By Jukka Lång, Anni-Maria Taka and Oskari Paasikivi
Two weeks ago, Finland witnessed its first GDPR fines, as three companies were fined for violations of key obligations under the GDPR. Issued a week before the second anniversary of GDPR application, the decisions mark the end of long anticipation and unpredictability in the Finnish data protection field.
Further, on 29 May 2020, the Finnish data protection authority published a fourth GDPR fine decision: EUR 72,000 imposed on Taxi Helsinki Oy, the largest taxi dispatch company in Finland, for several types of breaches of the GDPR. It has also been reported that more fine decisions are to be expected.
As to the first three decisions, the Collegial Body, composed of the Finnish Data Protection Ombudsman (the ‘Ombudsman’) and the Deputy Data Protection Ombudsmen, imposed the following fines: on 18 May, a EUR 100,000 fine for insufficient transparency and a EUR 16,000 fine for, in particular, failure to carry out a data protection impact assessment; and on 20 May, a EUR 12,500 fine for, among other things, unnecessary collection of personal data from job applicants. The decisions are not yet final and may be appealed to the Administrative Court.
Although attention is naturally drawn to the specifics of each individual case, the decisions also offer insight into broader future developments in data protection supervision in Finland. After two years of keeping a low profile, the data protection authority has significantly shifted its approach to supervision with these first three fine decisions. Below we present our key takeaways from the decisions and our predictions for the years to come.
Basic principles in focus: transparency, risk-based approach and data minimisation
Ultimately, the three decisions all boil down to insufficient observance of basic principles enshrined in the GDPR, notably transparency, the risk-based approach and data minimisation. As highlighted in connection with other EU member states’ first fines, it is clear that basic data protection principles really do matter and require a proper, controller-specific assessment.
The first case involved Finland’s main postal service, Posti Oy, which received a EUR 100,000 fine for failing to process personal data in a transparent manner (the ‘Transparency Case’). Individuals who had recently submitted a change of address were contacted for marketing purposes by various companies. This was because Posti disclosed updated address data to such companies, which was, as such, legal. However, according to the Collegial Body, data subjects were not properly informed in connection with the change of address, most notably about their right to object to the disclosures. One of the purposes of the decision was to highlight the role of transparency as a prerequisite for the effective exercise of data subjects’ rights: in general, individuals cannot invoke rights they are unaware of.
The second case concerned a municipal water supply and treatment company, Kymen Vesi Oy, which processed location data of its employees through a vehicle tracking system in order to, for example, track working time (the ‘DPIA Case’). The decision demonstrates a thorough analysis of the risk-based approach, a fundamental principle of the GDPR. Accordingly, a controller must actively assess the data protection risks of its activities and implement measures appropriate to its risk profile. Such measures include a data protection impact assessment (‘DPIA’), which is mandatory if the envisaged processing is likely to result in a high risk to the rights and freedoms of natural persons. Such a risk was deemed likely in this case, considering the subordinate position of employees in relation to their employer and the fact that location data was systematically monitored. The Collegial Body therefore saw fit to issue a EUR 16,000 fine, as no formal DPIA had been carried out or even appropriately considered.
Finally, the third case involved an unnamed company receiving a EUR 12,500 fine for using a job application form to collect information on job applicants’ religious beliefs, health, possible pregnancy and family relationships (the ‘Job Applicant Case’). The collected data was unnecessary for the purposes of the application process and potential employment. The necessity requirement is the central element of the data minimisation principle set out in the GDPR. Pursuant to the principle, controllers may only collect personal data that is necessary in relation to the purposes for which it is processed. In Finland, the principle is supplemented in the employment context by the Act on the Protection of Privacy in Working Life, according to which employers may only process personal data of their employees that is directly necessary. Interestingly, the decision relies heavily on the concept of necessity provided in the national legislation, paying rather limited attention to the GDPR. The decision also identified breaches of other key principles of the GDPR, such as lawfulness and accountability.
The supervisory authority has changed gear
The Ombudsman made it clear from the start that the new enforcement powers under the GDPR would, initially, not be deployed with full rigour. Instead, the Ombudsman would actively support compliance through guidance and advice, and follow European trends to ensure harmonised application of the GDPR. Enforcement decisions have been issued, but none had led to fines until now.
