data Management
23 Nov 2018 An insightful and tasty luncheon at the atmospheric Garden by Olo, engaging discussions and a key note speech by Reijo Aarnio, the Finnish Data Protection Ombudsman. We at D&I had the pleasure of hosting an event on data asset management and the upcoming changes to Finnish data protection laws. These are the key takeaways for general counsels from the event. Harmonisation, Harmonisation and Harmonisation According to Mr Aarnio, harmonisation is essential in monitoring compliance with the GDPR. Mr Aarnio pointed out that the Finnish Data Protection Ombudsman does not have the power to provide interpretations of the GDPR. Instead, the power to ensure the consistent application of the GDPR is vested only in the European Data Protection Board ("EDPB"). Thus, the Ombudsman must rely greatly on the EDPB's opinions. This setting is not optimal in light of business development as business decisions must often be made well before any interpretations are issued by the EDPB. The fact that the Data Protection Ombudsman does not provide relevant guidance at this stage weighs heavily on the controllers' shoulders. Due to the resulting uncertainty, it is of great importance to ensure that all controller decisions are well founded and diligently documented in accordance with the accountability principle. Despite its incapability to provide independent interpretations of the GDPR, as the Finnish supervisory authority, the Data Protection Ombudsman has, however, the power and obligation to monitor and enforce the application of the GDPR in Finland, as well as to promote the awareness of controllers and processors of their obligations under the GDPR. To this end, Mr Aarnio greatly urged Finnish companies to an open dialogue with the Data Protection Ombudsman. Prevent Data Protection Disputes As has been widely discussed during the past few years, under the GDPR, sanctions can be high – up to 4 percent of a company's global annual revenue. However, fines are not the only punitive measure in the toolbox of the Data Protection Ombudsman. In addition, the Ombudsman has, inter alia, the power to impose temporary or definitive restrictions on controllers' businesses, including bans on processing data. As Mr Aarnio pointed out, such a ban could in many occasions be more significant than any administrative sanction. By way of example, if such a ban were to interrupt a controller's business entirely, already a three week ban would be likely to cause higher losses than the 4 percent maximum of an administrational fine. In any event, prevention of disputes is the key. The most successful resolution of a dispute is preventing it from ever happening. Our Partner and Head of Dispute Powerhouse Jussi Lehtinen pointed out that in order to avoid proceedings by the data protection authority it is not enough to merely ensure that a company's data assets are processed adequately. The company must also appear trustworthy to the outside observer. Harness Your Data Assets Correctly Data is often regarded as the new oil – an asset that can fuel businesses in multiple ways. Although we at D&I definitely see the value of data, we would rather compare it to the wind. Like the wind, data is a renewable source which needs to be correctly harnessed in order for it to create value. In practice, data is valuable only if two key criteria are met: when it can be used for the right purpose, and processed by the right company. That is why identifying processing purposes and systematically allocating data controllership is so important, as Iiris Kivikari, Senior Associate in our Data Protection, Marketing & Consumers team pointed out. Lawyers have a great responsibility in ensuring that data is available to the businesses that need it the most. What to Focus On So, what should a general counsel pay attention to based on the six month old GDPR? As Jukka Lång, our partner and head of our Innovation Powerhouse, noted, now is the time to shift the focus from GDPR compliance work to planning the full use of data assets. To do so, it is especially important to ensure that a data protection perspective is built into the business. Further, internal reporting must be planned and executed thoroughly to ensure that data protection matters are duly escalated to the management level able to take a stand on them. This includes, among others, the capability to respond to data breaches in a timely manner and implementing efficient annual reporting procedures. Last, but definitely not least, the structuring of data assets should be planned in a way that promotes innovation and efficient business. By doing so companies are able to maximize their valuations and enable the efficient use of data assets throughout their organisation.
