KHO - KHO:2024:115
| Korkein hallinto-oikeus (Finland) - KHO:2024:115 | |
|---|---|
| Court: | Korkein hallinto-oikeus (Finland) |
| Jurisdiction: | Finland |
| Relevant Law: | Article 2(2)(a) GDPR; Article 33 GDPR; Article 33(1) GDPR; Article 34 GDPR; Article 34(1) GDPR; Section 2 Data Protection Act; Section 24 Act on the Openness of Government Activities |
| Decided: | 31.10.2024 |
| Published: | |
| Parties: | Ministry of Foreign Affairs |
| National Case Number/Name: | KHO:2024:115 |
| European Case Law Identifier: | |
| Appeal from: | HELSINGIN HALLINTO-OIKEUS 7408/2023 |
| Appeal to: | Unknown |
| Original Language(s): | Finnish |
| Original Source: | Korkein hallinto-oikeus (in Finnish) |
| Initial Contributor: | elu |
The Supreme Administrative Court held that the Finnish Ministry for Foreign Affairs failed to notify the Data Protection Ombudsman without undue delay about a data breach related to spyware found on Finnish diplomats' phones.
English Summary
Facts
On 24 January 2022, the Ministry for Foreign Affairs, the controller, notified the Data Protection Ombudsman of a data breach as per Article 33 GDPR. The data breach concerned spyware that had been installed on Finnish diplomats' phones and that allowed the exploitation of information stored on the phones.
Four months later, the Data Protection Ombudsman decided that the controller had not complied with the 72-hour notification time limit under Article 33(1) GDPR and had not provided a reasoned explanation for the delay. Moreover, the controller had not complied with Article 34 GDPR because the notification to the data subjects was improper (only oral and during a press release). The controller appealed the Data Protection Ombudsman's decision.
The Administrative Court held that the personal data breach in this case posed a high risk to the rights and freedoms of individuals within the meaning of Article 34(1) GDPR.
While the controller did notify the data subjects of the breach via a press release, the Court found that the controller did not notify the affected parties of the infringement without undue delay. Two main reasons were given: the gravity and seriousness of the impact on data subjects, and the fact that Finland had not enacted any national law limiting the scope of application of Articles 33 and 34 GDPR on national security grounds.
The controller appealed the decisions of the Administrative Court to the Supreme Administrative Court.
Holding
In its decision, the Supreme Administrative Court elaborated on three main points:
1. The GDPR is not applicable for foreign and security policy matters.
In this regard, the Court noted that, even though the GDPR expressly excludes from its scope the processing of personal data relating to national security and the common Union foreign and security policy, Section 2(1) of the Finnish Data Protection Act nationally extends the scope of the GDPR in Finland to the processing of personal data carried out in connection with the activities referred to in Article 2(2)(a) and (b) GDPR, which in this case would be a national security matter.
The scope of the GDPR has not, however, been extended nationally in a way tailored to the reporting obligations. National law is the relevant basis for information that is subject to confidentiality, at least until the "threat to national security or foreign policy related to the disclosure of the information has subsided". Since national law contains no equivalent provision, the question is whether Articles 33 and 34 GDPR apply in the present case with the legal effects of EU law or as national law.
The Supreme Administrative Court therefore considered that Articles 33 and 34 GDPR apply in the present case in the way national law applies, and that their application must take full account of other national laws, such as the provisions of the Finnish Publicity Act.
2. Delay of a notification to a supervisory authority under Article 33 of the GDPR
The Supreme Administrative Court agreed with the Administrative Court that, given the high risk to the rights and freedoms of natural persons, the controller should have notified the data breach without undue delay and thus that Article 33 GDPR was violated.
3. Delay of a notification to the data subject referred to in Article 34 of the GDPR
The Supreme Administrative Court considered that information on cyber espionage against the controller may be kept secret under Section 24(1), paragraphs 2, 7 and/or 9 of the Finnish Publicity Act. The substantive requirements for the notice to the data subject under Article 34(2) GDPR mean that confidential information may have to be included in the notification. The confidentiality provisions of the Publicity Act must be regarded as lex specialis in relation to the notification obligation under the nationally applicable law. Taking into account the interests of Finland's international relations and the security of the State, the controller was deemed to have reported the data breach in accordance with Article 34(1) GDPR, and no violation of Article 34 GDPR occurred.
Comment
In Finland, the Office of the Data Protection Ombudsman functions as the supervisory authority. Personal data breaches must be reported to the Office of the Data Protection Ombudsman without undue delay and, where feasible, not later than 72 hours after the controller has become aware of the personal data breach.
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
Finnish diplomats had been targeted by cyber espionage using spyware that could be introduced onto the user's phone without the user noticing and without any action by the user. The spyware may have enabled very extensive exploitation of the information on the phone and of its features.

