Drafting and development of Finnish Data Protection legislation

A BRIEF HISTORY OF THE FINNISH DATA PROTECTION AUTHORITIES

2. Drafting and development of Finnish Data Protection legislation

Finland was not among the very first countries to draft or approve legislation on data protection. Already in the late 1960s and 1970s, discussion concerning data files, processing of personal data and data protection had started in organizations such as the OECD and the Council of Europe. While it took until the early 1980s for these discussions to materialize in the OECD Recommendation6 and the Council of Europe Convention7, national data protection legislation was approved in certain countries several years earlier. The Datenschutzgesetz of the West German state of Hesse, which was approved and entered into effect in October 1970, is considered the first act on data protection. Other examples of the first generation of data protection laws include the Swedish datalag (SFS 1973:289) and kreditupplysningslag (SFS 1973:1173) as well as the Gesetz zum Schutz vor Mißbrauch personenbezogener Daten bei der Datenverarbeitung (approved in 1977 and entered into effect on January 1, 1978), a federal act applying to the whole of West Germany.8

5 FICORA, an agency operating under the Ministry of Transport and Communications, has some tasks relating to the supervision of the provisions of the Information Society Code (917/2014) that replaced the Act on Privacy in Electronic Communications (516/2004). Due to its organization and other tasks, FICORA can hardly be considered a genuine, independent data protection authority.

6 Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of the Personal Data, 23.8.1980.

7 Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (108/1981).

8 The background of datalag is discussed extensively in Söderlindh, Personlig integritet som informationspolitik (2009).

Despite the strong tradition of Nordic co-operation and collaboration in law drafting, in data protection matters the Nordic countries saw fit to find their own, separate ways. In Finland, drafting of data protection legislation began in November 1971 with the appointment of the so-called Data Protection Commission (Tietosuojatoimikunta).9 Its report10 and the documents produced by its successors, the Information System Committee (Tietojärjestelmäkomitea)11 and the Personal Data File Working Group (Henkilörekisterityöryhmä)12, did not lead to legislative action in the 1970s. This was largely due to the controversial and at the time highly politicized nature of the matter. In fact, the Information System Committee was disbanded in May 1975 for political reasons before it could finish its assignment. In 1980, the new Data Protection Committee (Tietosuojakomitea) was given the assignment of drafting a bill on data protection in the form of a Government Proposition. The Data Protection Committee completed its report13 in 1981, but it took an additional five years of drafting at the Ministry of Justice before the Government Proposition on the Personal Data File Act and related legislation (HE 49/1986 vp) was finally given. In February 1987, the bills were passed by the Parliament with some minor amendments. The President approved the bills on April 30, 1987. Simultaneously, related decrees were issued by the Government.14

Internationally, the PDFA can be classified as a second generation data protection law. It was in effect for over 11 years, during which time it was amended three times, most significantly in 1994 when, i.e., sections governing the processing of personal data for the purposes of direct marketing, genealogical research and public registers were included in the act.15 Concurrently, data files maintained for journalistic purposes were largely excluded from the scope of the act. Soon after this, in 1995, the need for a new general data protection act was brought on by two events: the reform on fundamental rights, and the adoption of the EU Data Protection Directive.

9 The assignment was preliminary and preparatory in nature: to map the problems relating to gathering, distribution and disclosure of data in relation to private individuals, public sector and business sector, with the aim of drafting a commission for a committee.

10 KM 1972:B 31.

11 KM 1974:110.

12 Sinisalo & al., Henkilörekisterityöryhmän väliraportti (1977).

13 KM 1981:66.

14 In the Data Protection Committee report and the Government Proposition, the ombudsman-like authority was called tietosuoja-asiamies. The title was amended in the course of the parliamentary proceedings, and in the final act the authority was called tietosuojavaltuutettu. For a more detailed description of the early history of data protection in Finland (in Finnish), see Konstari, Henkilörekisterilaki (1992) pp. 3–9, 15–35, Wallin & Nurmi, Tietosuojalainsäädäntö (1991) pp. 1–7, 16–20 and Korhonen, Perusrekisterit ja tietosuoja (2003) pp. 112–116. In English, see also Saarenpää, ‘Finland’ in Blume (ed.), Nordic Data Protection (2001) p. 42.

