skip to content
 

Data Protection Laws and Freedom of Expression: Finland File:Flag of Finland.svg

 

I. First-Generation Statutory Law

Finland adopted data protection legislation in the form of the Personal Data File Act on 30 April 1987. A law amending this Act was passed on 27 May 1994.
 
Special Expression Derogation
Finland’s initial law passed in 1987 provided that data protection ‘shall not affect the right to publish printed matter’ (s. 1). Although absolute in its area of application, this provision did not shield either databases containing personal data which were used internally by the media or other expressive actors or the publication of personal data in a publicly available electronic database. Finland engaged in further legislative reform during this first-generation period. In 1994 an amending law released both publicly available archival databases and also internal databases produced by the media from all substantive data protection provisions, subject only to compliance with certain security guarantees (see s. 1 of  the Laki henkilörekisterilain muuttamisesta (Law amending the Personal Data Act))
 
Broad Expression:
The exemption for publishing printed matter (see above) was not limited to journalistic or other special expressive purposes (s. 1). Otherwise, however, there was no relevant provision.
 
Personal Exemption
The 1987 law exempted the “collection, recording or use of personal data for personal reasons only or for corresponding normal private purposes” (s. 1)
 
Knowledge Facilitation Framework
The 1987 law set out special dispensation from purpose limitation and the data subject notification obligation (s. 30(2)). It also included exceptions from the prohibition of recording both ordinary (s. 5) and sensitive personal data without consent (s. 7(7)).
 
Parliamentary Debates
Much of the legislative and parliamentary debates were concerned with the protection of individuals against the control of their data by public and private actors. Pursuant to the responsible Legal Committee, the purpose of the proposed 1987 legislation was accordingly to secure the protection of the individual right to privacy while simultaneously improving the flow of information necessary in a ‘successful’ society.[1]
 
Special Expression Derogation
Concerns were voiced regarding the potentially detrimental consequences of the proposed 1987 law for the digitalization of existing media archives and for the registries necessary for the effective work of the mass media.[2] A minority objection written to the Legal Committee’s report proposed to amend the 1987 draft to allow mass media to collect sensitive information in registries if necessary for their own functioning, including the media’s previously published personal information.[3] However, this minority proposition was not adopted.[4]
 
The 1994 amendment to the 1987 law inter alia proposed to make editorial registries only amenable to the law on person registries in those parts that deal with data security and to exempt released registries made up of published material from the law. The first relevant amendment was prompted by fear that the Ombudsman’s legal authority over editorial registries would open up the possibility for censorship.[5] Another concern with regard to the special expression derogation was raised by MP Ukkola, in particular. She feared that paid sources could not be kept secret as payments or premiums for information had to be registered by the magazines. The new law would, pursuant to MP Ukkola not protect such paid sources.[6] MP Aittoniemi countered her claim. He would not be aware of such registries and even if they existed, those selling information to the media deserved to be caught.[7]
MP Ukkola further mentioned the position of authors who fell outside of the category of journalists. These authors would process data for literary purposes and sometimes even draw on data registries maintained by journalists. MP Ukkola stressed that the law did not clarify such authors’ status.[8]
 
Knowledge Facilitation Framework
While there was broad agreement that the proposed 1987 legislation struck an adequate balance between the above described aims, concerns were raised regarding the compatibility of the Knowledge Facilitation Framework with the corresponding provisions in other states, particularly Sweden and Norway, which Finland interacted with in this regard[9] as well as whether scientific research could justify keeping and combining registers and creating new ones.[10] Another point of contention concerned the proposed restrictions on marketing and market research, which by its nature necessitated the recording of sensitive consumer data to be useful.[11] The minority opinion to the report of the Legal Committee on the proposed 1987 law, moreover, suggested to broaden the knowledge facilitation exemption to adequately allow particularly for longitudinal studies.[12]
 

II. Second-Generation Statutory Law

Finland adopted second-generation legislation which inter alia transposed and implemented the Data Protection Directive 95/46 in 1999.
 