alert
Supreme Court of Russia Denies Enforcement of ICC Award
19 Nov 2018 The Supreme Court of Russia has recently in a judgment of 26 September 2018 surprised many international arbitration practitioners by holding that the standard ICC arbitration clause in a contract between Luxembourgish and Russian parties was not sufficiently clear evidence of the parties' agreement that the ICC Court of International Arbitration was to administer their arbitration. Similarly to the model arbitration clauses of many of the leading arbitral institutions, the standard ICC arbitration clause does not specifically state that the arbitration will be administered by the ICC Court of International Arbitration. Rather, a reference to arbitration under the ICC Rules has virtually without exception been understood to inevitably mean arbitration that is administered by the ICC Court and its Secretariat under the ICC Rules. The model ICC Arbitration clause stipulates: "[a]ll disputes arising out of or in connection with the present contract shall be finally settled under the Rules of Arbitration of the International Chamber of Commerce by one or more arbitrators appointed in accordance with the said Rules." In the Russian case, the Luxembourgish claimant had obtained a favourable decision in an arbitration seated in Geneva, Switzerland. In the final arbitral award, the Russian company had been ordered to pay EUR 3.6 million in damages plus interest. The Supreme Court of Russia denied the enforcement of the ICC award on the basis that the award was against the public policy of Russia and that the ICC Tribunal lacked jurisdiction because the arbitration clause failed to specify the arbitral institution that was to administer the arbitration. A similar reasoning can be found in a judgement delivered by the Chinese Supreme People's Court previously. The Russian Supreme Court's judgment marks a distinct departure from its previous judgments, on which it has upheld ICC and other standard arbitration clauses. We understand that the judgment will not be considered as a binding precedent in Russia but will nevertheless have at least a persuasive effect on future judgments. We further understand that Mr Alexis Mourre, the President of the International Court of Arbitration of the ICC, has sent a letter to the Supreme Court of Russia requesting a clarification on the ruling of the Supreme Court of Russia deeming a standard ICC Arbitration Clause defective and unenforceable under Russian law. Effect on Finnish businesses Taking into consideration the unpredictability of the repercussions of the judgement in Russia, we would advise Finnish parties that are considering entering into an arbitration agreement with a Russian or Chinese counterparty to amend the standard arbitration clauses of any institutions, including the FAI, to state clearly that any disputes are to be referred to arbitration, administered by the named arbitration institution in accordance with the relevant institutions' rules. Whilst the recent judgment of the Russian Supreme Court concerned a standard ICC clause, the Russian courts may adopt a similar position towards any institutional standard arbitration clauses, as they also merely refer to arbitration under the given institution's rules. The FAI and SCC standard/model arbitration clauses use language that is similar to the ICC model clause and also omit the express reference to the institution itself: FAI model arbitration clause SCC model arbitration clause We advise clients to contact D&I's Dispute Powerhouse team and to seek further advice regarding tailor made arbitration clauses when dealing with Russian parties. D&I's Dispute Powerhouse is following up on the developments of the matter and will keep you updated.
alert
The Government Proposal on Changes in Taxation of Electricity Storage
8 Nov 2018 The Government Proposal regarding amendments to energy taxation has been submitted to the Parliament on 18 October. The most significant changes relate to electricity storages. Pursuant to the Proposal, electricity would be transferred to electricity storages without any excise duty on electricity. The excise duty would be paid when electricity is transferred to be consumed. The need for electricity storages has arisen since more and more electricity has been produced by using renewable energy sources such as wind and solar which are not flexible. The electricity storages can be used to even out the variation in supply and demand of electricity and prices. However, current legislation does not recognize electricity storages at all. Therefore, the excise duty on electricity has been paid twice, for example, in circumstances where the storage has been first charged from the grid and later supplied back to the grid to be consumed. The purpose of the Proposal is that transmission of electricity to the electricity storage would be duty free. The excise duty would be paid when electricity is transferred to be consumed from the duty free electricity storage. The condition would be the electricity storage is deemed to be a part of the grid or a power plant; or an owner of the electricity storage has a permission from the Tax Administration to uphold the duty free energy storage. In order to meet the purpose of the Proposal the definition of the grid would be broadened. The electricity storage would be deemed to be a part of the grid if the electricity storage is connected to the grid and no electricity can be transferred to be consumed from the electricity storage. In addition, the definition of a power plant would be changed. In the future, the power plant would mean a fixed functional unit which acts in a certain area and its purpose is to produce electricity (and heating) and store electricity in the electricity storage. Owners of electricity storages which are not a part of a grid or a power plant in accordance with the law should apply permission of the Tax Administration in order to be owners of a duty free electricity storage. Consequently, the Proposal allows duty free electricity storage for different operators as power plants, grid companies or end consumers or storage service providers. The recast electricity market directive, currently under legislative process in the EU, seeks to promote market based energy storage. It would limit the distribution and transmission systems operators (DSO and TSO) involvement with energy storage facilities. Among others, DSOs and TSOs would be prohibited from owning and operating storage facilities, except in cases where no other parties have expressed interest, or where the storage facility is necessary for fulfilling the DSO's or TSO's obligations. Exceptions are subject to approval of the regulator. Member States would have to re-assess whether third parties would be able to own, develop and manage or operate the storage facilities, in which case the operations of DSOs and TSOs would be phased out. We welcome the removal of double taxation. However, according to the Proposal, the electricity storage means only a unit of equipment, machines and buildings which are required in order to temporary store electricity electrochemically. Our view is that the definition of an electricity storage should not be limited only to storages based on electrochemical technology. The limitation might delay development of new technology and its adoption to use. Taxation should be neutral for all technology solutions. With the current wording, storage solutions based on for example power-to-gas or kinetic technology would not be duty free. The purpose of other, more technical, changes to energy taxation is to promote the use of natural gas instead of coal, which is part of the Government's plan to encourage the early phase-out of combined heat and power plants using coal by 2029. The proposed changes would enter into force in the beginning of 2019. Due to developments in technology and promotion of the transfer towards more sustainable energy system, changes in energy taxation as well as energy storages in general can be expected also on the EU level. We are happy to discuss in more detail the proposed legislation in concrete situations.
