The Supreme Administrative Court of Finland has issued its first decisions regarding administrative fines under the General Data Protection Regulation (the “GDPR”). Incidentally, the decisions concerned the first administrative fines imposed by the Finnish Data Protection Ombudsman back in 2020. The court’s essential arguments, as summarised below, may provide useful insights into how the appellate courts will interpret GDPR requirements and, especially, what aspects are key when challenging GDPR fines in the future.
Data protection information must be provided to data subjects through active measures
The first decision (KHO:2023:81) dealt with the transparency of data processing and the provision of information to data subjects. In its initial decision, the Data Protection Ombudsman had considered that Posti Oy (the national postal service) had violated related obligations in connection with its change of address service and, therefore, imposed a fine of EUR 100,000. The Administrative Court subsequently overturned the fine, with which the Supreme Administrative Court ultimately disagreed by upholding the original fine.
The Supreme Administrative Court underlined the following aspects:
- To ensure the transparency of personal data processing, data protection related information, for example relevant privacy notices, must be informative and easy to find.
- The GDPR does not specify what is meant by the provision of information. Nevertheless, the obligation to provide information must be understood as active measures by the data controller to furnish the data subject with information or to actively direct the data subject to its location.
- When assessing the proportionality of imposing an administrative fine, it is irrelevant whether the supervisory authority has first used its other corrective powers before imposing the fine. The supervisory authority is thus entitled to impose fines without, for example, first issuing a warning or taking any other enforcement action.
The court’s ruling clearly demonstrates that passive and confusing approaches in providing data subjects with privacy information – through various links or within lengthy terms and conditions – will now run the risk of attracting strict regulatory scrutiny, although this may have been typical practice in the early days of the GDPR.
GPDR enforcement requires due examination
The second decision (KHO:2023:82) concerned the unnecessary collection of personal data from job applicants. The Data Protection Ombudsman had considered that the company in question had not been able to sufficiently demonstrate compliance with the GDPR when processing job applicants’ personal data. Both the Administrative Court and the Supreme Administrative Court disagreed with the Ombudsman and overturned the initial fine of EUR 12,500.
According to the Supreme Administrative Court, when imposing administrative fines, the authority is primarily responsible for the investigation of the matter, not the data controller. In accordance with the requirements on administrative procedure, the authority’s investigation of the case must be based on the presumption of innocence and the fact that the party in question is not obliged to present a negative statement about itself. In this context, administrative fines are considered punitive sanctions and are, therefore, comparable to criminal cases. Accordingly, administrative sanctions must comply with the presumption of innocence, and they cannot be based on a purely reversed burden of proof or strict objective responsibility.
Following these requirements, the Supreme Administrative Court held that the Data Protection Ombudsman had not demonstrated sufficient evidence that the company had processed personal data in violation of data protection legislation.
Interestingly, the Supreme Administrative Court was asked to submit a request for a preliminary ruling to the Court of Justice of the European Union regarding the ambiguity of the interpretation of the GDPR. However, according to the Supreme Administrative Court, no such questions had arisen in these cases, which would have required a preliminary ruling from the EU court.
Although we are now half a decade into the application of the GDPR, significant interpretation challenges are, nevertheless, sure to continue. So far, 19 GDPR fines have been imposed in Finland, nine of which have been appealed with four cases still pending either in the Administrative Court or the Supreme Administrative Court. Therefore, it is safe to say that interesting case law tackling GDPR interpretation issues remains on its way.