By Päivi Niinimäki-Rastas, Senior Associate, Finland
The EU General Data Protection Regulation (GDPR) entered into force on 24 May 2016 and EU Member States are required to implement the Regulation from 25 May 2018. While the Regulation will be binding in its entirety and directly applicable in all Member States, there is a margin of maneuverability for Member States to specify their own rules or to restrict them via national legislation.
In Finland, the Finnish Ministry of Justice appointed a Working Group in February 2016 to prepare for the Finnish national implementation of the GDPR. The main focus of the Working Group was to prepare a proposal for national legislation in relation to the GDPR and a proposal for a national supervisory authority.
The proposal created by the Working Group was published on 21 June 2017. The Working Group assessed the articles of the GDPR which may allow a margin of maneuverability and four different sub-groups were established to assess specific topics in detail. In addition, the Working Group heard from relevant stakeholders and received a vast number of statements from sector specific organisations.
As a conclusion, the Working Group proposes a new general Data Protection Act to be passed. The Act would enter into force on 25 May 2018, when the GDPR shall also become applicable. The current Finnish Personal Data Act would be repealed.
The new Finnish Data Protection Act – what will change?
I. Finnish national provisions shall respect the coherent data protection framework
The Working Group has identified the true nature and the aim of the Regulation as the EU wide legislative instrument. The GDPR aims to ensure a consistently high level of protection for natural persons and to remove any obstacles that inhibit the flow of personal data within the EU. Even though some national rules are permitted, the level of protection of the rights and freedoms of natural persons with regard to the processing of personal data should be the same in all Member States.
The Working Group respects the binding nature of the Regulation by keeping the number of national rules to a minimum. First and foremost, the Working Group wants to limit any additional national legislation while implementing the Regulation. The Working Group has also co-operated closely with other Member States in order to form coherent policies and approaches regarding implementation.
The Working Group has emphasized that the Regulation itself already contains highly detailed rules. Due to the directly applicable nature of the Regulation, any specifications or restrictions by Member State laws are only allowed where explicitly stated. In addition, the Working Group also suggests that Finland aims to employ the widest possible application of the GDPR also in areas of personal data processing not directly covered by the Regulation, if not explicitly otherwise stated in the national legislation. Moreover, the Finnish Data Protection Act should always be applied in parallel with the GDPR as the material content is derived from the Regulation.
II. New resources for Finnish Data Protection Authority
The Office of the Finnish Data Protection Ombudsman shall receive more resources as the new Data Protection Authority shall manage the increased duties that have been given to the national supervisory authority. The Data Protection Ombudsman shall still run the office but will have the help of one or more additional Deputy Data Protection Ombudsmen. These additional resources are required due to the many new tasks and powers invested in the national supervisory authority.
The current Data Protection Board shall be replaced by a new Sanctions Board, which shall act under the Data Protection Authority and decide on the administrative fines, limitations and bans on processing of personal data.
III. Rethinking the sanctions
The Working Group also proposes that the variety of sanctions should come under review. New criminal sanctions shall be established to supplement the administrative sanctions. However, the criminal sanctions shall only apply in limited situations when the administrative sanctions are not available. The aim is for national criminal legislation to be passed only in situations where necessary and where the remedies, liability and penalties provided by the Regulation cannot be applied. The new offence shall be called a data protection offence. In practice, this offence concerns the most common wrongdoings in connection to data processing, such as data processing for pure curiosity without a legitimate purpose.
IV. Special protection regarding privacy in working life shall be maintained
The Finnish Act on Protection of Privacy in Working Life shall stay inforce and will continue to guarantee the high level of privacy protection in working life. The Working Group has suggested maintaining the status quo so that the special legislation further promotes the protection of privacy and any other basic rights providing protection in working life. This covers, for example, the processing of employee personal data, the tests and checks taken by employees, technical surveillance in the workplace, and the retrieving and opening of employees’ emails.
Conclusions and further work
The Working Group strongly emphasizes the coherent implementation and application of the Regulation among Member States. For this reason, the Working Group has not yet confirmed its stance on every subject open under the national margin of maneuverability. One of these issues is the age limit applicable to children’s consent and to the consent of the holder of parental responsibility in relation to information society services. Regarding this and similar issues, the Working Group ideally hopes that Member States can agree on a coherent view amongst them.
According to the GDPR, in relation to the offer of information society services directly to a child, the processing of the personal data of a child is lawful when it is based on consent where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall only be lawful if the consent is given or authorised by the person who holds parental responsibility over the child. Member States may by law provide for a lower age for these purposes provided that the lower age is not below 13 years of age.
Defining the age limit requires further work and will only be clarified when it is known how the majority of the Member States have decided on the subject.
Furthermore, an additional task for the Working Group is to assess the functionality of the current Finnish data protection legislation. The Working Group has also researched the impacts of the GDPR on businesses and the relationship between the current Finnish special legislation and the GDPR. In the latter study the researchers examined over 800 Acts and assessed if these Acts, in their current state, are compatible with the GDPR regarding the legitimate purpose for processing. The core finding was that the Acts were reasonably compatible with the Regulation.
The Working Group still aims to reduce fragmented and unnecessarily detailed rules within the special legislation. The Working Group shall continue working on this task until 16 February 2018.
The statement of the Working Group of the Finnish Ministry of Justice will now be circulated for comments and the proposal shall be handed over to the Finnish Parliament in autumn 2017. The proposal for the supplementary Finnish Data Protection Act is expected to enter into force on 25 May 2018.