Finland Extends GDPR Fines to Public Authorities – A Long-Awaited Shift in Enforcement
Finland is set to extend GDPR administrative fines to public-sector authorities, ending a long-standing exemption that has set the country apart from most of the European Union. The proposed amendment introduces financial accountability for public bodies, but does so with capped sanctions, targeted carve-outs and a proportionality test reflecting the particular character of public institutions.
Finland is preparing to close a long-standing gap in its data protection enforcement regime. In April 2026, the Government submitted to Parliament a proposal (HE 46/2026 vp) to amend the Finnish Data Protection Act (1050/2018) and the Act on the Processing of Personal Data in Criminal Matters and in Connection with the Maintenance of National Security (1054/2018), so that administrative fines under the GDPR may, for the first time, be imposed on public-sector controllers and processors. Previously, public authorities – including ministries, municipalities and other public-sector bodies – were shielded from such fines. The Data Protection Ombudsman could issue reprimands, orders and other corrective measures, but monetary penalties were simply not available against the public sector.
The proposal originates from a working group set up by the Ministry of Justice, whose draft bill was open for public consultation between 2 October 2025 and 13 November 2025. A total of 94 responses were submitted. Notably, the majority of respondents took a critical or outright negative position on the idea of extending administrative fines to public-sector actors. Despite this, the Government has continued with the project, which is expressly anchored in Prime Minister Orpo’s government programme and forms part of the broader comprehensive reform of Finnish data protection legislation now underway.
Background: The Original Exemption and Its Rationale
When Finland implemented the GDPR through the Data Protection Act of 2018, public-sector controllers were carved out of the administrative fines regime. The exemption was based on a national law option expressly preserved by the GDPR itself.
The justification for the original exemption was largely practical but also constitutional. Imposing fines on Finnish public authorities was seen, by many, as a circular exercise: a monetary penalty paid by a public body would, in effect, be a transfer of taxpayer funds within the state itself. The exemption also reflected a Finnish administrative law tradition that favours corrective and supervisory powers over punitive measures against public actors, on the view that political accountability, internal oversight and judicial review of administrative decisions provide the appropriate response to misconduct in the public sector.
Whatever its merits, the exemption created an obvious asymmetry. Private-sector controllers in Finland faced administrative fines of up to EUR 10 million or 2 % of total worldwide annual turnover for less serious infringements, and up to EUR 20 million or 4 % for the most serious ones. Public-sector controllers handling materially the same kinds of data – and frequently more sensitive categories, such as health, social welfare, or law enforcement data – faced no comparable financial exposure. Over time, this divergence became increasingly difficult to defend, both to data subjects and to private-sector controllers who saw themselves bearing the entire monetary burden of enforcement.
The New Amendment and Its Scope
Under the Government Bill, administrative fines may be imposed on public authorities and other public-sector controllers and processors for infringements of the data protection rules, subject to specific national limitations. The Government’s express objective is to strengthen the practical implementation of data protection and to harmonise the sanction regime as between the public and the private sectors. The substantive conditions for imposing a fine on a public-sector controller would be the same as those that apply in the private sector. What changes is the ceiling and the calibration of the fine, not the underlying logic.
The maximum amounts in the public-sector context are set markedly lower than those applicable to private entities. Under the proposed model, fines would be capped at EUR 500,000 for less serious infringements and EUR 1,000,000 for more serious ones. Crucially, the calculation does not rely on turnover – a metric that is largely meaningless for a ministry or a municipality – but is instead pegged to the size and financial position of the public-sector entity concerned. When determining the amount, the supervisory authority must satisfy itself that the fine is proportionate to the body’s scale and economic capacity, a calibration that explicitly mirrors language used in the Government Bill and the supporting Ministry of Justice communications.
Private organisations performing public administrative tasks under statute would, in turn, be treated like public-sector bodies for these purposes, with the same lower caps. The aim is to avoid an artificial gap between, for example, a municipality processing personal data in-house and a private service provider performing the same task as a delegated public function.
Carve-outs and Constitutional Considerations
The reform does not apply uniformly to all public actors. Courts, the offices of Parliament and other parliamentary institutions, and authorities responsible for national security are to remain outside the scope of administrative fines. The Government has framed these carve-outs primarily in constitutional terms, on the basis that imposing administrative penalties on such bodies would sit uneasily with the separation of powers and with the constitutionally protected functions of the courts and Parliament. Whether one finds that reasoning entirely satisfying or not, the effect is that the most sensitive functions of the state remain subject to corrective measures only.
A further, and arguably more interesting, carve-out concerns public sector transparency. Disclosures of personal data carried out under Finnish openness legislation – in particular the Act on the Openness of Government Activities – will not give rise to administrative fines. The stated purpose is to ensure that the new sanction regime does not chill the lawful disclosure of public documents, and thereby preserve the principle of openness that has long characterised Finnish public administration. This is a deliberate choice to draw the line so that data protection enforcement does not, in practice, work against another constitutional value of equal standing.
Enforcement Practice and Practical Implications
Even with the new tool in the supervisor’s hands, the Government has signalled that the practical use of public-sector fines is expected to be relatively rare and modest in amount. The Ministry of Justice has noted in its communications that fines are not expected to produce direct effects on state finances and that public-sector controllers are not being saddled with new substantive obligations – the existing GDPR obligations remain unchanged. What changes is the enforcement toolkit. Supervisory authorities are likely to continue relying primarily on reprimands, orders and other corrective measures in cases involving minor or first-time infringements, with administrative fines reserved for more serious or repeated violations.
For public-sector controllers, the reform has practical implications even before any fine is actually imposed. The mere availability of monetary sanctions will sharpen the incentives to ensure that data protection frameworks are robust in practice and not only on paper.
A Shift Towards Equal Treatment
Viewed in the wider European context, the reform brings Finland closer to the mainstream. The extension of administrative fines to the Finnish public sector represents a genuine shift in enforcement philosophy. While the model retains tailored safeguards – lower caps, proportionality to size and financial position, transparency-related carve-outs and constitutional exclusions – it reinforces the basic proposition that public authorities are subject to the same fundamental data protection obligations as private actors, and should bear comparable consequences for failing to meet them. For controllers in the Finnish public sector, the practical message is straightforward: data protection compliance is no longer only a matter of administrative supervision and political accountability, but is becoming, gradually, a question of financial exposure as well.
As mentioned earlier, the original exemption was partly justified through constitutional arguments. As of the publication of this article, the Government Bill has not yet been approved by Parliament, and it is not yet clear whether the Constitutional Law Committee will approve the Bill due to potential constitutional issues, despite the political will to extend the monetary penalties to the public sector.
Article provided by INPLP members: Daniel Stranius and Otto Lindholm (Dottir, Finland)
Dr. Tobias Höllwarth (Managing Director INPLP)
