
The Data Protection Board

A BRIEF HISTORY OF THE FINNISH DATA PROTECTION AUTHORITIES

5. The Data Protection Board

5.1 General Information

The Data Protection Board consists of a chairman, a vice–chairman and five regular members, who all have personal alternate members. The Government nominates the members for a 3–year period, which can be renewed multiple times.50 The terms have, in fact, been renewed quite often and the composition of the Board has therefore remained rather stable.

48(2), are punishable with a fine only. For example, a violation of PDA section 32 concerning data security is punishable under the last provision and can therefore not lead to imprisonment.

[Figure residue: years 2000–2013, counts 0–250; series: Opinions on Legislative Reforms; Parliamentary Hearings; Opinions on International Norms & Treaties; Opinions on Administrative Reforms; Opinions to Public Prosecutors/Courts; Opinions on Research Permissions]

Illustratively, the Board has been chaired by Pekka Nurmi ever since 1988.

According to the current DPB–DPO Decree, all members of the Board must be familiar with data file activities. The chairman, vice–chairman and one regular member are required to hold a law degree, and IT expertise must be represented in the Board.51 The Board may have a full–time secretary and part–time secretaries who are required to hold law degrees.

5.2 Duties and Powers

The Data Protection Board is an entity with a decision–making role.52 The Board convenes when necessary and decides on matters as provided in the PDA. The decisions can be grouped into two main categories: 1) permissions and 2) orders and prohibitions.

In permission cases, the data controller applies for a permission to derogate from certain provisions that set limits on the processing of personal data. Under the PDFA, section 37 gave the Board a very wide mandate to grant permissions to derogate from practically any provision of the PDFA. The PDA, however, lays much stricter boundaries on the situations in which the Board may grant permissions. The current key provision is PDA section 43.

Section 43 — Power of the Data Protection Board to grant permissions

(1) The Data Protection Board may grant a permission for the processing of personal data, as referred to in section 8(1)(9), if the processing is necessary, otherwise than in an individual case, in order to protect the vital interests of the data subject, or in order to use the public authority of the controller or a third person to whom the data is to be disclosed. The permission may be granted also in order to realise a legitimate interest of the controller or the recipient of the data, provided that such processing does not compromise the protection of the privacy of the individual or his/her rights.

(2) The Data Protection Board may grant a permission for the processing of sensitive data, as referred to in section 12(13), for a reason pertaining to an important public interest.

(3) The permission may be granted for a fixed period or for the time being; it shall contain the rules necessary for the protection of the privacy of the data subject. These rules may be amended or supplemented at the request of the Data Protection Ombudsman or the data subject, if this is necessary owing to a change in circumstances.

50 The selection of members is prepared at the Ministry of Justice. Members are chosen from different kinds of background organizations in order to make use of wide experience and maintain a certain amount of balance in the board. However, members are to act impartially and they do not formally represent their respective interest groups when the Board makes decisions.

51 Section 2 of the DBP–DPO Act of 1987 specifically required two members of the board to be experts on IT matters.

52 Sometimes it has been characterized as a quasi–tribunal.

In effect, the Board may use its discretion to grant an exception from only two specific provisions of the PDA, which concern the general prerequisites for processing and derogations from the prohibition to process sensitive data.

While permission applications are lodged by data controllers, orders and prohibitions are sought by the Data Protection Ombudsman when she or he considers the processing of personal data unlawful, and when consultation and other “soft” methods are not effective. The Board’s power to give orders and prohibit unlawful processing of personal data is regulated in PDA section 44.

Section 44 — Orders of the Data Protection Board

At the request of the Data Protection Ombudsman, the Data Protection Board may:

(1) prohibit processing of personal data which is contrary to the provisions of this Act or the rules and regulations issued on the basis of this Act;

(2) in matters other than those referred to in section 40(2), compel the person concerned to remedy an instance of unlawful conduct or neglect;

(3) order that the operations pertaining to the file be ceased, if the unlawful conduct or neglect seriously compromise the protection of the privacy of the data subject or his/her interests or rights, provided that the file is not set up under a statutory scheme; and

(4) revoke a permission referred to in section 43, where the prerequisites for the same are no longer fulfilled or the controller acts against the permission or the rules attached to it.

