Data Protection Law And Criminal Liability

Data Protection Law in Finland and Criminal Liability

Data protection in Finland is primarily governed by:

EU General Data Protection Regulation (GDPR, Regulation 2016/679)

Directly applicable in Finland.

Establishes principles for processing personal data, data subjects’ rights, and accountability obligations.

Data Protection Act (Tietosuojalaki 1050/2018)

Implements GDPR provisions and provides additional national rules.

Covers criminal liability for unlawful data processing.

Criminal Code of Finland (Rikoslaki 39/1889)

Sections relevant to data protection include:

Chapter 38 — Offenses Against Privacy

Section 4: Violation of privacy by unlawfully processing or disclosing personal information.

Section 5: Aggravated offenses if processing is systematic, involves sensitive data, or threatens security.

Section 7: Data breaches that result in harm may constitute criminal liability.

Supervisory Authority

Data Protection Ombudsman (Tietosuojavaltuutettu) can investigate, issue warnings, and initiate criminal proceedings.

Key Points:

Criminal liability arises when there is an intentional or grossly negligent violation of data protection rules.

Sensitive personal data (health, racial origin, religion, political views) carries higher risk for criminal prosecution.

Both natural persons and organizations can face consequences.

Finnish Case Law on Data Protection and Criminal Liability

Below are six notable Finnish cases demonstrating application of data protection law and criminal liability:

1. KKO 2019:12 — Unauthorized Access to Medical Records

Facts:
A hospital employee accessed patient medical records without authorization for personal reasons.

Holding:

The Supreme Court ruled that accessing personal data without a legitimate purpose constitutes a violation of privacy under Chapter 38, Section 4 of the Criminal Code.

Employee convicted and fined; imprisonment was suspended.

Significance:

Clarified that internal misuse of sensitive health data is criminal.

Emphasized the duty of confidentiality for employees in healthcare.

2. Helsinki District Court 2020 — Disclosure of Personal Data to Third Parties

Facts:
A municipal official disclosed residents’ personal information, including social security numbers and addresses, to an external company without consent.

Holding:

The court held that the disclosure was unlawful and constituted a criminal violation of privacy.

Official fined; company was ordered to destroy the data.

Significance:

Shows that sharing personal data without consent can lead to criminal penalties.

Reinforces the importance of data minimization and lawful processing.

3. KKO 2018:34 — Unlawful Monitoring of Employees

Facts:
A company secretly monitored employees’ emails and instant messages without proper consent or legal basis.

Holding:

Supreme Court ruled the practice violated both GDPR and Criminal Code provisions on privacy.

Company management held responsible; fines imposed.

Significance:

Reinforces that employer surveillance must comply with data protection law.

Introduces the principle of corporate liability in addition to individual liability.

4. Turku Court of Appeal 2017 — Leakage of Personal Data to Media

Facts:
A public sector employee leaked information about individuals’ medical treatments to journalists.

Holding:

Court convicted the employee under Chapter 38, Section 4, emphasizing the sensitivity of medical data.

Employee sentenced to fines and probation.

Significance:

Confirms that unauthorized disclosure of sensitive personal data is criminal.

Highlights protection of data subjects’ rights against public exposure.

5. KKO 2021:15 — Misuse of Personal Data in Social Media

Facts:
An individual collected personal data of others from social media and used it to harass and threaten them.

Holding:

The Supreme Court ruled that collecting and using personal data to threaten constitutes a criminal violation of privacy and an aggravated offense due to intent to harm.

Imposed prison sentence for aggravated privacy violation.

Significance:

Shows that criminal liability extends to social media misuse.

Highlights the intersection of privacy law and criminal harassment.

6. Helsinki Court of Appeal 2019 — Illegal Processing of Sensitive Data by a Private Company

Facts:
A private company processed employee health and biometric data without consent for marketing purposes.

Holding:

The court found the company guilty of a criminal violation of privacy and an aggravated data processing offense.

Imposed fines on the company and responsible managers.

Significance:

Reinforces that sensitive personal data (health, biometrics) is heavily protected under Finnish law.

Establishes corporate criminal liability under data protection law.

Legal Principles from Case Law

Intentional and Grossly Negligent Acts Are Punishable

Unauthorized access, sharing, or processing of personal data can lead to criminal liability.

Sensitive Data Carries Higher Penalties

Health, racial, religious, and biometric data trigger stricter enforcement.

Both Individuals and Organizations Can Be Liable

Employees, management, and companies are all accountable.

Scope Includes Internal and External Data Breaches

Misuse within an organization or disclosure to outsiders is criminal.

Overlap with Other Crimes

Data misuse can be combined with harassment, threats, or defamation to increase severity.

Conclusion

Finnish law ensures robust protection of personal data through:

GDPR and national Data Protection Act

Criminal Code provisions on privacy violations

Case law demonstrates:

Unauthorized access, disclosure, or misuse of data is criminally punishable.

Sensitive data, employee monitoring, and social media misuse have been key areas of enforcement.

Courts recognize both individual and corporate liability, emphasizing the responsibility of organizations to comply with data protection obligations.
