Jukka Lång

Partner
Head of Data Protection, Marketing & Consumers

Jukka Lång

Partner
Head of Data Protection, Marketing & Consumers

Share this

Data protection specialist Jukka Lång is highly praised for his “strong understanding” of this field.

Chambers Europe 2018, TMT

He is client focused and has the ability to explain complicated legal issues in a way that is understandable; his initiative and the way he follows up are superb.

Client Choice Awards 2016, Winner of the IT & Internet category for Finland

The best data protection lawyer in Finland.

The Legal 500 2018, TMT

He understands business; he is curious and ready to challenge a conservative approach and to provide practical guidance.

Client Choice Awards 2018, Winner of the IT & Internet category for Finland

Really knowledgeable in the area and appears to be a person who is able to also understand the wider context.

Chambers Europe 2017, TMT

I really rely on him; his knowledge is exceptional and he can offer practical insights.

Chambers Europe 2015, TMT

Jukka is the best data protection lawyer in Finland; he has an in-depth understanding of the subject matter and a unique ability to tie it to the client’s business needs.

Client Choice Awards 2018, Winner of the IT & Internet category for Finland

Excellent strategy building.

Chambers Europe 2018, TMT

Open, internationally-minded and flexible.

Chambers Europe 2016, TMT

A strong player in the privacy area.

Chambers Europe 2016, TMT
Dittmar & Indrenius > People > Jukka Lång

Focus on complex data protection, cyber security and IT law matters.

Jukka Lång is known for his solution-oriented approach and extensive experience in data protection matters and his capability to understand client’s business needs relating to the use of data in today’s evolving business landscape.

He advises clients in large-scale international data protection and data security compliance projects and provides strategic advice, for example, in intelligent building, IoT and Big Data projects.

Jukka Lång is the leading Finnish lawyer in the field of data protection and privacy and a trusted strategic speaking partner and advisor for many innovative Finnish listed companies in all their business matters relating to data protection and cyber security. Since 2012 he has been teaching a course of data protection law and contracts at the Faculty of Law, University of Helsinki.

Jukka Lång started his career in data protection law as an inspector of the Finnish Data Protection Authority in 2003.

Education

University of Helsinki (LL.M., 2006; B.A., 2006 and M.A., 2009, in History)

