Academic year: 2021

Share "Effective Enforcement in Data Protection Law: The Case of Finland"

Copied!
28
0
0

Bezig met laden.... (Bekijk nu de volledige tekst)

Hele tekst

(1)

1

Effective Enforcement in Data Protection Law: The Case of Finland

Aino Koho

aino.koho@student.uva.nl 11048115

European Competition Law and Regulation

Supervisor: Dr. Kati Cseres

University of Amsterdam

July 26th 2019


Abstract

To ensure that Finnish citizens can enjoy their fundamental right to data protection, compliance with the relevant rules laid down in EU as well as national legislation must be ensured. To ensure such compliance, law enforcement must be effective. Together with the various changes introduced by the General Data Protection Regulation (GDPR) of the European Union, the Finnish Data Protection Act has modernized the enforcement mechanisms available for the national regulators. Building on responsive regulation, a model of regulatory enforcement developed by Ian Ayres and John Braithwaite, this paper explores the normative basis for effective enforcement. It is proposed that although many of the components of effective enforcement are already utilized in the enforcement practices of Finnish data protection law regulators, there is also room for development. The findings suggest that especially resource constraints, widespread GDPR non-compliance amongst Finnish companies, and lack of third-party inclusion in the regulatory process currently jeopardize the effectiveness of enforcement.


Table of Contents

1. Introduction ... 4

2. Research Questions ... 5

3. Methodology ... 5

4. What Is Effective Data Protection Law Enforcement? ... 6

4.1 Responsive regulation ... 7

4.1.1 The enforcement pyramid ... 8

4.1.2 Enforced self-regulation ... 9

4.1.3 Public interest groups ... 11

5. Data Protection Law Enforcement in the Finnish Regulatory Context ... 12

5.1 The Office of the Finnish Data Protection Ombudsman ... 13

5.2 Is Finnish data protection law enforcement effective? The enforcement pyramid ... 14

5.2.1 Answer to criticism ... 16

5.3 Is Finnish data protection law enforcement effective? Enforced self-regulation ... 18

5.3.1 Answer to criticism ... 22

5.4 Is Finnish data protection law enforcement effective? The role of public interest groups ... 23

6. Conclusion ... 25


1. Introduction

The world has become increasingly digital. Finland, the digital hub of northern Europe, is one of the leading countries when it comes to digitalization. In the annual Digital Economy and Society Index report[1] published by the European Commission, the country ranked among the top three in the overall index measuring the progress made by the EU Member States in terms of digitalization in 2018. Finland has taken a leading role in developing and delivering digital services, creating new innovation and boosting new business opportunities[2]. However, whilst new technologies make our lives easier, digitalization also creates new risks. The rapidly increasing powers of many technology companies and their ability to collect, transfer, and process personal data of internet users worldwide demonstrate some of the unforeseen issues pertaining to the digital environment; issues that pose considerable challenges for data protection laws[3].

Data protection is a fundamental right[4]. In the Finnish legislative context, the right to protection of personal data can be found in Section 10 of the Finnish Constitution[5] as well as in various legislative Acts[6]. For the citizens of the European Union the right to data protection can further be found in Article 8(1) of the Charter of Fundamental Rights of the European Union[7] (“Charter”) and in Article 16(1) of the Treaty on the Functioning of the European Union[8]. Noteworthy is also Article 8(3) of the Charter, stating that compliance with the said data protection rules “shall be subject to control by an independent authority”[9]. This constitutes a strong guarantee in the EU’s legislative framework and indicates that data protection is not just a playground for reflexive regulation. This is crucial in the context of national and EU data protection law enforcement, as we do not (yet) know exactly how the Court of Justice of the European Union (“the Court”) will interpret this right. Previous case law of the Court, however, indicates that it takes it very seriously[10].

The General Data Protection Regulation (“GDPR/Regulation”) of the European Union entered into force on May 28th 2018, and was designed to strengthen EU citizens’ rights regarding the processing of their personal data. On November 13th 2018, the Finnish Parliament approved the new Data Protection Act[11] aimed at supplementing the Regulation. Together with the various changes introduced by the GDPR, the Data Protection Act modernizes the enforcement mechanisms available for the national regulators.

[1] European Commission. (2018). Digital Economy and Society Index 2018, Country Report Finland

[2] Ubiquitous Information Society Advisory Board, Ministry of Transport and Communications. (2011). Productive and inventive Finland, Digital Agenda for 2011–2020

[3] Koho, A. (2018). Will the EU General Data Protection Regulation Change the World? An Exploration into the Protections Provided and the Case for a Global Data Protection Standard

[4] Art 16(1) TFEU

[5] §10 Finnish Constitution

[6] See, for example, Act on Electronic Communications Services (2014/917); Act on the Protection of Privacy in Working Life (759/2004)

[7] Art. 8(1) Charter

[8] Art. 16(1) TFEU

[9] Art. 8(3) Charter

To ensure that Finnish citizens can truly enjoy their fundamental right to data protection, compliance with the rules laid down in EU as well as national legislation must be ensured. To ensure such compliance, law enforcement must be effective. In fact, the GDPR makes use of powerful rhetoric and refers to “strong enforcement”[12], “effective enforcement”[13] and “consistent […] enforcement”[14] in its Recitals. The Regulation does not, however, clearly indicate what this actually means in practice. Indeed, the practical challenges faced by regulators can be numerous and severe: resources are often highly limited, non-compliant behavior can be difficult to detect, regulatory objectives may not always be clear, jurisdictional constraints may apply, and enforcement functions can be distributed between a variety of actors who may struggle to co-ordinate their actions[15]. In other words, the question still remains: what exactly is effective data protection law enforcement?

2. Research Questions

What is effective data protection law enforcement?

Is the enforcement of data protection law effective in Finland?

3. Methodology

The primary purpose of this paper is to answer the two research questions as stated above. As such, the aim of the research is two-fold: to conceptualize the notion of effective enforcement in the context of data protection law; and subsequently, to investigate whether or not Finnish data protection law enforcement is effective in light of the above-noted conceptualization. In order to answer these two research questions, various regulatory concepts will be explained and analysed.

The research will be conducted using relevant legal, political and philosophical literature. In the normative evaluation of what constitutes effective enforcement, this paper relies on the theoretical underpinnings of the highly influential responsive regulation approach developed by Ian Ayres and John Braithwaite. Three concepts will be of particular importance: the enforcement pyramid, enforced self-regulation and the role of public interest groups. The findings of this paper aim to serve as a normative basis for assessing the need for possible changes in the Finnish data protection law enforcement framework. Thus, the goal of this research is to inform regulatory policymakers and enforcement officials of the effective enforcement strategies needed to ensure that Finnish citizens can truly enjoy their fundamental right to data protection. Here it should also be noted that this paper provides a preview into the enforcement framework of one Member State. As a result, the findings are specific to the Finnish regulatory environment and not necessarily applicable to the EU data protection law enforcement system as a whole (nor to that of other Member States).

