Generally speaking, the European Union’s (EU) General Data Protection Regulation (GDPR) has gone fairly well in Finland, according to Anu Talus, data protection ombudsman for the country’s data protection authority.
Two deputies work with Talus at the Office of the Data Protection Ombudsman – one is responsible for the public sector and the other looks after enforcing the laws. Talus looks after the private sector.
“Companies did a lot of work before GDPR entered into force, but there is still a lot of room for improvement, especially on two of the basic issues,” said Talus. “One of the issues is the transparent processing of personal data. Data controllers in both the public and private sector need to be more transparent about what personal data is collected and for what purpose.
“The other issue is privacy by design. Too many data controllers have been waiting until late stages in the development of new platforms to think about data protection. The regulation calls for data privacy by design, which means it is part of the fundamental architecture of any digital platform.”
Explaining data protection regulation and imposing fines in Finland
The job of the data protection ombudsman is to enforce GDPR and local laws when necessary. But it is also to inform companies and public sector agencies about data protection, to look for areas of improvement, and to provide advice and tools that help organisations comply.
While Talus is the official data protection ombudsman for Finland, for fines and other big decisions she gets help from the two deputies, who are independent decision-makers. If one of the three disagrees with the two others, the dissenting opinion is documented.
She also gets help from an expert board, which is appointed by the Finnish government to help the Office of the Data Protection Ombudsman by issuing statements on significant questions. The expert board currently consists of 10 people, including academics, legal experts and technology experts.
“Companies did a lot of work before GDPR entered into force, but there is still a lot of room for improvement, especially on two of the basic issues: the transparent processing of personal data and privacy by design”
Anu Talus, data protection ombudsman for Finland
So far, the Office of the Data Protection Ombudsman has issued 15 administration fines, the biggest of which was on Vastaamo, a psychotherapy centre. The provider of mental health services had its systems broken into about two years ago, resulting in personal data being leaked in general, which was even accessed by the police.
Vastaamo was fined €608,000 for negligence. The finding was that the company should have implemented basic measures to protect against unauthorised and illegal processing or accidental disappearance of personal data. Furthermore, it should have immediately reported the breach. Vastaamo has since gone bankrupt.
In addition to enforcing the GDPR, the ombudsman also enforces other legislation concerning data privacy in Finland. Other data protection regulation includes the Data Protection Act, which came into force on 1 January 2019 to supplement the GDPR. Earlier regulation includes the Act on the Protection of Privacy in Working Life, written in 2004 and amended in 2019, which focuses specifically on the processing of personal data concerning employees. This act addresses employer handling of test results, technical surveillance in the workplace and employee email.
“We also have a lot of sector-specific legislation around data privacy,” said Talus. “When we implemented GDPR on a national level, we looked at how we could reduce the amount of this sector-specific regulation. But it is more complicated than we first thought because of dependencies – one law depending on another and the way of enforcing the laws being intertwined with other procedures.”
The future of data protection in Finland
One of the ombudsman’s focus areas for 2022 is cloud services and the transfer of data to third countries. Most of the world’s biggest cloud providers are based in the US, so any data in the cloud is likely, at some point, to wind up on a server there, or at least a server owned by a US company. This problem is not unique to Finland and is currently be handled at the European level. The EU is working with the US to try to find a new agreement to replace the Safe Harbour Agreement and Privacy Shield, two frameworks that addressed data transfer between the EU and the US, but which were shot down in the European Court of Justice.
Another focus area for 2022 is to create tools to help small and medium-sized enterprises (SMEs) assess their level of data protection. The role of the data protection ombudsman is much more than just enforcing regulation – it’s also about explaining the regulation, spotting common misunderstandings, and helping to find remedies.
As for the future of GDPR, Talus is naturally happy with the current version of the EU-wide regulation – after all, she was one of the people who helped write it. However, she does see some challenges to be overcome around procedural rules of different member states. On the one hand, there needs to be some commonality among different countries in how they implement GDPR. On the other hand, GDPR has to fit into existing procedures in each state, so there needs to be some freedom to make local adjustments.
One of the aims of the ombudsman is to promote the development of a single digital market within the EU. This means that, while Finland has supplementary legislation of its own, there needs to be a movement towards a European-wide approach to data protection – as much as possible.
“Data protection will become more significant in the future,” Talus told Computer Weekly. “From my perspective, one of the biggest challenges is transparency. Organisations need to clearly state what data they are collecting and why. This needs to be stated clearly and concisely. Very few people read the long messages that pop up when they visit a website.”