The question to be resolved was whether the controller, the Ministry for Foreign Affairs, had notified the Data Protection Ombudsman and the data subjects of the personal data breach resulting from the cyber espionage carried out with spyware within the time limits laid down in Articles 33 and 34 of the General Data Protection Regulation.

The Supreme Administrative Court held, first, that in the present case, which is connected to national security and foreign policy, the General Data Protection Regulation applied on the basis of Section 2(1) of the Data Protection Act. However, taking into account that Union law expressly provides that activities relating to national security and to the common foreign and security policy fall outside the scope of the General Data Protection Regulation, and that Section 2(1) of the Data Protection Act also reserves to the national legislator the power to narrow the national extension of the Regulation's scope, Articles 33 and 34 of the General Data Protection Regulation applied in the present case in the way national legislation is applied. The said Articles therefore did not have the legal effects of Union law, such as primacy over national legislation. It followed that, when applying the Articles, other national legislation, such as the provisions of the Act on the Openness of Government Activities (the Publicity Act), also had to be taken fully into account.

As regards Article 33, which concerns the notification to the Data Protection Ombudsman, the Supreme Administrative Court referred to the provisions of the Data Protection Act and the Publicity Act on the disclosure and receipt of confidential information and held that the inclusion of confidential information in the notification to the supervisory authority was irrelevant to assessing whether the controller had complied with the statutory time limits when notifying the Ombudsman of the breach. The notification had been delayed, and there was no indication of a justified reason for the delay within the meaning of Article 33 of the General Data Protection Regulation.

As regards Article 34, which concerns the notification to the data subject, the Supreme Administrative Court held that the secrecy provisions of the Publicity Act had to be regarded as special provisions in relation to the notification obligation laid down in the Data Protection Regulation. When assessing the timing of the notification referred to in that Article, the controller had to take into account whether giving the notification would at the same time mean disclosing confidential information to the data subjects. Taking into account the interests relating to Finland's international relations and the security of the State, which are protected by Section 24(1), points 2, 7 and 9 of the Publicity Act, the Ministry for Foreign Affairs could be deemed to have notified the personal data breach, without undue delay as required by Article 34(1) of the General Data Protection Regulation, to those data subjects whose data had been contained in a phone onto which the spyware had been introduced.

Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Article 2(2)(a) and (b), Article 4(12), Article 33(1), (2), (3) and (4), Article 34 and Article 58(2)(b)
Data Protection Act, Section 1, Section 2(1) and (3), Section 8(1) and Section 18(1)
Act on the Openness of Government Activities (Publicity Act), Section 24(1), points 2, 7 and 9, and Section 29(1), point 1

Decision under appeal
Helsinki Administrative Court, 18.12.2023, No 7408/2023

Decision of the Supreme Administrative Court
The Supreme Administrative Court grants the Ministry for Foreign Affairs leave to appeal and examines the case.
1. The appeal is rejected in so far as it concerns the administrative court's decision to reject the Ministry of Foreign Affairs' appeal against the decision of the Deputy Data Protection Commissioner, in so far as the latter decision concerns the delay in the notification to the supervisory authority referred to in Article 33 of the General Data Protection Regulation and the notice given about this delay. The outcome of the administrative court's decision will not be changed in this respect.
2. The decisions of the Administrative Court and the Deputy Data Protection Commissioner are annulled to the extent that they concern the delay in the notification to the data subject referred to in Article 34 of the General Data Protection Regulation and the notice given about this delay.

Background of the case

(1) On 24 January 2022, the Ministry of Foreign Affairs submitted to the Data Protection Commissioner the notification referred to in Article 33 of the General Data Protection Regulation about a security breach of personal data. According to the notification, online espionage had been targeted at Finnish diplomats with NSO Group's Pegasus spyware, which was able to be introduced onto the user's phone without the user noticing and without the user's intervention. The spyware was able to enable very extensive exploitation of the information on the phone and of its features. According to the notification, the Ministry investigated the case in question, concerning Finnish staff posted abroad, together with various authorities and stakeholders during the fall of 2021 and the winter of 2022.