[11] Finnish Data Protection Act (1050/2018)

[12] Recital 7 GDPR

[13] Recital 127 GDPR

[14] Recital 129 GDPR

The paper proceeds as follows: the fourth section will discuss and explain relevant concepts and theories in the field of law enforcement and data protection aiming to conceptualize the notion of effective enforcement; the fifth section will discuss and analyze the effectiveness of Finnish data protection law enforcement in light of the above-noted; the sixth section will conclude.

4. What Is Effective Data Protection Law Enforcement?

In order to answer the first research question, namely, “what is effective data protection law enforcement?”, the following section proceeds to discuss some of the key ideas in the field of law enforcement. In general, enforcement refers to “activities of the agencies responsible for the prevention, detection and investigation of crime and the execution of criminal penalties”[16]. While a considerable amount of literature has been published on the topic, the generalizability of such research to different regulatory fields (such as data protection) requires some further analysis. For the purposes of this paper, enforcement refers to the activities of the agencies responsible for the prevention, detection and investigation of data protection law violations and the execution of administrative and criminal penalties.

This paper describes the theoretical underpinnings of the highly influential responsive regulation approach developed by Ian Ayres and John Braithwaite in the 1990s. The aim is to describe and discuss elements of effective enforcement in relation to data protection law. What kind of institutional arrangements and strategies are needed for particular enforcement outcomes? What would be the normative framework for an ideal enforcement? Are there any peculiarities of effective enforcement in terms of data protection? Can the lessons learned from responsive regulation be applied to data protection law enforcement?

16 Policy Department for Citizens' Rights and Constitutional Affairs. (2015). A Comparison between US and EU Data


4.1 Responsive regulation

Responsive regulation occupies a prominent place in the field of enforcement. In essence, it is a model of regulatory enforcement, pointing out the advantages of particular institutional arrangements and strategies. It is a predictive model, promising particular enforcement outcomes as a result of its application[17]. Essentially, responsive regulation is a theory about how to elicit cooperation and compliance. In the case of data protection law, effective enforcement ideally leads to the realization of the policy goal behind those laws: namely, a high level of protection of personal data. Thus, responsive regulation, promising particular enforcement outcomes as a result of its application, is a suitable approach for building up a normative framework for effective enforcement.

It is no coincidence that responsive regulation leaves open the possibility for many pathways to be worked out in practice[18]. Although with varying degrees of success, the central ideas have been applied and adopted in different policy fields, such as taxation[19], healthcare[20] and food safety[21]. More broadly, the approach has been a classic in areas interested in the power of street-level bureaucrats and enforcement in practice, rather than merely on a theoretical level[22]. Additionally, much of the literature regarding EU enforcement has relied on “formal policy change, institutional arrangements, and formal infringement proceedings rather than actual enforcement practices”[23]. This paper thus further contributes to research on the actual enforcement practices at the national level within the context of effective enforcement as conceptualized in the following sections of this paper. As noted by Parker, the attractiveness of responsive regulation is predominantly based on the pragmatic understanding of regulatory discretion and how it works in the day-to-day practices of real regulators, whilst also engaging in a sophisticated analysis that explains cooperation and defection in regulation, as well as compliant and non-compliant responses to law[24]. It thus seems adequate to measure the effectiveness of enforcement in light of the above-noted model’s findings.

[17] Lodge, M. (2015). Ian Ayres and John Braithwaite, Responsive Regulation: Transcending the Deregulation Debate, p. 7

[18] Parker, C. (2013). Twenty years of responsive regulation: An appreciation and appraisal

[19] Job, J., Stout, A., & Smith, R. (2007). Culture Change in Three Taxation Administrations: From Command-and-Control to Responsive Regulation

[20] Tombs, S., & Whyte, D. (2013). Transcending the deregulation debate? Regulation, risk, and the enforcement of health and safety law in the UK

[21] Mascini, P., & Van Wijk, E. (2009). Responsive regulation at the Dutch Food and Consumer Product Safety Authority: An empirical assessment of assumptions underlying the theory

[22] Lodge, M. (2015). Ian Ayres and John Braithwaite, Responsive Regulation: Transcending the Deregulation Debate

[23] Ibid, p. 13


Responsive regulation is based on three main components: the enforcement pyramid, enforced self-regulation, and the role of public interest groups. The following section will explain and discuss each of these components in more detail.

4.1.1 The enforcement pyramid

At the very heart of responsive regulation lies the notion of the enforcement pyramid: a gradual sanctioning regime that prioritizes cooperation and punishes behavior only after continued non-compliance has been found[25]. The presence of a credible threat of sanctions – a so-called “big gun” – is crucial for giving firms incentives to cooperate, whilst also deterring them from participating in non-cooperative behavior. The presence of such a “big gun” is critical especially when the regulatee is a powerful party, equipped with substantial financial resources and power[26]. This is certainly something very pressing in data protection law enforcement, where national regulators (and courts) may at times be faced with data protection law violations committed by companies such as Facebook or Google that are equipped with considerable financial power, technical expertise and societal influence. The enforcement pyramid starts with advice and warnings; it only moves gradually towards actual sanctions. What makes this type of sanctioning regime effective, as suggested by Ayres and Braithwaite, is the reduction in the amount of formal processes for the regulatory agencies, as most of the identified non-compliance can be rectified already at an early stage via persuasion and warnings[27].

Regarding the notion of the enforcement pyramid, some criticism has emerged. First, the existence of a clearly identifiable regulator capable of imposing a credible threat of sanctions (let alone actual sanctions) has been questioned. It has been argued that responsive regulation, and the notion of the enforcement pyramid regime in particular, focuses too much on the state (thus failing to acknowledge the importance of non-state actors) and, in addition, does not take into account the dispersed and transnational nature of contemporary regulation[28]. In such a fragmented system, the argument goes, regulatory capacity should be located outside the state in order to achieve efficient outcomes. By some it is thus argued that the very concept of the enforcement pyramid is unrealistic and not responsive to the present-day regulatory framework.

[25] Ayres, I., & Braithwaite, J. (1992). Responsive Regulation: Transcending the Deregulation Debate

[26] Westerman, P. (2013). Pyramids and the value of generality

[27] Ayres, I., & Braithwaite, J. (1992). Responsive Regulation: Transcending the Deregulation Debate

[28] See, for example, Abbott, K., & Snidal, D. (2013). Taking responsive regulation transnational: Strategies for


Second, the well-established relationship between the regulator and the regulatees has also sparked some commentary. For example, the gradual sanctioning regime with a step-by-step escalation up the pyramid may not always be appropriate[29]. Sometimes an immediate reaction at the higher levels may be required, whilst at other times moving up and down the pyramid may not be feasible, as the use of punitive sanctions can compromise the relationship between regulators and regulatees[30]. As cooperation is prioritized over immediate punishment of non-compliance, the same infringement by different regulatees may result in different types of sanctions depending on the degree of cooperation. From a legal perspective, such inconsistent application of the law can be seen as highly problematic[31].

