Minister of Justice Antti Häkkänen´s speech about GDPR´s possibilities to companies at Amcham Finland´s seminar 7 March 2018

Ministry of Justice 7.3.2018 10.24

Ladies and gentlemen,

I very much appreciate this kind invitation to participate your breakfast meeting - and this opportunity to share some thoughts on this important topic with an audience of such high level of expertise.

Protection of personal data and innovations, or scientific research to be more precise, is certainly a combination with many layers.

Scientific research and an innovation friendly environment, which provides appropriate circumstances to conduct scientific research was one of topics on which Finland did set a lot weight during the GDPR negotiations.

The negotiations for the national flexibility on this topic were not easy to overcome, but now we do have Data Protection Regulation which contains the said flexibility, and we are willing to take full use of it.

I will come back to this in more detail later.

Role of personal data is becoming more important all the time. Digitalization gives new opportunities for all citizens and companies. Many new business concepts especially in service sector need use of personal data in new ways. For example new kind of concepts like mobility as a service need clear legal framework for use of personal data. When we discuss about use of personal data we discuss about balance between two interests: right to privacy and flexible use of data. As Minister of Justice, I give attention to those both interests. My goal is to ensure proper protection of personal data and ensure enough flexibility to use of personal data. In my opinion, it is also our important duty as legislators to give enough attention to flexible legislation that can enable new business possibilities. 

Now, moving on to some more recent developments. I believe this audience knows quite well, why 78 is the number of the day – this is how many days there is left before the GDPR will become applicable.

We have had two years to prepare ourselves for this date. Two years is a very short transition period - but a lot has been done and achieved during this time. The developments have taken place on various different levels, both here in Finland and in the EU also.

In Finland government’s proposal for the new Data Protection Act was submitted to the Parliament last week. In other words, our Parliament is currently processing the proposal for the Data Protection Act.

Apart from the two forerunners (Germany and Austria, where national Data Protection laws have been accepted by the respective Parliaments a long ago) the other Member States have proceeded in a very similar pace. The draft laws are currently either debated in the Parliament or the governments are about to submit their proposals.

Besides the legislative measures, the implementation of the GDPR has taken place in the companies. The pace of this process has varied. Data Protection authorities Working Party (WP 29) has provided its guidance on several topics for this purpose. The European Commission also provided its guidance on the direct application of the GDPR. [This is quite rare and shows the weight which Commission sets on this topic and coherent application of the GDPR.]

A lot of weight has now been set on how “to get GDPR-ready” – and it is delightful to see that data protection requirements have been studied so intensively. 

But it ought to be remembered that the core principles of the data processing will endure. When personal data has been processed in line with our current data protection legislation (henkilötietolaki), it should not be too challenging to meet the requirements set by the GDPR either.

Then, moving on to the interpretation of the GDPR. First, it must be noted that the GDPR itself approaches scientific research in a very broad manner. In the meaning of the GDPR, scientific research includes for example technological development, fundamental research and applied research and privately funded research. This is very broad interpretation of the notion scientific research.

Furthermore, when it comes to interpretation, we can approach this question from two angles. First – the interpretation carried out by the national data protection authorities (DPA’s). And second - the interpretation carried out by national legislator when implementing the GDPR and deciding how to use the national flexibility provided by the GDPR.

In both case the GDPR and European setting do set the frames for the interpretation. One of the aims of the whole data protection reform was to unify the interpretation of the data protection legislation in the European Union and this cannot be overlooked.

This is also for example the reason why the cooperation mechanism for the European data protection authorities were created by the GDPR.

In other words, the overall aim is to avoid a situation where the approach to data protection legislation would be very fragmented in the EU.

Keeping this in mind,  we can next address the leeway provided by the GDPR.

As I said in the very beginning of my comments – the aim is to make full use of the national flexibility when it comes to scientific research. This was the very reason we worked so hard during the negotiations to have the said flexibility in the GDPR.

This task is quite challenging though. Scientific research is a multilayered topic and a solution found in a general law should fit to various different processing purposes.

Furthermore, when providing innovation friendly circumstances for data processing, the other side of the coin is to ensure that data subjects’ rights are protected. Only this way can a balanced solution be found.

Once again, I thank you for the opportunity to present my viewpoints to such a distinguished audience on this important topic.