The PDA limited the Board’s duties and powers also otherwise. The Board no longer grants permissions for archiving, disclosure of personal data to abroad, or storage of credit data.53 Under the PDFA, cases concerning the data subject’s right of access to her or his own personal data and rectification of inaccurate data could also be brought to the Board if the data controller objected to the Ombudsman’s initial decision in such a matter. These cases were relatively common in the Board, especially in the late 1990s as the Board processed—and turned down—numerous data subjects’ requests for removal of registry entries concerning default of payment. Under PDA sections 40(2) and 45(1), the Ombudsman’s decisions in these matters are binding, and can be appealed to an Administrative Court and further to the Supreme Administrative Court. Therefore, the Board no longer deals with cases coming directly from data subjects.

53 The permits for disclosure to a foreign country were replaced by free movement of personal data within the European Union and the new PDA provisions concerning transfer of personal data to outside of the European Union. Archiving permits are nowadays granted by the National Archives Service, and the processing of credit data is regulated in the Credit Data Act.

In addition to decision–making in individual cases, under PDA section 38(2) the Board deals with questions of principle relating to the processing of personal data, where these are significant to the application of the PDA. The exact meaning of this provision is debated, and the Board itself has been rather reluctant to provide general answers to these questions of principle in its binding decisions. Instead, it has seen the provision as connected principally to its role in giving statements and opinions to authorities and other organizations. Further, DPB–DPO Act section 2 states that the Board is also to monitor the need for development of legislation concerning the processing of personal data and to issue initiatives it deems necessary. However, the Board has not been particularly active in doing so. Therefore, it can be noted that decision–making has always formed and still clearly forms the bulk of the Board’s operations.

5.3 Case Statistics

The change from the almost limitless, discretionary exceptions of the PDFA to the strictly regulated, specific permissions of the PDA and the otherwise diminished duties of the Board have had a significant impact on the workload of the Board. Immediately prior to the entry into effect of the PDA, the Board decided 30–40 cases per year, most of which concerned permissions. In 1993, prior to an amendment in which provisions on processing of personal data for the purposes of genealogical research and public registers were included in the PDFA, the Board decided a record number of 59 cases. Since the PDA entered into effect, the highest number of decisions per year has been 17 in 2011, with the average staying well below 10 decisions per year. The permission applications still account for a majority of the cases.

However, the spike in 2011 was caused by the Ombudsman seeking prohibitions on several pay–day loan providers that utilized inadequate practices for identification of loan–seekers. The development of the case–load is illustrated by the following figure.


Figure 9: Decisions of the Data Protection Board, 1988–2012.

Because the Board only convenes when needed, the noticeable drop in the number of cases has also brought a decrease in the number of Board meetings and expenses. Whereas the Board’s expenses were close to half a million FIM (approximately 113.000 euro) in the mid–1990s and the Board convened over 20 times a year, in the 2000s the expenses have averaged approximately 15.000 euro per year, and there have been 4–8 meetings per year. This has also led to average processing times getting longer.

Since 2000, almost all of the decisions of the Board have been published in Finlex54, the freely available online database containing legislative and other judicial information.

In contrast, only a limited number of the PDFA era decisions have been published.

5.4 Typical Cases

The early years of the Board were marked by permission applications regarding public registers and genealogical research. In a typical application, numerous exceptions were sought simultaneously, for example from the requirement of exclusivity of purpose, connection requirement, and the provisions concerning necessity, mass disclosure, and transfer of data to outside Finland. In 1994, provisions on processing of personal data for the purposes of genealogical research and public registers were included in the PDFA, which removed the need for many of these applications, resulting in a decrease in their numbers. In the late 1990s, a large group of permission applications concerned different kinds of blacklists and documentation of defaults and misuse. During the PDA era, a typical permission application has concerned direct access to the so–called THS identification query system.55 These applications have been pursued by numerous insurance companies and professional debt collectors, and have generally been accepted.