Third, criticism has also focused on the administrative prerequisites of the enforcement pyramid. It has been argued that this component of responsive regulation disregards the various organizational constraints often faced by regulators. Challenges have thus been identified especially regarding the capacity of regulators and their agencies to transform themselves sufficiently to be truly responsive[32].

The application of the enforcement pyramid may thus become problematic in practice. Whether or not these criticisms are relevant (or can be overcome) in the field of data protection law enforcement in Finland will be analysed in section five of this paper. Regarding the first component of responsive regulation – the notion of the enforcement pyramid – three conclusions can be drawn. First, for regulatory enforcement to be effective, a gradual sanctioning regime that prioritizes cooperation over punishment is needed. Second, the existence and presence of a credible threat of sanctions in case of non-compliance is essential. Lastly, for enforcement to be effective, the various criticisms regarding the regulator, the gradual sanctioning regime and the administrative prerequisites must be addressed and overcome.

4.1.2 Enforced self-regulation

The second component of responsive regulation is the notion of enforced self-regulation. Building on the idea of the enforcement pyramid, regulatees are also here seen and encouraged to act as responsible actors[33]. In essence, enforced self-regulation means that the regulated entities are allowed some flexibility to “tailor” regulation to their individual circumstances, while they are still held accountable for the realization of the regulatory goals[34]. Firms are thus to “write their own self-policing rules and have these agreed, verified, and checked by regulatory agencies”[35]. According to Ayres and Braithwaite, this type of self-regulatory approach makes enforcement more effective as it reduces information asymmetry problems, whilst encouraging cooperation. Regarding the former, enforced self-regulation optimizes regulatees’ “superior access to organization-specific information and requires them to analyze, and provide regulators with, information about the risks posed by their operations to regulatory objectives”[36]. This way regulators’ understanding of the regulated industries as well as the regulated entities may be improved, causing regulatory enforcement and supervision to become more targeted and effective[37]. Regarding the latter, firms are offered some discretion in terms of their operational detail, rather than merely receiving a prescription to amend their ways[38]. As identified by Gilad, “the possible gains to regulatees include reduction in compliance and production costs, improved internal controls, better industrial relations, and improved public image”[39]. Again, this seems particularly relevant in the case of data protection law enforcement, where regulators may, vis-à-vis multinational technology companies, face reluctance to share information about business practices.

[29] Baldwin, R., & Black, J. (2008). Really Responsive Regulation

[30] Ibid.

[31] Westerman, P. (2013). Pyramids and the value of generality

[32] Mascini, P. (2013). Why was the enforcement pyramid so influential? And what price was paid?

Trends of enforced self-regulation can be observed in a variety of different fields, such as health, food safety, financial markets, and environmental protection[40]. This type of regulation is often intended to mitigate regulators’ limited access to information and expertise, while also encouraging more corporate commitment and the enhancement of firms’ self-regulatory capacity[41]. Current research, although limited, indicates that enforced self-regulation tends to have a positive impact on the fulfillment of the regulatory objectives, thus making enforcement more effective[42]. In the context of EU data protection, trends of enforced self-regulation can be observed throughout the GDPR. For example, data protection by design and by default – as established under Article 25 of the Regulation – requires companies to consider privacy and data protection issues already at the design phase of any system, service, product or business practice[43]. Companies are thus required to anticipate risks and privacy-invasive events before they occur, and take steps to prevent harm to individuals[44].

[34] Gilad, S. (2010). It runs in the family: Meta-regulation and its siblings

[35] Lodge, M. (2015). Ian Ayres and John Braithwaite, Responsive Regulation: Transcending the Deregulation Debate, p. 7

[36] Gilad, S. (2010). It runs in the family: Meta-regulation and its siblings, p. 493

[37] Ibid.

[38] Lodge, M. (2015). Ian Ayres and John Braithwaite, Responsive Regulation: Transcending the Deregulation Debate

[39] Gilad, S. (2010). It runs in the family: Meta-regulation and its siblings, p. 498

[40] Ibid.

[41] Ibid.

[42] Ibid.

However, the notion of enforced self-regulation does not come without its criticism. First, the (arguably) logical criticism regarding this component of responsive regulation is the considerable regulatory burden placed on regulated entities and regulators alike[45]. Assessing the quality of the firms’ self-regulation can be costly, complex and time-consuming.

Second, for self-regulation to be effective, a sustainable regulatory environment is required. This includes the organizations’ normative commitment to regulatory requirements[46]. If the regulated entity perceives them to be unreasonable, compliance is unlikely[47]. Here, of course, the attitudes towards the value of privacy in the media, political discourse and civil society at large can also have a significant impact on the companies’ values.

Once again, the real-life application of responsive regulation faces some challenges. To what (if any) extent these considerations undermine the effectiveness of data protection law enforcement in Finland will further be analysed in section 5 of this paper. Regarding the second component of responsive regulation – the notion of enforced self-regulation – a few conclusions can be drawn at this point. First, for regulatory enforcement to be effective, regulated entities must be seen and encouraged to act as responsible actors, and thus granted some flexibility to “tailor” regulation to their individual circumstances. Second, for enforcement to be effective, criticism regarding the capacity for self-regulation and the regulatory environment in general must be addressed.

4.1.3 Public interest groups

The third – and last – component of responsive regulation is the role of public interest groups. In essence, regulatory responsiveness requires the regulator to be responsive to the people, not just to regulated entities[48]. As noted by Parker, “public interest group participation in the dialogue of responsive regulation is necessary to hold both regulators and businesses accountable for their negotiation of the exercise of regulatory discretion”[49]. Ayres and Braithwaite argue for an enhanced role of non-state actors: this may be done, for example, by providing them with regulatory information, granting them a seat at the negotiation table, or the authority to take action against regulators and regulated entities alike[50]. Such societal control exercised by these third-party actors has proven to increase compliance and thus make enforcement more effective[51]. In the context of Finnish data protection law enforcement, third parties could be included in the process of negotiating and drafting the relevant legislation, or, for example, by establishing mechanisms to ensure that the national regulator remains open and accountable to the public.

[43] Art. 25(1) GDPR

[44] Koho, A. (2018). Will the EU General Data Protection Regulation Change the World? An Exploration into the Protections Provided and the Case for a Global Data Protection Standard

[45] Gilad, S. (2010). It runs in the family: Meta-regulation and its siblings

[46] Ibid.

[47] Ibid.

