The National Implementation of the GDPR in Finland Takes the First Step
On 21 June 2017, the Working Group appointed by the Finnish Ministry of Justice (“Working Group”) published the report on how the General Data Protection Regulation (the “GDPR”) should be implemented in Finland.
The European Union’s General Data Protection Regulation (EU) 2016/679 (“GDPR”) was entered into force on 24 May 2016 and shall apply from 25 May 2018. Even though the Regulation is directly applicable in all Member States, it leaves some issues to be decided on or further regulated by Member States. On February 2016, The Ministry of Justice appointed a Working Group (“TATTI”), the purpose of which is, among others, to assess the need for new national data protection laws and the need to amend other legislation accordingly. Nevertheless, the main focus of TATTI was to prepare a proposal for the national data protection law (Tietosuojalaki).
Here’s our take on the ten most significant aspects from the report, that provide you with our estimate on what the Finnish data protection regime will look like in 2018.
1. Harmonisation Will Be Respected
One of the main aims of the GDPR is to harmonise the European data protection laws. The Working Group emphasizes that the national implementation of the GDPR in Finland will respect that aim and proposes that the GDPR will be applied also to personal data processing outside the scope of the GDPR, unless required otherwise by sectoral laws. The possibility for derogations and national exemptions will be only limitedly used in Finland. This signal will be welcomed by all businesses operating internationally.
2. The Protection of Privacy in Working Life Will Continue Having Specific and Strict Regulation
The GDPR allows Member States, by law or by collective agreements, to provide more specific rules on the protection of the rights and freedoms in respect to the processing of the employees’ personal data in the employment context.
The Finnish legislation already contains specific regulations on the matter as the Act on the Protection of Privacy in Working Life lays down the provisions on the processing of personal data on employees. In comparison to other Member States, the Finnish regulation is exceptionally strict for employers in fields such as monitoring employees’ internet usage and access to their work email.
According to the report, the Act on the Protection of Privacy in Working Life is already in line with the regulation set in the GDPR and, therefore, the Act will continue being in force without amendments. Thus, all companies doing business in Finland are required to comply with the detailed national law in addition to the GDPR in respect of their HR data.
3. Many Questions Still Unclear as They Will Be Covered by Sectoral Laws
Currently, there are hundreds of different sectoral laws which supplement the general legislation on processing of personal data in Finland. Unfortunately, the renewal of such sectoral laws remains still unclear as the Working Group has not assessed the necessity or the contents of the existing specific legislation. The work remains to be completed by each of the responsible ministries in the future.
Therefore, from the perspective of companies operating e.g. on the finance, insurance or health care sectors, this essentially complicates the preparation of such companies to the changing legislation as the overall picture remains vague. However, the Working Group emphasizes the European Commission’s view on the very limited possibilities of supplementing the GDPR on a national level as it is a regulation, not a directive.
4. The Established Data Protection Authority Will Be the Finnish Supervisory Authority
The official duties set in the GDPR will further be concentrated to one new supervisory authority — the Data Protection Authority (tietosuojavirasto). The Data Protection Authority is to continue the activity of the existing Office of the Data Protection Ombudsman with certain organisational changes. The current Data Protection Ombudsman will act as the lead official of the Data Protection Authority and, as a new feature, a separate Sanctions Board (seuraamuslautakunta) will be established within the Data Protection Authority.
The GDPR requires that each Member State shall ensure that each supervisory authority is provided with the resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers. It is estimated that the new Data Protection Authority will require up to 75 per cent more resources (EUR 1,320,000) in 2019 compared to the existing resources of the Office of the Data Protection Ombudsman.
5. The Sanctions Will Be Imposed by the New Sanctions Board
The administrative fines are one of the most discussed topics of the GDPR. Therefore, it is important to know who has the right to impose such fines and how the controller may appeal. Unlike under the current Finnish law, the GDPR provides the supervisory authority the power to issue the administrative fines.
The Working Group proposes establishing a Sanctions Board under the new Data Protection Authority. The members of the Sanctions Board will be appointed by the Finnish Government, from the Data Protection Authority’s proposal, for a five year term. Members may be re-appointed once for second term.
