EU digital and data regulation
The EU's digital and data regulation facilitate the movement of data within the EU, create clear and fair rules for data use and promote compliance with privacy, data protection and competition rules. Digital and data regulations also bring new tasks to the Office of the Data Protection Ombudsman.
The role and powers of the Data Protection Ombudsman in key digital data regulations
The purpose of the Digital Markets Act (DMA) is to ensure fairness and transparency in the digital market. It aims to tackle unfair trading practices by the major platform companies, and ensure that the digital market is not entirely dominated by them.
The Act imposes obligations on the largest platform companies in the EU, which are the so-called "gatekeepers" of the market. For example, they must allow the installation of competing applications or access to competing services, and must not favour their own services. The European Commission has designated gatekeeper companies on the basis of criteria set out in the Digital Markets Act.
The European Commission is primarily responsible for monitoring compliance with the Act. On data protection issues, the Commission may seek advice from the European Data Protection Board. It may also appoint experts from EU data protection authorities to support the monitoring work. The Act entered into force in May 2023.
More information on gatekeeper companies on the Commission website
The Digital Services Act (DSA) imposes obligations on digital service providers to improve the transparency and security of their services. The Act applies to so-called network brokerage services, including online platforms, storage services and online marketplaces.
Monitoring of the Digital Services Act in Finland is divided between the Finnish Transport and Communications Agency (Traficom), the Data Protection Ombudsman and the Consumer Ombudsman. Traficom is the main enforcer of the Act. The Data Protection Ombudsman monitors the identifiability of non-profit and social advertising, the transparency of online advertising and recommender systems, and the protection of minors on online platforms. The Act fully entered into force in February 2024.
Frequently asked questions about the Digital Services Act
Questions and answers about the Digital Services Act on Traficom's website
The Artificial Intelligence Act (AIA) regulates AI systems in EU countries. It aims to ensure that AI is safe for all and that AI systems respect fundamental rights and ethical principles. The greater the risks posed by an AI system, the stricter the rules that apply to it. AI systems that are considered a clear threat to people's security, livelihoods and rights will be banned.
The Artificial Intelligence Act entered into force on 1 August 2024, and its application is being introduced in stages. Most of the rules will apply from 2 August 2026. Compliance with the Artificial Intelligence Act is monitored both by the European Commission and by several different authorities from EU countries. The Act also gives tasks to the Data Protection Ombudsman.
The Office of the Data Protection Ombudsman will act as a so-called market surveillance authority, monitoring that AI systems are lawful and that prohibited AI systems are not being developed and used. It will also check whether certain high-risk AI systems meet the requirements of the Act before they enter the market. The Office of the Data Protection Ombudsman will also handle complaints and participate in testbed activities for AI regulation (so-called “sandboxes”). The responsibilities of the Data Protection Ombudsman will become more clearly defined once the official functions are regulated by law in Finland.
More information on the Artificial Intelligence Act on the Commission website
The Data Governance Act (DGA) regulates the sharing of data between organisations. The Act will increase access to data and harmonise its sharing across the EU through common rules. It aims to increase confidence in the wider use of data. The Act will promote the reuse of protected data held by the public sector (such as personal data) and also facilitate the movement of data between companies.
It will create rules for new players in the data economy – so-called data brokerage services – and data altruism-based organisations. Data brokerage services broker data between data holders and data users. Data all altruism means promoting the release of data for public benefit, such as scientific research, health care and the fight against climate change.
The Office of the Data Protection Ombudsman monitors the processing of personal data in the activities provided for in the Data Governance Act. The Data Governance Act applies in addition to data protection regulation. The application of the Data Governance Act began in September 2023.
More information on the Data Governance Act on the Commission website
The Data Act (DA) changes the rules for sharing data from internet-connected devices and network-connected services. It aims to increase the availability and use of such data.
Users will have the right to access data generated by the use of devices and services connected to the internet. They will also be able to share this data with a competing company that provides maintenance or additional services, for example. The Data Act also aims to improve people's rights to switch cloud service providers and move their data from one system to another.
The Office of the Data Protection Ombudsman will monitor compliance with the Act as regards the protection of personal data. With the introduction of the Data Act, the Data Protection Ombudsman will also monitor compliance with the rules of the Act when personal data and other types of data are inextricably linked. The Data Act will apply from 12 September 2025.