The Data Protection Act (1050/2018) (‘the Act’) entered into force on 1 January 2019, following the Parliament of Finland’s approval on 13 November 2018. The Act implements the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) into national law and repeals the Personal Data Act (523/1999), as well as the Law on the Data Protection Board and the Data Protection Commissioner (389/1994).
Henri Tanskanen, Associate at HH Partners, Attorneys-at-law Ltd., told DataGuidance, “I don’t think we are used to seeing ourselves as the laggards of the EU, but here we are this time. The enactment of the Act was significantly delayed due to a prolonged working group phase followed by additional parliamentary work on the details of the national sanction regime. In the end, no new supervisory authority was set up as [initially] proposed, and the Office of the Data Protection Ombudsman (‘Ombudsman’) remains as the national data protection authority. Administrative fines, in turn, will be imposed by a three-member board consisting of the Ombudsman and two Deputy Data Protection Ombudsmen.”
The Act contains special provisions, which include requirements in relation to the processing of personal identity numbers; exceptions to the processing of personal data; restrictions on the obligation of data controllers to provide information to data subjects; as well as limitations on individuals’ right of access. Furthermore, the Act sets the age of consent for the provision of information society services to children at 13 years old.
Tanskanen continued, “One of the more startling aspects of the Act is that administrative fines may not be imposed on public authorities and bodies. The issue was divisive all the way through the law-making process, with even the Ombudsman himself lobbying to keep the public sector in scope of the administrative fines. One fear is that the differential treatment of public and private sector entities may lead to unfair competition particularly in health and social services, and potentially also unreasonable liability scenarios in public-private supply chains and outsourcing arrangements.”
The Act prescribes that organisations, including state authorities, state-owned enterprises, municipal authorities, parliamentary offices and the Office of the President, are exempted from the imposition of fines. In addition, the Act includes provisions which reflect the repealed Personal Data Act (523/1999), particularly in relation to the protection of free speech and journalistic freedom.
Tanskanen concluded, “While the legislator largely managed to keep any significant deviations from the GDPR to a minimum, the existing employee privacy regime was left practically untouched. This means that various national peculiarities related to the use of email, drug and aptitude testing, company network monitoring and other aspects of workplace privacy remain in place, undermining the goal of EU-wide harmonisation.”
WERONIKA NATALIA BŁASZCZYK Junior Privacy Analyst