(2) On March 16, 2022, the Ministry of Foreign Affairs gave the Data Protection Commissioner a report on the dates of making the notifications referred to in Articles 33 and 34 of the General Data Protection Regulation.

(3) The Deputy Data Protection Commissioner, in its decision of March 23, 2022, considered that the data controller, the Ministry of Foreign Affairs, has not complied with the 72-hour time limit for notification to the supervisory authority in accordance with Article 33, paragraph 1 of the General Data Protection Regulation, and has not provided a reasoned explanation as referred to in the said article for the lateness of the notification to the supervisory authority of a data security breach of personal data.
Furthermore, the decision considers that the data controller has not complied with Article 34, paragraph 1 of the General Data Protection Regulation, according to which the data controller must notify the data subject of a data security breach without undue delay. Since the Ministry of Foreign Affairs has not complied with Articles 33 and 34 of the General Data Protection Regulation in its operations, the Deputy Data Protection Commissioner has given the Ministry a notice in accordance with Article 58, paragraph 2, subparagraph b of the General Data Protection Regulation.

(4) The Helsinki Administrative Court, in its decision subject to appeal, after organizing an oral hearing in the case, rejected the Ministry of Foreign Affairs' appeal against the decision of the Deputy Data Protection Commissioner. The reasons for the Administrative Court's decision include, among other things, the following:

Application of the General Data Protection Regulation

(5) The Administrative Court states that the General Data Protection Regulation does not, in principle, apply to the processing of personal data relating to national foreign and security policy. Section 2, subsection 1 of the Data Protection Act has, however, expanded the application of the General Data Protection Regulation so that the regulation also applies to the processing of personal data that falls outside the application of the regulation based on Article 2, paragraph 2, subparagraph a of the regulation. According to the preparatory works of the Data Protection Act, the above-mentioned expansion of the scope of the General Data Protection Regulation would not apply to situations where, in a matter falling outside the scope of Union legislation, national law would have provided otherwise.

(6) The Administrative Court considers that, since the scope of the General Data Protection Regulation has been expanded nationally, Finland could, without Union law preventing it, provide in national legislation that the data breach reporting obligations and deadlines of Articles 33 and 34 of the General Data Protection Regulation do not apply to the processing of personal data relating to national foreign and security policy and national security. In Finland, however, no such deviation has been enacted. Therefore, the Administrative Court considers that the General Data Protection Regulation is applied in the case based on Section 2, subsection 1 of the Data Protection Act, and Articles 33 and 34 of the regulation will thus also be applicable in this case as such. The legislator's intention must be evident from the law and the law preparation material, and the preparation material of the Data Protection Act does not contain aspects related to national security or reservations regarding the extension of the scope of the General Data Protection Regulation beyond its actual scope. The Administrative Court therefore considers that the aspects presented in the appeal, counter-explanation and oral hearing, related to the Criminal Matters Data Protection Act, among other things, cannot be used as an interpretation aid in assessing the legislator's intention regarding the extent to which the General Data Protection Regulation applies or does not apply to matters related to national foreign and security policy.

Notification of a data security breach to data subjects

(7) The Administrative Court considers that the data security breach of personal data in question, which has targeted mobile devices used by Finland's missions abroad, is likely to cause a high risk to the rights and freedoms of natural persons, as referred to in Article 34, paragraph 1 of the General Data Protection Regulation. The Ministry of Foreign Affairs has personally notified the target person who was the subject of online espionage, the close circle of this person and the employees of the mission about the data security breach, as it presented in more detail in the oral hearing.

(8) In the case of an attack on people's mobile devices, the spyware in question may also have processed the data of other people mentioned in the data content of the device. Based on the report received, such persons have not been personally notified of the incident, but the Ministry of Foreign Affairs published a bulletin on the matter on its website on January 28, 2022.

