Annual Report 2019

The Office of the Data Protection Ombudsman is an autonomous and independent authority that supervises compliance with data protection legislation and other laws governing the processing of personal data.

The Office of the Data Protection Ombudsman promotes awareness of the rights and obligations related to the processing of personal data, imposes administrative sanctions for violations of the General Data Protection Regulation of the EU if necessary, carries out investigations and inspections and issues statements on legislative and administrative reforms. The Data Protection Ombudsman cooperates with the supervisory authorities of other countries and represents Finland on the European Data Protection Board.

In 2019, Reijo Aarnio acted as the Data Protection Ombudsman and Jari Råman as well as Anu Talus acted as Deputy Data Protection Ombudsmen. The Data Protection Ombudsman and Deputy Ombudsmen are appointed by the government for terms of five years.

Data Protection Ombudsman Reijo Aarnio: 2019, a year of reforms

Data Protection Ombudsman Reijo Aarnio The duties and competence of data protection authorities are provided for in the General Data Protection Regulation (GDPR) of the EU ((EU) 2016/679) and the Data Protection Law Enforcement Directive ((EU) 2016/680). The Finnish Data Protection Act (1050/2018) that entered into force in early 2019 complements the GDPR, and the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (1054/2018) that entered into force at the same time implements the Data Protection Law Enforcement Directive, ensuring that the law enforcement power of the Data Protection Ombudsman is as comprehensive as required by the Constitution of Finland. In addition, the Finnish Data Protection Act includes provisions on matters left at a margin of manoeuvre by the GDPR.

The intelligence legislation that had been prepared for a long time entered into force in the summer of 2019, and the Intelligence Ombudsman started to work independently. A new Intelligence Oversight Committee was established in the Parliament; the Data Protection Ombudsman carried out the checks required by the Parliament's Rules of Procedure before the work of the Committee started. In addition, the Intelligence Ombudsman and the Data Protection Ombudsman agreed on cooperation in order to carry out effective law enforcement tasks.

During the year, especially during Finland's Presidency of the Council of the European Union, the aim was also to promote the ePrivacy Regulation. The work was still not finished, however, and it was transferred to the responsibility of the next presiding country. At the same time, the EU approved the Directive on certain aspects concerning contracts for the supply of digital content and digital services ((EU) 2019/770). According to the Directive, digital services are also paid by providing personal data in addition to money.

A new organisation to support a customer service-oriented operating method

The number of cases instituted continued to rise. A large number of this growth was due to reports of personal data breaches, which represent approximately one third of all cases. The data protection reform meant a considerable challenge to the ability of the Office of the Data Protection Ombudsman to provide services. In addition to the increase in the number of cases, this was also often caused by the joint European method of processing them. 

The Office of the Data Protection Ombudsman changed the rules of procedure to support the new customer service-oriented organisation. Three customer service teams were established at the Office; both of the Deputy Data Protection Ombudsmen and the Data Protection Ombudsman act as their leaders. In addition, the Office has horizontal customer service development teams; the aim is to ensure uniform decision practice and the efficient functioning of customer service processes with their help. A lot of attention was paid to the competence of the personnel and their ability to cope. When the Deputy Data Protection Ombudsmen started to work, the sanctions board of the Office became competent. However, it was not yet necessary to impose administrative financial sanctions during the operating year.

The communications of the Office were developed further; telephone guidance was reformed, a newsletter was started and entering the decisions of the Data Protection Ombudsmen into the Finlex collection of decisions began. The annual report of the Office of the Data Protection Ombudsman was presented at and processed by the Parliament.

European cooperation consumed a considerable amount of the Office’s resources. In questions related to the interpretation of the GDPR, the European Data Protection Board that exercises the ultimate power of decision assembled monthly to a plenary session to make decisions. The Board also has twelve subgroups, and the Office of the Data Protection Ombudsman was represented in all of them.

Artificial intelligence and profiling as hot topics

During the operating year, artificial intelligence, algorithms and profiling rose high up on the social agenda. I was heard by the Parliament when they discussed the Government report on information policy and artificial intelligence. As for the Aurora national artificial intelligence programme, it was reviewed by a working group appointed by the Ministry of Finance. The aim of the health and social services reform that was since dropped was to calculate a specific forecast related to the payment of capitation compensation and based on profiling for every citizen. On this topic, too, I was heard several times by the Constitutional Law Committee as well as the Social Affairs and Health Committee of the Parliament. The Parliament was particularly concerned about the relationship between profiling and individual automated decisions. Concerning certain other Government proposals, too, the Constitutional Law Committee in particular had to think about the use of algorithms from the perspective of not only data protection but also constitutional law in general.

In the processing of personal data, the question of joint controllers resulted in discussion in several fields and in the preparation of laws. In many cases, solutions were found to match the activities in practice. During the year, the European Data Protection Board prepared instructions to clarify the division of responsibilities.

The European Commission implemented a special programme against the manipulation of elections for the European Parliament election. In Finland, the Ministry of Justice, the Prime Minister's Office and the Security Committee started a training project with the purpose of increasing awareness of the manipulation of elections. In this project, the Office of the Data Protection Ombudsman participated in training the representatives of political parties, among other things, because the manipulation of elections is typically also linked to profiling and the processing of personal data.

The Office of the Data Protection Ombudsman mainly reached the performance targets set for it well. However, the processing times of several types of cases were considerably long, partly also due to their supranational processing methods. At the start of 2020, a project to fix the issue was started at the Office.

Reijo Aarnio
Data Protection Ombudsman (until 31 October 2020)

Read more:
Deputy Data Protection Ombudsman Anu Talus: The importance of international cooperation is growing
Deputy Data Protection Ombudsman Jari Råman: Issues related to internal security in focus
Focus areas of data protection activities
Personnel and finances
Annual Report of the Office of the Data Protection Ombudsman 2019 (pdf)