[48] Hong, S.‐H., & You, J.‐s. (2018). Limits of regulatory responsiveness: Democratic credentials of responsive regulation

Even though the notion of inclusion of public interest groups acknowledges the importance and potential effectiveness of non-state-based regimes regarding enforcement[52], the idea is still rarely discussed in scholarly literature on responsive regulation[53]. As already argued elsewhere, “researchers rarely define responsiveness beyond the binary regulator-regulatee relationship, conceiving it as flexible enforcement strategies rather than connecting it to democratic responsiveness to the general public”[54]. Thus, in contrast to the two previous components of responsive regulation as discussed above, the criticism relates mostly to the lack of real-life implementation of this component rather than to its theoretical underpinnings per se.

This component of responsive regulation does not, unsurprisingly, come without its reservations. Regarding the last component of responsive regulation – the notion of the inclusion of public interest groups – one general conclusion can be drawn: for regulatory enforcement to be effective, public interest groups should enjoy an enhanced role in the regulatory process.

5. Data Protection Law Enforcement in the Finnish Regulatory Context

In order to answer the second research question, namely, “is the enforcement of data protection law effective in Finland?”, the following section proceeds to analyze Finnish data protection law enforcement in light of the findings established in the previous section. First, an overview of the framework within which the Finnish data protection enforcers operate will briefly be discussed. Second, the effectiveness of enforcement will be analysed in light of the three components of responsive regulation as discussed in the section above: the enforcement pyramid, enforced self-regulation and the role of public interest groups. The section will also assess whether there is a need for changes to be made in the Finnish data protection law enforcement framework and, consequently, provides suggestions for future improvements. It should also be noted that while this paper provides a sneak peek into the enforcement framework of one Member State, the applicability of the findings to other Member States or to EU level enforcement in general may prove difficult in practice.

[50] Hong, S.‐H., & You, J.‐s. (2018). Limits of regulatory responsiveness: Democratic credentials of responsive regulation

[51] Ibid.

[52] Lodge, M. (2015). Ian Ayres and John Braithwaite, Responsive Regulation: Transcending the Deregulation Debate

[53] Parker, C. (2013). Twenty years of responsive regulation: An appreciation and appraisal

[54] Hong, S.‐H., & You, J.‐s. (2018). Limits of regulatory responsiveness: Democratic credentials of responsive

5.1 The Office of the Finnish Data Protection Ombudsman

The Data Protection Ombudsman (“the Ombudsman”) is the national data protection authority which supervises the entire field of data protection in Finland. The Office of the Data Protection Ombudsman (“the Office”) currently employs approximately 40 persons[55] and its main task is to “monitor and enforce” the relevant data protection laws[56]. The GDPR lists a variety of different competences and powers that enable the Office to fulfill this task. These include, inter alia, promoting awareness of the rights and obligations regarding the processing of personal data[57]; providing advice and information[58]; carrying out investigations and inspections[59]; notifying companies of alleged infringements under the Regulation[60]; issuing warnings and reprimands[61]; withdrawing certifications[62]; imposing administrative sanctions for violations of the Regulation[63]; approving codes of practice and standard clauses[64]; cooperating with the EU’s other data protection authorities[65]; and participating in the operations and decision-making of the European Data Protection Board (“EDPB”)[66].

Furthermore, as established under the Finnish Data Protection Act, the Ombudsman may also impose additional periodic penalty payments[67] when it is exercising its corrective powers under the GDPR[68] or its investigative powers under the Finnish Data Protection Act[69]. As established under the GDPR, the Ombudsman may also impose administrative fines in addition to, or instead of, the corrective measures at its disposal under the same Regulation. Additionally, the Finnish Criminal Code[70] states that violations of the GDPR or the Finnish Data Protection Act may also lead to criminal penalties or up to one year in prison. Thus, the review of the sanctioning powers of the Office demonstrates that it has a variety of different measures at its disposal. How these powers are (and should be) utilized for effective enforcement outcomes will be discussed in the following section.

[55] Office of the Data Protection Ombudsman. (2019, May 7). Office of the Data Protection Ombudsman

[56] Art. 58(1)(a) GDPR; Office of the Data Protection Ombudsman. (2019, May 7). Office of the Data Protection Ombudsman

[57] Art. 57(1)(b) GDPR; Art. 57(1)(d) GDPR

[58] Art. 57(1)(c) GDPR; Art. 57(1)(e) GDPR

[59] Art. 57(1)(f) GDPR; Art. 57(1)(h) GDPR; Art. 58(1)(b) GDPR

[60] Art. 58(1)(d) GDPR

[61] Art. 58(2)(a) GDPR; Art. 58(2)(b) GDPR

[62] Art. 58(2)(h) GDPR

[63] Art. 58(2)(i) GDPR; Art. 83 GDPR

[64] Art. 57(1)(j) GDPR; Art. 57(1)(m) GDPR; Art. 58(3)(d)

[65] Art. 57(1)(g) GDPR; Art. 57(1)(h) GDPR

[66] Office of the Data Protection Ombudsman. (2019, May 7). Office of the Data Protection Ombudsman

[67] Uhkasakko = periodic penalty payment

[68] Art. 58(2)(c-g)(j)

[69] §18(1) Finnish Data Protection Act

5.2 Is Finnish data protection law enforcement effective? The enforcement pyramid

As discussed in the theoretical framework above, regarding the first component of responsive regulation – the notion of the enforcement pyramid – three conclusions may be drawn. First, for regulatory enforcement to be effective, a gradual sanctioning regime that prioritizes cooperation over punishment is needed. Second, the existence and presence of a credible threat of sanctions in the case of non-compliance is essential. Lastly, for enforcement to be effective, the various criticisms regarding the regulator, the gradual sanctioning regime and the administrative prerequisites must be addressed and overcome. The following will analyse the effectiveness of Finnish data protection law enforcement in light of these findings.

First, does the Office employ a gradual sanctioning regime that prioritizes cooperation and punishes behavior only after continued non-compliance has been found? As discussed above, the Ombudsman has a variety of different measures at its disposal. Together, the GDPR, the Finnish Data Protection Act and the Finnish Criminal Code establish a framework for a gradual sanctioning regime that indeed prioritizes cooperation over punishment. Cooperative measures – at the bottom of the pyramid – include issuing warnings regarding operations that are likely to infringe data protection laws[71]; issuing reprimands when infringements have been found[72]; and ordering infringers to bring their operations into compliance with the relevant legislation[73]. The somewhat harder measures include imposing temporary or definitive limitations on processing[74]; ordering rectification[75]; withdrawing certifications[76]; and ordering suspension[77]. The punitive measures – situated higher up in the pyramid – include imposing administrative fines[78]; imposing periodic penalty payments[79]; and finally, imposing criminal penalties (a maximum of one year in prison)[80]. Accordingly, a review of the measures currently at the disposal of the Office reveals the existence of a gradual sanctioning regime. As noted earlier, what makes this type of sanctioning regime effective is the reduction in the amount of formal processes for the regulatory agencies, as most of the identified non-compliance can already be rectified at an early stage via persuasion and warnings[81]. The following section will thus proceed by analyzing whether or not such a gradual sanctioning regime is utilized in the actual enforcement practices of the Finnish regulatory authorities.

