The law regulating data protection in working life is broken – and only a temporary fix is under way

The trends affecting working life – digitalisation, the development of the platform economy, the increasing importance of data and continuous internationalisation – are challenging the premises built into Finland’s legislation governing data protection in working life, formulated in the early 2000s. The regulation of the processing of employees’ personal data in Finland is an exceptional departure from the data protection legislation of other EU Member States in which the processing of employees’ personal data is largely based on the General Data Protection Regulation (EU 2016/679) (“GDPR”).

The GDPR provides Member States with limited national leeway in terms of personal data processed in the context of employment relationships. When the amended Act on the Protection of Privacy in Working Life (759/2004) entered into force in the spring of 2019 nearly in its old form – contrary to expectations for the drafting of the law –, Finland took the view that it had exercised this leeway enabled by the GDPR. Critical assessments and recent academic research[1] have nevertheless shown that the Act appears to be fundamentally in conflict with the GDPR. The following is a description of the challenges resulting from this exceptional set-up, and the developments that have taken place as a result.

[1] Mia Eklund. 2021. Integritet och övervakning i arbetslivet – juridiska perspektiv på arbetsgivarens rätt att övervaka arbetstagare, pp. vii-viii and 65-81.

The working life-specific necessity requirement and consent as a prerequisite for personal data processing

At the national level, the starting point for the processing of employees’ personal data is the necessity requirement laid down in Section 3 of the Act on the Protection of Privacy in Working Life, according to which the employer may only process personal data directly necessary for the employee’s employment relationship. The Section also states that no exceptions can be made to the necessity requirement, even with the employee’s consent. This enhanced necessity requirement, which departs from the necessity requirement imposed by the GDPR, is the first special national characteristic exceeding the leeway allowed by the Regulation.

The Act on the Protection of Privacy in Working Life also requires personal data concerning employees to be collected primarily from the employees themselves. If the personal data is collected from elsewhere than from the employees themselves, the employees must consent to it (Section 4). This consent requirement specific to Finland can be departed from only in a limited number of cases. An employee’s consent is not required when an authority discloses information to the employer for the purpose of the employer fulfilling its statutory obligation or if the collection or obtaining of data is expressly provided for by law. Due to the GDPR, the validity of the employees’ consent is, in practice, subject to a strict set of criteria. Given the interpretation of the EU’s data protection authorities according to which employees are in a subordinate position in relation to employers, the genuinely freely given consent required by the GDPR is easily relegated to the status of an artificial formality when it is relied upon. Since the other grounds for processing provided by the GDPR are, in essence, beyond the reach of employers, Finland is basically in a situation in which an employer’s right to carry out monitoring or investigate misconduct in the workplace is very limited.

An ongoing project[2] of the Ministry of Economic Affairs and Employment aims to amend the regulation concerning the processing of employees’ personal data. The purpose of the project is to amend the legislation in terms of the consent requirement so that employers could also collect, without employees’ consent, personal data during an employment relationship for the purpose of fulfilling their rights or obligations provided in the law or when the law separately provides for the processing of personal data. The proposed amendment is also linked to the Whistleblower Protection Act currently being drafted in Finland, which would implement what is referred to as the Whistleblower Directive. The forthcoming Act would give a party authorised by an employer the right to process the personal data of the person whom a report concerns and other persons mentioned in the report without their consent for the collection of data, although in practice, employers may also need to process investigation requests or cases of negligence other than those falling under the scope of the Act in question. The implementation of this amendment would, at the same time, around the turn of 2021-2022, provide an opportunity for amending the limitation imposed in the Section 4(1) of the Act on the Protection of Privacy in Working Life in a way that would also allow monitoring related to the fulfilment of an employer’s rights and obligations and the investigation of any misuse or misconduct in a manner which would not, as opposed to the current Section, be in conflict with the GDPR.

