Ministry of Foreign Affairs – Court Ruling (Finland, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 24 January 2022, the Ministry for Foreign Affairs, the controller, notified the Data Protection Ombudsman of a data breach under Article 33 GDPR. The breach concerned spy malware that had been installed on Finnish diplomats' phones and allowed the exploitation of information stored on the phones.
Four months later, the Data Protection Ombudsman decided that the controller had not complied with the notification deadline of 72 hours under Article 33(1) GDPR and had not provided a reasoned explanation for the delay. Moreover, the controller had not complied with Article 34 GDPR because its notification to data subjects was improper (only oral and during a press release). The controller appealed the Data Protection Ombudsman's decision.
The Administrative Court held that the personal data breach in this case posed a high risk to the rights and freedoms of individuals within the meaning of Article 34(1) GDPR. Although the controller did inform data subjects of the breach via a press release, the Court found that the controller had not notified the parties of the infringement without undue delay. Two main reasons were brought forward: the gravity and seriousness of the impact on data subjects, and the fact that Finland had not adopted any national law limiting the scope of application of Articles 33 and 34 GDPR for reasons of national security.
The controller appealed the decisions of the Administrative Court to the Supreme Administrative Court. In its decision, the Supreme Administrative Court elaborated on three main points:
1. The GDPR is not applicable for foreign and security policy matters. In this regard, the Court decided that, even if the GDPR expressly states that the processing of personal data relating to national security and the common Union foreign and security policy is excluded from the GDPR, in Article 2(1) of the Finnish Data Protection Act (https://www.finlex.fi/en/laki/kaannokset/2018/en20181050.pdf), the scope of the GDPR has been nat
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
This is the only recorded case for this entity in this jurisdiction.
Cite as: Cookie Fines. Ministry of Foreign Affairs - Finland (2024). Retrieved from cookiefines.eu