(9) The Deputy Data Protection Commissioner has deemed that the Ministry of Foreign Affairs has not complied with Article 34, paragraph 1 of the General Data Protection Regulation, according to which the data controller must notify the data subject of a data security breach without undue delay. In his statement, the Deputy Data Protection Commissioner has pointed out that according to the oral report received by the Data Protection Commissioner from the Ministry of Foreign Affairs and the notification of a data security breach, as well as the announcement on the website of the Ministry of Foreign Affairs, the breach had already taken place during 2021. According to the statement, the time between receiving information about the data breach and the notification to the data subjects can be considered too long, especially considering the nature of the malware that caused the data breach and the status of the data subjects as officials of the Ministry of Foreign Affairs working abroad.
(10) The Administrative Court considers, on the basis of the report received, that the Ministry of Foreign Affairs, after obtaining sufficient assurance of a data security breach, has notified the data subjects whose mobile devices have been targeted by online espionage in the manner referred to in Article 34, paragraph 1 of the regulation, without undue delay. Notification of a data security breach to all data subjects mentioned in the data content of the mobile devices must be deemed to have taken place with the announcement published on the website of the Ministry of Foreign Affairs on January 28, 2022. However, based on the report obtained in the case, the Ministry of Foreign Affairs had sufficient certainty about the data security breach clearly before this time. Taking into account the nature of the data breach and the seriousness of the possible effects on data subjects, as well as the actions taken by the Ministry of Foreign Affairs on the one hand, and the fact that in Finland there are no restrictions of the kind permitted in Article 23 of the General Data Protection Regulation on the application of Article 34 on the basis of guaranteeing national security, the Administrative Court considers that the Ministry of Foreign Affairs has not notified the latter parties of the infringement without undue delay.

Note

(11) According to Article 58(2)(b) of the General Data Protection Regulation, each supervisory authority has the authority to issue a notice to the controller or personal data processor if the processing operations have been in violation of the provisions of this regulation.

(12) The Administrative Court finds that the Ministry of Foreign Affairs has not notified the data security breach as required by Article 33, paragraph 1 of the General Data Protection Regulation within 72 hours to the supervisory authority, i.e. the Data Protection Commissioner, and has also not presented an explanation on the basis of which the step-by-step notification allowed in the article would not have been possible. The notification was made only on January 24, 2022. The Administrative Court has also, as stated above, considered that not all data subjects have been notified of the data security breach within the time limit required by Article 34 of the General Data Protection Regulation. Consequently, the Administrative Court considers that the Deputy Data Protection Commissioner has had grounds to issue a notice to the Ministry of Foreign Affairs in accordance with Article 58, paragraph 2, subparagraph b of the regulation due to the violation of Articles 33 and 34.

The matter has been resolved by members of the Administrative Court Marja Viima, Anna-Kristiina Karikko and Nina Tuominen, who also presented the case.

Claims and explanations in the Supreme Administrative Court

(13) The Ministry of Foreign Affairs has requested permission to appeal the Administrative Court's decision, and has demanded in its appeal that the decisions of the Administrative Court and the Deputy Data Protection Commissioner be annulled in their entirety or at least in the parts concerning the alleged procedure contrary to Article 34 of the General Data Protection Regulation. Among other things, the following has been presented in support of the demands:

(14) The Ministry of Foreign Affairs has been given a notice about the neglect of notification obligations regarding a data security breach, even though the General Data Protection Regulation is not directly applicable to foreign and security policy. In this case, the notification obligations according to Articles 33 and 34 of the regulation are also not applicable to the situation at hand.

(15) The scope of the General Data Protection Regulation has also not been expanded nationally in such a way that the notification obligations would apply on this basis.
Section 2, subsection 3 of the Data Protection Act firstly provides for an exception to the scope extension according to subsection 1. In addition, Section 24, subsection 1, points 1, 2, 7 and 9 of the Freedom of Information Act are the kind of special legislation that takes priority in relation to the extension in Section 2 of the Data Protection Act, which was made as a general law. At least the national extension of Section 2 of the Data Protection Act, the exception to it according to subsection 3 of said section, and the secrecy provisions of the Publicity Act form a whole that must be interpreted together and uniformly. In the current situation, the information is subject to secrecy at least until the threat to the management of national security or foreign policy related to the disclosure of the information recedes, for example with the passage of time and/or the expiration of the information.

(16) The Ministry admits that it has not made the official notification in accordance with Article 33 of the General Data Protection Regulation within the 72-hour deadline required by the law. With regard to the notice concerning the official notification, the matter is thus decided according to whether Article 33 of the regulation is applicable at all.

