A Sneak Peek into Data Act Implementation in Finland: What Is Proposed?

On 20 December 2024, the Ministry of Transport and Communications in Finland published a draft government proposal for the implementation of the EU Data Act in Finland. The draft proposal was sent out for public consultation, and the deadline for comments is 31 January 2025.

Link to the draft government proposal (in Finnish) is here:  

Introduction

The EU Data Act sets out a framework for data sharing and regulates the use of and access to data generated through connected devices. Individuals and business users of connected devices will be granted rights to the data that has been generated through their use of a connected device, which requires manufacturers and service providers to design their connected devices and related services in a way that enables access to the data. Furthermore, the Data Act also imposes general requirements on cloud computing providers to facilitate switching between providers.

The Data Act entered into force on 11 January 2024, and most of its provisions will become applicable in all EU Member States on 12 September 2025.

As the Data Act is an EU Regulation and therefore directly applicable in all Member States, the obligations and rights arising from it will enter into force as such in Finland. However, Member States must supplement the Data Act with national rules related to competent authorities and penalties. In this blog post, we take a closer look at national implementation in Finland.

What Is Proposed?

In 2023, the Ministry of Transport and Communications set up an interministerial working group with the mandate to understand current competences among authorities and propose appropriate supervision under the Data Act. On 3 May 2024, the working group published a draft memorandum on the national implementation of the Data Act.

The newly published draft government proposal is largely based on the working group memorandum. Pursuant to the draft government proposal, a new act on data management and supervision would be enacted, which would set rules on competent authorities and penalties in Finland.

Supervisory Authorities

As expected, Finland has decided to rely on existing authorities and designate more than one competent authority. The Finnish Transport and Communications Agency (“Traficom”) will be the principal supervisory authority and the data coordinator.

As a rule, supervision in Business-to-Business (B2B) matters is centralised to Traficom, whereas matters relating to consumer contracts are handled by competent consumer authorities in Finland.

The competence is proposed to be divided as follows:

The Data Protection Ombudsman is not designated as a supervisory authority under the Data Act, but the draft proposal clarifies that the processing of personal data under the Data Act would fall within the competence of the Data Protection Ombudsman.

The competent authorities have a broad co-operation obligation, extending to other relevant authorities as well. In addition, the competent consumer authorities have an obligation to report their investigations under the Data Act to Traficom.

Decisions taken by Traficom and consumer authorities under the Data Act can be appealed to an administrative court as the first instance. Appeals thus proceed in the same way as in GDPR matters. Pursuant to the draft proposal, several alternatives for appeals were considered, including centralising appeals to the Market Court (special court, e.g. in patent and copyright matters and certain trade secret cases) or to one administrative court instead of several administrative courts. Based on the draft proposal, the proposed model emphasises continuity and legal certainty. It can be read between the lines that the number of appeals is expected to be rather low.

Enforcement Powers and Penalties

For infringements, penalties range from a reprimand to hefty fines. As a reinforcement, the supervisory authority can impose a conditional fine or a suspension or enforcement threat.

As the Data Act refers to the GDPR for determining the amount of the fine, it is therefore no surprise that the draft government proposal sets a maximum fine of 4% of annual global turnover of the relevant company, the same maximum amount that is set out in the GDPR. If a fine is imposed on an individual, the fine may not exceed EUR 1,000 or 1% of the individual’s income according to the most recent tax decision, whichever is greater.

No fine can be imposed in the following situations:

• Minor infringement: An infringement is considered minor or manifestly unreasonable.

• Criminal investigation or conviction: A fine cannot be imposed on an individual who has been convicted or is suspected of the same act in a criminal case pending in a preliminary investigation, prosecution consideration, or court.

• Statute of limitations: A fine must not be imposed if more than five years have elapsed since the infringement occurred. If the infringement was of a continuous nature, the five-year period is calculated from the end of the infringement.

Traficom has powers to impose administrative fines under EUR 100,000, and if the fine exceeds EUR 100,000, it is imposed by Traficom’s Sanctions Board. Consumer authorities will have similar powers to impose fines of up to 4% of global turnover of the company under the Consumer Protection Act. Personal data infringements are overseen by the Data Protection Ombudsman and fines are imposed on the basis of the GDPR.

Interestingly, the draft government proposal specifically states that a fine may also be imposed on a company to which a business in which an infringement occurred has been transferred as a result of an acquisition or transaction. Pursuant to the draft government proposal, this has been added for the sake of clarity to avoid ambiguities.

Next Steps

The deadline for comments on the draft government proposal is 31 January 2025. The new act on data management and supervision is expected to enter into force on 12 September 2025, on the same day as most provisions of the Data Act.

More Information

Find more information in our articles relating to the Data Act:

• Have You Updated Your Contracts to Reflect the Changes Introduced by the Data Act

https://www.hannessnellman.com/news-views/blog/have-you-updated-your-contracts-to-reflect-the-changes-introduced-by-the-data-act/

• The Data Act and Trade Secrets – Part II: Refusing Access to Data Under the Data Act Based on Trade Secret Protection

https://www.hannessnellman.com/news-views/blog/the-data-act-and-trade-secrets-part-ii-refusing-access-to-data-under-the-data-act-based-on-trade-secret-protection/

• The Data Act and Trade Secrets

https://www.hannessnellman.com/news-views/blog/the-data-act-and-trade-secrets/

Contact Us