The Finnish law regulating data protection in working life remains in conflict with the GDPR

D&I Alert

The Finnish Act on the Protection of Privacy in Working Life will not be amended during the current electoral term. The government proposal on amending the Section 4 of the Act has not progressed since May 2022 and will lapse, as the electoral term’s last parliamentary session has now ended.

In 2020, the Ministry of Economic Affairs and Employment of Finland launched a project to clarify the Finnish regulation concerning the collection of employees’ personal data. The purpose of the project was to amend the legislation in terms of the consent requirement so that employers could also collect, without employees’ consent, personal data during an employment relationship for the general purpose of fulfilling their rights or obligations provided in the law or when the law separately provides for the processing of personal data. This would have clarified the relationship between the Act on the Protection of Privacy in Working Life and the General Data Protection Regulation (“GDPR”).

The government proposal1 on amending the Section 4 of the Act on the Protection of Privacy in Working Life was submitted to the Parliament in March 2022. The proposal has been under consideration of the Employment and Equality Committee, but the handling of the matter has not progressed since May 2022 and the committee report has not been completed.

Legislative proposals that have not been approved by the end of the electoral term will lapse. It is up to the new government to decide whether it will submit a similar proposal to the Parliament. It should be noted that the new government is not tied to the contents of the lapsed proposal, and eventual regulatory drafting would be conducted anew on the ministry level. Therefore, no changes to the Act on the Protection of Privacy in Working Life can be expected in the near future.

1Government proposal 35/2022. (Available in Finnish and Swedish)

Read also

The law regulating data protection in working life is broken – and only a temporary fix is under way

More by the same author

Implementation of the NIS2 Directive in Finland: New Cybersecurity Requirements for Critical Sector Businesses and Entities

On 23 May 2024, Finland took a significant stride towards strengthening its cybersecurity legislation when the Government submitted to the Parliament a proposal (HE 57/2024 vp) to implement the EU Directive on Measures for a High Common Level of Cybersecurity across the Union (Directive (EU) 2022/2555, the “NIS2 Directive“). This legislative initiative aims to bolster cybersecurity measures across various critical sectors, reflecting a heightened regulatory focus on risk management and incident reporting. The proposed Cybersecurity Act, along with amendments to existing legislation, notably to the Act on Information Management in Public Administration (906/2019 as amended), is scheduled to be applicable as of 18 October 2024. The proposal denotes a significant step towards more regulated cybersecurity and positioning the review and supervision of cybersecurity risks as a top management issue.

eIDAS2.0 Has Arrived – What is an EUDI Wallet?

The awaited eIDAS Regulation (EU) 1183/2024, known as eIDAS2.0, introduces new comprehensive rules aimed at facilitating a secure and seamless Europe-wide digital identity framework by amending the first eIDAS Regulation (EU) 910/2014. As the most notable change, eIDAS2.0 introduces a new EU Digital Identity Wallet (EUDI Wallet), meaning an electronic authentication application that must be interoperable throughout the EU. In function, the application will be similar to ordinary wallets, especially when looking at what types of data is stored in it. The Regulation entered into force on 20 May 2024 and the European Commission is due to adopt technical implementing acts in November 2024, after which the Member States have 24 months to implement at least one EUDI Wallet.

Government proposal regarding the implementation of EU’s NIS 2 Directive published

On 23 May 2024, the Finnish Government submitted its proposal regarding the implementation of EU’s NIS 2 Directive ((EU) 2022/2555, the “Directive”) to the Parliament. The proposal includes, inter alia, the adoption of the new Cybersecurity Act and amendments to the Act on Information Management in Public Administration and the Act on Electronic Communications Services. The objective is that the proposed legislation would enter into force on 18 October 2024.

Latest insights

Fostering Continuous Development

Article / 1 Jul 2024

Advocate for Change: Good Governance and Sustainability

Article / 1 Jul 2024