[71] Art. 58(2)(a) GDPR

[72] Art. 58(2)(b) GDPR

[73] Art. 58(2)(d) GDPR

[74] Art. 58(2)(f) GDPR

[75] Art. 58(2)(g) GDPR

[76] Art. 58(2)(h) GDPR

[77] Art. 58(2)(j) GDPR

[78] Art. 58(2)(i) GDPR; Art. 83 GDPR

[79] §22 Finnish Data Protection Act

[80] Chapter 38, §9 Finnish Criminal Code

The cornerstones of the Office’s strategy are “anticipation and prioritizing, competence, [and] guidance based on information and alliances”82. This is much in line with the lower levels of the enforcement pyramid, where non-compliance is preferably addressed via persuasion and warnings. A noteworthy feature of the work of the Office was the explosive growth in case numbers in 2018: a total of 9617 cases were instituted, whereas the corresponding number for the previous year was merely 395783. This runs counter to the hypothesis of responsive regulation, according to which the use of a gradual sanctioning regime would lead to a reduction in the amount of formal processes. Nevertheless, the increased workload of the Office can largely be explained by the fact that the GDPR brought entirely new categories of matters (such as Data Protection Officer notifications, notifications of personal data breaches, and cross-border matters applying to several EU Member States) into the field of competence of the Office84, and therefore does not necessarily tell much about the effectiveness of the use of the enforcement pyramid. Additionally, the Office itself is also committed to educating individuals about their data protection rights and companies about their data protection obligations85. The general increase in interest in data protection matters may thus also partly explain the increase in the Office’s workload: Finns value their privacy and have been amongst the most active EU citizens when it comes to exercising their data protection rights86.

Second, is there a credible threat of sanctions, a so-called “big gun”, giving firms incentives to cooperate and deterring them from non-cooperative behavior? Here it is crucial to look at the punitive measures. The GDPR grants the national supervisory authorities the power to impose administrative fines for violations of the Regulation. The amount of the fine is decided in each individual case, taking into account a plethora of factors, such as the nature, gravity and duration of the infringement87; any action taken to mitigate the damage suffered88; relevant previous infringements89; the degree of cooperation with the supervisory authority90; the manner in which the infringement became known to the supervisory authority91; as well as previous corrective measures ordered against the infringer92. This indicates that cooperative behavior and self-regulation (as discussed below) are mitigating factors that will be rewarded.

81 Ayres, I., & Braithwaite, J. (1992). Responsive Regulation: Transcending the Deregulation Debate

82 The Office of the Data Protection Ombudsman. (2019). Annual Report 2018, p. 4

83 Ibid.

84 Ibid.

85 Office of the Data Protection Ombudsman. (2019, May 7). Office of the Data Protection Ombudsman

86 European Union. (2019). Special Eurobarometer 487a

87 Art. 83(2)(a) GDPR

88 Art. 83(2)(c) GDPR

The most severe infringements may lead to administrative fines of up to 20 million euros or up to 4% of the undertaking’s total worldwide annual turnover, whichever is higher93. This arguably constitutes a so-called “big gun”, giving firms a proper incentive for cooperative behavior. The first major GDPR fine was issued to Google by the French data protection authorities for the company’s data protection breaches under the Regulation. The €50 million fine represents “around two-thirds of the daily profits of the firm’s parent company Alphabet”94. Thus, it seems that the GDPR vests the national regulators with the option of imposing heavy fines that should indeed have a proper deterrent effect. The Finnish data protection authorities have not (yet) made use of the punitive measures at their disposal95. Nevertheless, the very existence of such measures already makes enforcement more effective, as the very point of the gradual sanctioning regime is the credible threat of substantive sanctions rather than their actual enforcement per se.

5.2.1 Answer to criticism

Much of the criticism of responsive regulation has focused on the notion of the enforcement pyramid. First, the existence of a clearly identifiable regulator capable of imposing a credible threat of sanctions, or actual sanctions, has been questioned. In the Finnish regulatory context, this does not seem to be a relevant concern. As noted earlier, the Ombudsman is the national data protection authority and supervises the entire field of data protection law in Finland96. It thus constitutes a clearly identifiable regulator, and it has a variety of different sanctions (and therefore a threat of sanctions) at its disposal.

However, even if a clearly identifiable regulator has been recognized, another strain of criticism claims that the enforcement pyramid regime focuses too much on the state (failing to acknowledge the importance of non-state actors) and fails to take into account the dispersed and transnational nature of contemporary regulation. Once again, this does not seem to be a valid concern in the Finnish regulatory context. Both the GDPR and the Finnish Data Protection Act acknowledge the crucial importance of effective cooperation between national supervisory authorities, as well as cooperation between the Member States and the EU97. Thus, even if part of the regulatory capacity is located outside the Finnish Ombudsman, as long as the workload is clearly and efficiently divided between the relevant parties, the effectiveness of the enforcement pyramid is not jeopardized by the transnational nature of data protection law enforcement.

89 Art. 83(2)(e) GDPR

90 Art. 83(2)(f) GDPR

91 Art. 83(2)(h) GDPR

92 Art. 83(2)(i) GDPR

93 Art. 83(5) GDPR

94 Google is first company hit with major GDPR fine. (2019)

95 Ius Laboris. (2019, May 24). The GDPR: one year on

96 §8 Finnish Data Protection Act

Indeed, international cooperation in data protection matters has increased. The key task of the EDPB is to promote such cooperation between the EU’s data protection authorities98. The Regulation itself contains detailed rules regarding the cooperation between different data protection authorities when it comes to cross-border matters impacting more than one Member State99. One of these is the one-stop-shop mechanism, which determines the cooperation between the lead supervisory authority and the other supervisory authorities concerned100. In 2018, there was a total of 591 cross-border matters: Finland was a supervisory authority concerned in 106 cases, whereas it acted as the lead supervisory authority in 5 cases101. The Internal Market Information System (“IMI”), an IT platform developed by the European Commission together with the Member States, further contributes to the effective enforcement of the GDPR provisions by enabling the exchange of information on cross-border matters between the relevant supervisory authorities102.

Second, the well-established relationship between the regulator and the regulatees has also sparked some commentary. The cornerstones of the Office’s strategy are “anticipation and prioritizing, competence, [and] guidance based on information and alliances”103. Obviously, the use of punitive sanctions can prejudice the relationship between regulators and regulatees. However, as noted above, when imposing administrative fines under the GDPR, the national regulator must take multiple factors into account. Thus, by initiating cooperative behavior (by taking action to mitigate the damage suffered or, for example, by reporting the infringement to the supervisory authorities), companies may mitigate the level of their fines. Such an approach is arguably less destructive to the relationship between the regulator and the regulatee.