The first fines suggest a turn of the tide. The new decisions make it clear that, after nearly two years of GDPR application, controllers have had ample time to ensure their compliance with the new requirements, supported by numerous guidelines issued at national and European level. A notable feature of the decisions, compared with the previous standard of the Ombudsman’s varying praxis, is the effort put into their reasoning. Read together, the decisions also make it clear that some controllers previously left ‘un-fined’ could equally have merited a fine. This does not mean that such controllers will be immune in the future, which brings us to our next observation.
Companies are not safe sticking to the status quo
Controllers have been relying on a certain legal certainty and status quo expectations in their data processing practices, as well as in their attempts at fending off unexpected supervisory measures after the GDPR became applicable. In general, businesses have been surprised by the lack of active guidance from the data protection authorities.
In the Transparency Case, the controller had referred to demonstrated compliance under previous Finnish data protection legislation. The company also contended that since the Ombudsman had looked into the company’s processing activities in 2017 without any further action until 2020, the company should have been able to trust the lawfulness of its conduct. However, these arguments were not accepted by the Collegial Body and the decision stressed that it was for the controller to monitor and assess compliance with new requirements pursuant to the GDPR.
In light of the Collegial Body’s reasoning, all controllers should note that data processing activities which have so far not been subject to measures or decisions by the data protection authority are not immune to intervention in the future. Based on the stance taken by the Collegial Body in the Transparency Case, persisting in practices that do not comply with the GDPR could be seen as implying lengthy non-compliance and an intentional or negligent character of the infringement, and could therefore be used as arguments meriting a higher fine.
The Ombudsman is not a general point of consultation
An interesting common feature of the Transparency Case and the Job Applicant Case is that the controllers argued that the Ombudsman had failed to provide sufficient guidance on how to carry out the respective data processing activities in compliance with the GDPR. The Collegial Body did not accept these arguments, as it found that the relevant provisions of the GDPR were not so inadequate or ambiguous as to prevent the controllers from assessing their meaning and requirements for themselves.
The Collegial Body stressed that it was for the controller to assess the data protection risks of its activities and ensure compliance with the GDPR. For the same reasons, the argument in the DPIA Case that it was unreasonable to impose a fine before giving the controller a chance to rectify its conduct was rejected, as the Collegial Body deemed the breached obligation sufficiently clear to comply with in light of the available guidelines.
The price tag
Often, the main point of interest in news on GDPR fines is the amount of the fine. Indeed, the risk of fines of up to EUR 20 million or 4% of total worldwide annual turnover was the focal point of conversations in the period leading up to the application of the GDPR. However, focusing solely on fines can be misleading. For data-intensive businesses, other corrective measures under the GDPR, notably a ban on, or restrictions to, the data processing, could have even more severe implications for essential business operations.
Nevertheless, the amount of the fine in a specific case provides valuable insight into the supervisory authorities’ regulatory tone and highlights the crucial aspects of GDPR compliance. As required by the GDPR, the Collegial Body carried out a detailed evaluation of the relevant aspects of the infringement, such as the duration and character of the infringement, number of affected data subjects, categories of personal data and mitigating acts by the controller, to determine a fine which is effective, proportionate and dissuasive.
Interestingly, in calculating the highest fine of EUR 100,000, the Collegial Body first established the maximum fine possible in the case, EUR 62,584,000, and then concluded that the infringement merited a fine of EUR 100,000. The Collegial Body gave weight to the controller’s mitigating actions and to the fact that the relevant information was nevertheless available to data subjects.
Publicity is a possible consequence of non-compliance
As a final observation, although the imposed fines have a significant effect on all three controllers, one controller got off the hook in terms of negative publicity. In the Job Applicant Case, the company fined for collecting unnecessary job applicant data was left unnamed. According to the Collegial Body, the name of the company will only be published in cases of general significance for data subjects and where the company could be confused with another. It is important to note, however, that even when a company’s name is not mentioned in the public statement of a GDPR enforcement decision, the identity of the company will generally be available on request for access to official documents under the Finnish Act on the Openness of Government Activities. As GDPR fine decisions inherently attract wide attention, the Collegial Body’s practice in naming fined companies is likely to spark some controversy in the future.