The board consists of five lawyer members, of which the chairperson and the vice-chairperson must have the same competence as a judge (excluding the requirement to be a Finnish national). The members must have the relevant expertise and knowledge on data privacy rules. The Sanctions Board is not working full time and the members are not employed by the Data Protection Authority. They are subject to public liability and obligated to refrain from all actions incompatible with their duties.
The GDPR does not set procedural rules regarding the exercise of the sanctions. Interestingly, to ensure due process, the Working Group proposes a possibility for an oral hearing in accordance with the Administrative Judicial Procedure Act (hallintolainkäyttölaki).
6. The Right to Appeal to the Supreme Administrative Court Requires a Leave to Appeal
The decisions of the Data Protection Authority are subject to appeal to the Administrative Court in accordance with the provisions of the Administrative Judicial Procedure Act. The right to appeal is not just for the decisions of the Court, but also from the Data Protection Ombudsman decision to present administrative sanctions regardless of whether the case is already pending in the Sanctions Board.
Interestingly, the right to appeal to the Supreme Administrative Court requires that the Supreme Administrative Court grants a leave to appeal.
7. Sanction Imposed on Public Authorities and Bodies Still Undecided
The level of administrative fines and the grounds for imposing such are harmonised pretty widely, and the European authorities will aim to ensure the harmonisation of the sanctions in practice under the GDPR. However, the GDPR leaves the rules on whether the sanctions may be imposed, and to what extent, on public authorities and bodies to be decided by the Member States.
The Working Group was not able to reach a unanimous conclusion on whether such derogation should be applied. Some members of the Working Group pointed out, e.g., that the derogation would require alternative effective sanctions mechanisms. However, building alternative mechanisms or lower sanction levels, would be against the principle of harmonisation. Other members pointed out that the question should be assessed from the perspective of the Finnish sanctions system, which already includes a wide range of effective measures that ensure the implementation of the regulation in public authorities, and that as the sanctions are paid to the government, the money would be, in practice, only transferred from one pocket to another.
8. Applicability of Criminal Sanctions
As mentioned, the GDPR is strongly based on the administrative sanctions. In order to avoid situations where the same breach would lead to two different punishments, i.e. the administrative and criminal sanction, the Working Group proposes that the administrative fines would be supplemented with criminal sanctions but only when the fines are not available for the matter.
The current data protection offence (henkilörekisteririkos) that provides possibility for fines or imprisonment up to one year would be replaced by more limitedly available offence (tietosuojarikos) that would be subject to the same penalties.
The criminal responsibility would only apply to persons, who have not acted in the capacity of data controller or processor. For instance, the criminal sanctions would be applicable to the employees of a company who process personal data without a legitimate purpose but only out of curiosity, or to persons breaching the data security requirements, e.g. by disposing of printed documents including personal data without taking care of the proper destroying of such documents.
9. The Necessity to Enable Class Actions for Data Subjects Will Be Further Discovered
The Working Group suggests that the necessity and the possibility to allow class actions for data subjects should be further assessed in a later phase. According to the Working Group, the class action could be a useful legal remedy in data protection matters. The class action would be applicable particularly in situations where the data subject seeks for compensation of damages and it could significantly increase the risk of data subjects’ claims.
10. The Applicable Age for Children Will Be Further Decided
The GDPR contains rules for the child’s consent in relation to information society services. According to the GDPR, processing of the personal data of a child is lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. However, Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
The Working Group proposed that Finland uses the opportunity to provide for a lower age by law. However, it shall still be further decided whether the applicable age should be 13 or 15 years. It is explained that Finland should, above other relevant facts, make the decision taking into consideration the policy that the majority of other Member States or Nordic countries decide.
The report of the Working Group will now circulate for comments and the Government proposal is planned to be given to the Parliament in the autumn. The Working Group is to continue its tasks, especially in setting the starting points for the use of the national latitude and coordinate the preparation and revision of sector specific laws.
We at Dittmar & Indrenius are happy to help with any questions you may have regarding the GDPR and its effects, and will keep you posted on the implementation process and the further clarifications from the Finnish as well as the European Data Protection Authorities.