Greetings from Brussels!
Here we are at the start of a new year; 2018 went by in a flash, at least I thought so. It was a busy year for those of you working in privacy; lots went on across the board. This year will most likely be more of the same. I suspect that privacy developments won’t let up, and to be fair, while we are all relatively intimate with the GDPR, it is still a young piece of legislation — we have yet to witness its first birthday. Clearly, there’s still plenty of education and application to undergo in the year ahead.
Straight up, and the new year heralded in a meaningful announcement. In the United Kingdom, the Queen’s Honours list is big deal, and this year privacy got a sizable shoutout. U.K. Information Commissioner Elizabeth Denham was awarded the honor of CBE — Commander of the Most Excellent Order of the British Empire by the Queen. Quite the acknowledgment, Denham had this to say: “As a Canadian, now a United Kingdom resident, I am privileged to be recognised with this distinguished award for my career’s work in the fields of data privacy and information rights.” While also acknowledging the great work done by colleagues at the ICO, Denham’s hope is that this award will help bring greater attention to data protection for citizens in the digital age and against a backdrop of legislative reform.
Well done, Elizabeth Denham.
In other news, Finland’s new Data Protection Act took effect 1 Jan. Enhanced data security measures approved by the Finnish Parliament last November came into effect, and notably, the law incorporates the GDPR into the amended act. A lengthy debate on the tough sanctions mandated by the EU regulation had delayed the law’s adoption. Much of the act concerns the protection of children’s data, mandating a new “age of consent” where companies can no longer use or access the information of children aged 13 and under. In addition, the regulators will also have increased powers to fine and prosecute companies that are negligent of noncompliance. Another significant development is the increased powers of public authorities to access citizens’ personal data in the name of “public interest.” The new act gives certain Finnish authorities, such as the national crime agencies, immunity from fines imposed by GDPR breaches.
Reijo Aarnio, who has served as Finland’s data protection ombudsman for the last two decades, says his office receives an average of 10 data breach notifications each day. As elsewhere in the EU, Finnish companies systematically failing to comply with the GDPR may soon have to pay for their offenses. The new act should certainly serve as a stimulus to get one’s house in order. This year, a new three-person team in Aarnio's office will start investigating GDPR breaches in Finland, largely thanks to the reformed Finnish data protection legislation. Aarnio also stated that the GDPR is still suffering from a lack of harmonization at the EU level as there are varying degrees of interpretation of the rules. Aarnio added that it is still a sizable task to harmonize the level of fines across the EU28 to prevent companies engaging in “GDPR shopping” where infringements — in certain member states — may carry a more relaxed approach to enforcement culture and financial penalties.
Eija Warma-Lehtinen, IAPP country leader for the Nordics, was upbeat about the developments in her native country, saying it will be interesting to see how the Finnish regulator will investigate the application of the GDPR. Will we see a pronounced change in regulatory investigation practices? She added that businesses were eagerly waiting for the first regulatory actions of the new year.
Well, here’s hoping 2019 will be more stable and predictable than 2018 on all fronts. Last year was a political and economic upheaval for most, impacting business considerably more than in previous years. May your year be blessed with good fortune!
If you want to comment on this post, you need to login.