Special Expression Derogation
Finland exempted processing for the purposes of journalism or artistic or literary expression completely and unconditionally from all the substantive data protection provisions (s. 2(5)).
 
Broad Expression
There was no relevant provision.
 
Personal Exemption
The Data Protection Law did not apply to processing of personal data by a private individual for purely personal purposes or for comparable ordinary and private purposes (sec. 2(3)).
 
Knowledge Facilitation Framework
Finnish law provided that processing for the purposes of historical or scientific research was generally permitted including without consent but that in all cases this required that (if consent was not obtained) consent not be possible due to the quantity or age of the data or another comparable reason, data use is based on an appropriate research plan with designated responsible person(s), data related to given individuals was not disclosed to outsiders (unless this manifestly unnecessary to protect privacy owwing to the age of quality of the data) and that data no longer required for the research or vertification of results was destroyed, deidentified or transferred to an archive (s. 14).  The law provided for an exemption for historical, scientific and statistical research purposes from the compatibility principle (sec. 7), the reactive transparency rule (subject access) (sec. 27(1)(3)), the sensitive data rules (sec. 12(6)). No exemption, in contrast, was applicable to the direct and indirect transparency rules as well as the data export and legitimating ground conditions
Parliamentary Debates
The special expression derogation was not debated during the legislative process. With regard to the knowledge facilitation derogation, the Administrative Committee suggested to define holding periods for sensitive material. After five years, such material should be reviewed and deleted if necessary.[13] Section 12(2) eventually included the provision that the reason and the need for processing of sensitive data should be re-evaluated at five-year intervals at the longest, unless otherwise provided in the Act or stated in a permission of the Data Protection Board.
 

III. Third-Generation Statutory Law

Finland adopted third-generation data protection legislation which inter alia implemented the General Data Protection Regulation 2016/679 in 2018.
 
Special Expression Derogation
Finland’s implementing law sets out a wide-ranging unconditional exemption for processing solely for journalistic purposes or for the purposes of artistic, literary and academic expression. However, no derogation is provided from the requirements of fair, lawful and transparent processing and purpose specificity, legitimacy, and compatibility. Data export restrictions uniquely depend on a satisfaction of a strict/objective public interest threshold (s. 27).  This clause only ambiguously establishes the priority of the special expression derogation over the Knowledge Facilitation Framework.
 
Broad Expression Derogation
No special provision adopted.
 
Personal Exemption – see GDPR, art. 2(2)(c)
 
Knowledge Facilitation Framework – see also GPDR, art. 5(1)(b) (compatibility), art. 5(1)(e) (time limits) and art. 89(1) (appropriate safeguards)
The Act provides a special legal basis when using the public interest task or the exercise of official authority legal ground (s. 6(1)(e) GDPR) for scientific and historical research purposes and statistical purposes (s. 4(3)) and also public interest archiving (s. 4(4)) so long as processing is proportionate to the public interest objectives pursued and in the case of archiving to the rights of the data subject.  The prohibition on processing sensitive data in Article 9(1) can thereby be excluded (s. 6(7) and for archiving s. 6(8) which excludes genetic data from this) so long as suitable and specific safegaurding measures are put in place.  An indicative list of these is provided.  The data subject’s rights under Articles 15, 16, 18 and 21 GDPR may be waived subject to no further conditions in the case of public interest archiving (s. 32) and in other cases provided that: (i) the treatment is based on an appropriate research plan; (ii) the research has a responsible person or a group responsible for it; and (iii) personal data are used and disclosed only for historical or scientific or for any other compatible purpose, and is otherwise carried out in such a way that information relating to a particular person is not disclosed to third parties, (iv)  such processing is covered by a Code of Conduct or by a Data Protection Impact Asessment (which must be submitted to the DPA for information prior to processing) (s. 31)
Parliamentary Debates
Special Expression Derogation
In its commentary to the proposal of the implementing law, the government noted that the means through which the right to freedom of expression is exercised have changed considerably over the years with the advances in digital technology, including online publications and social media platforms. This would also affect the exercise of freedom of expression in the journalistic, academic, artistic and literary contexts.[14] However, no further comments were made on the interaction between freedom of expression and social media. As regards social media platforms, only the tangential question of the age limit for children using the site and the collection of their personal data were discussed.
On the protection of journalistic freedom of expression, the government argued that the transparency rules should not apply to the processing of personal data for journalistic purposes. This was argued to be necessary in order to protect the media’s role to check to power in a democracy as well as to safeguard the secrecy of journalistic sources.[15]
The Committee on Constitutional Affairs stressed both that data protection and journalistic freedom of expression must be adequately balanced and that any restrictions of fundamental rights must be strictly and precisely defined and its essence laid down in law. The Committee voiced concern that these requirements were not met with the proposed article 27 of the data protection law implementing the GDPR.[16] The Administrative Committee, in contrast, maintained that the proposed law achieved a good balance between the protection of privacy and freedom of expression.[17] The respective provision eventually remained unchanged.
 