15 As regards genealogical research (and many other things), it is important to notice that the PDFA applied, as does the current PDA, to personal data of deceased persons, at least to some extent. By contrast, the Data Protection Directive does not apply to deceased persons. See WP 29, Opinion 4/2007 on the concept of personal data p. 22–23 (referencing Minutes of the Council of the European Union, 8.2.1995, document 4730/95). See also Saarenpää, ‘Data protection in the network society – the exceptional becomes the natural’ in Galindo (ed.), El derecho de la sociedad en red (2013) pp. 116–117.

Finland’s ratification of the European Convention on Human Rights in October 1990 paved the way for the 1995 reform on fundamental rights, which can be seen as a major legislative milestone also from the point of view of data protection. The reform added, without much discussion in the drafting documents,16 a new constitution-level provision on the right to privacy, which was later transferred to the new Constitution of Finland (731/1999). Currently located in section 10 of the Constitution, the provision states that everyone's private life, honor and the sanctity of the home are guaranteed, and that more detailed provisions on the protection of personal data are laid down by an Act. This provision elevated the right to data protection to the status of a fundamental right, albeit only as a part of privacy, not as an independent right as it is nowadays understood.17

In Finland, the 1990s were marked by European integration on two separate but related fronts. As regards the Council of Europe, in addition to the ECHR, Finland ratified the aforementioned Personal Data Convention in December 1991.18 As regards the European Union, Finland’s accession came into effect on January 1, 1995. In October of the same year, the Data Protection Directive (95/46/EC) was adopted. Member states were given three years to implement the directive in their national legislation. In Finland, a new committee called the Personal Data Commission (Henkilötietotoimikunta) was entrusted with preparing this implementation.19 The Commission was also instructed to take into account the reform on fundamental rights and the Personal Data Convention. Largely based on the Commission’s report20, the Government Proposition on the Personal Data Act and certain related legislation (HE 96/1998 vp) was given to the Parliament in July 1998. The time limit for the implementation of the Directive could not be met; the bills were approved in 1999 and the new Personal Data Act replaced the old PDFA on June 1, 1999.

16 See KM 1992:3 and HE 309/1993 vp.

17 Cf. Charter of Fundamental Rights of the European Union (2010/C 83/02), Articles 7 and 8.

18 The ECHR entered into force in Finland simultaneously with the ratification on May 10, 1990, and served as an inspiration for the aforementioned reform on fundamental rights. The Personal Data Convention entered into force on April 1, 1992.

19 The committee consisted of a chairperson, eight members and nine permanent experts. The implementation was prepared nationally. Again, Nordic co-operation was not pursued, save for one meeting in Norway. Saarenpää, ‘Finland’, in Blume (ed.), Nordic Data Protection (2001) pp. 46–47.

20 KM 1997:9.

The PDA, a third-generation general data protection law, has now been in effect for 15 years. It has been updated six times, but the amendments have been largely technical and of little significance. The general principles of the Act have stood the test of time in a changing, developing, increasingly technological and networked society. However, the development of data protection legislation has been marked by the ever-increasing amount of special laws and provisions. Notable, current Finnish data protection special laws include the Act on the Protection of Privacy in Working Life (759/2004) and the Credit Data Act (527/2007). A further noteworthy special law, the Act on Privacy in Electronic Communications (516/2004)21, was replaced by largely corresponding provisions incorporated in the new, massive Information Society Code (917/2014), which entered into effect on January 1, 2015. Provisions on the processing of personal data can be found in dozens of other acts and decrees, including a large amount of legislation concerning various national registers, among them the most important basic registers of the Finnish society, e.g., the Population Information System22. However, none of the special laws override all the provisions of the general law, and therefore the PDA must be taken into account in all data processing activities.