Deputy Data Protection Ombudsman Anu Talus: The importance of international cooperation is growing

Deputy Data Protection Ombudsman Anu Talus I started as the Deputy Data Protection Ombudsman in August 2019. Even though a lot of work had already been done at that time, it was also clear that there was a massive amount yet to be done.

Transferring into a new position offers a good chance to take a look at the development in the field. Only a few years ago, it was a good idea to start talks at events from the basic concepts, such as what is a data subject, controller or processor. When we were working on a media release at the start of the year, I wondered if data subject as a concept was already as widely understood as consumer. We have not quite reached this point yet. However, the overall level of competence has increased dramatically, and data protection has become mainstream. And the development is not over yet. In fact, in the future every Master of Laws should graduate with the basic ability to handle data protection matters. 

As the Deputy Data Protection Ombudsman and the supervisor of my own team, I am responsible for cross-border issues and matters principally related to the private sector. These issues include, among other things, journalism, elections, discussion platforms, blogs, banking activities, financing companies and granting credit, the field of telecommunications, online shopping, electricity, accounting, direct marketing, phone call recordings, social media, games, traffic, transport and travel – to name only a few subject areas. So, from this point of view too, there is plenty of work to be done.

The first Finnish steps to outline the application of the GDPR were also taken during the last year. Among other things, last year we issued the first decision on direct marketing based on the Planet 49 ruling of the Court of Justice of the European Union concerning the use of cookies. A decision on evaluating creditworthiness concerning automated decision-making that included discriminatory elements was also issued last autumn. Of other significant issues, the statement to the Supreme Administrative Court on a matter concerning the inspection of comparative tax information should also be mentioned. The decision of the Supreme Administrative Court issued at the start of 2020 confirmed the policy of the Data Protection Ombudsman in the matter.

As stated in the Data Protection Ombudsman’s own review, the work of the European Data Protection Board and its subgroups has started according to the work programmes. In addition to this, the European supervisory authorities are also cooperating in connection with the One-Stop-Shop. These official channels have also increased unofficial cooperation between authorities. In fact, international networking is extremely important in order to promote the goals of the Office of the Data Protection Ombudsman.    

The first decisions have already been made via the One-Stop-Shop mechanism, but no major decisions by the European Data Protection Board have been issued yet. The Court of Justice of the European Union also issued rulings last year outlining the application of the GDPR. For example, the Planet 49 ruling issued in the autumn of 2019 clarifies the relationship between the ePrivacy Regulation and the GDPR for its part.

The Office’s internal work to participate in the work of the European Data Protection Board’s subgroups also started during the last year, and it is still ongoing. The goal is to create a working model that can effectively influence European decision-making. This is important for ensuring that the very pragmatic Finnish perspective will be represented in the European forums. It has been a great pleasure to observe how motivated the personnel of the Office of the Data Protection Ombudsman are to participate in the European data protection work.

During the last year, we also prepared for a so-called hard Brexit a few times – fortunately, it turned out to be unnecessary. However, there are changes upcoming to the transfers of data between the EU countries and the United Kingdom at the end of this year. If the United Kingdom does not separate itself too far from the data protection principles of the EU, the Commission can still make a decision on the sufficient level of data protection. In that case, the change would not be very visible in the everyday life of controllers.  

Cooperation with the Data Protection Ombudsman and the other Deputy Data Protection Ombudsman has also started out smoothly during 2019. It has been a pleasure to work with these excellent colleagues.

Anu Talus
Deputy Data Protection Ombudsman (Data Protection Ombudsman From 1 November 2020)

Read more:
Data Protection Ombudsman Reijo Aarnio: 2019, a year of reforms
Deputy Data Protection Ombudsman Jari Råman: Issues related to internal security in focus
Focus areas of data protection activities
Personnel and finances
Annual Report of the Office of the Data Protection Ombudsman 2019