GDPR cases drive bigger budgets for Nordic regulators

High-profile General Data Protection Regulation cases in Finland and Sweden have increased the workload for regulators, which are to receive an increase in funding

The Nordic countries have seen a wave of high-profile General Data Protection Regulation (GDPR) cases since the European Union’s (EU) new data protection and privacy laws came into force.

Sweden and Finland have responded to their data inspectorates’ need for more resources by promising additional funding in 2019-2020. 

In particular, the inspectorates need more funding to support growing legal case work for emerging high-profile and costly GDPR cases that could have significant long-term implications for privacy laws and data handling by companies in Finland and Sweden.

Finland’s data protection ombudsman is to receive a 6% increase in its annual budget for 2019-2020, while Sweden’s data protection authority hopes to see an 8% rise in its annual budget for the same period. 

Apart from core budgeting, the assimilation of the EU’s GDPR into national data and privacy laws has placed a significant burden on Nordic data inspectorates in terms of resource and case-work management and recruiting additional experts to prepare and pursue legal actions against companies and organisations suspected to be in breach of the GDPR.

The GDPR superseded all EU member states’ data protection laws when it was implemented on 25 May 2018. It gave data inspectorates across EU member states stronger powers of supervision and the means to make a more effective legal response to non-compliant actors. Under the GDPR, organisations found in serious breach of the rules can face financial penalties of up to 4% of their annual global turnover or €20m, whichever is greater.  

Also, “data subjects” have the right to seek judicial remedies against data controllers and processors, as well as the right to receive compensation for damages resulting from GDPR breaches. The role of data inspectorates has not only become more expansive, but also more capital intensive as they prepare legal case strategies and fight potentially expensive court battles against often well-resourced corporations. 

High-profile cases, such as the ongoing investigations into Nordic tech companies HMD Global and Klarna Group, illustrate the uphill struggle the data inspectorates face to balance their case load against their operating budgets and funding restrictions. The Swedish and Finnish inspectorates both struggle from a lack of capacity to process all GDPR complaints in a timely fashion and enforce the rules.

Read more about the General Data Protection Regulation

Their workload has become more challenging under the GDPR regime, which gives people the right to ask service providers to stop processing their personal data or selling it to third parties. The GDPR has made it easier to file complaints against organisations, and the inspectorates’ challenge is demonstrated by the 2,700 personal data breach complaints reported to Finland’s ombudsman between June 2018 and February 2019.

“We are receiving an average of 10 data breach notifications each day,” said Reijo Aarnio, director general of Finland’s data protection ombudsman. “We are seeing that larger companies have more resources than smaller ones to implement the GDPR. We are dealing with both very simple cases and very complex ones that encompass millions of subjects whose data has been breached.”

The ombudsman’s high-profile caseload includes an investigation into Nokia-branded phones produced under licence by Helsinki-based HMD Global. The regulator has received complaints that HMD’s Nokia 7 Plus model may have breached data rules after an unspecified number of devices sent data and data packages in an unencrypted format to a server in China.

HMD acknowledged the data dispatch “glitch” to a Chinese server. The company, which did not identify the server in question, attributed it to an error in the software packaging process and to “a single batch of one device model”. HMD has told the inspectorate that it does not share personal data with third parties, and that the issue with the Nokia 7 Plus was observed and resolved in February.

HMD, which was established by former Nokia managers and engineers, reached an agreement with Microsoft in 2016 to produce Nokia phones under licence for the Finnish and international markets. Microsoft acquired Nokia’s handset business in 2014.

Digital payments data probe

Another high-profile technology corporation is also the subject of a GDPR probe in Sweden. The country’s data protection authority is investigating suspected breaches of GDPR rules by Klarna, one of the fastest-growing Nordic digital payment systems providers. The investigation follows complaints from a number of Klarna customers concerned about possible misuse of their financial and personal information.

The regulator will seek to clarify whether Klarna failed to comply with its legal obligations in the processing, storage and potential third-party use of customers’ personal data, said Petra Lennhede, a senior lawyer on the authority’s legal team.

“Our review will cover multiple individuals,” said Lennhede. “It relates to a large amount of personal data. We have looked at the company’s data protection policy as part of the complaints received, and believe there is justification for us to examine how Klarna processes and handles personal data.”

Klarna described the regulator’s investigation as “a welcome development” in an evolving niche industry. The company said the digital payments sector can benefit from GDPR guidance and the provision of clearer guidelines on how the industry should work with personal data.

The investigation will also examine how Klarna uses private data across its geographic market reach, and how it routinely processes payment information on digital transactions. 

“We welcome the authority’s audit,” said Anna Mirsch Peiris, a senior lawyer at Klarna. “All handling of personal data is important, and it is also important that our customers feel confident in how we process and handle their information.”

Healthcare calls exposed

Sweden’s healthcare service, Vårdguiden 1177, is also the subject of a GDPR probe by the data protection authority after it was revealed that more than 2.7 million calls to its telephone hotline were accessible on an unprotected online server. The service links users seeking medical advice with professional medical personnel.

The investigation will also include Voice Integrate Nordic, a Sweden-based firm contracted to deliver and maintain the Vårdguiden 1177’s core audio network and systems.

Preliminary findings indicate that calls to the Vårdguiden 1177 hotline, totalling 170,000 hours of sensitive personal medical information, have been accessible to “external parties” since 2013. The regulator is investigating reports that the unprotected server lacked both password protection and auxiliary security measures, making calls accessible for anyone to download or listen to.

The healthcare service, including calls handled and recorded, was outsourced by Inera – a digital technology company controlled by Sweden’s regional municipalities and county councils – to Thailand-based MediCall in 2013.

“Under the GDPR, personal data must be protected so that unauthorised persons cannot gain access,” said the regulator’s case investigator, Suzanne Isberg. “Data cannot be disseminated without justification. When the subject matter is sensitive personal data relating to health, the requirements are particularly stringent.”

Read more on Privacy and data protection