New act on data protection finally approved – what next?


In mid-November, the Finnish Parliament approved the so-called data protection legislation package, which means the new act on data protection and the act on the processing of personal data in criminal matters are expected to come into effect in spring 2019. The GDPR is directly applicable in the EU member states. The Data Protection Act supplements the GDPR and should be interpreted in parallel with the GDPR.

What the authorities have done since 25.5.2018

In Finland, the authority supervising the processing of personal data is the Office of the Data Protection Ombudsman. Two Deputy Data Protection Ombudsmen will be appointed alongside the current Data Protection Ombudsman, Reijo Aarnio. In addition, the Office of the Data Protection Ombudsman is recruiting eight Senior Inspectors. The supervisory authority is thus also visibly preparing to exercise the powers granted to it by the GDPR and the act on data protection, such as the power to impose administrative fines or even prohibit the processing of personal data in situations where the processing is contrary to the GDPR.

In many countries, the data protection authorities have already taken action. In the UK, the Information Commissioner’s Office (ICO) issued a £500,000 fine to Facebook for serious data protection breaches. The ICO considered that the consent provided by Facebook users was not sufficiently clear or well-informed, and that the personal data of users who had not given their explicit consent had also been unlawfully processed. In Germany, the Data Protection Authority imposed a fine of €20,000 on a company whose customers’ usernames and passwords were stolen and published. The Data Protection Authority announced that the size of the fine was positively influenced by the company’s active cooperation with the authority. In Sweden, the Data Protection Authority carried out an inspection of nearly 400 companies and authorities. As the national act comes into force and the Office of the Data Protection Ombudsman obtains additional resources, the Finnish data protection authority is also expected to become more active.

Next up: ePrivacy

In addition, the ePrivacy Regulation, which was originally intended to enter into force simultaneously with the GDPR, is currently being prepared. ePrivacy concerns the confidentiality of electronic communications and regulates, for example, direct marketing and cookies. ePrivacy will both supplement and refine the provisions of the GDPR. There is still no certainty as to its exact content or schedule, but it is already possible and recommended to prepare for its arrival. The best way is to ensure that the company’s direct marketing and cookie practices comply with the provisions of the GDPR.

If you have any further questions about privacy issues, please contact our experts!