Annual report 2018

Data Protection Ombudsman’s annual review

The third page in the history of data protection was turned in the 31st operating year of the Office of the Data Protection Ombudsman, when the EU's General Data Protection Regulation (2016/679) was implemented on 25 May. At the same time, the Data Protection Directive (2016/680) updated the legislation on data protection in criminal matters. This directive also required national implementation measures (Act on data protection in criminal matters 1054/2018).

The GDPR also includes many directive-like features that require national implementation. Therefore, a national Data Protection Act (1050/2018) was drafted under the supervision of the Ministry of Justice and entered into force on 1 January 2019, replacing the previous Personal Data Act and the related Decree. The process also involved extensive amendments to national special legislation. The Data Protection Ombudsman was heard by Parliament 93 times in 2018. The work of the Parliamentary Constitutional Law Committee was particularly noteworthy. The Committee redefined its policies on enactments governing the protection of personal data and ruled that the GDPR essentially amounted to the level of data protection required by section 10 of the Constitution, also noting the risk-based approach of the GDPR.

New powers and duties

The GDPR entailed many changes. It significantly improved the rights of data subjects, imposed new obligations on controllers and facilitated operations in the digital single market. At the same time, it caused the upheaval of the century in the work and powers of the enforcement authorities.

One chapter in the history of data protection was closed with the dissolution of the independent Data Protection Board of Finland, which used to be the highest decision-making authority in the field of data protection. The work is continued by the European Data Protection Board (EDPB), which began operations in May. The EDPB and its various sub-committees launched their operations successfully, and an agenda was drawn up for the EDPB for 2019–2020. However, it seems likely that the capacity of the EDPB will be sorely tested by the growing number of cases in the near future.

The reform also gave birth to a new profession, the Data Protection Officer. The Office welcomes the new Officers and their assistance to data subjects and controllers as a positive development.

In 2018, there were 2.5 times as many cases instituted as a year before.

We were still forced to operate under two sets of legislation for part of the year, which naturally posed challenges to the service provision capacity of our Office. Another noteworthy feature of the past year was the explosive growth in case numbers. The Office of the Data Protection Ombudsman registered 9,617 cases instituted in 2018, while the corresponding number in the previous year was 3,957. The GDPR brought entirely new categories of matters, such as Data Protection Officer notifications, notifications of personal data breaches and cross-border matters applying to several EU Member States.

Additional resources required

The Office of the Data Protection Ombudsman is seeking to adapt its operations to the data protection reform of the century by improving its competence management. We drew up descriptions of practically every new task appointed to the Office and updated our ERP system. Our staff did an unbelievable amount of work with the scant resources available. My heartfelt thanks to all colleagues for this.

Thankfully, we were also assigned some extra resources. It is my belief that our competence in the subject matter is among the best in Europe! The recruitment process for two Deputy Data Protection Ombudsmen was started in late 2018. When they take up their posts, we will have the collegium required by the national Data Protection Act, enabling the Office to exercise the powers granted by the GDPR. The collegium is an internal body of the Office of the Data Protection Ombudsman with multiple members, which decides on administrative sanctions for infringements of data protection legislation.

Processing time of the cases resolved has gone down in 2018 compared to the year before.

The enactment of new intelligence legislation was also the subject of great interest in 2018. The Office was mainly involved with the oversight of legality in the process. After many and varied developments, the bill was finally passed this year. As a result, an independent Office of the Intelligence Ombudsman will be established parallel to the Office of the Data Protection Ombudsman.

Unprecedented interest in data protection

The Data Protection Ombudsman has witnessed some eventful years in the history of the office. In my experience, the past year was nevertheless completely exceptional in comparison to any that have gone before. On the one hand, the reform described above and, on the other, the Government's actions at the conclusion of its term made the year the most intensive in the memory of the Ombudsman. The media also expressed an exceptional interest in data protection.

The entry of “top experts in data protection” to the market in such great numbers was also a new phenomenon, at least to myself. The early days of the GDPR were a goldmine for consultants. Unfortunately, the information offered to controllers was not always up to standard. These entrepreneurs “marketed” the new legislation mainly from the perspective of sanctions. This had the effect of making some controllers turn in on themselves, while the purpose of the GDPR was to encourage businesses to seek growth on the digital single market by introducing common rules for a market of 510 million consumers.

Data protection is an enabler and a success factor. The approach of the 2019 elections revealed that it is also one of the safeguards of democracy. The Cambridge Analytica scandal was largely based on inappropriate profiling. In addition, our attention was drawn to the use of artificial intelligence. Digitalisation is proceeding, and providers want to make service provision faster and more cost-effective. The GDPR makes provision for approving the use of AI in national legislation, provided that appropriate measures are adopted for the protection of data subjects.

Reijo Aarnio
Data Protection Ombudsman


Read more:
Cases instituted and resolved 2017 and 2018 (pdf, in Finnish)
Guidelines of the European Data Protection Board (EDPB's website)
Opinions of the European Data Protection Board (EDPB's website)
English summary of the Annual Report 2018 (pdf)