(17) However, the situation is not the same with regard to the notification to data subjects referred to in Article 34 of the General Data Protection Regulation. First of all, the information security breach became known to the persons who were its immediate target immediately after the Ministry received information about it. Second, in so far as other persons mentioned in some way on the device subject to the breach are also considered to be data subjects of the data security breach, the Ministry informed about the situation on its website on January 28, 2022.

(18) The term "without undue delay" in Article 34 of the General Data Protection Regulation is open to interpretation and allows interpretations based on the situation and a weighing of interests. If the article is considered to be applicable, it would be of the utmost importance that the Ministry of Foreign Affairs be left with sufficient room for variation in the scheduling of public announcements. Public information in itself endangers Finland's foreign and security policy interests, since a hostile state can easily determine which of its espionage attempts have been detected and which have not. This, in turn, would allow a hostile state to target its espionage in a way that is against Finland's interests. The reference to "unwarranted delay" in Article 34 of the regulation must be interpreted as meaning that the interim period between the espionage case and the public information about it, necessary to protect the foreign and security policy interests of the Finnish state, is not "unwarranted". The Ministry must therefore be considered to have acted within the framework allowed by Article 34 of the regulation.

(19) The Deputy Data Protection Commissioner has stated in his statement that the scope of the General Data Protection Regulation is not limited in Section 2, subsection 1 of the Data Protection Act in such a way that the national regulations on confidentiality could take precedence over the provisions of the regulation. The Data Protection Act has provided for the extension of the scope of the General Data Protection Regulation without exceptions, so the regulation as such is fully applicable to the activities of the data controller.

(20) In its response, the Ministry of Foreign Affairs has stated that the Data Protection Regulation is applicable in the present case at most as national law, not as Union law.
Reasons for the decision of the Supreme Administrative Court

Question formulation

(21) The issue to be resolved is whether the Ministry of Foreign Affairs, the data controller, has notified the supervisory authority and the data subjects of the data security breach of personal data caused by online espionage carried out with spyware in accordance with the time limits stipulated in Articles 33 and 34 of the General Data Protection Regulation.

(22) When the question is the application of the mentioned articles in an area of application which does not actually fall within the EU-law scope of the General Data Protection Regulation, the matter must first take a position on the question of whether the mentioned articles are applied in this situation like Union law in general or like national legislation.

(23) Namely, if the mentioned articles are applied fully like Union law in general, the legal effects of Union law and the applicable general legal principles, such as the principle of primacy, will also apply. If, on the other hand, the General Data Protection Regulation is applied with a nationally extended scope like national legislation, it will be fully evaluated, among other things, what importance should be given to the Publicity Act and especially its provisions on confidentiality in relation to the obligation to notify data security breaches stipulated in the Data Protection Regulation and the relevant deadlines. This question is related to the examination of both the possible delay of the notification to the supervisory authority referred to in Article 33 and the possible delay of the notification to the data subject referred to in Article 34.

Applicable legal guidelines

General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in the processing of personal data and on the free movement of this data and the repeal of Directive 95/46/EC)

(24) According to Article 2, paragraph 2 of the General Data Protection Regulation, this regulation does not apply to the processing of personal data, a) which is carried out in connection with an activity that does not fall within the scope of Union legislation; b) which is carried out by member states when carrying out an activity that falls within the scope of Chapter 2 of Title V of the EU Treaty; (---).

(25) According to recital 16 of the preamble of the General Data Protection Regulation, this regulation does not apply to the protection of fundamental rights and freedoms or to the free movement of personal data in matters that do not fall within the scope of Union law, such as national security measures. This regulation does not apply to the processing of personal data in the member states when they implement actions related to the Union's common foreign and security policy.

(26) According to Article 4, paragraph 12 of the General Data Protection Regulation, in this regulation 'personal data security breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

(27) According to Article 33, paragraph 1 of the General Data Protection Regulation, if a data security breach of personal data occurs, the controller must report it without undue delay and, if possible, within 72 hours of its discovery to the competent supervisory authority in accordance with Article 55, unless the data security breach of personal data is unlikely to cause a risk to the rights and freedoms of natural persons. If the notification is not given within 72 hours, the controller must provide the supervisory authority with a reasoned explanation. According to paragraph 2 of the article, the processor of personal data must notify the data controller of a data security breach of personal data without undue delay after becoming aware of it. According to paragraph 3 of the article, the notification referred to in paragraph 1 above must at least a) describe the data security breach of personal data, including, if possible, the groups and estimated numbers of the data subjects concerned and the groups and estimated numbers of types of personal data; b) indicate the name and contact information of the data protection officer or another point of contact from which additional information can be obtained; c) describe the likely consequences of a personal data security breach; d) describe the measures that the data controller has proposed or implemented as a result of a personal data security breach, including, if necessary, measures to mitigate possible adverse effects. According to paragraph 4 of the article, if and to the extent that it is not possible to deliver the data simultaneously, the data can be delivered in stages without undue delay.

