First-ever Supreme Administrative Court rulings on GDPR fines – both for and against

D&I Alert

Posted on 14 Sep 2023

The Supreme Administrative Court of Finland has issued its first decisions regarding administrative fines under the General Data Protection Regulation (the “GDPR”). Incidentally, the decisions concerned the first administrative fines imposed by the Finnish Data Protection Ombudsman back in 2020. The court’s essential arguments, as summarised below, may provide useful insights into how the appellate courts will interpret GDPR requirements and, especially, what aspects are key when challenging GDPR fines in the future.

Data protection information must be provided to data subjects through active measures

The first decision (KHO:2023:81) dealt with the transparency of data processing and the provision of information to data subjects. In its initial decision, the Data Protection Ombudsman had considered that Posti Oy (the national postal service) had violated the related obligations in connection with its change of address service and, therefore, imposed a fine of EUR 100,000. The Administrative Court subsequently overturned the fine, but the Supreme Administrative Court ultimately disagreed with that outcome and upheld the original fine.

The Supreme Administrative Court underlined the following aspects:

  • To ensure the transparency of personal data processing, data protection related information, for example relevant privacy notices, must be informative and easy to find.
  • The GDPR does not specify what is meant by the provision of information. Nevertheless, the obligation to provide information must be understood as active measures by the data controller to furnish the data subject with information or to actively direct the data subject to its location.
  • When assessing the proportionality of imposing an administrative fine, it is irrelevant whether the supervisory authority has first used its other corrective powers before imposing the fine. The supervisory authority is thus entitled to impose fines without, for example, first issuing a warning or taking any other enforcement action.

The court’s ruling clearly demonstrates that passive and confusing approaches in providing data subjects with privacy information – through various links or within lengthy terms and conditions – will now run the risk of attracting strict regulatory scrutiny, although this may have been typical practice in the early days of the GDPR.

GDPR enforcement requires due examination

The second decision (KHO:2023:82) concerned the unnecessary collection of personal data from job applicants. The Data Protection Ombudsman had considered that the company in question had not been able to sufficiently demonstrate compliance with the GDPR when processing job applicants’ personal data. Both the Administrative Court and the Supreme Administrative Court disagreed with the Ombudsman and overturned the initial fine of EUR 12,500.

According to the Supreme Administrative Court, when imposing administrative fines, the authority is primarily responsible for the investigation of the matter, not the data controller. In accordance with the requirements on administrative procedure, the authority’s investigation of the case must be based on the presumption of innocence and the fact that the party in question is not obliged to present a negative statement about itself. In this context, administrative fines are considered punitive sanctions and are, therefore, comparable to criminal cases. Accordingly, administrative sanctions must comply with the presumption of innocence, and they cannot be based on a purely reversed burden of proof or strict objective responsibility.

Following these requirements, the Supreme Administrative Court held that the Data Protection Ombudsman had not demonstrated sufficient evidence that the company had processed personal data in violation of data protection legislation.

Looking forward

Interestingly, the Supreme Administrative Court was asked to submit a request for a preliminary ruling to the Court of Justice of the European Union on the grounds that the interpretation of the GDPR was ambiguous. However, according to the Supreme Administrative Court, no questions requiring a preliminary ruling from the EU court had arisen in these cases.

Although we are now half a decade into the application of the GDPR, significant interpretation challenges are, nevertheless, sure to continue. So far, 19 GDPR fines have been imposed in Finland, nine of which have been appealed, with four cases still pending either in the Administrative Court or the Supreme Administrative Court. Therefore, it is safe to say that further interesting case law tackling GDPR interpretation issues is still on its way.
