Finnish Government Proposal on the Data Protection Act and Supplementary Laws in Finland
The Finnish Parliament received the Finnish Government proposal for a Data Protection Act and related legislation (HE 9/2018 vp) in March 2018. The proposed Data Protection Act ("proposed Act") will supplement and clarify the General Data Protection Regulation (2016/679, "GDPR") and will apply in parallel to the GDPR. The provisions of the proposed Act are generally applicable within Finland's national discretion. The new Act is proposed to enter into force when the GDPR does, 25 May 2018. The proposed Act will repeal the Finnish Personal Data Act (523/1999).
To summarize, Finland will exercise national discretion under the GDPR, mainly based on the currently applicable legislative framework. The proposed Act will retain many current features of Finnish data protection legislation, such as strong employee privacy protections and the special status of personal identity numbers. With the age limit of 13 for processing children's data, and the continued use of criminal sanctions alongside the GDPR fines, Finland will uphold a high level of protection for privacy and personal data. The proposed Act will next be reviewed by the Finnish Constitutional Law Committee and the Legal Affairs Committee.
Under the proposed Act, processing personal data, based on consent, to offer information society services directly to a child is lawful for children aged 13 and older.
The current legislative framework, mainly the Act on the Protection of Privacy in Working Life (759/2004), will continue to apply to employee personal data. Employee monitoring, technical supervision and access to employee e-mail will therefore remain strictly regulated in Finland.
A working group nominated by the Ministry of Economic Affairs and Employment published a draft government proposal on the proposed changes to the Act on the Protection of Privacy in Working Life on 6 April 2018; the draft is currently circulated for comments until 4 May 2018.
The proposal aims to retain the current state of employee data processing after the GDPR enters into force. Only a few changes are proposed, and they relate solely to obtaining criminal record data, camera surveillance and the scope of sanctions directed at employers.
Compared to most of its European peers, Finland sets stringent restrictions on personal identity number processing. These restrictions will mainly remain in force. Under the proposed Act, personal identity numbers can be processed generally only with the consent of the data subject, or if the processing is required by law.
Additionally, processing personal identity numbers is lawful when identifying the data subject is essential (i) in order to perform a task set by law, (ii) in order to realize the rights or duties of the data subject or the controller, or (iii) for purposes of historical, scientific or statistical research. Personal identity numbers may therefore be processed, for example, in certain activities in financial services and the health care sector.
The proposed Act authorizes health-related data processing for certain specified purposes not explicitly listed in the GDPR. For instance, insurance companies may process such data, particularly when determining an insurance provider’s liability. Health care service providers, including service purchasers and providers, have similar authorization.
The Finnish Data Protection Ombudsman is proposed to remain the local supervisory authority under the GDPR. The new legislation also introduces an internal advisory board in the Data Protection Ombudsman’s office. The board would issue advisory statements concerning data protection legislation upon the Data Protection Ombudsman’s request.
In e-privacy matters, however, the Finnish Communications Regulatory Authority will continue to act as the supervisory authority. When the e-privacy legislation is reformed under the proposed EU Regulation on Privacy and Electronic Communications, clarifications may be expected concerning these closely related authorities.
In addition to the administrative fines and other administrative sanctions, e.g., temporary or indefinite bans on processing personal data, criminal sanctions will be included in the Finnish Criminal Code (39/1889).
Criminal sanctions will supplement the administrative fines where the GDPR provides no administrative sanctions. A new criminal offence, the data protection offence, is proposed; it narrows the scope of the former offence under the current Personal Data Act. Amendments are proposed to avoid overlapping sanctions under the GDPR and not to interfere with the principle of ne bis in idem (the prohibition on punishing the same act twice). Only natural persons may be subject to criminal sanctions.
Under the proposed data protection offence, a person other than a data controller or a data processor under the GDPR is guilty of a data protection offence if he or she, intentionally or with gross negligence, obtains personal data in a manner incompatible with the intended use of such data, and then discloses or transfers the personal data in violation of any of these regulations or of a provision of another legal act concerning the purpose limitation, disclosure or transfer of personal data, and thereby violates the privacy of the data subject or causes him or her other damage or significant harm. The penalty is a fine or imprisonment for up to one year. Violation of the legal acts concerning the security of personal data processing is also criminalized.
Under the proposed Act, governmental authorities are somewhat surprisingly exempted from the scope of the GDPR’s administrative fines. It remains to be seen whether this proposal will hold during Parliament’s consideration.
The proposed Act makes Finnish law applicable to data processing that occurs in the operations of a controller or a data processor located within the EU when the data controller is incorporated in Finland. Where otherwise applicable foreign law derogates from the GDPR in respect of data processing for purposes of public interest, scientific or historical research or statistics, the proposed Act applies without regard to that potentially applicable foreign legislation.
This supplementary provision becomes relevant in the cross-border context where other EU Member States have exercised their national discretion in relation to the GDPR rules. However, the provision does not affect the competent authority or the court of jurisdiction.