From Regulating Personal Data Files to Enhancing Data Protection
The clock is ticking – there is less than a year until the GDPR (the “General Data Protection Regulation”) comes into effect. The European data protection authorities are doing their best to give guidance on how to interpret the regulation. However, even though the purpose of the GDPR is to harmonize the European data protection legislation, some issues are left open to the member states. On 1 June, D&I hosted an insightful morning seminar with a tasty breakfast and engaging discussions. We had the honor to have Mr Pekka Nurmi, chairperson of the Finnish Data Protection Board and of the Working Group responsible for assessing the implementation in the first phase, as a keynote speaker. At the event, the participants got a glimpse of what the Finnish data protection regime is going to look like in 2018.
As Mr Nurmi pointed out, the Finnish regulators aim to ensure that the Finnish national laws give companies established in Finland a competitive edge as far as possible. In general, many of D&I’s clients see the data protection regime not only as a challenge but also as an opportunity. Certainly, we at D&I think that the regulatory regime is an opportunity for companies to embrace the new age of digitalization, and we strive to give our clients the best tools to get the most out of the data protection laws. At D&I we see data protection, as well as all the other legal issues, as an intertwined area composed of various legal questions that relate to several fields of law. Therefore, we engage the full spectrum of our expertise in every assignment.
The details of the national implementation will be out before midsummer, but we can already point out three interesting and relevant aspects that should be noted from the proposal.
1. Filling the Gaps
First and foremost, it is highly likely that by 2018 there’s going to be a new Finnish general data protection law (“tietosuojalaki”). The Finnish general data protection law will be based on the GDPR text and will only cover specific sectors that are not regulated by the GDPR.
The GDPR leaves some areas open to be decided upon by the Member States. For example, the processing of personal data relating to criminal convictions and offences by private entities is lawful only when authorized by the European Union or the Member State laws. All such provisions will, to the extent possible, be found in the general data protection law. However, some practices need to be regulated in sectoral laws. For example, the processing of information related to customer misconduct by credit companies has been considered lawful when based on the prior authorization of the Finnish Data Protection Board. Such an authorization procedure will in all likelihood be in place also under the GDPR, but regulated in separate sectoral laws. The Working Group is at this point assessing only the necessary laws and regulations, and all the sectoral laws will be reviewed by the competent ministries in the second phase of implementation.
2. The Empowered Authority
The Finnish supervisory authority will be the data protection ombudsman. As Mr Nurmi pointed out, the data protection ombudsman’s office is understaffed, as the workload is going to increase rapidly and extensively.
Indeed, we forecast that there is a need for an increase in the resources of the Finnish data protection ombudsman – our partner and head of the Data Protection, Marketing & Consumers team, Jukka Lång, pointed out that the resources in 2017 are almost the same as they were in the early 2000s when he worked at the data protection ombudsman’s office as an inspector. Time will show how prepared and well funded the new authority will be, but we find that it is in the interest of every company that the Supervisory Authority is capable of giving guidance to the companies facing increasing data protection issues in their everyday business.
3. Disputes – What If? And What Then?
As the sanctions under the GDPR are much higher than any possible sanctions under the data protection laws currently in force in Finland, the likelihood of data processing related disputes, and the risk related to these, is much greater. The Working Group proposes that a “Sanctions Board” is created in addition to the data protection authority. The Board will probably consist of 5 lawyer members and it will be responsible for deciding the GDPR-based sanctions on the basis of the data protection ombudsman’s proposal. As the sanctions under the GDPR are fairly high and harmonized within the EU, we will surely see long trials all the way to the European Court of Justice. Additionally, as our Partner and Head of Dispute Resolution Jussi Lehtinen pointed out, we will probably see many long and complicated disputes that include administrative procedures related to the sanctions as well as parallel or follow-on civil procedures for the damages. (Read more in the D&I Dispute Resolution and Data Protection Alert published on 1 June 2017 in Finnish.)