97 See, for example, Recital 13 GDPR; Recital 116 GDPR; Recital 119 GDPR; Art. 60 GDPR; §14 Finnish Data Protection Act

98 Office of the Data Protection Ombudsman. (2019). Annual Report 2018, p. 11

99 Art. 60 GDPR

100 Ibid.

101 Office of the Data Protection Ombudsman. (2019). Annual Report 2018

102 European Commission. (2018, August 31). Internal Market Information System

103 Office of the Data Protection Ombudsman. (2019). Annual Report 2018, p. 4

It is also worth noting that, as cooperation is prioritized over the immediate punishment of non-compliance, the same infringement by different regulatees may result in different types of sanctions depending on the degree of their cooperation. Such inconsistent application of the law can be seen as highly problematic. This criticism is harder to overcome, as the relevant data protection legislation (both the GDPR and the Finnish Data Protection Act) is still fairly new; it thus remains to be seen whether or not the relevant authorities will manage to apply it in a consistent and predictable manner. The Ombudsman has, however, stressed the importance of consistency when it comes to interpreting and applying the Regulation, noting that the future practice of the EDPB “is expected to significantly impact on the Data Protection Ombudsman’s actions”104. Additionally, the Office has created a process team tasked with the creation of uniform procedures for processing complaints filed by data subjects105. This is certainly a step in the right direction.

Third, criticism has also focused on the administrative prerequisites of the enforcement pyramid. As noted by Mascini, challenges have been identified especially regarding the capacity of regulators and their agencies to transform themselves sufficiently to be truly responsive106. This seems to be particularly relevant in the context of Finnish data protection law enforcement: despite the extra resources assigned to the Office in 2018, the Office noted in its annual report that the available resources were scant relative to its workload107. As already stated above, the Ombudsman received almost three times more complaints in 2018 compared to previous years. There have already been consistent efforts to overcome such organizational constraints: in the spring of 2019, the government appointed two new deputy ombudsmen to help with the increased workload of the Office108. For data protection law enforcement to be effective in the future, it is thus crucial for the Office to have sufficient resources.

5.3 Is Finnish data protection law enforcement effective? Enforced self-regulation

Regarding the second component of responsive regulation – the notion of enforced self-regulation – a few general conclusions can also be drawn. First, for regulatory enforcement to be effective, regulated entities must be seen and encouraged to act as responsible actors, and thus be granted some flexibility to “tailor” regulation to their individual circumstances. Second, for enforcement to be effective, criticism regarding the capacity for self-regulation and the regulatory environment in general must be addressed. The following section will analyse the effectiveness of Finnish data protection law enforcement in light of these findings. Two tools of enforced self-regulation introduced by the GDPR will be discussed: the certification mechanism and data protection impact assessments.

104 Ius Laboris. (2019, May 24). The GDPR: one year on

105 Office of the Data Protection Ombudsman. (2019). Annual Report 2018

106 Mascini, P. (2013). Why was the enforcement pyramid so influential? And what price was paid?

107 Office of the Data Protection Ombudsman. (2019). Annual Report 2018

Are the regulated entities seen and encouraged to act as responsible actors? In this regard it should be noted that “the governance of privacy everywhere is now based on a co-regulatory model in which regulators give organizations advice and guidance about how and when to deploy tools, and stand in the background ready to enforce and sanction, if necessary”109. From the regulatory perspective, such an approach is effective as it embraces “companies’ inherent capacity to manage themselves, without letting them off the hook if their self-regulatory efforts fall short of regulator (and stakeholder) expectations”110. The establishment of the certification mechanism by the GDPR is a good illustration of enforced self-regulation. In essence, “certification schemes serve as useful declarations of assurance for consumers interested in engaging with commercial entities that adhere to desired principles and practices”111. Thus, this is a good illustration of how regulated entities are seen and encouraged to act as responsible actors, as it is assumed that the competitive advantage, the mitigation of reputational damage and the threat of punitive sanctions are adequate motivators for companies to undertake such assessments112. It should be noted, however, that although the Regulation states that the establishment of certification mechanisms demonstrating compliance with the Regulation should be encouraged113, it also states that such certification “shall be voluntary”114.

Another good illustration of enforced self-regulation is data protection impact assessments (“DPIAs”) which, after the introduction of the GDPR, became a mandatory requirement for businesses under certain circumstances115. In essence, the GDPR requires companies to conduct DPIAs prior to certain types of processing of personal data, namely when such processing is “likely to result in a high risk to the rights and freedoms of natural persons”116. For instance, DPIAs are required when processing relates to profiling and sensitive personal data or involves the use of new technologies117. Companies may be required to evaluate and report on their own self-regulatory strategies so that regulatory authorities can determine whether or not the regulatory goals can be met through the use of such strategies118. Rather than prescribing an exact form for such assessments, the Regulation leaves it up to the regulated entities to “identify their own solutions to mitigate risks that are appropriate to their context”119. Thus, DPIAs are another good illustration of how regulated entities are seen and encouraged to act as responsible actors.

109 Bennett, C., & Raab, C. (2018). Revisiting the governance of privacy: Contemporary policy instruments in global perspective, p. 15

110 Binns, R. (2017). Data protection impact assessments: a meta-regulatory approach, p. 23

111 Certification Europe. (2019, July 26). EU GDPR

112 Binns, R. (2017). Data protection impact assessments: a meta-regulatory approach

113 Art. 42(1) GDPR

114 Art. 42(3) GDPR

115 Binns, R. (2017). Data protection impact assessments: a meta-regulatory approach

116 Art. 35(1) GDPR

117 Recital 89 GDPR

In the Finnish regulatory context, the GDPR and the Finnish Data Protection Act grant the national supervisory authorities the power to impose punitive fines on those who fail to meet the regulatory targets, while also allowing regulatees some discretion in designing their own strategies for meeting those targets. Similar to the enforcement pyramid, the notion of enforced self-regulation also enables regulators to efficiently prioritize their focus and resources on projects that require greater attention: “this rests partly on the detailed lists to be drawn up by supervisory authorities, but where these do not provide a clear guide, the controller must decide for themselves on the basis of the guidance in Article 35 [of the GDPR]”120. The requirement to conduct DPIAs thus constitutes a tool of enforced self-regulation, as it is a combination of legal rules prescribed by the regulator and policies that the regulated entities must devise and impose upon themselves121.

When the DPIA reveals that high risks to the rights and freedoms of natural persons exist, the regulatee must consult the supervisory authority122. The supervisory authority may then use its powers to temporarily or indefinitely ban the processing123 or to impose administrative fines124. Thus, here too the gradual sanctioning regime can be utilized: in the case of continued non-compliance, the national supervisory authority may move from a limitation on processing or a suspension of data flows to hefty administrative fines of up to 20 million euros or up to 4% of the undertaking’s total worldwide annual turnover, whichever is higher. In this way the supervisory authority makes corporations responsible for their own efforts to self-regulate – this is essentially what enforced self-regulation is. Nevertheless, the success of enforced self-regulation depends heavily on the capacity of the regulator to independently and effectively assess and challenge the validity of the information that the regulated entities provide about their activities. This may prove to be particularly challenging in practice. As already noted above, while the workload of the Office has significantly increased, its resources have not. Again, this jeopardizes the effectiveness of data protection law enforcement.

