Insights | January 17, 2022
GDPR enforcement in Finland: latest news
Although the General Data Protection Regulation has been applicable for close to four years now, the Finnish Data Protection Authority has thus far not imposed many administrative fines for violations of the GDPR. In our article from last August (see below), we provided an overview of the enforcement landscape at the time and analyzed existing case law. Now, due to the recent administrative fines imposed on the psychotherapy clinic Vastaamo, it is time for an update. In this article, we will analyze the Vastaamo case and its various consequences.
On 7 December 2021, the Finnish Data Protection Authority (DPA) issued its decision (the full decision is available in Finnish) concerning the psychotherapy clinic Vastaamo and imposed a fine of EUR 608,000, which corresponds to 4.16% of Vastaamo’s turnover in 2020. This is the highest fine in the history of Finnish General Data Protection Regulation (GDPR) enforcement, both in absolute amount and as a percentage of turnover. A hefty fine was to be expected, however, considering the violations widely reported in the media.
Health data leaked due to a hacker attack
Vastaamo is (or rather was, as it has since been declared bankrupt for reasons attributable to the case) a Finnish private psychotherapy clinic. As part of its regular business operations, Vastaamo stored health data in its patient records, including very personal and detailed descriptions of patients, their visits and the state of their mental health. The patient records contained personal data of over 30,000 individuals.
In a hacker attack, Vastaamo’s patient records were stolen and partially leaked to the internet. The breaches, which took place in 2018 and 2019, were reported to the authorities and to the individuals affected only about one and a half years after Vastaamo must have become aware that a reportable data breach had occurred (the GDPR requires notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach).
GDPR breaches identified by the DPA and our views on the amounts of fines imposed
The DPA stated in its decision that Vastaamo had neglected its data security obligations, since not even basic protective measures had been implemented, and had also neglected its duty to report the personal data breach. Deficiencies were also found in the documentation required to comply with the principle of accountability. The DPA noted that Vastaamo’s negligence was extremely serious and that its failure to notify was intentional: it simply decided not to inform its customers and the authorities about the breach. Moreover, the data breach itself was undoubtedly extremely serious considering the nature of the data, the extent of the breach and its consequences for the individuals affected.
In its decision, the DPA considered the following factors when determining the amount of the fine:
Factors that would raise the amount of the fine
- The personal data was an integral part of Vastaamo’s business operations
- The nature of the personal data, including the highly confidential nature of such data
- The lack of even the most basic protective functions
- The intentional failure to inform the patients affected of the data breach in an appropriate and timely manner
- The actual damage incurred by the data subjects
- The duration of the violations
- The serious, intentional and/or negligent nature of the infringements
- The financial benefit gained from non-compliance
- The failure to draft proper documentation on the data breaches and the failure to assess the impact of the data breaches correctly
Factors that would reduce the amount of the fine
- The actions taken by Vastaamo to mitigate the damage caused by the breach, e.g. setting up a crisis phone line, providing free appointments with psychiatrists, providing guidance on its website, and allocating additional resources to customer service and to GDPR-related obligations
- The bankruptcy and the cessation of business operations
- The fact that Vastaamo cooperated with the DPA
The DPA’s decision is under appeal in the Administrative Court.
Views on the amounts of fines imposed by the DPA thus far
By way of comparison, as reported in our previous article, the DPA fined a postal service company EUR 100,000 (0.01% of turnover), a taxi company EUR 72,000 (0.71% of turnover) and a consulting firm EUR 7,000 (3.3% of turnover); these fines represent the high end of Finnish fines either in amount or as a percentage of the company’s turnover. It should be noted, however, that the fine imposed on the postal service company is not yet final: it was recently overturned by the Administrative Court, but the DPA has appealed that decision to the Supreme Administrative Court.
Quite clearly, the fine imposed on Vastaamo is significantly higher than any previous fine imposed in Finland, but it is still on the low side compared to fines imposed elsewhere in Europe and in the Nordic countries, and compared to the maximum fine that can be imposed under the GDPR, i.e. EUR 20 million or, if higher, 4% of the total worldwide annual turnover. For example, the Norwegian DPA recently imposed a NOK 65 million (EUR 6.5 million) fine, which is approximately 32% of the EUR 20 million maximum.
Nonetheless, the Vastaamo case seems to be the DPA’s first step into stricter enforcement and may be the start of a trend of higher fines. Further, the fact that Vastaamo had been declared bankrupt had an impact on the amount of the fine. Also, due to the amount of publicity the case has received, it is likely to lower the threshold for individuals to report GDPR violations and file complaints to the DPA.
Other consequences and the impact of the Vastaamo case on GDPR matters in M&A projects
The Vastaamo case is also a prime example of the other consequences and risks that can arise from non-compliance with the GDPR. In addition to administrative fines, non-compliance may lead to reputational damage that may be beyond repair, long-running court proceedings, claims for damages, the cessation of business operations and many other unforeseen consequences. In Vastaamo’s case, non-compliance with the GDPR led to, for example, bankruptcy and an unusual surge in claims for damages from those affected by the breach.
Although the number of claims made against Vastaamo’s bankruptcy estate has not been confirmed, it has been reported that thousands of claims have been made by individuals. The Vastaamo case is therefore likely to produce interesting case law on the amount of damages payable to data subjects who have suffered as a result of a GDPR breach.
Another interesting aspect of the Vastaamo case is its effect on M&A deals. During the period after the occurrence of the data breach (when the breach had not been reported), a private equity investor acquired a majority stake in Vastaamo. When the data breach was finally reported and its gravity revealed to the public, the private equity investor demanded the cancellation of the acquisition based on a lack of disclosure during the due diligence review.
In light of this, the case will further increase the importance of data protection and data security in due diligence reviews, M&A negotiations and SPAs, not only because of the high fine imposed but also because of Vastaamo’s bankruptcy and the customers’ reactions to the breach, which led to a sudden decrease in revenue. Investors will most likely want to avoid any similarities with the Vastaamo case, because a possible comparison to it could entail a wide variety of undesired risks and consequences, including high fines, the loss of customers, a need to exit the investment at the worst possible moment or, ultimately, the loss of the investment.
Conclusions
Taken together, these separate aspects of the case spell out a single message: the repercussions of a data breach can amount to much more than a fine imposed by the local DPA, and the GDPR needs to be taken seriously. Will the case have an effect on enforcement, though? The DPA’s known case backlog, and the fact that its sanctions board began its work only more than a year after the GDPR became applicable, have likely held back the DPA’s enforcement activity. The first fines were imposed two years after the GDPR became applicable and, as of the date of this article, the DPA has imposed fewer than ten fines in total. It remains to be seen whether enforcement activity will become more frequent and more stringent in the future.
Article written by Partner Johanna Lilja, Associate Ida Leskinen and Associate Trainee Juho Laitila.