(28) According to recital 85 of the preamble of the General Data Protection Regulation, if a security breach of personal data is not dealt with sufficiently effectively and quickly, natural persons may suffer physical, material or immaterial damage, such as loss of control over their own personal data or restriction of their own rights, discrimination, identity theft or fraud, financial losses, unauthorized reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data subject to confidentiality or other significant financial or social damage.
Therefore, the controller should notify the supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification cannot be made within 72 hours, it should be accompanied by the reasons for the delay, and the information may be provided in phases without undue further delay.

(29) According to Article 34(1) of the General Data Protection Regulation, when a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the breach to the data subject without undue delay. According to Article 34(2), the communication to the data subject must describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in Article 33(3)(b), (c) and (d).

According to Article 34(3), the communication to the data subject is not required if any of the following conditions is met: (a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the breach, in particular measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption; (b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise; (c) it would involve disproportionate effort, in which case there must instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner. According to Article 34(4), if the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the breach resulting in a high risk, may require it to do so or may decide that one of the conditions in paragraph 3 is met.

(30) According to recital 86 of the General Data Protection Regulation, the controller should communicate a personal data breach to the data subject without undue delay when the breach is likely to result in a high risk to the rights and freedoms of the natural person, so that the data subject can take the necessary precautions. The communication should describe the nature of the personal data breach and make recommendations on how the natural person concerned can mitigate its potential adverse effects. Such communication should be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities, such as law enforcement authorities. For example, the need to mitigate an immediate risk of damage calls for prompt communication with data subjects, whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify a longer delay.

(31) According to recital 87 of the General Data Protection Regulation, it should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform the supervisory authority and the data subject promptly. Whether the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention by the supervisory authority in accordance with its tasks and powers laid down in the Regulation.

(32) According to Article 58(2) of the General Data Protection Regulation, each supervisory authority has all of the following corrective powers: (---) (b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of the Regulation; (---).
Data Protection Act

(33) According to section 1 of the Data Protection Act, the Act specifies and supplements Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter the Data Protection Regulation, and its national application.

(34) According to section 2, subsection 1 of the Data Protection Act, the Act applies in accordance with the scope of Article 2 of the Data Protection Regulation. The Act and the Data Protection Regulation, with the exception of Article 56 and Chapter VII of the Regulation, also apply to the processing of personal data carried out in the context of the activities referred to in Article 2(2)(a) and (b) of the Regulation, unless otherwise provided elsewhere in law. According to subsection 3, the Act does not apply to the processing of personal data governed by the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security.

(35) According to section 8, subsection 1 of the Data Protection Act, the Data Protection Ombudsman, operating in connection with the Ministry of Justice, is the national supervisory authority referred to in the Data Protection Regulation.

(36) According to section 18, subsection 1 of the Data Protection Act, in addition to what is provided in Article 58(1) of the Data Protection Regulation on the supervisory authority's access to information and right of inspection, the Data Protection Ombudsman has the right, notwithstanding secrecy provisions, to obtain free of charge the information necessary for the performance of his or her duties.
Act on the Openness of Government Activities (Publicity Act)

(37) According to section 24, subsection 1 of the Publicity Act, the following official documents are secret unless otherwise specifically provided: (---) 2) documents other than those referred to in paragraph 1 concerning Finland's relations with another state or an international organisation, documents relating to a matter pending before an international judicial or investigative body or other international institution, and documents concerning the relations of the Finnish State, Finnish citizens, persons residing in Finland or entities operating in Finland with the authorities, persons or entities of another state, if disclosure would cause damage or harm to Finland's international relations or its ability to participate in international cooperation; (---) 7) documents concerning security arrangements for persons, buildings, institutions, structures and information and communication systems, and documents affecting the implementation of those arrangements, unless it is obvious that disclosure would not compromise the purpose of the security arrangements; (---).

