Data Protection – the institutions

(1)

Data Protection and the Judiciary

‐ the Finnish approach

Aki Hietanen, Ministry of Justice, Finland

Presentation in the ”E‐Justice and E‐Law Conference, Rome, Italy

13.10.2014

E‐Justice and E‐Law, Rome, Italy 1

(2)

Data Protection in Finland – the history

1988

‐the first Personal Data File Act came into force, as the first law concerning data protection in Finland. The Act was to prevent violations of integrity at all stages of data processing. The functional objective was to promote the development of, and compliance with, good data processing practices.

1999

‐new Personal Data Act, replacing the Personal Data File Act, came into force. The main principles of the protection of privacy remained largely unchanged. The

Personal Data Act accommodated the constitutional reform and the EU Data Protection Directive 95/46/EC.

The basic rights and freedom of individuals are even more strongly emphasised also in the processing of personal data.

1999

‐new Constitution: Section 10 ‐ The right to privacy

“Everyone's private life, honour and the sanctity of the home are guaranteed. More detailed provisions on the protection of personal data are laid down by an Act.”

13.10.2014 Aki Hietanen, Ministry of Justice, Finland

(3)

Data Protection in Finland – the history

⁽²⁾

2004

the Act on the Protection of Privacy in Electronic Communications, which safeguards

confidentiality and privacy in telecommunications. It seeks to clarify the rules for processing confidential identification data and to expand their scope to encompass corporate or associate subscribers. Compliance with the Act is mainly supervised by the Finnish Communications Regulatory Authority.

The Data Protection Ombudsman supervises the processing of location data, telephone directories and directory inquiries, compliance with provisions pertaining to direct marketing by means of automated systems and compliance with provisions pertaining to a user’s special right of access to information.

2004

the Act on the Protection of Privacy in Working Life, which addresses the key data protection issues by creating various procedures for the needs of working life. The Act has provisions on new topics such as drug testing, camera surveillance and electronic mail privacy protection.

The amendment to the Act about how to process personal credit data entered into force in 2008. The Personal Data Act and the Act on the Protection of Privacy in Electronic

Communications contain general data protection provisions, which are also applied in working life.

(4)

Data Protection – the institutions

‐ The role of the Data Protection Ombudsman and Data Protection Board

The Finnish Constitution guarantees every citizen's private life and honour and the sanctity of the home. The protection of personal data is stipulated in detail by an Act. One of the objectives of the Personal Data Act is to improve the

opportunity of individuals to control the use of their personal data. Citizens have the right to know why and how personal data is being processed and to decide about the processing, unless otherwise stipulated by the law.

The Data Protection Ombudsman and the Office of the Data Protection Ombudsman (appr. 20 persons) provide guidance and advice on all issues related to the processing of personal data and control the observance of the law. The website www.tietosuoja.fi is being used for disseminating information.

The Data Protection Board is an expert organ, also making decisions on cases transferred from the Data Protection Ombudsman. A decision by the Data Protection Board may be appealed in the Supreme Administrative Court. If necessary, the Supreme Administrative Court can asked the European Court of Justice to rule on the interpretation of the Data Protection Directive.

(5)

Data Protection and Transparency – the Finnish approach

In Finland there is a long tradition of transparency in the public sector .

According to the Finnish Freedom of Information Act (Act on the Openness of Government Activities, 621/1999) , official documents shall be in the public domain, unless specifically otherwise provided in the FOI Act or another Act.

When do documents enter the public domain? There are specific rules on that:

•

e.g. a court order or judgment enters the public domain from the moment it is handed down or when it is made available to the parties;

•

a decision, a statement or a contractual commitment enter the public domain when the decision, statement or contract has been signed

(6)

Data Protection and Transparency – the exceptions

When are documents kept secret? There are specific rules on that (Section 24 of the FOI Act):

•

e.g. the documents concerning the relationship of Finland with a foreign state or an international organisation

•

the documents concerning a matter pending before an international court of law

•

the documents of the security police and the other authorities concerning the maintenance of State security,

•

documents concerning military intelligence

•

In Section 24, there are altogether 32 provisions for keeping certain documents secret

(7)

Data Protection and the Judiciary – the Finnish approach

In Finland courts are independent . There are , in addition to the Supreme Court and Supreme Administrative Court, 27 Disctrict Courts, 5 Courts of Appeal, 6 Administrative Courts and three Special Courts

● Under the Constitution of Finland, everyone is entitled to have their case heard by a court or an authority appropriately and without undue delay.