119 Art. 35(7)(d) GDPR

120 Binns, R. (2017). Data protection impact assessments: a meta-regulatory approach

121 Ibid.

122 Recital 84 GDPR

123 Art. 58(2)(f) GDPR

124 Art. 83(5) GDPR

Here it is also worth noting that self-regulation (and thus investing in compliance) may also result in long-term business benefits125. Current research indicates that organizations that have made privacy investments in the course of getting ready for the GDPR have primarily done so “to avoid the significant fines and other penalties associated with not meeting the regulation”126. However, there are other significant business benefits associated with such investments: increased trust in one’s business, as customers as well as stakeholders are reassured that personal data is being protected; competitive advantage, as one can stand out from competitors by protecting personal data at the highest level; brand protection, as adverse publicity due to data breaches is reduced; and business growth, as adhering to common standards makes it easier to do business globally127. Overall, the costs associated with data breaches tend to be lower for GDPR-ready companies128. Additionally, research also indicates that some data controllers value their status as industry leaders: “this can be seen in efforts by major industry players to publicize and disseminate their best practices, and initiatives within the privacy profession to elevate the status of industry ‘thought leaders’”129. This indicates that “privacy maturity has become an important competitive advantage for many companies”130. In the long run, it would therefore be beneficial for regulators to draw more attention to such benefits, thus possibly making commitment to proper self-regulation more effective. For example, a recent study by the Ponemon Institute, an independent research firm specializing in privacy and data protection, demonstrated that merely 28% of the surveyed Facebook users believe in the company’s commitment to the protection of their personal data131.

Finns value their privacy. According to the latest Eurobarometer, Finns rank among the top three Member States when it comes to exercising their right to access data; exercising their right to object to receiving direct marketing; knowing which public authority is responsible for protecting their rights regarding personal data; reading privacy statements; and having tried to change the default privacy settings of their personal profile132. A further indication of the importance Finns attach to their privacy can be seen in the increase in reported personal data breaches in 2018 compared to the previous year, and in the growing awareness amongst the population regarding data protection rights in general133. On the other hand, however, it seems that Finnish companies may not share the same intensity of interest in privacy matters: a recent study on GDPR implementation amongst Finnish companies found non-compliance to be widespread; the required changes in the processing of personal data to be superficial and inadequate; and the importance of data protection in general to be belittled134. However, as noted above, safeguarding the rights and freedoms of individuals regarding the processing of their personal data is not beneficial merely for Finnish citizens. For businesses, providing proper data protection can generate a competitive advantage “based on responsible operations”135. In concrete terms, this may result in a reduction in compliance and production costs, improved internal controls, better industrial relations and an improved public image. Thus, enforced self-regulation has the potential to provide the regulated entities with various long-term business benefits (thus making their commitment to the regulatory objectives more likely), whilst also providing the regulators with a further tool for a more effective enforcement regime. Additionally, research also indicates that some data controllers value their status as industry leaders: “this can be seen in efforts by major industry players to publicize and disseminate their best practices, and initiatives within the privacy profession to elevate the status of industry ‘thought leaders’”136.

125 Binns, R. (2017). Data protection impact assessments: a meta-regulatory approach

126 Cisco. (2019). Maximizing the value of your data privacy investments

127 Certification Europe. (2019, July 22). ISO 27018:2014 protection of personally identifiable information (PII)

128 Cisco. (2019). Maximizing the value of your data privacy investments

129 Binns, R. (2017). Data protection impact assessments: a meta-regulatory approach

130 Cisco. (2019). Maximizing the value of your data privacy investments

131 Hisbaum, H. (2018, April 18). Trust in Facebook has dropped by 66 percent since the Cambridge Analytica scandal

132 European Union. (2019). Special Eurobarometer 487a

133 Office of the Data Protection Ombudsman. (2019). The Office of the Data Protection Ombudsman's Annual Report

5.3.1 Answer to criticism

First, the (arguably) most logical criticism regarding this component of responsive regulation concerns the considerable regulatory burden placed on regulated entities and regulators alike. Assessing the quality of firms’ self-regulation can be complex, costly and time-consuming. Additionally, while the national regulator may have a superior understanding of the data protection principles established under the GDPR, this may not be the case when it comes to the latest data processing techniques or the most suitable privacy-enhancing technologies137. Thus, in practice, the regulated entities may, in some cases, have greater expertise than the regulator. For enforcement to be effective, such concerns, together with the various organizational constraints, must be addressed and overcome. It is very likely that the national regulators will need significant boosts in their resources, staff and staff training in the future in order to keep up with their new tasks. Here it is also crucial to note that enforced self-regulation works best in industries with a few bad apples, whereas its effectiveness is jeopardized when non-compliance is persistent and widespread138. This seems relevant in the Finnish regulatory context. When analysing data protection law compliance amongst major Finnish companies, recent studies have shown that non-compliance is quite widespread139. Therefore, before any of the self-regulatory mechanisms can actually be effective, wider compliance with the relevant legislation must be ensured. In the beginning, this may mean imposing heavy fines for non-compliance rather than relying on soft measures and cooperative behavior. However, caution should be exercised, as the GDPR should not be approached merely from the perspective of sanctions: the very purpose of the Regulation is to “encourage businesses to seek growth on the digital single market by introducing common rules for a market of 510 million consumers”140.

134 Sankari, V., & Wiberg, M. (2019). GDPR ei toimi

135 Office of the Data Protection Ombudsman. (2019). Annual Report 2018, p. 2

136 Binns, R. (2017). Data protection impact assessments: a meta-regulatory approach

137 Ibid.

Second, for self-regulation to be effective, a sustained supportive environment is required. As identified by Gilad, enforced self-regulation only works if “regulators and regulatees enjoy mutual trust and external political and public support, which […] provide them with latitude for short-term experimentation in pursuit of long term improvements”. This is crucial, as regulated companies must feel that, by making them responsible for their own efforts to self-regulate, the regulators are not simply shifting the blame for future failures onto the companies. In this regard, the EU (and thus Finland) has the potential to provide a sustained and supportive regulatory environment. Considering the significant amount of time and effort put into the drafting and implementation of the GDPR, it is unlikely that the legislation will change significantly in the near future. However, as already noted elsewhere, the level of trust between the regulator and the regulated entities may be less than ideal141. Thus, attempting to create and sustain cooperative relationships may prove difficult in practice. For instance, recent interactions between the regulators (e.g. the EU Commission or the national data protection authorities) and the regulated entities (e.g. Facebook or Google) have been adversarial and frayed142. For enforcement to be effective, efforts should therefore be made to create a supportive and consistent regulatory environment, although this is obviously easier said than done.