(38) According to section 29, subsection 1, paragraph 1 of the Publicity Act, an authority may disclose information from a secret document to another authority if the disclosure of the information or the right to receive it is specifically provided for by law.
Legal assessment and conclusions

Application of the General Data Protection Regulation and the significance of the provisions of the Publicity Act

(39) According to Article 2(2)(a) of the General Data Protection Regulation, the Regulation does not apply to the processing of personal data in the course of an activity which falls outside the scope of Union law, and according to Article 2(2)(b), it does not apply to processing carried out by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU. Processing of personal data relating to, for example, national security and the Union's common foreign and security policy therefore falls outside the scope of the Regulation.

(40) Section 2, subsection 1 of the Data Protection Act has, however, extended the scope of the General Data Protection Regulation in Finland to the processing of personal data carried out in the context of the activities referred to in Article 2(2)(a) and (b) of the Regulation, unless otherwise provided elsewhere in law. In the present case, which concerns the notification of a personal data breach connected with national security and foreign policy, the General Data Protection Regulation therefore applies unless otherwise provided by law.

(41) Union law would not have precluded implementing the national extension of the scope of the General Data Protection Regulation in such a way that the provisions of Articles 33 and 34 of the Regulation on notifying a personal data breach do not apply in contexts relating to national security and foreign policy. However, no such provision is made in the Data Protection Act, nor does it follow from the provisions of the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security that the aforementioned articles of the General Data Protection Regulation would not apply in the case at hand.

(42) It must next be assessed whether Articles 33 and 34 apply in the present case with the legal effects of Union law or as national legislation. The legal effects of Union law include, among other things, primacy over national legislation in the event of conflict.

(43) First, it can be noted that the General Data Protection Regulation excludes the processing of personal data relating to national security and the Union's common foreign and security policy from its scope by an express provision. The extension of the Regulation's scope has thus been implemented by a national legislative act which nothing in the Regulation requires.

(44) The aforementioned legislative act, section 2, subsection 1 of the Data Protection Act, has also reserved to the national legislature the power to narrow the national extension of the scope of the General Data Protection Regulation, because the subsection expressly refers to the possibility of providing otherwise by law.

(45) The possibility of different provision shows that the scope of the General Data Protection Regulation has not been extended nationally "directly and unconditionally". In this respect it can be noted that in its case law (such as the judgment of 13 March 2019 in case C-635/17, E.) the Court of Justice of the European Union has considered itself competent to rule on a request for a preliminary ruling in cases where, even though the facts of the main proceedings do not fall directly within the scope of Union law, provisions of Union law are made applicable by national law through a reference to their content. The condition has, however, been that the Union provision is made applicable to the situation in question by national law "directly and unconditionally". Conversely, where a provision of Union law expressly excludes certain cases from its scope and the national scope of that provision has not been extended to that area "directly and unconditionally", the Court of Justice has held that the Union has no interest in ensuring the uniform interpretation of that provision (see judgment of 18 October 2012 in case C-583/10, Nolan).

(46) On the basis of the above, the Supreme Administrative Court considers that Articles 33 and 34 of the General Data Protection Regulation are applicable in the case at hand in the same way as national legislation is applied. In this purely national sphere of application, the articles therefore do not have the legal effects of Union law, such as primacy over national legislation.

(47) It follows that, when applying those articles, other national legislation, such as the provisions of the Publicity Act, must be fully taken into account.

The delay in the notification to the supervisory authority referred to in Article 33 of the General Data Protection Regulation and the reprimand issued for that delay

(48) The personal data breach caused by cyber espionage carried out with spyware can be assessed as having posed a risk to the rights and freedoms of natural persons.
According to Article 33(1) of the General Data Protection Regulation, the controller must notify such a personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. Where the notification is not made within 72 hours, the controller must, under the same provision, provide the supervisory authority with the reasons for the delay. According to Article 33(4), where and in so far as it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

(49) According to section 29, subsection 1, paragraph 1 of the Publicity Act, an authority may disclose information from a secret document to another authority if the disclosure of the information or the right to receive it is specifically provided for by law. According to section 18, subsection 1 of the Data Protection Act, the Data Protection Ombudsman has the right, notwithstanding secrecy provisions, to obtain the information necessary for the performance of his or her duties. It follows from these provisions that even if a notification of a personal data breach contains secret information, that fact is not relevant when assessing compliance with the time limit for notification under Article 33(1) of the General Data Protection Regulation and the adequacy of the reasons given for a delay, or when assessing the conditions for providing the information in phases under Article 33(4).

