The law regulating data protection in working life is broken – and only a temporary fix is under way

The trends affecting working life – digitalisation, the development of the platform economy, the increasing importance of data and continuous internationalisation – are challenging the premises built into Finland’s legislation governing data protection in working life, formulated in the early 2000s. The regulation of the processing of employees’ personal data in Finland is an exceptional departure from the data protection legislation of other EU Member States in which the processing of employees’ personal data is largely based on the General Data Protection Regulation (EU 2016/679) (“GDPR”).

The GDPR provides Member States with limited national leeway in terms of personal data processed in the context of employment relationships. When the amended Act on the Protection of Privacy in Working Life (759/2004) entered into force in the spring of 2019 in nearly its old form, contrary to expectations for the drafting of the law, Finland took the view that it had exercised this leeway enabled by the GDPR. Critical assessments and recent academic research[1] have nevertheless shown that the Act appears to be fundamentally in conflict with the GDPR. The following is a description of the challenges resulting from this exceptional set-up, and the developments that have taken place as a result.

[1] Mia Eklund. 2021. Integritet och övervakning i arbetslivet – juridiska perspektiv på arbetsgivarens rätt att övervaka arbetstagare, pp. vii-viii and 65-81.

The working life-specific necessity requirement and consent as a prerequisite for personal data processing

At the national level, the starting point for the processing of employees’ personal data is the necessity requirement laid down in Section 3 of the Act on the Protection of Privacy in Working Life, according to which the employer may only process personal data directly necessary for the employee’s employment relationship. The Section also states that no exceptions can be made to the necessity requirement, even with the employee’s consent. This enhanced necessity requirement, which departs from the necessity requirement imposed by the GDPR, is the first special national characteristic exceeding the leeway allowed by the Regulation.

The Act on the Protection of Privacy in Working Life also requires personal data concerning employees to be collected primarily from the employees themselves. If the personal data is collected from elsewhere than from the employees themselves, the employees must consent to it (Section 4). This consent requirement specific to Finland can be departed from only in a limited number of cases. An employee’s consent is not required when an authority discloses information to the employer for the purpose of the employer fulfilling its statutory obligation or if the collection or obtaining of data is expressly provided for by law. Due to the GDPR, the validity of the employees’ consent is, in practice, subject to a strict set of criteria. Given the interpretation of the EU’s data protection authorities according to which employees are in a subordinate position in relation to employers, the genuinely freely given consent required by the GDPR is easily relegated to the status of an artificial formality when it is relied upon. Since the other grounds for processing provided by the GDPR are, in essence, beyond the reach of employers, Finland is basically in a situation in which an employer’s right to carry out monitoring or investigate misconduct in the workplace is very limited.

An ongoing project[2] of the Ministry of Economic Affairs and Employment aims to amend the regulation concerning the processing of employees’ personal data. The purpose of the project is to amend the legislation in terms of the consent requirement so that employers could also collect, without employees’ consent, personal data during an employment relationship for the purpose of fulfilling their rights or obligations provided in the law or when the law separately provides for the processing of personal data. The proposed amendment is also linked to the Whistleblower Protection Act currently being drafted in Finland, which would implement what is referred to as the Whistleblower Directive. The forthcoming Act would give a party authorised by an employer the right to process the personal data of the person whom a report concerns and other persons mentioned in the report without their consent for the collection of data, although in practice, employers may also need to process investigation requests or cases of negligence other than those falling under the scope of the Act in question. The implementation of this amendment would, at the same time, around the turn of 2021-2022, provide an opportunity for amending the limitation imposed in Section 4(1) of the Act on the Protection of Privacy in Working Life in a way that would also allow monitoring related to the fulfilment of an employer’s rights and obligations and the investigation of any misuse or misconduct in a manner which would not, as opposed to the current Section, be in conflict with the GDPR.

[2] Draft of the government proposal on amending Section 4 of the Act on the Protection of Privacy in Working Life, 7 July 2021. (Available in Finnish and Swedish)

The processing of employees’ health data is a whole different story in its own right

Another problem of the national legislation involves the processing of employees’ personal health data. According to the GDPR, the processing of data concerning health requires the data either to be obtained directly from the employees themselves or an employee’s consent for the collection of the data from elsewhere. Unlike other EU Member States, Finland limits, in addition to the possible grounds for processing, the purposes for processing health data in such a way that an employee’s health data may only be processed, even with the employee’s consent, for the purposes defined in law, i.e. for the purpose of paying sick pay or other comparable health-related benefits or establishing the reason for an absence or assessing working capacity (Section 5).

The prerequisite for the leeway left to Member States by the GDPR in the field of employment law is that the defined grounds for processing personal data may be specified by national legislation only in respect of a legal obligation or public interest. In terms of the grounds for processing data concerning health, however, the Member States have not been provided with any national leeway at all although, according to Article 9(4) of the GDPR, Member States may maintain or introduce further conditions, including limitations, with regard to the processing of data concerning health. This being the case, the Act on the Protection of Privacy in Working Life, in practice, curtails the scope of an employee’s consent as the grounds for processing data concerning health. This has led to significant challenges with respect to unexpectedly identified and unforeseen needs to process health data. This has also been the case in attempts to manage the coronavirus epidemic.

On a practical level, the problem also takes shape in the product development of applications and devices that utilise health data. For example, Finnish companies developing health technology have weaker possibilities for testing and developing their products in Finland, given that the processing of employees’ health data, such as heart rate data and other similar physiological data, for research and product development purposes is not legal even with employees’ explicit consent.

The current state of the national legislation can be deemed to impair Finland’s competitiveness in the international labour market. In special cases, it can furthermore result in a situation where companies are practically forced to move their product development operations, and thus jobs, out of Finland. Due to the aforementioned limitations, the efforts of companies developing health technology to engage in product development in the Finnish operating environment have led to interpretations under which physiological data deemed health data has also been considered eligible for collection with the express consent of an individual. The practical solution which has developed as a response to the limitations of the current data protection in working life is an interpretation according to which employers, as controllers, also process employees’ personal data for purposes other than those related to the employment relationship, meaning that an employee is considered to simultaneously hold the role of both an employee and a test subject. However, for the purpose of managing risks, such cases of practical application should carefully ensure the realisation of privacy protection and carry out the measures necessary for ensuring legal compliance to that end.

Even though there has not been much public debate on the state of our national data protection legislation, there have even been proposals to repeal the national Data Protection Act altogether. More than 20 years of experience in its application has nevertheless proven the Act on the Protection of Privacy in Working Life to have its uses. At its best, it clarifies operational practices and employers’ special obligations in terms of employee data processing. In many respects, it also improves the status and rights of employees. The provisions which clarify and increase predictability in relation to workplace drug testing and camera surveillance are a good practical example of the streamlining effects of the Act. Even so, the acknowledged conflict with EU regulation means that, to be repaired, the Act on the Protection of Privacy in Working Life requires something other than mere quick fixes, which the amendment to Section 4(1) described above offers. In addition, the processing of employees’ emails – connected on a more general level to Finland’s exceptionally extensive protection of the secrecy of communications and the ePrivacy Regulation, the drafting of which has been under way in the EU for quite some time now – is another story altogether. In this dimension as well, European harmonisation may lead to a need for interim national remedies. Alternatively, we might be looking at a more wide-ranging re-evaluation of the regulation of Finnish working life.

 

Special thanks to Roope Liuha who participated in the writing of this article and works as an Associate Trainee at Dittmar & Indrenius in autumn 2021.
