The EU Regulation on harmonised rules on fair access to and use of data (the "Data Act") is set to revolutionize the access and use of data in the European Union. The Data Act entered into force in January 2024 and will become applicable in September 2025. On 20 December 2024, the Ministry of Transport and Communications in Finland published a draft government proposal for the implementation of the EU Data Act in Finland. The draft proposal was sent out for public consultation, and the deadline for comments is 31 January 2025.
Link to the draft government proposal may be foundhere.
An Overview ofthe Data Act and the Implementation Process in Finland
As highlighted in ourprevious article, the EU has adopted the Data Act in January 2024. The Data Act establishes a framework for the access and use of data generated within the European Union. Firstly, the Act governs how data generated by connected devices (especially IoT) and their related services can be accessed and used. It grants individuals and businesses using such connected devices and related services rights to the data generated through interactions with the devices. This shift places a responsibility on manufacturers and service providers to design their products and services with data accessibility in mind. It also demands that such manufacturers, service providers and other potential data holders will only use the device and service data once they have secured a permission from the users to collect and use that data.
In addition to empowering users, the Data Act also targets providers of data processing services, requiring them to facilitate seamless switching between providers. These obligations apply broadly to cloud-services such as SaaS, PaaS, and IaaS providers. In addition, the Data Act addresses data sharing between different parties, unfair contractual terms, data protection and interoperability for data flow.
The Data Act entered into force on 11 January 2024. The transitional period for the Data Act is currently ongoing, and Member States have the opportunity to adjust their national laws to ensure a smooth implementation of the Act once it comes into full effect. The Data Act will become directly applicable throughout the EU from 12 September 2025. However, it also requires that Member States supplement the Data Act with national rules concerning supervision, competent authorities and penalties.
In Finland, the process has made significant progress on 20 December 2024, as the Ministry of Transport and Communications published the draft government proposal for the implementation of the Data Act in Finland.
The Ministry of Transport and Communications is currently in the process of requesting comments on the draft government proposal. The consultation period will end on January 31, 2025, and it is currently estimated that the formal government proposal will be presented to Parliament on week 14. The Data Act is part of the EU data strategy and will majorly change the way data is accessed, shared and managed in Europe.
In Finland, the Data Act requires several national regulatory changes. The draft proposal introduces enacting one new act – the so-called 'Act on Data Management and Supervision'. This new piece of legislation would set forth the rules on competent authorities and penalties in Finland.
In addition, amendments to multiple existing national Finnish acts are proposed, such as the Act on the Enforcement of Fines, the Act on Electronic Communications Services and the Act on Certain Powers of the Consumer Protection Authorities.
Proposed Amendments to Finnish Legislation: What You Need to Know
Who Is in Charge of Supervision?
Finland will not establish a new competent authority to supervise compliance with the Data Act. Instead, and as expected by most, the government proposes assigning several existing authorities to oversee the Data Act. The principal competent authority will be the Finnish Transport and Communications Agency ("Traficom") which will also be assigned as the data coordinator.
In addition to Traficom, the Finnish Competition and Consumer Authority will have a strengthened role in handling disputes related to unfair contractual terms in data-sharing agreements. On the other hand, the Consumer Ombudsman will oversee specific consumer-related obligations, ensuring that businesses adhere to fair practices while dealing with individual users.
While the Data Protection Ombudsman is not designated as a supervisory authority under the Data Act, the draft proposal clarifies that any processing of personal data under the Data Act will fall under the Ombudsman's jurisdiction. The Data Protection Ombudsman is responsible for overseeing personal data infringements, with penalties being enforced based on the GDPR.
Roles defined for the competent authorities are listed in the table below.
Sanctions and Penalties
The range of sanctions under the Data Act extends from warnings to significant financial penalties. Supervisory authorities can also enforce compliance by imposing conditional fines, suspension orders, or other enforcement measures. The maximum financial penalty for serious violations is set at 4% of a company's annual European turnover. For individuals, the maximum fine is capped at 1,000 euros or 1% of their annual income, whichever is higher.
In addition, the legislator has chosen to exclude three situations in which fines would not be levied. These include:
- Minor infringements: If the breach of the obligation is considered minor or manifestly unreasonable.
- Ongoing criminal investigation: A fine cannot be imposed on a person who is suspected of the same act during a preliminary investigation, a prosecution or a criminal case pending before a court, or who has already been convicted of the same act by a final judgment.
- Time limits: A fine cannot be imposed if more than five years have elapsed since the offence was committed. In the case of continuous infringements, this time limit is calculated from the end of the infringement.
M&A Transactions
Under the GDPR, there has been lingering uncertainty about whether the risk of an administrative fine under the GDPR would pass to the acquirer in an M&A transaction. Surprisingly, the draft government proposal takes a position on this issue regarding penalties under the Data Act.
The proposal addresses cases where a Data Act infringement occurred within a business that has since been transferred to a new owner through acquisition or otherwise. In such cases, the new entity assuming the business operations may be held liable for the fine, ensuring greater clarity and accountability in these transactions.
What's next?
The deadline for submitting feedback on the draft government proposal is set for 31 January 2025. The new legislation on data management and oversight is expected to come into effect on 12 September 2025, aligning with the implementation of most provisions of the Data Act on the same day. With the deadline fast approaching, taking immediate action to ensure compliance is no longer optional—if you have not already done so, now is the time to act.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
