Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Finland adopts new data protection law [1999] PLBIRp 25; (1999) 49 Privacy Laws and Business International Report 3

Finland adopts new data protection law

FINLAND'S NEW LAW, which implements the EU Data Protection Directive, does not radically differ from the 1987 Personal Data Files Act. Privacy Laws & Business asked the Finnish Data Protection Ombudsman to explain the main changes.

Finland's Personal Data Files Act 1987 (471/87) was replaced by the new Personal Data Act (523/99) on 1st June. Any new processing that was started on or after 1st June 1999 needs to comply with the new law immediately. Any processing of personal data that was started before this date needs to comply with the new law by 24th October 2001. While the new law is mainly based on elements that are familiar from the old Act, there are certain changes that affect international businesses, such as transfers of personal data to third countries.

The law is enforced by the Data Protection Ombudsman, Mr Reijo Aarnio. While the Ombudsman advises and instructs data controllers, the Data Protection Board deals with questions of principle relating to the processing of personal data. The Ombudsman is empowered with the right to carry out audits, and to assist trade associations in developing sectoral codes of conduct.

In Finland, the right to private life, as well as freedom of speech are guaranteed by the Constitution. In addition, privacy rights are affected by legislation on freedom of the press and freedom of information (FOI), a right that has a long history in Finland (the Publicity of Official Documents Act of 1951). The original plan was to bring the new Personal Data Act and the FOI legislation into force simultaneously. However, now the new FOI law will not enter into force until 1st December.

PL&B: What is the relationship between the two laws?

Reijo Aarnio: The new freedom of information legislation respects individuals' right to privacy, as public authorities are obliged to comply with the restriction on disclosure provisions of the Personal Data Act. However, authorities will have to learn to interpret the two laws simultaneously. I believe that because of these changes, data protection will get rid of the negative image it has had in the past.

PL&B: Is the new data protection law complete?

Reijo Aarnio: There are some administrative decrees to be adopted, but nothing that would change the substance of the law.

PL&B: Is the new law stricter than the old one?

Reijo Aarnio: I would say that it is more flexible. The old law was quite rigid in some ways. For example, disclosing more than five individuals' personal data was regarded as a mass delivery of data, which required the individual's consent or permission granted by the Data Protection Board.

PL&B: How are you dealing with the transition from the old law to the new?

Reijo Aarnio: This is an interesting situation. We have to base our investigation and decision-making procedures on the new law. This may lead to a situation where some processing already under way may now be illegal under the new law. But since there is a transitional period, we have to consider whether the processing was lawful before the new law entered into force. Therefore, we will still resort to the old law in these cases. However, in some cases the new law applies immediately to all processing. For example, the obligation to inform data subjects about the processing of their data applies from day one. Then again, the transitional period applies to any data that has been gathered before 1st June 1999, as gathering is now considered to fall under the definition of processing.

PL&B: What new rights will data subjects have?

Reijo Aarnio: The most important new right is the right to be informed about the processing by the data controller. Organisations will have to tell data subjects, from the outset when gathering data, the purposes which the data will be used for, who it will be processed by and to whom their data will be disclosed. If this obligation has already been fulfiled, there is no need for organisations to contact the individuals again.

PL&B: What is the scope of the law?

Reijo Aarnio: All natural persons. Also, the new definition of processing, which really includes all possible ways of treating data, widens the scope of the law.

PL&B: What kind of processing is exempt?

Reijo Aarnio: Any processing for purely personal purposes, such as word processing on a home computer, or personal telephone directories.

PL&B: Do organisations have to register with your office?

Reijo Aarnio: In principle, yes, but there are wide exemptions. For example, if the processing of personal data is based on a customerrelationship, or is membership data, there is no need to register. As a rule, we wanted to avoid unnecessary bureaucracy. Only a few organisations will have to register with the office, but all need to have prepared a document specifying the purpose of the register, security arrangements taken in order to keep the information confidential, etc. These registration documents must be available for the public to see at the organisations' location.

PL&B: What changes are there with regard to transferring data abroad?

Reijo Aarnio: Transferring personal data to other EU countries has no restrictions. With regard to transfers to so-called third countries, the new law requires notification to the Ombudsman. At the moment, this applies to all such transfers, even if the European Commission states that the particular country in question has an adequate level of protection. However, if an organisation's business systems were originally designed to transfer personal data abroad, this type of processing will benefit from the transitional period.

PL&B: The EU Data Protection Working Party is trying to establish which third countries may have adequate levels of data protection, and will publish decisions on individual countries. Do you think that drawing up a white list of "adequate" countries would be a good solution?

Reijo Aarnio: Compiling a white or a black list of countries may not help in the long term. As a starting point, Council of Europe Convention 108 signatories could be the first ones to be evaluated. The main question, however, is how to help individuals if their data is not treated properly in foreign jurisdictions.

PL&B: Have there been attempts in Finland to have contract clauses approved, which would enable transfers to third countries?

Reijo Aarnio: Multi-nationals in some lines of business have sent their personnel data back to the United States. They needed employees' consent for that. With regard to contracts, there have been some initiatives in the direct marketing and publishing industries.

PL&B: Does the new data protection law have a big impact on the direct marketing sector?

Reijo Aarnio: There are not many changes with regard to traditional print material with postal addresses. However, data protection in the telemarketing sector has been regulated with a Telecommunications Data Protection Act, which came into force on 1st July. The Finnish Direct Marketing Association has been very co-operative, and will inform its members of the restrictions. The new aspect is, of course, that the use of the Internet will be covered.

There are many interesting questions about the use of networks, the protection of personal data and allowing citizens to use their right to free speech. For example, do advertising banners on the Internet represent targeted marketing?

PL&B: How does the new law change the work of your office?

Reijo Aarnio: Our work has already changed so that the emphasis is on preventative advice. Organisations are in contact with us all the time, and we advise them how best to comply with the law. I think that the old traditional situation of having a registrar, and those registered, is going to change. I would describe the new relationship with the word "partners."

PL&B: How is your office informing organisations of the new law and its provisions?

Reijo Aarnio: We organise a great deal of training. Last year, our office arranged about 100 training sessions. In addition, we publish a data protection newsletter, and place many of our information materials on the Internet. When you think that we are only 18 people, and there are half a million registers in Finland, the task is considerable. People in organisations tend to have a poor knowledge about the old Act.

PL&B: The EU Data Protection Directive enables the appointment of internal data protection officials within organisations. Has Finland taken this route?

Reijo Aarnio: No. I doubt the usefulness of this approach. In practice, organisations generally have a person who is responsible for data protection compliance. Clause 10 of the new Act actually obliges organisations to draw up a description of the personal data files they hold, and also to nominate a representative that the general public can contact, if necessary.

The Office the Data Protection Ombudsman can be contacted at PL 315, 00181 Helsinki, Finland, Tel: + 358 9 18251, Fax: + 358 9 1825 7835, e-mail: tietosuoja@om.vn.fi. The office's website at www.tietosuoja.fi has a large amount of information on the new law in Finnish.