
Finland Extends GDPR Fines to Public Authorities – A Long-Awaited Shift in Enforcement


Finland is set to extend GDPR administrative fines to public-sector authorities, ending a long-standing exemption that has set the country apart from most of the European Union. The proposed amendment introduces financial accountability for public bodies, but does so with capped sanctions, targeted carve-outs and a proportionality test reflecting the particular character of public institutions.

Finland is preparing to close a long-standing gap in its data protection enforcement regime. In April 2026, the Government submitted to Parliament a proposal (HE 46/2026 vp) to amend the Finnish Data Protection Act (1050/2018) and the Act on the Processing of Personal Data in Criminal Matters and in Connection with the Maintenance of National Security (1054/2018), so that administrative fines under the GDPR may, for the first time, be imposed on public-sector controllers and processors. Previously, public authorities – including ministries, municipalities and other public-sector bodies – were shielded from such fines. The Data Protection Ombudsman could issue reprimands, orders and other corrective measures, but monetary penalties were simply not available against the public sector.

The proposal originates from a working group set up by the Ministry of Justice, whose draft bill was open for public consultation between 2 October 2025 and 13 November 2025. A total of 94 responses were submitted. Notably, the majority of respondents took a critical or outright negative position on the idea of extending administrative fines to public-sector actors. Despite this, the Government has continued with the project, which is expressly anchored in Prime Minister Orpo’s government programme and forms part of the broader comprehensive reform of Finnish data protection legislation now underway.


Background: The Original Exemption and Its Rationale

When Finland implemented the GDPR through the Data Protection Act of 2018, public-sector controllers were carved out of the administrative fines regime. The exemption was based on a national law option expressly preserved by the GDPR itself.

The justification for the original exemption was largely practical but also constitutional. Imposing fines on Finnish public authorities was seen, by many, as a circular exercise: a monetary penalty paid by a public body would, in effect, be a transfer of taxpayer funds within the state itself. The exemption also reflected a Finnish administrative law tradition that favours corrective and supervisory powers over punitive measures against public actors, on the view that political accountability, internal oversight and judicial review of administrative decisions provide the appropriate response to misconduct in the public sector.

Whatever its merits, the exemption created an obvious asymmetry. Private-sector controllers in Finland faced administrative fines of up to EUR 10 million or 2 % of total worldwide annual turnover for less serious infringements, and up to EUR 20 million or 4 % for the most serious ones. Public-sector controllers handling materially the same kinds of data – and frequently more sensitive categories, such as health, social welfare, or law enforcement data – faced no comparable financial exposure. Over time, this divergence became increasingly difficult to defend, both to data subjects and to private-sector controllers who saw themselves bearing the entire monetary burden of enforcement.


The New Amendment and Its Scope

Under the Government Bill, administrative fines may be imposed on public authorities and other public-sector controllers and processors for infringements of the data protection rules, subject to specific national limitations. The Government’s express objective is to strengthen the practical implementation of data protection and to harmonise the sanction regime as between the public and the private sectors. The substantive conditions for imposing a fine on a public-sector controller would be the same as those that apply in the private sector. What changes is the ceiling and the calibration of the fine, not the underlying logic.

The maximum amounts in the public-sector context are set markedly lower than those applicable to private entities. Under the proposed model, fines would be capped at EUR 500,000 for less serious infringements and EUR 1,000,000 for more serious ones. Crucially, the calculation does not rely on turnover – a metric that is largely meaningless for a ministry or a municipality – but is instead pegged to the size and financial position of the public-sector entity concerned. When determining the amount, the supervisory authority must satisfy itself that the fine is proportionate to the body’s scale and economic capacity, a calibration that explicitly mirrors language used in the Government Bill and the supporting Ministry of Justice communications.

Private organisations performing public administrative tasks under statute would, in turn, be treated like public-sector bodies for these purposes, with the same lower caps. The aim is to avoid an artificial gap between, for example, a municipality processing personal data in-house and a private service provider performing the same task as a delegated public function.


Carve-outs and Constitutional Considerations

The reform does not apply uniformly to all public actors. Courts, the offices of Parliament and other parliamentary institutions, and authorities responsible for national security are to remain outside the scope of administrative fines. The Government has framed these carve-outs primarily in constitutional terms, on the basis that imposing administrative penalties on such bodies would sit uneasily with the separation of powers and with the constitutionally protected functions of the courts and Parliament. Whether one finds that reasoning entirely satisfying or not, the effect is that the most sensitive functions of the state remain subject to corrective measures only.

A further, and arguably more interesting, carve-out concerns public-sector transparency. Disclosures of personal data carried out under Finnish openness legislation – in particular the Act on the Openness of Government Activities – will not give rise to administrative fines. The stated purpose is to ensure that the new sanction regime does not chill the lawful disclosure of public documents, and thereby to preserve the principle of openness that has long characterised Finnish public administration. This is a deliberate choice to draw the line so that data protection enforcement does not, in practice, work against another constitutional value of equal standing.


Enforcement Practice and Practical Implications

Even with the new tool in the supervisor’s hands, the Government has signalled that the practical use of public-sector fines is expected to be relatively rare and modest in amount. The Ministry of Justice has noted in its communications that fines are not expected to produce direct effects on the state finances and that public-sector controllers are not being saddled with new substantive obligations – the existing GDPR obligations remain unchanged. What changes is the enforcement toolkit. Supervisory authorities are likely to continue relying primarily on reprimands, orders and other corrective measures in cases involving minor or first-time infringements, with administrative fines reserved for more serious or repeated violations.

For public-sector controllers, the reform has practical implications even before any fine is actually imposed. The mere availability of monetary sanctions will sharpen the incentives to ensure that data protection frameworks are robust in practice and not only on paper.


A Shift Towards Equal Treatment

Viewed in the wider European context, the reform brings Finland closer to the mainstream. The extension of administrative fines to the Finnish public sector represents a genuine shift in enforcement philosophy. While the model retains tailored safeguards – lower caps, proportionality to size and financial position, transparency-related carve-outs and constitutional exclusions – it reinforces the basic proposition that public authorities are subject to the same fundamental data protection obligations as private actors, and should bear comparable consequences for failing to meet them. For controllers in the Finnish public sector, the practical message is straightforward: data protection compliance is no longer only a matter of administrative supervision and political accountability, but is becoming, gradually, a question of financial exposure as well.

As mentioned earlier, the original exemption was partly justified on constitutional grounds. As of the publication of this article, the Government Bill has not yet been approved by Parliament, and it is not yet clear whether the Constitutional Law Committee will approve the Bill, given the potential constitutional issues, despite the political will to extend monetary penalties to the public sector.


Article provided by INPLP members: Daniel Stranius and Otto Lindholm (Dottir, Finland)