CIPP/E 2013

Admitted: Finnish Bar Association

Languages

Finnish, Swedish and English

References

Latest Insights

alert
The new Finnish Data Protection Act supplementing the GDPR enters into force on 1 January 2019
5 Dec 2018 Finland passes new Data Protection Act, which nationally supplements and clarifies the General Data Protection Regulation. Background The European Union's General Data Protection Regulation (EU) 2016/679 ("GDPR") entered into force on 24 May 2016 and has been applicable from 25 May 2018. Even though the Regulation is directly applicable in all Member States, it leaves some issues to be decided on or further regulated by Member States. In Finland, the Regulation is nationally supplemented and clarified with a new Data Protection Act. The new act was delayed but the Finnish Parliament accepted the relevant legislative proposal on 13 November with presidential confirmation taking place on 5 December. The Data Protection Act will enter into force on 1 January 2019 thus e.g. enabling the Finnish supervisory authority, the Data Protection Ombudsman to carry out tasks and exercise powers provided by the GDPR. Administrative fines not applicable to public authorities and bodies The Data Protection Act does not enable imposing administrative fines on public authorities and bodies, which was an issue highly debated during the preparation of the legislation. The GDPR leaves it to Member States to legislate whether administrative fines apply to public authorities and bodies. With diverse arguments for and against, the Finnish legislator decided not to apply the sanction risk of administrative fines to state, municipal, and other public authorities and bodies. For all this, it should be borne in mind that such bodies and authorities process vast amounts of significant personal data. Apart from administrative fines, they are subject to obligations and supervision under the GDPR and the Data Protection Act as well as to general public law requirements and criminal liability. The need to extend the imposition of administrative fines to public bodies and authorities will likely be monitored and assessed in the future. The Data Protection Ombudsman will be the Finnish supervisory authority According to the Data Protection Act, the Finnish Data Protection Ombudsman is the supervisory authority in Finland responsible for monitoring the application of the GDPR. The GDPR would also allow the supervisory authority to be composed of multiple members and even the establishment of more than one supervisory authority. In the Finnish solution, the position and related tasks are allocated to a single official despite earlier discussions of establishing a new authority in the form of an agency. However, upon accepting the new Data Protection Act, the Finnish Parliament required the Government to further examine the possibility of establishing a new data protection agency in the future. According to the Parliament's reply, in the development of the Data Protection Ombudsman organisation it should especially be ensured that administrative sanctions are imposed by a multi-member body and that the authority is independent, as required by the GDPR. The Data Protection Ombudsman shall have an office, which includes at least two Deputy Data Protection Ombudsmen and a necessary amount of referendaries and other personnel. The Office shall also include an internal advisory board, which, at the request of the Data Protection Ombudsman, shall give opinions on significant questions regarding the application of data protection law. Due to the significant workload relating to the enforcement of the GDPR, the current budget proposal for 2019 would allocate 855,000 euros as additional resources to the Office of the Data Protection Ombudsman, thereby – in a longer run – almost doubling its personnel from the current manpower of approximately 23 officials. The sanctions will be imposed by a new collegial body Although the Finnish supervisory authority is a single official, it was deemed vital that the power to impose administrative fines rests with a body composed of more than one member. The Data Protection Act introduces a new collegial body composed of the Data Protection Ombudsman and the Deputy Data Protection Ombudsmen. In Finland, administrative fines may only be imposed by this collegial body. By contrast, the advisory board does not directly participate in imposing administrative fines. The collegial body is chaired by the Data Protection Ombudsman and quorum for the body's decisions on administrative fines requires the presence of at least three members. The decision supported by the majority of members shall prevail and, in case of a tied vote, the decision less adverse to the party subject to the sanction. Especially as upon the time of writing the deputy ombudsmen are not yet appointed, the time will show the sanctioning policies and practices of the collegial body. Taking into account the current practices of the Finnish data protection authority we do not, however, expect that it takes significantly active approach on fines. Since administrative fines are seen as severe sanctions for data controllers and processors, it was considered necessary to allocate the imposition of administrative fines to a multi-member body. Similarly to the structure of the Finnish supervisory authority, the need to further develop the composition and decision-making procedure of the collegial body in relation to administrative fines will be monitored and assessed in the future. It should be noted that fines are not the only punitive measure in the toolbox of the Data Protection Ombudsman. The Data Protection Ombudsman has various other corrective powers (e.g. order of compliance and rectification and ban on processing), the use of which the Ombudsman may enforce by issuing a notice of a conditional fine. Conditional fines apply to private parties and public authorities and bodies. These other corrective powers, such as the power to impose bans on processing data, may in many occasions be more significant than the fines, as discussed in our recent article, which can be found here . The right to appeal to the Supreme Administrative Court requires a leave to appeal According to the Data Protection Act, decisions of the Data Protection Ombudsman and Deputy Data Protection Ombudsmen and decisions on administrative fines may be appealed against by lodging an appeal in an Administrative Court. There is no possibility to request an administrative review of decisions of the supervisory authority and, therefore, an appeal to an Administrative Court is the first legal remedy. It should be noted that a decision qualifying for appeal may state that the decision is enforceable notwithstanding appeal. Therefore, the effects of a ban on processing, for instance, may not necessarily be postponed simply by appealing. However, obtaining a court order prohibiting enforcement of such decision may be possible in certain circumstances. An appeal against the decision of an Administrative Court to the Supreme Administrative Court requires leave to appeal according to the Data Protection Act. The requirement for leave to appeal is in line with current policies regarding the developing role of the Supreme Administrative Court. The applicable age for children will be 13 The GDPR requires that where information society services are offered directly to a child, processing of personal data on the basis of consent is lawful only if the child is at least 16 years old. Member States may provide for a lower age by law, but not below 13 years. According to the Data Protection Act, the applicable age in Finland is 13 years. In relation to children younger than that, consent must be given or authorised by the holder of parental responsibility over the child. The Finnish and Nordic view highlight a child's right to participate in the modern digital culture and benefit from services of the information society. While it is vital to provide necessary safeguards for the protection of children against harmful phenomena online, the use of internet and digital services is considered to have an important impact on a child's learning, social skills and self-expression. Looking forward The acceptance and confirmation of the Data Protection Act mark the end of a long wait in Finnish data protection law. However, in a more extensive process we have reached but an intermediate stage. The need to adjust the form and structure of the national supervisory authority and the non-application of administrative fines to public authorities and bodies will be monitored in the future and re-visited if necessary. Moreover, many amendments to specific legislation required by the GDPR are still under way. For example, the Finnish Parliament is currently processing amendments to the Act on the Protection of Privacy in Working Life, the peculiar and important Finland specific act governing the employee data. This next phase will be of great importance and interest, and show in part that there is still a long way to harmonising the European data protection regime.   Special thanks to the co-author of this insight Oskari Paasikivi, D&I Trainee 2018.

Share this

Dittmar & Indrenius