National implementation of the GDPR takes a step forward - TATTI Working Group's report published
The so-called TATTI Working Group set up by the Ministry of Justice to tackle the national implementation of the General Data Protection Regulation (EU) 2016/679 (GDPR) issued its report on 21 June 2017. Although the GDPR is directly applicable in the EU, it also provides a margin of manoeuvre for Member States to specify its rules. Among other things, the Working Group proposes enacting a new Data Protection Act (tietosuojalaki), which would be applied in parallel with the GDPR and would replace the current Personal Data Act.
The Working Group proposes that a Data Protection Agency (tietosuojavirasto) be established to act as the Supervisory Authority within the meaning of the GDPR. The Agency would replace the current Office of the Data Protection Ombudsman, also introducing certain organisational changes. The Data Protection Ombudsman would continue as the head of the Agency and be assisted by a Deputy Data Protection Ombudsman (apulaistietosuojavaltuutettu).
Furthermore, a new Sanctions Board (seuraamuslautakunta) would be set up within the Agency, replacing the current Data Protection Board. This Sanctions Board would have jurisdiction to impose the administrative sanctions included in the GDPR and could also prohibit a controller's processing as per the GDPR. If necessary, oral proceedings could be held before this Board, and its decisions could be challenged by an appeal as provided in the Administrative Judicial Procedure Act (hallintolainkäyttölaki). However, appealing to the Supreme Administrative Court would be subject to leave to appeal. Moreover, the Agency would also be the body with which data subjects may lodge complaints about the actions of a controller.
Other matters brought up in the report include, for example:
• The Act on the Protection of Privacy in Working Life would still apply to processing of personal data in connection with employment.
• The current data protection offence (henkilörekisteririkos) would be replaced with a new data protection offence (tietosuojarikos) in the Criminal Code with a more limited scope focusing on criminalising actions taken by an individual not acting as a controller or processor.
• The necessity and possibility of allowing data subjects to bring class actions against controllers would be assessed at a later phase.
• Insurance companies would remain allowed, by a specific provision in the new Data Protection Act, to process information received in insurance operations that relates to e.g. the health, sickness or disability of an insured person or a claimant and the processing of which is necessary to investigate the insurance company's liability.
The Working Group has not yet attained its final position on all the topics concerning the national legislation and will continue its work. Matters that still remain unresolved include whether public authorities and bodies will be subject to the administrative sanctions introduced by the GDPR. Moreover, the Working Group has not reached a decision on the age limit of a child's consent in relation to information society services; the limit is currently proposed to be either 13 or 15 years. The Working Group will also continue its work until the end of its term on 16 February 2018 to coordinate the evaluation and reform of the sectoral legislation in Finland, and further updates are expected in this area.
The new Data Protection Act is planned to enter into force on 25 May 2018, at the same time as the GDPR becomes applicable. In the meantime, we will keep a close eye on further developments in the national implementation of the GDPR.