alert
New CFC Rules Require Review of Corporate Structures
6 Nov 2018 The Finnish Government issued a government proposal on controlled foreign company ("CFC") rules on 1 November.  The proposed rules would enter into force at the beginning of 2019 and would apply already for tax year 2019. Through these rules, the Anti-Tax Avoidance Directive (2016/1164, the "Directive") adopted by the EU is further implemented in Finland. The proposed rules are stricter than the currently applicable CFC rules in particular for Finnish companies with subsidiaries outside of the European Economic Area ("EEA"). In principle, the government proposal follows the main features of the draft proposal published earlier this year with the exception of widening the exempted activities to certain services. Overview of Proposed Rules General In brief, foreign entity's income is subject to CFC taxation in Finland if a Finnish tax resident, together with its related parties, has sufficient control in the foreign entity, the foreign entity's level of taxation is significantly lower than in Finland, and the genuine economic activities exemption is not applicable. If an entity qualifies as a CFC, the proportion of the income of the CFC controlled by Finnish tax residents is taxed as their income in Finland. According to the proposed new rules, the type of income received by the foreign entity or the artificial nature of the transactions would not be relevant in the assessment. Thus, Finland would not implement either of the alternative models laid out in the Directive as such but instead the new rules follow similar approach as the current rules. Control The new proposal imposes a participation threshold of 25% for the CFC rules to apply. The participation by the Finnish resident's related parties (based on also the 25% threshold) in the foreign entity is included in the assessment. This presented participation threshold is significantly stricter than the 50% threshold adopted by the Directive and the 50% threshold of the current CFC rules. In practice, the low CFC threshold significantly expands the scope of the rules. It may also prove to be challenging to obtain necessary information to assess potential CFC taxation when the participation in the CFC is e.g. only 25%. Level of Taxation According to the proposal, a CFC is an entity with an actual level of taxation of less than 60% of the actual level of taxation the entity would be subject to in Finland. Finland’s current corporate income tax rate is 20%, which leads to an effective tax rate threshold of 12%, when the foreign entity's taxable income is calculated in accordance with the Finnish rules. The level of taxation is assessed separately for each year. The proposed new rules do not take into account the timing differences, e.g. different depreciation rules. More accelerated depreciation rules than the Finnish depreciation rules may trigger CFC taxation for the years when larger depreciations are deducted even though the level of taxation over the years would not be lower than the above mentioned threshold. Exempted Activities The main exemption in the proposed rules is the genuine economic activities exemption. The concept of genuine economic activities is assessed differently depending whether the foreign entity is a EEA resident company or not. The proposal follows the Directive’s, as well as the current CFC rules', framework of excluding EEA resident companies with genuine economic activities from CFC taxation. This requires sufficient level of personnel, premises and assets. Outside the EEA, the concept of genuine economic activities also requires that the entity carries out certain type of business activity. The new rules exempt only companies the income of which mainly arises from industrial or other comparable production activities, shipping activities, as well as sales or marketing activities related to such exempt activities. The government proposal widens the current concept of activities comparable to production activities to include marketable services. However, the proposal lists service activities which are not comparable to production activities, such as certain investment management services, holding and transferring of intangibles, as well as intra-group financing, insurance and management services.In addition, adequate exchange of information procedures need to be in place between Finland and other state, and the other state cannot be listed as non-cooperative tax jurisdiction by the EU, for the exemption to apply.Contrary to the currently applicable CFC rules, which have required that the sales and marketing activities could only be performed in the company’s state of residence in order for the exemption to apply, the new CFC rules would also exempt regional sales and marketing hubs from the applicability of the rules, provided that the operations relate to industrial production or comparable activities. This change will provide more flexibility for companies with regional activities. The current exemption applicable to tax treaty resident companies would be abolished. Consequently, the effective level of taxation of such non-EEA resident companies, which do not fall under the genuine economic activities exemption, needs to be monitored. Implications As discussed above, the scope of the application of the CFC rules is significantly widened due to the newly proposed amendments. The different approaches compared to the Directive, as well as compared to the current rules, will likely cause issues to numerous taxpayers. Pursuant to the new rules, genuine business operations subject to low taxation in non-EEA countries may classify as CFCs. In particular, intra-group and other service activities as well as holding company structures may trigger CFC taxation in situations that have so far not been subject to the current CFC rules. Inclusion of service activities to the scope of exempted activities is a welcomed feature but the definition in the proposal leaves room for interpretation. An advance ruling on the interpretation in specific cases may be recommendable in order to achieve certainty on the treatment. Due to the Directive, all EU countries need to implement CFC rules. Also many other jurisdictions have already implemented or will implement CFC rules. This may lead to the taxation of the same company's income as CFC income in several jurisdictions. The proposed Finnish CFC rules do not take this type of double taxation into account at all. Group structures with multiple layers of companies should therefore be reviewed from this perspective. On the other hand, the new rules introduce new options to enhance the group structure for many operators with regional activities due to the extension of the scope of sales and marketing exemption. Do not hesitate to contact us with respect to the proposed changes, we are happy to discuss the matter and its implications to your circumstances.

Dittmar & Indrenius