The GDPR became applicable on 25 May 2018. The Member States were required to make the necessary changes to their national laws before that. However, like some other Member States, Finland is still working on that, as the Government Bill is still in parliamentary proceedings.
Like many other Member States, Finland has not yet made the relevant changes to its legislation. The Government Bill for the new Data Protection Act (“Tietosuojalaki”) was given to Parliament on the 1st of March, and it is currently being reviewed by the Administration Committee; the Bill will be passed by the Parliament, hopefully, before the summer holidays. Therefore, it’s a good time to look at the main national derogations, and Finland’s decisions about them.
Respecting Harmonisation, Where Possible
The GDPR aims to harmonise European data protection laws. For the most part it does that, but the EU legislators also left some issues to be decided by the Member States, partly due to many compromises in the negotiations, partly because of the difficulties full harmonisation would create. The Finnish legislators respect the aim of harmonisation, as the GDPR will also be applied to personal data processing outside the scope of the GDPR. However, the new Data Protection Act will not add any extra requirements on top of the GDPR, as some national legislations seem to be doing.
There will, however, be areas of data processing that are not harmonised, mainly in the context of employment. The protection of privacy in working life will continue having specific and strict regulation, and Finnish employees continue to enjoy a high level of privacy protection, compared to many other Member States.
Jukka Lång from D&I was heard before the Legal Affairs Committee on the Government Bill for the new Data Protection Act.
The Applicable Age for a Child’s Consent Will Be 13
The GDPR contains rules for children’s consent in relation to information society services. The relevant age limit in Finland will be 13.
Even small deviations are deviations, and therefore harmonisation is not being achieved here. The age limit will be between 13 and 16 in other Member States. Fortunately, Finland took into account the approach taken by other Nordic countries, and also the ways children use these services in practice.
Who Can Impose the Sanctions, and on Whom?
According to the GDPR, the imposition of administrative fines and other penalties should be subject to appropriate procedural safeguards, including effective judicial protection and due process. The Working Group (“TATTI”), appointed by the Ministry of Justice proposed in its report that the administrative fines would be imposed by a new sanctions board. However, this well-founded approach did not make its way into the Government Bill. Rather, the power is in the hands of the Data Protection Ombudsman. Giving such sanctioning power to a single authority, albeit the main data protection authority, would be somewhat exceptional in Finland, as Jukka Lång pointed out to the Parliament’s Legal Affairs Committee. The Committee for Constitutional Law pointed out that such sanctioning power does not comply with the Constitution. At the time of writing this article, the Committee for Constitutional Law is preparing a second statement, as requested by the Administration Committee. It is, therefore, possible that the Data Protection Ombudsman will not, after all, get the sole sanctioning power.
An equally significant issue as who should impose the sanctions is whom they may be imposed on. The GDPR gives the Member States the right to decide whether the sanctions may be imposed, and to what extent, on public authorities and bodies.
The matter is not simple, and even the members of the TATTI working group were unable to reach a consensus. According to the Government Bill, the sanctions will not be imposed on public authorities and bodies.
It is fair to say that the public and private bodies are not in the same competitive position, as the latter has significantly higher risk of sanctions. It is also not certain that appropriate procedural safeguards apply, and that effective judicial procedure will be in place when public bodies would be sanctioned by means of sanctioning the natural persons in charge.
In the big picture, the derogations are in the end, however, minor. The European data protection regime will be significantly harmonised and has already helped many global organisations unify their data processing practices.