54 <http://www.finlex.fi> [7.4.2014].

[Figure 9 residue: years 1988–2013, counts 0–70; series: Decisions; Published in Finlex]

Although even in the early years of the Board there were some applications regarding computer–based data files and data processing, a major part of the cases concerned manual data files throughout the 1990s, and very seldom was the actual legal question even remotely related to the use of computers. In the 21st century, however, the development of IT and networks has been clearly visible from the evolution of the Board’s cases. In 2006, for example, the Board was asked to rule on whether or not IP addresses are personal data.56 In the last few years the Board has also decided on permissions to collect street imagery and WiFi information for the purposes of Internet–based location and map services—which the Board has granted, under certain conditions. Furthermore, during the PDA era, order and prohibition cases initiated by the Ombudsman have almost exclusively had to do with Internet or mobile phone services. A majority of these cases have concerned the identification practices employed by various pay–day loan providers.

5.5 Appeals

Under PDFA section 38, the Board’s decisions could be appealed directly to the Supreme Administrative Court (hereinafter: SAC). As provided in PDA section 45(1), the path of appeal now goes through an Administrative Court. The longer path may be problematic in two ways: the time to final decision may become too long, and fewer court cases are likely to be published, as the SAC publishes its decisions far more actively than the regional Administrative Courts. With the longer path, fewer cases reach the SAC.

The Finlex database currently lists 21 decisions on appeals against the Board’s decisions. Out of these published decisions, 18 are from the PDFA era and a mere three concern the PDA. Another factor contributing to the decrease in the number of court cases is the diminished powers of the Board, which have led to fewer cases in the Board, as well.

Out of the 18 PDFA era cases, 15 concerned permissions.57 In 11 cases, the appeal was filed by the data controller, in three cases by the Ombudsman. One case concerned the right of appeal of a data subject and a third party, which was found to be lacking. In eight cases, the SAC upheld the Board’s decisions, whereas in the remaining seven it either altered or overturned the decisions, in part or in full. Most of these cases were returned to the Board.

55 Direct use of this system does not fall within the general prerequisites for processing because the system operates in such a way that the queries may also return personal data of persons to whom the data controller has no connection.

56 According to the Board, they are.

57 See KHO 1989–A–9, KHO 1989–A–10, KHO 1989–A–12, KHO 1990–A–3, KHO 1990–A–4, KHO 1990–A–5, KHO 1990–A–6, KHO 6.3.1991 T 770, KHO 1992–A–10, KHO 1992–A–11, KHO 1992–A–29, KHO 1993–A–4, KHO 1995–A–11, KHO 1996–A–6 and KHO 3.3.1999 T 339.

Two of the PDFA era cases concerned prohibitions issued by the Board on request of the Ombudsman.58 One of the two decisions was overturned in part, the other one in full. In the remaining PDFA era case the SAC dismissed an appeal against the Board’s decision not to investigate a request for rectification of corporate credit data due to lack of jurisdiction.59

One of the three published PDA era decisions concerned the scope of the Board’s power to grant permissions, which the SAC interpreted in the same way as the Board and dismissed the appeal.60 The other two SAC decisions concerned the same case in which a company published personal tax information in magazines and transferred the data to another company to be published via an SMS service. Following complaints, the Ombudsman requested the Board to prohibit such activities. The Board rejected the request, whereupon the Ombudsman brought proceedings before the Helsinki Administrative Court, which also rejected his application, and consequently an appeal before the SAC. The SAC, having consulted the Court of Justice,61 returned the case to the Board for issuing the prohibition.62

In almost half of the published decisions on appeals, the Board and the SAC have not seen eye to eye. However, the published decisions do not really tell much, not least because there are very few of them.63 There are no comprehensive statistics on how the Administrative Courts have treated the appeals, but in general, the decisions of the Board are appealed against rarely, and even more rarely do the decisions get overturned.64