Knowledge Facilitation Framework
Regarding knowledge facilitation, the government noted that the proposed derogations were necessary to avoid unnecessarily jeopardizing scientific and historical research. The Administrative Committee worried that the new rules would increase administrative burden and consequently detrimentally affect competitiveness. The Constitutional Committee echoed these concerns, noting that the additional administrative burden imposed in connection with the processing of personal data for research purposes may not be compatible with the freedom of science provided for in the Finnish Constitution.[18] Similarly, the Management Committee criticized that the safeguards provided for were insufficient to adequately protect sensitive personal data. This comment was echoed by the Constitutional Committee.[19]
The government then considered that additional safeguards could be integrated into the Data Protection Law, including a Code of Conduct, which may be taken to ensure the safeguarding of privacy interests in light of data processing for knowledge facilitation purposes.[20] The possibility of a Code of Conduct was welcomed by the Administrative Committee as it would reduce the administrative burden and permit specific sectorial needs to be taken into account.[21] Art. 30(3) of the implementing Finish Data Protection Law eventually made reference to a Code of Conduct to be adopted in line with Art. 40 GDPR.
 

[1] LaVM, 10/1986, 19 December 1986.
[2] Ibid, p 3.
[3] Ibid, p 10.
[4] EPK, 1986, 29 January 1987, pp 5368-5369.
[5] PTK 3/1994; further HaVM 1/1994.
[6] PTK 24/1994.
[7] Ibid.
[8] Ibid.
[9] EKP 1986, 15 May 1986, pp 1205-1207.
[10] EKP 1986, 20 May 1986, pp 1270-1271.
[11] EKP 1986, 15 May 1986, pp 1205-1207.
[12] EPK 1996, 29 January 1987, 5368-5369.
[14] Finland, ‘Hallituksen esitys HE 9/2018 vp’ (1 March 2018) https://www.eduskunta.fi/FI/vaski/HallituksenEsitys/-Sivut/HE_9+2018.aspx (last accessed 21 September 2020).
[15] Ibid.
[16] Finland, ‘Valiokunnan mietintö HaVM 13 2018 vp’ (Committee Report) https://www.eduskunta.fi/FI/vaski/Mietinto/Sivut/HaVM_13+2018.aspx (last accessed 10 July 2020).
[17] Finland, ‘Valiokunnan mietintö HaVM 13/2018 vp HE 9/2018 vp’ (7 November 2018) https://www.eduskunta.fi-/FI/vaski/Mietinto/Sivut/HaVM_13+2018.aspx (last accessed 21 September 2020).
[18] Ibid.
[19] Ibid.
[20] Ibid.
[21] Ibid.