FINLAND: Parliament has (finally) passed the new national GDPR implementation act

The new Finnish national GDPR implementation act, the Data Protection Act (FIN: Tietosuojalaki) was finally passed on Tuesday 13 November at the second Parliamentary Plenary Session, together with the new act implementing Directive 2016/680/EU on the processing of personal data by competent authorities in criminal matters, the Act on Processing Personal Data in Criminal Matters (FIN: Laki henkilötietojen käsittelystä rikosasioissa). The new Data Protection Act will repeal the Personal Data Act (FIN: Henkilötietolaki 1999/523) implementing directive 95/46/EC.

The delay of almost six months was partly caused by practical reasons due to the complexity of the Finnish legislative process, where several committees of the Parliament have to submit their detailed statement on a governmental draft proposal in a certain order (the constitutional law committee, the law committee and the administrative committee).

Additionally, the main material reasons for the delay were various deliberations of the committee concerning e.g the jurisdiction of the Finnish Data Protection Ombudsman in imposing administrative sanctions, the relevant target groups subject to administrative and criminal sanctions, as well as on the choices relating to the specific processing situations under GDPR chapter IX. The delay has caused major problems, especially for the Finnish Data Protection Ombudsman who has not been able to enforce the GPDR effectively due to a lack of jurisdiction.

The most relevant national specialities with respect to the Data Protection Act include e.g the establishment of a three-member board headed by the Finnish Data Protection Ombudsman with powers to issue administrative fines, the exclusion of public authorities from the scope of administrative fines, setting the age-limit of consent at 13 with respect to offering information society services, amendments on the right of access to public documents and the issuing of extensive rules on the processing of national security numbers.

As for the special national legislation, the Finnish Ministry of Justice is still evaluating the specific GDPR-related impacts and needs. One of the most relevant privacy-related special laws in Finland, the Act on Privacy in Working Life (FIN: Laki yksityisyyden suojasta työelämässä 2004/759) will not, however, be subject to any material changes due to the GDPR as the proposed changes to the act are mostly of technical nature.

In accordance with the Finnish legislative process, the Data Protection Act is not yet effective and will be submitted to the President of the Republic of Finland for approval, after which it will be published on the Statute Book of Finland and will then become effective. The deadline for the presidential approval is three months and the estimation is that the approval should come within the next few weeks.

For further information please contact Markus Oksanen (Partner, Helsinki) and Joonas Dammert (Associate, Helsinki).