[2] Draft of the government proposal on amending Section 4 of the Act on the Protection of Privacy in Working Life, 7 July 2021. (Available in Finnish and Swedish)

The processing of employees’ health data is a whole different story in its own right

Another problem of the national legislation involves the processing of employees’ personal health data. According to the GDPR, the processing of data concerning health requires the data either to be obtained directly from the employees themselves or an employee’s consent for the collection of the data from elsewhere. In departure from other EU Member States, Finland limits, in addition to the possible grounds for processing, the purposes for processing health data in such a way that an employee’s health data may only be processed, even at the employee’s consent, for the purposes defined in law, i.e. for the purpose of paying sick pay or other comparable health-related benefits or establishing the reason for an absence or assessing working capacity (Section 5).

The prerequisite for the leeway left to Member States by the GDPR in the field of employment law is that the defined grounds for processing personal data may be specified by national legislation only in respect of a legal obligation or public interest. In terms of the grounds for processing data concerning health, however, the Member States have not been provided with any national leeway at all although, according to the GDPR Article 9(4), Member States may maintain or introduce further conditions, including limitations, with regard to the processing of data concerning health. This being the case, the Act on the Protection of Privacy in Working Life, in practice, curtails the scope of an employee’s consent as the grounds for processing data concerning health. This has led to significant challenges with respect to unexpectedly identified and unforeseen needs to process health data. This has also been the case in attempts to manage the coronavirus epidemic.

On a practical level, the problem also takes shape in the product development of applications and devices that utilize health data. For example, the possibilities of Finnish health technology companies developing health technology for testing and developing their products in Finland are weaker, given that the processing of employees’ health data, such as heart rate data and other similar physiological data, for research and product development purposes is not legal even with employees’ explicit consent.

For the purpose of managing risks, cases of practical application should carefully ensure the realisation of privacy protection and carry out the measures necessary for ensuring legal compliance to that end.

The current state of the national legislation can be deemed to impair Finland’s competitiveness in the international labor market. In special cases, it can furthermore result in a situation where companies are practically forced to move their product development operations, and thus jobs, out of Finland. Due to the aforementioned limitations, companies developing health technology striving to engage in product development in the Finnish operating environment have led to interpretations based on which physiological data deemed health data has also been considered eligible for collection with the express consent of an individual. The practical solution which has developed as a response to the limitations of the current data protection in working life is an interpretation according to which employers, as controllers, also process employees’ personal data for purposes other than those related to the employment relationship, meaning that an employee is considered to simultaneously hold the role of both an employee and a test subject. However, for the purpose of managing risks, such cases of practical application should carefully ensure the realisation of privacy protection and carry out the measures necessary for ensuring legal compliance to that end.

“The acknowledged conflict with EU regulation means that, to be repaired, the Act on the Protection of Privacy in Working Life requires something other than mere quick fixes, which the proposed amendment offers.”

Even though there has not been much public debate on the state of our national data protection legislation, there have even been proposals to repeal the national Data Protection Act altogether. More than 20 years of experience in its application has nevertheless proven the Act on the Protection of Privacy in Working Life to have its uses. At its best, it clarifies operational practices and employers’ special obligations in terms of employee data processing. In many respects, it also improves the status and rights of employees. The provisions which clarify and increase predictability in relation to workplace drug testing and camera surveillance are a good practical example of the streamlining effects of the Act. Even so, the acknowledged conflict with EU regulation means that, to be repaired, the Act on the Protection of Privacy in Working Life requires something other than mere quick fixes, which the amendment to Section 4(1) described above offers.  In addition, the processing of employees’ emails – connected on a more general level to Finland’s exceptionally extensive protection of the secrecy of communications and the ePrivacy Regulation, the drafting of which has been under way in the EU for quite some time now – is another story altogether. In this dimension as well, European harmonisation may lead to a need for interim national remedies. Alternatively, we might be looking at a more wide-ranging re-evaluation of the regulation of Finnish working life.

 

Special thanks to Roope Liuha who participated in the writing of this article and works as an Associate Trainee at Dittmar & Indrenius in autumn 2021.

Latest insights

Ehdotus whistleblowing-lainsäädännöksi on julkaistu

Alert / 21 Sep 2022
Reading time 3 minutes

The EU General Court dismisses appeals in landmark state aid rulings

Alert / 16 Sep 2022
Reading time 4 minutes