13.10.2014 Aki Hietanen

(8)

Data Protection and the Judiciary – the Finnish approach

Even if the courts are independent, they should not be seen as totally independent institutions in data protection issues.

Certain principles have to be taken into account



The duplication of data should be kept to the minimum



The access rights of users to case management systems or registers should be managed strictly



The amount of personal data in the electronic systems and registers should be in relation to the need to identify a person



There should be detailed rules on the retention and deletion of personal data (e.g. following the example of criminal records)

(9)

Data Protection and Transparency in Action – the criminal investigations and court hearings

According to the FOI Act (Act on the Openness of Authorities), Section 24, following documents are to be kept secret

● the reports of offences made to the police and any other authorities carrying out criminal investigations, as well as to the public prosecutor

● the documents obtained or prepared for purposes of criminal investigations or a decision on whether to bring charges, as well as the application for a summons, the summons and the defendant’s response in a criminal case, until a decision has been made for a hearing in the case,

● specific rules are available in the Act on the Openness of Court Proceedings

(370/2007), Section 4 – Publicity of basic information regarding court proceedings

● information regarding the court considering a case, the specific nature of a case, and the time and place of oral proceedings as well as the information necessary for identifying a party is public. However, the court may order that information regarding the identity of an injured party or an asylum seeker shall be kept secret.

E‐Justice and E‐Law, Rome , Italy 9

(10)

Data Protection in Action – the case management of courts and access to judgments

In Finland the access to information in the registers and case management systems of the courts and prosecutors is managed centrally by the Legal Register Centre, based on the Act on the National Information System of the Judiciary (372/2010).

‐

For judges and prosecutors, there is strict management of access rights, with need‐to‐know basis

‐

The main systems of case management are centralized

‐

Every citizen has the right to check information concerning him/her in the court registers or case management.

‐

Matters concerning the use of the inspection right under the Personal Data Act always necessitate a request in writing. Requests are answered by the Legal Register Centre.

‐

Information on any judgment (public domain) can be acquired from the individual court or Legal Register Centre

(11)

Data Protection in Action – the publishing of judgments

In Finland there are no general rules concerning the publishing of judgments on the Internet. Usually the principles of publishing are found in the rules of procedure of the courts.

‐

Case law of the Supreme Courts, Courts of Appeal, Administrative Courts, Special Courts are available on the website of the courts at www.oikeus.fi and in Finlex Data Bank www.finlex.fi

‐

The scope in the publishing of the judgments varies:

‐ from certain courts, e.g. Labour Court and Market Court, all judgments are published on fulltext (anonymized)

‐ from some courts, e.g. Courts of Appeal, only summaries are available

‐

Information in court homepages and Finlex: judgments are anonymized by the courts (manually)

(12)

The next steps: some concluding remarks

In Finland there has been a well‐functioning balance between transparency and protection of personal data, also within the judiciary

‐ There have been no decisions or opinions by the Data Protection Ombudsman concerning the protection of personal data in the courts

‐ The cross‐border exchange of judicial information is a new challenge

‐ The experiences of ECRIS in the exchange of criminal record information between EU member states can be seen as an example of secure exchange of sensitive data

In 2014‐2016 the case management of courts and prosecutors is being reformed in the so‐

called AIPA project (AIPA= Material Bank)

● new document flow for the documents – one single repository with several different access rights and workflows

● prevents reproduction of data in several places and increases data quality

● the anonymization of judgments for the Internet – using structured documents

13.10.2014 12