5.4 Is Finnish data protection law enforcement effective? The role of public interest groups

Again, building on the findings of the theoretical framework above, regarding the last component of responsive regulation – the notion of the inclusion of public interest groups – one general conclusion can be drawn: for regulatory enforcement to be effective, public interest groups should enjoy an enhanced role. The following analyses the effectiveness of Finnish data protection law enforcement in light of this finding.

139 Sankari, V., & Wiberg, M. (2019). GDPR ei toimi

140 Office of the Data Protection Ombudsman. (2019). Annual Report 2018, p. 6

141 Binns, R. (2017). Data protection impact assessments: a meta-regulatory approach

142 Ibid.

Do public interest groups enjoy an enhanced role? Ayres and Braithwaite argue for an enhanced role for non-state actors: this may be achieved, for example, by providing them with regulatory information, granting them a seat at the negotiation table, or giving them the authority to take action against regulators and regulated entities alike. In connection with the previous component, namely enforced self-regulation, it can be noted that the regulatory authority must “connect the private capacity and practice of corporate self-regulation to public dialogue and justice, by requiring companies to gather and disclose information on which corporate self-regulation and its impacts can be judged (by regulators and stakeholders alike)”143. To what extent (if any) do public interest groups play a role in the regulatory framework of data protection law in Finland?

Regarding policymaking at the EU level, various authors have characterized the “EU lobbying system in terms of elite pluralism, where business interests are systematically advantaged over citizen group and non-governmental organisations (NGOs)”144. The GDPR “has been one of the most lobbied pieces of European legislation in European Union history”. As already noted elsewhere, the Regulation has indeed been subject to a large amount of lobbying pressure, shaping it to adhere to the interests of a “small number of very powerful private sector firms”145. In this regard it is thus crucial to draw a distinction between industry-specific lobby groups focused on advancing their own economic interests and public interest lobby groups advocating on behalf of the public good146. According to the model of responsive regulation, it is the societal control exercised by the latter which increases compliance and thus makes enforcement more effective.

First, are third parties included in the process of negotiating and drafting the relevant legislation? Interest group lobbying of the European Commission on the matter of the GDPR during three separate consultations between 2009 and 2011 has been shown to be widespread and to involve a variety of different interests147. As noted by Binns, “there is a large, diverse, knowledgeable, and vocal privacy advocacy community willing to engage on behalf of data subjects”148. Indeed, such groups have had a heightened role in lobbying EU regulators over the final form of the GDPR, whilst also pressuring national supervisory authorities to take action against companies that are in violation of data protection laws149. For example, the French regulatory authority recently levied a fine of 50 million euros on Google for its data protection breaches under the GDPR. Interestingly, the fine was the result of complaints made by two NGOs: None Of Your Business and La Quadrature du Net150. Such activities demonstrate the increased importance of public interest groups in the framework of data protection law enforcement.

143 Binns, R. (2017). Data protection impact assessments: a meta-regulatory approach, p. 29

144 Atikcan, E., & Chalmers, A. (2018). Choosing lobbying sides: the General Data Protection Regulation of the European Union, p. 3

145 Ibid, p. 3

146 Ibid.

147 Ibid.

148 Binns, R. (2017). Data protection impact assessments: a meta-regulatory approach, p. 33

149 Ibid.

Furthermore, the GDPR specifically opens up the possibility of an enhanced role for public interest groups. It states that “where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations”151. Thus, the full realization of this component of responsive regulation is largely dependent on a strong interpretation and enforcement of the relevant GDPR provisions. Finnish regulatory authorities should make consistent efforts to include public interest groups, thereby making enforcement more effective: “commercial, public and security interest should not be used as an excuse to avoid engagement”152.

6. Conclusion

The aim of this paper was to assess whether there is a need for changes in Finnish data protection law enforcement. The goal was to inform regulatory policymakers and enforcement officials of effective enforcement strategies in order to ensure that the citizens of Finland can truly enjoy their fundamental right to data protection. The findings of this paper suggest that there is indeed room for improvement. The first part of this paper aimed to conceptualize the notion of effective enforcement in the context of data protection law. Responsive regulation was offered here both as a descriptive account of effective enforcement and as a normative ideal to which regulatory policymakers and enforcement officials can aspire. The second part of this paper proceeded to analyze the Finnish data protection law enforcement framework in light of the conceptualized standard of effective enforcement.

The first component of responsive regulation, the enforcement pyramid, is utilized in the enforcement practices of the Office. Together the GDPR, the Finnish Data Protection Act and the Finnish Criminal Code establish a framework for a gradual sanctioning regime that prioritizes cooperation over punishment. There is also a credible threat of sanctions, a so-called “big gun”, giving firms incentives to cooperate and deterring them from non-cooperative behavior, as the GDPR grants the national supervisory authorities the power to impose hefty administrative fines for non-compliance with the Regulation. Not surprisingly, resource constraints have been particularly pressing since the introduction of the GDPR, and could possibly jeopardize the effectiveness of enforcement of Finnish data protection law.

150 Google is first company hit with major GDPR fine. (2019)

151 Art. 35(9) GDPR

Enforced self-regulation is also utilized in the Finnish data protection law enforcement framework. The regulated entities are seen and encouraged to act as responsible actors. Two mechanisms established by the GDPR are good illustrations of this: the certification mechanism, and the data protection impact assessments. It is assumed that the competitive advantage, mitigation of reputational damage and the threat of punitive sanctions are adequate motivators for companies to undertake such assessments. Again, resource constraints may jeopardize the effectiveness of enforcement as assessing the quality of the firms’ self-regulation can be complex, costly and time consuming. Additionally, wide-spread GDPR non-compliance amongst Finnish companies further threatens the effectiveness of the enforcement by the means of enforced self-regulation.

Regarding the last component of responsive regulation, namely, the role of public interest groups, it has proven hard to draw any straightforward conclusions. It was noted that such groups have had some influence on the final form of the GDPR on the EU level. Additionally, although not specific to the Finnish regulatory context, such groups have also been somewhat active on a national level, pressuring national supervisory authorities to take action against companies that are in violation of data protection laws. Overall, there is definitely room for development when it comes to the inclusion of third parties. This could, for example, be done via a strong interpretation and enforcement of the relevant GDPR provisions, such as Article 35(9).

As noted by the Office itself, the GDPR (and subsequently, the national implementation measures) “caused the upheaval of the century in the work and powers of the enforcement authorities”153. Having analysed the Finnish data protection law enforcement in light of the findings of responsive regulation, multiple conclusions were drawn. In order to ensure that Finnish citizens can truly enjoy their fundamental right to data protection, some improvements to the current enforcement strategies in the framework of Finnish data protection law should be implemented regarding the wide-spread non-compliance amongst Finnish companies, the lack of focus on positive business benefits of compliance, and the various organizational constraints that the regulators are currently facing. In this way, Finnish data protection law enforcement could be made more effective.