(50) The controller, the Ministry for Foreign Affairs, notified the Data Protection Ombudsman of a personal data breach on 24 January 2022. According to the notification, the Ministry had investigated the matter together with various authorities and stakeholders during the autumn of 2021 and the winter of 2022, so the breach must be considered to have come to the Ministry's attention significantly earlier than the notification was made. The notification of the personal data breach must therefore be considered delayed, and nothing in the case indicates that there was a valid reason for the delay.

(51) For these reasons, there are no grounds for altering the outcome of the Administrative Court's decision in so far as it rejected the Ministry for Foreign Affairs' appeal against the decision of the Deputy Data Protection Ombudsman concerning the delay in the notification to the supervisory authority referred to in Article 33 of the General Data Protection Regulation and the reprimand issued for that delay under Article 58(2)(b) of the Regulation (paragraph 1 of the decision of the Supreme Administrative Court).

The delay in the communication to the data subject referred to in Article 34 of the General Data Protection Regulation and the reprimand issued for that delay

(52) The personal data breach in question, caused by cyber espionage carried out with spyware, can be assessed as likely to have resulted in a high risk to the rights and freedoms of natural persons. According to Article 34(1) of the General Data Protection Regulation, the controller must communicate such a personal data breach to the data subject without undue delay. Nothing in the case indicates that the conditions referred to in Article 34(3)(a) or (b) for not communicating the breach were met.

(53) According to the controller, the Ministry for Foreign Affairs, the personal data breach came to the attention of the persons directly affected by it immediately after the Ministry received information about the matter. In this respect the Ministry for Foreign Affairs must be considered to have complied with the requirement of Article 34(1) of the General Data Protection Regulation to communicate a personal data breach to the data subject without undue delay.
(54) In addition, the persons whose data was stored on a phone onto which the spyware was able to be installed must be regarded as data subjects within the meaning of Article 34 of the General Data Protection Regulation. These persons were not notified of the personal data breach individually; instead, the Ministry for Foreign Affairs has referred to the fact that it published information about the situation on its website on 28 January 2022. As noted above, the Ministry had investigated the matter together with various authorities and stakeholders during the autumn of 2021 and the winter of 2022, so the breach must be considered to have come to the Ministry's attention much earlier than it published the information on its website.

(55) Information about cyber espionage targeting the Ministry for Foreign Affairs, or about the detection of such espionage, may, depending on the circumstances of the individual case, meet the harm-based conditions for secrecy laid down in section 24, subsection 1, paragraphs 2, 7 and/or 9 of the Publicity Act. On the other hand, it follows from the content requirements for the communication to the data subject under Article 34(2) of the General Data Protection Regulation that such a communication may correspondingly have to include secret information.

(56) The Supreme Administrative Court considers that, in the present situation, where Article 34 of the General Data Protection Regulation is applied in the same way as national legislation, the secrecy provisions of the Publicity Act must be regarded as special provisions in relation to that article. It follows that, when assessing the timing of the communication referred to in the article, the controller must take into account whether giving the communication would at the same time mean disclosing secret information to the data subjects.

(57) Taking into account Finland's interests relating to international relations and state security, which the above-mentioned secrecy provisions protect, the Ministry for Foreign Affairs, even though it published the above-mentioned information on its website only on 28 January 2022, can be considered to have communicated the personal data breach without undue delay, as required by Article 34(1) of the General Data Protection Regulation, to the data subjects whose data has been included

(58) For these reasons, the decisions of the Administrative Court and the Deputy Data Protection Ombudsman must be annulled in so far as they concern the delay in the communication to the data subject referred to in Article 34 of the General Data Protection Regulation and the reprimand issued for that delay under Article 58(2)(b) of the Regulation (paragraph 2 of the decision of the Supreme Administrative Court).

The matter was decided by Justices Anne E. Niemi, Janne Aer, Petri Helander, Monica Gullans and Juha Lavapuro. Referendary: Mikko Rautamaa.