Right before the midsummer holidays, the TATTI working group appointed by the Finnish Ministry of Justice published its report on the national implementation of the EU General Data Protection Regulation (the “GDPR”) in Finland. The GDPR will be directly applicable in all EU member states as of 25 May 2018, but it allows certain derogations and additions to be made through national legislation. In its report, the working group proposes the Finnish Personal Data Act (523/1999) to be repealed and replaced by a new Data Protection Act that would complement the GDPR.
In its report, the working group proposes significant changes to the national legislative landscape of data protection. The five key takeaways from the report are, in our view, the following:
- National leeway has been used scarcely. It seems as though the working group has held back on suggesting national exemptions to the GDPR, making sure the GDPR’s aim of harmonisation is respected. The possibility of regulating national derogations will only be used in a limited number of situations, making compliance easier for companies that operate in multiple different member states.
- The Office of the Data Protection Ombudsman is to be turned into the Data Protection Agency. This includes certain organisational changes, such as the appointment of one or more Assistant Data Protection Ombudsmen as well as a general expansion of the agency. The Data Protection Board will be replaced with a Sanctions Board which will operate under the Data Protection Agency and be responsible for imposing the widely discussed and hefty administrative fines set forth in the GDPR.
- Legislation on criminal sanctions is to be amended. The current data protection offence in the Finnish Criminal Code is suggested to be replaced by a more limitedly available offence being applicable only to natural persons acting in breach of data protection regulations, such as the employees of a company acting as a data processor or controller. The heavy administrative fines of the GDPR are seen as a sufficient sanction for non-compliant companies.
- No changes to processing of employee data. The current Act on Protection of Privacy in Working Life governing the processing of employee personal data remains the same, as the proposed Data Protection Act contains a reference to existing law.
- The right to appeal is wide – but to some extent contingent on a leave to appeal. The decisions taken by the newly established Data Protection Agency, including both the Data Protection Ombudsman and the Sanctions Board, will be subject to appeal to the Administrative Court and thereafter the Supreme Administrative Court, the latter requiring a leave to appeal.
Certain topics are, however, still left undecided by the working group, such as the national age limit for the processing of children’s personal data. Many topics covered by sectoral laws are also left open and to be regulated more specifically later on. One very interesting aspect regarding the possibility to impose sanctions on public authorities is that the working group could not reach a consensus on whether administrative fines should be applicable to public authorities or not, and if so, at what size. This means that there is certainly more to come, and we will pay close attention to this topic that is bound to be subject to a lively discussion.
The proposal for legislation included in the report will now be circulated for comments, after which the government proposal for the new legislation will be handed to the parliament in the fall. The new national Data Protection Act is planned to enter into force at the same time as the GDPR becomes applicable, i.e. in May 2018. As usual, Hannes Snellman’s data protection team is keeping a keen eye on the national preparations for the GDPR and will keep you updated on the progress.
Managing Associate at Hannes Snellman