Misuse of Health Data in Finland: Prevalence, Legal Context, and Trust Implications
Introduction
The Finnish health data ecosystem is often viewed as a model of comprehensive record-keeping and public trust. Finland’s citizens traditionally exhibit high confidence in government institutions and the handling of personal data. Officially, strict laws like the EU’s General Data Protection Regulation (GDPR) and national regulations safeguard health information, and authorities emphasize ethical data use. However, this report examines the hypothesis that misuse of health data in Finland is more common than officially acknowledged. Recent cases and research suggest there are underappreciated risks and incidents that challenge the prevailing narrative of security and trust. This issue is important not only for privacy and individual rights but also for maintaining public trust in health systems. The report will explore Finland’s health data infrastructure and legal framework, analyze case studies (including investigative media reports and academic findings), assess technical re-identification risks, discuss legal implications (especially vis-à-vis GDPR), and compare the situation to other countries. Ultimately, it assesses whether the public’s trust in Finnish institutions is justified given the evidence.
Background
Health Data Infrastructure in Finland: Finland has one of the world’s most extensive health and social data infrastructures, built on unique personal identity codes that enable linking data across registries. A flagship example is FinRegistry, a newly compiled dataset covering over 7.1 million Finns with detailed health and social information. FinRegistry amalgamates records from 19 different registries dating back to the 1950s. It includes highly sensitive data on individuals’ medical history (e.g. diagnoses, hospitalizations, infectious diseases), social welfare (e.g. use of income support), family relationships, and even socioeconomic information like earnings and pensions. For instance, the dataset contains data on cancers, congenital conditions, social assistance, hospital visits, intensive care episodes, marriages, kinship, and lab test results. On average, each person has 18 laboratory results recorded. These data were originally collected by agencies such as the Finnish Institute for Health and Welfare (THL), Kela (the Social Insurance Institution), the Digital and Population Data Services Agency (DVV), and others, but FinRegistry aggregates them into one massive resource.
Finland’s government has actively promoted such data resources. In 2019, a Secondary Use of Health and Social Data Act (often called the “toisiolaki”) came into force, aiming to facilitate the use of health data for research, innovation and business development. The law established Findata, a centralized data permit authority, to oversee and “mediate” access to sensitive health data for secondary purposes. “Finland is the promised land of registers,” as one Findata specialist put it, highlighting both the richness of Finnish data and the intent to leverage it. The goal was to attract scientific research and even foreign business by making data access more efficient. Findata now offers FinRegistry as a ready-made dataset to approved researchers, including international academics and companies, touting that data can be obtained “more quickly and cost-effectively” than if gathered from multiple sources separately.
Trust in Institutions and Data Practices: Historically, Finns have high trust in public institutions and a culture of using data for the public good. This trust has been a foundation for broad data collection without public backlash. However, it also assumes that authorities handle data with utmost integrity and transparency. As this report will show, gaps in transparency and oversight have raised questions. Many Finns were unaware that their health and social data would be compiled for secondary use until investigative journalism brought it to light in 2024. The revelation that virtually all Finnish citizens’ health data had been packaged for research without individual notification surprised and concerned many. This indicates a potential mismatch between institutional practices and public expectations, which can erode trust if not addressed.
Legal Privacy Frameworks: Finland, as an EU member, is subject to the GDPR, one of the world’s strictest data protection regimes. GDPR classifies health data as sensitive personal data, requiring a lawful basis for processing (e.g. explicit consent or a special derogation for research) and mandates robust safeguards. To implement GDPR domestically, Finland enacted the Data Protection Act (2018) and the above-mentioned Secondary Use Act (2019) for health/social data. The latter provides the legal basis for using personal health data in scientific research, statistics, and development without consent, as long as certain conditions are met (such as pseudonymization and data security via Findata’s controlled environment). The legislation attempts to “strike a balance between the protection of personal data and the need to process personal data for scientific research”. It explicitly allows combining data from different registries for research, essentially overriding the original purpose limitation under strict oversight.
GDPR also grants individuals rights over their data: the right to be informed, to access their data, to rectify inaccuracies, to object to processing, and even to request erasure (the “right to be forgotten”) in certain circumstances. However, under GDPR Article 89 and the Finnish secondary use law, some of these rights can be restricted for research and archival purposes. In practice, Finland’s framework does not allow citizens to delete their health records from the primary systems, and deletion is not contemplated for research datasets like FinRegistry either. As the national media bluntly summarized: “One’s own social and health data cannot be removed from the registers, but their use for secondary purposes can be opposed”. Citizens may file an objection to prevent their data from being used in research, but the data itself remains stored. This means health data can effectively live on indefinitely in government systems – a point of contention we will revisit in the legal analysis.
In summary, Finland has strong formal protections and an ethos of utilizing data for societal benefit. Yet the confluence of vast integrated datasets, high public trust, and complex regulations creates a scenario where misuse or lapses might occur unnoticed. The following case studies illustrate why concerns are growing that reality might not fully match the official assurances of privacy and security.
Case Studies
To evaluate how health data is handled in practice, we consider several notable incidents and findings – from investigative journalism exposés to research studies – that shed light on potential misuse or risky practices.
FinRegistry: Data Package Without Public Awareness (2024). In June 2024, Yle’s investigative unit MOT revealed details about the FinRegistry dataset that alarmed many Finns. This “ready-made” data resource, assembled as part of a THL and University of Helsinki project, contains sensitive health and life information on nearly the entire population of Finland. Crucially, this compilation was done without explicit knowledge or consent of the individuals. The data includes any Finn who was alive and residing in Finland as of 1 Jan 2010, and additionally links in their parents, spouses, children, and siblings – making it not just a snapshot of individuals but a web of familial connections. Health records (diagnoses, hospital treatments, medications, lab results, etc.) are combined with socioeconomic data (such as pension earnings and welfare benefits) and demographic data (birthdates, gender, place of birth).
This unprecedented scope led experts to warn about significant privacy risks. “This is an unprecedentedly broad combination of sensitive information, and it carries high risks,” said Professor Tomi Voutilainen, an expert in public law. Another researcher noted that such a centralized trove could be “very attractive to people who want to cause harm to society or individuals” if it fell into the wrong hands. Despite the data being stripped of names and addresses, it is only pseudonymized – not truly anonymous. Findata replaces personal identity numbers with project-specific codes to link records, but other quasi-identifiers remain. In fact, FinRegistry retains each person’s full birth date, sex, and even their birthplace (first registered postal code). According to Prof. Voutilainen and Prof. Reijo Sund, these details could re-identify individuals when combined: “With those pieces of information it is possible to identify citizens,” they observed. They further pointed out that even subtler data points can enable identification – for example, knowing when someone was hospitalized for a specific condition could allow matching to a particular individual if such an event is unique or publicly known.
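To make the distinction between pseudonymization and anonymization concrete, the sketch below illustrates the general pattern described above: the personal identity code is replaced with a project-specific code, but quasi-identifiers travel with every record. This is a minimal illustration only; Findata’s actual scheme is not public, and the keyed-hash approach, the key, and the example record here are all assumptions.

```python
import hmac
import hashlib

# Hypothetical illustration of pseudonymization. Findata's real method is
# not public; this assumes a keyed hash that maps each personal identity
# code to a stable, project-specific code.
PROJECT_KEY = b"project-specific-secret"  # assumed: one key per research project

def pseudonym(identity_code: str) -> str:
    """Replace a personal identity code with a project-specific code."""
    return hmac.new(PROJECT_KEY, identity_code.encode(), hashlib.sha256).hexdigest()[:16]

record = {
    "identity_code": "131052-308T",   # fabricated example code
    "birth_date": "1952-10-13",
    "sex": "F",
    "first_postal_code": "99800",
    "diagnosis": "I21",               # ICD-10: acute myocardial infarction
}

# Pseudonymization removes the direct identifier...
released = {k: v for k, v in record.items() if k != "identity_code"}
released["pseudonym"] = pseudonym(record["identity_code"])

# ...but the quasi-identifiers (full birth date, sex, first postal code)
# remain attached to every record, which is exactly what the experts
# quoted above warn can enable re-identification.
print(released)
```

The point of the sketch is that pseudonymization only severs the direct link; the indirect identifiers that make the data scientifically useful are the same attributes that make it linkable to a person.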
Findata officials have openly acknowledged this risk. Peija Haaramo, a lead specialist at Findata, stated that the FinRegistry data is not claimed to be anonymous, conceding that “if a malicious person really wanted to identify someone [from the pseudonymized data], very likely they could do so”. Haaramo characterized this as an accepted trade-off in scientific research using registry data – not unique to FinRegistry, but inherent in all rich data sets. The safeguard, Haaramo argued, lies in the “researchers’ responsibility and high moral standards”. Indeed, Findata’s stance has been to trust approved researchers to use the data ethically. Yle found that Findata performs no formal background checks on those applying for access, instead “emphasizing the high moral character of researchers to use the data correctly”. This reliance on trust was highlighted by the fact that, as of mid-2024, FinRegistry was newly advertised but no research permits had yet been granted for it.
The immediate public reaction to Yle’s FinRegistry revelations was telling. Within days, Findata was flooded with inquiries and objections from citizens who had not realized their data could be repurposed in this manner. By 19 June 2024 (just a few days after the news), around 800 Finns had filed official requests – mostly to object to the use of their data or to at least check what information about them was included. Findata had to add an information page for concerned individuals and explained the process: citizens cannot erase their data from the source registers, but they can request Findata to exclude their records from any secondary-use datasets. Officials noted that processing these requests could take time and emphasized that no FinRegistry data had been released yet, implying there was “no rush” to opt out. Nevertheless, the episode exposed a gap in transparency – many people simply did not know such a comprehensive dataset existed. It also demonstrated that a segment of the public was uncomfortable once aware, directly countering the narrative that Finns uniformly trust authorities with their health data.
Researcher with a Criminal Background (2021 Conviction). In a related investigative report, Yle MOT discovered that one of the key scientists behind FinRegistry had a troubling personal background that raised security questions. The leader of the FinRegistry research group – an accomplished FIMM (Institute for Molecular Medicine Finland) researcher who helped compile the dataset – was found to have a recent drug crime conviction. According to court records unearthed by journalists, this male researcher was convicted in 2021 for a narcotics offense after ordering 20 grams of amphetamines from the dark web to his home. He received a 60-day suspended prison sentence. The conviction, which remains on his criminal record until 2026, would have been flagged in a standard security clearance – yet no such background check was done before or during his work on FinRegistry. THL officials admitted they were unaware of his criminal record. This case is striking because this individual had access to almost all Finns’ health and register data as part of the project. He is by all accounts a respected expert in his field, and the court believed his explanation that the drugs were for personal use (not distribution). Nonetheless, a professor of public law noted that this finding “calls into question what kinds of backgrounds are allowed access to sensitive information on millions of citizens”. The incident suggests a potential insider risk: if someone with personal vulnerabilities or past illegal behavior can be in a position of great data trust without detection, there may be insufficient safeguards against misuse by insiders. It contrasts with assumptions that all researchers accessing data will unfailingly adhere to high ethical standards. At minimum, it sparked discussion in Finland about tightening vetting procedures for those handling national health datasets.
Data Leaks to Third Parties in Healthcare Services (Rauti, 2025). Beyond government registries, another form of health data misuse occurs in the digital services that citizens use for healthcare – often without anyone’s knowledge until recently. In 2025, Sampsa Rauti’s doctoral dissertation exposed serious privacy leaks in Finnish health-related websites and e-services. Rauti investigated numerous platforms – including online pharmacies, public and private healthcare appointment systems, and mental health service websites – and conducted web traffic analysis to see if user data was unintentionally being sent to third parties. The findings were alarming: many of these sites were quietly forwarding personal health information to external companies through embedded analytics and marketing trackers. In some cases, data such as the names of prescription medications a user added to an online pharmacy cart were leaked to tech giants like Google and Meta (Facebook) via tracking scripts. Healthcare appointment booking sites were found sending details of the medical service or clinic being booked, coupled with user identifiers, to outside domains. Overall, Rauti noted that a large portion of tested sites had these “data leaks,” and notably 35% of Finnish online pharmacies leaked prescription drug names to third parties. Even more worrying, some data was going to companies based outside the EU: for instance, some leaks went to Russia’s Yandex and to Bing’s analytics in North America. This implies Finnish users’ health-related activities were being exposed to entities outside EU jurisdiction, possibly even subject to foreign surveillance.
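The kind of traffic analysis described above can be sketched in a few lines: capture the requests a page makes, then flag any request that carries health-related terms to a domain other than the site itself. Everything here – the domain names, query parameters, and drug names – is fabricated for illustration and is not taken from the dissertation.

```python
from urllib.parse import urlparse, parse_qs

# Hypothetical sketch of tracker-leak detection: inspect outgoing requests
# from a pharmacy site and flag any that send sensitive terms to a
# third-party domain. All domains and parameters below are invented.
FIRST_PARTY = "pharmacy.example.fi"
SENSITIVE_TERMS = {"ibuprofen", "sertraline", "insulin"}

captured_requests = [
    "https://pharmacy.example.fi/cart/add?item=ibuprofen+400mg",
    "https://analytics.example.com/collect?ev=add_to_cart&item=sertraline+50mg&cid=123",
    "https://cdn.example.net/static/logo.png",
]

def leaks(url: str) -> bool:
    """True if the request sends a sensitive term to a third-party host."""
    parsed = urlparse(url)
    if parsed.hostname == FIRST_PARTY:
        return False  # data staying on the first-party site is expected
    # Flatten all query-string values and search them for sensitive terms.
    params = " ".join(v for vals in parse_qs(parsed.query).values() for v in vals).lower()
    return any(term in params for term in SENSITIVE_TERMS)

flagged = [u for u in captured_requests if leaks(u)]
print(flagged)  # only the analytics request carrying a drug name is flagged
```

In the real study the capture step used browser traffic inspection rather than a hard-coded list, but the core logic – matching sensitive strings in requests bound for third-party hosts – is the same idea.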
Such leaks violate the spirit, if not the letter, of data protection law since users were typically not properly informed or asked consent for sharing these details. In fact, Rauti found that even if users declined cookies or tracking on some sites, technical flaws meant certain personal data still flowed out automatically. The leaked identifiers (like IP addresses or device IDs) may seem pseudonymous, but as Rauti pointed out, “major tech companies have the means to link these with a user’s real identity”. This creates a risk that sensitive information (like one’s medication or health condition implied by a clinic visit) could be used or sold by third parties, or become exposed in a data breach down the line – a clear privacy risk. The silver lining is that once revealed, many of these issues were corrected: Rauti’s team informed the website operators, leading to fixes in the majority of cases. The Finnish Data Protection Ombudsman’s office also opened investigations, particularly into the pharmacy leaks, given the potential GDPR violations. Nonetheless, the research highlights that misuse of health data was happening under the radar, through everyday digital interactions, and it required an academic study to uncover the extent. It underscores that not all misuse is intentional or malicious – sometimes it is negligent design – but the effect is the same: private health information escaping the secure confines it should stay in.
Major Breach of Mental Health Records (Vastaamo, 2020). No discussion of Finnish health data risks is complete without the infamous Vastaamo incident. Vastaamo was a private psychotherapy provider whose patient database was hacked, leading to one of the worst privacy violations in Finland’s history. The attackers stole therapy session notes of roughly 33,000 patients and then attempted to extort both the company and individual patients by threatening to publish their highly sensitive mental health records. When the clinic refused to pay the ransom, the criminals did indeed release hundreds of records on the dark web and sent blackmail demands directly to victims – causing immense trauma to vulnerable individuals. Investigations later found Vastaamo had egregiously poor security (unencrypted data, no proper passwords). The Data Protection Authority fined the company €608,000 for GDPR violations, and the case became an international scandal. While Vastaamo was a private sector failure rather than a government register, its aftermath shook public confidence and served as a stark reminder that health data, if compromised, can have devastating personal consequences. It likely contributed to heightened sensitivity around health data use in Finland – citizens and politicians alike were shocked that such misuse (via criminal hack) could happen.
In reviewing these case studies, a pattern emerges: officials and organizations did not fully acknowledge or anticipate the potential for misuse until after problems came to light. Whether it’s the quiet bundling of national data for research, the unchecked background of a data handler, the invisible trackers siphoning patient data, or the catastrophic breach of a therapy database – each instance reveals blind spots in the system. These cases lend credence to the hypothesis that misuse and risks are more common (or at least more plausible) than the Finnish public was led to believe. Next, we delve deeper into the technical mechanisms that enable some of these risks, particularly the potential to re-identify individuals in “anonymized” datasets.
Technical Risks: Re-identification and Data Linking
A critical concern with large-scale health databases like FinRegistry is the risk of de-anonymization – that is, re-identifying individuals from supposedly anonymized or pseudonymized data. In FinRegistry’s case, as noted, the data is pseudonymized (direct identifiers replaced with codes), but it still contains a wealth of indirect identifiers. These include an individual’s exact date of birth, gender, place of birth, and detailed longitudinal records of life events (medical, social, familial). According to experts, these attributes in combination can function like a fingerprint. Finland’s population of 5.5 million is relatively small, and many data points in FinRegistry are unique or rare. The more variables and linkage in a dataset, the easier it becomes to pinpoint a specific person. For example, knowing that a particular person is a middle-aged male from a small town who had heart surgery in 2015 and is married with three children narrows the field dramatically – especially if one has any outside knowledge about residents of that town or community events.
Publicly available information can be leveraged to facilitate re-identification. Finland has an open information culture in certain domains; for instance, annual income data above a certain threshold is publicly accessible (Finns often check newspaper lists of top earners each year). FinRegistry includes individuals’ earnings and pension data. A motivated actor could cross-reference income brackets or employment histories with known figures or local news (e.g., “Person X earned €60k in 2018 in this municipality”). Social media is another rich source: people might post about their health (“Finally recovered from COVID last week” or “Running in a cancer charity for my 5-year remission anniversary”), family events (“Welcomed a new baby on [date]”), moves (“Just settled in Oulu!”), or other life events. All these hints could be correlated with registry entries (infectious disease records, cancer registry entries, birth records, address changes, etc.). Family linkages in FinRegistry further amplify the risk: if you identify one person, you potentially identify their relatives’ records as well. Analyses of network graphs (using relationships and shared attributes) could reveal clusters that correspond to real-life families or communities.
Modern computational tools make such cross-matching increasingly feasible. Artificial intelligence (AI) and machine learning algorithms can be trained to find patterns or matches between datasets. One could imagine an AI model fed with some public data (like obituaries, social media profiles, public registry excerpts) and tasked with finding the best matches in the FinRegistry data. Similarly, social network analysis could exploit the kinship and marriage data in FinRegistry to infer identities by matching network structures. For example, an unusual family configuration (say, a person with a very large number of siblings or multiple spouses over time) could be unique enough to trace back to a known family. Researchers Sund and Voutilainen explicitly noted that even “less obvious” pieces of information can succeed in identifying someone when combined cleverly. This is borne out by prior re-identification demonstrations in other countries – famously, Massachusetts Governor William Weld’s medical records were re-identified from “anonymized” hospital data using voter registry information, and Netflix users were re-identified from movie rating data using IMDb public reviews. FinRegistry’s detail rivals those examples and thus would be a prime candidate for re-identification attacks if it fell into unauthorized hands.
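A linkage attack of the sort described above needs nothing more sophisticated than a join on quasi-identifiers. The toy example below, with entirely fabricated data, shows how three attributes that remain in a pseudonymized record (birth date, sex, first postal code) can already yield a unique match once an attacker has a scrap of outside knowledge about one person.

```python
# Toy linkage attack under the assumptions in the text: pseudonymized
# registry rows still carry birth date, sex, and first postal code, and
# the attacker knows these attributes for one target person (e.g. from a
# news story or social media). All records here are fabricated.
registry = [
    {"pseudonym": "a91f", "birth_date": "1961-03-02", "sex": "M",
     "postal": "90100", "event": "heart surgery 2015"},
    {"pseudonym": "77c0", "birth_date": "1961-03-02", "sex": "F",
     "postal": "00100", "event": "appendectomy 2019"},
    {"pseudonym": "d3e8", "birth_date": "1988-11-30", "sex": "M",
     "postal": "90100", "event": "fracture 2021"},
]

# Outside knowledge about the target person.
known = {"birth_date": "1961-03-02", "sex": "M", "postal": "90100"}

# The "attack" is a simple filter on the quasi-identifiers.
matches = [r for r in registry if all(r[k] == known[k] for k in known)]

# With only three quasi-identifiers the match is already unique, so a
# supposedly anonymous medical event becomes attributable to a named person.
assert len(matches) == 1
print(matches[0]["pseudonym"], matches[0]["event"])
```

In a dataset covering 5.5 million people the same filter would of course return more candidates for common attribute combinations, but a full birth date alone partitions the population into roughly 30,000 groups, and each added attribute (sex, birthplace, a dated hospital episode) shrinks the candidate set multiplicatively.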
Another technical risk vector is the possibility of data breaches or leaks. While Findata’s system (called Kapseli®) is designed as a secure remote environment where approved researchers access data without it leaving the server, no system is perfectly secure. A breach of the FinRegistry dataset could be disastrous because it holds essentially a full copy of Finland’s population health profile. The centralization of data, which FinRegistry boasts as a convenience, is a double-edged sword: it becomes a “honeypot” target. A single intrusion or malicious insider could access a sweeping scope of information. This contrasts with the data’s original state, siloed across different agencies – in that scenario, multiple breaches would be needed to get the same completeness of personal profiles. As Voutilainen warned, the more data aggregated in one place, the more enticing it is to those with harmful intent.
The earlier case studies provide concrete examples of technical risks manifesting. Rauti’s findings on web trackers show how easily data can slip out via software bugs or third-party integrations. In that case, users didn’t even realize their data (like prescription names) was leaving the site – a subtle leak far less guarded than FinRegistry. In another Nordic example, a software bug in Denmark caused 1.26 million Danish citizens’ personal ID numbers (CPRs) to be inadvertently sent to Google and Adobe Analytics over 5 years. The CPR number is akin to the Finnish personal identity code – it encodes birth date and gender – so this leak was essentially exposing sensitive personal data to outside companies. If such a bug occurred in a Finnish e-health system, it could similarly expose IDs or health info at a large scale.
In summary, the technical reality is that no pseudonymized bulk dataset can be considered immune to re-identification, especially when rich in variables. Finland’s inclusion of comprehensive data (health + social + economic + family) in FinRegistry creates many potential “jigsaw pieces” that can be fitted together with external data. The use of advanced analytics or AI can accelerate this process. Therefore, the official line that data is pseudonymized and researchers are trustworthy, while true in intent, does not eliminate the inherent privacy risks. The next section examines how these realities square with the legal framework – notably GDPR – and whether current practices might conflict with the law’s letter or spirit.
Legal Implications
From a legal perspective, the handling of Finnish health data raises several important questions. GDPR provides a robust foundation for personal data protection, and health data gets special attention due to its sensitivity. How does Finland’s approach – exemplified by FinRegistry and the secondary use law – align with GDPR, and where might it fall short in practice?
GDPR and Consent vs. Lawful Basis: Under GDPR, processing of health data is generally prohibited unless a specific condition is met (Article 9). One such condition is the data subject’s explicit consent. Notably, in Finland’s secondary use model, consent of individuals was not obtained for including their data in FinRegistry or other research registries. Instead, the lawful basis invoked is likely Article 9(2)(j) – processing necessary for scientific or historical research in the public interest, as enabled by EU or member state law. The 2019 Finnish act serves as that enabling law, embedding safeguards like pseudonymization and centralized oversight. This means, legally, Finland opted for a “consent waiver” model for large-scale research data, prioritizing societal benefit over individual control, but with regulatory control as a counterweight. While this can be legal under GDPR, it puts the onus on authorities to protect rights in other ways.
Transparency and Awareness: GDPR mandates transparency – people should be informed about how their data is used. In the FinRegistry case, one could argue transparency was lacking. Many citizens only learned from the media that their records had been pooled for secondary use. It’s possible that a general notice was buried in some privacy policy or an official gazette, but clearly it wasn’t effectively communicated to the average person. This borders on non-compliance with GDPR’s notice requirements. The public outcry and surprise evidenced that people did not feel properly informed, which is itself a failure of communication if not law. The Office of the Data Protection Ombudsman emphasizes that trust in research requires taking care of data protection and planning data use from the start. Informed participation (even if not consent, at least awareness) is part of maintaining trust. Going forward, Finnish authorities may need to improve how they inform citizens about such initiatives – for example, direct notifications or public information campaigns – to adhere to the spirit of transparency.
Right to Object and “Opt-out” Rights: GDPR Article 21 gives data subjects the right to object to processing of their personal data under certain conditions (especially when the basis is public interest or legitimate interest). Finland does honor this in the secondary use context by allowing citizens to file an objection to research use. As noted, after Yle’s reporting, hundreds exercised this right, and Findata must now filter those individuals out of datasets. This is akin to an opt-out mechanism. It’s a positive aspect that Finland provides an opt-out, but the episode revealed that many people simply didn’t know this right existed until the media coverage. Additionally, the process to opt out is somewhat cumbersome – requiring a form submission via a secure online service with strong authentication. Legal experts might question whether this fully satisfies GDPR’s requirement that objections can be made at any time, free of charge, and are handled promptly. The backlog of 800 requests with no clear timeline for processing suggests practical challenges in upholding this right efficiently.
Right to Erasure (Data Deletion): Perhaps the thorniest issue is deletion. GDPR’s Article 17 grants individuals the right to have personal data erased, under conditions like withdrawal of consent or when data is no longer needed. However, this right is not absolute – GDPR carves out exceptions, including when data is processed for scientific research or public health purposes if erasure would seriously impair that processing (Art. 17(3)(d)). Finland leans heavily on this exception. As described, individuals cannot demand deletion of their health records from primary systems or research repositories. Health records in clinical systems are typically retained for long periods (for continuity of care and legal compliance), often decades or even indefinitely for certain registers – cancer registry data, for example, is kept permanently for epidemiological purposes. FinRegistry, being a derived research dataset, will likely be updated over time rather than wiped clean of those who object – in practice, an objection leads to excluding one’s data from outputs, but not necessarily purging it from all backups or archives. This raises an argument that, in spirit, health data in Finland is “never fully deleted,” which could be seen as violating the spirit of GDPR’s emphasis on data minimization and storage limitation. While legally permissible due to research exceptions, it challenges the idea that citizens have meaningful control. Some privacy advocates might contend that there should be a path to actual deletion, at least after a person’s death or after a certain retention period, to honor the principle that personal data shouldn’t live forever without purpose. Yet in Finland’s framework, the default is open-ended retention for possible future research, as exemplified by FinRegistry compiling data back to the mid-20th century.
The spirit of GDPR also encompasses accountability and avoiding undue harm. If individuals feel their data is held hostage in systems they cannot exit, they may lose trust in those systems. This connects to the trust implications discussed later: a perception that “the government knows everything about me and I have no say” can erode the social license that authorities rely on.
Data Security and Compliance: GDPR obliges data controllers to implement appropriate security and protection measures (Article 32) and to ensure privacy by design. The case studies highlight areas of non-compliance or weak compliance in this regard. The Vastaamo breach was a direct GDPR failure – inadequate security leading to a massive leak of sensitive data. The hefty fine and the ensuing bankruptcy of that company underscored that GDPR has teeth when violations occur. In the public sector, if something like FinRegistry were breached, one would expect a similar strong response. Rauti’s discovery of routine leaks to third parties suggests that some Finnish health service providers were violating GDPR’s rules on data sharing and consent. The fact that the Data Protection Ombudsman is investigating means there could be enforcement actions or at least mandated fixes. GDPR can impose penalties up to 4% of global turnover or €20 million for serious infractions; while public hospitals aren’t typically fined, private entities like pharmacies could be.
One complexity is that Findata itself is now a data controller for FinRegistry and similar datasets. This means Findata carries GDPR responsibilities (ensuring lawfulness, responding to data subject rights, securing the data). The rush of objections tested Findata’s processes. It also must consider data security deeply: as controller of a mega-dataset, Findata would be in the spotlight if any unauthorized access or misuse happens. The revelation that a researcher with a drug conviction had access points to a gap in organizational measures. GDPR Article 32 talks about measures including access control and vetting who gets access. Not performing background checks on personnel handling ultra-sensitive data could be seen as a lapse in due diligence. While GDPR doesn’t explicitly require employee vetting, a regulator might say it’s part of ensuring integrity and confidentiality. At the very least, going forward, one might expect stricter screening or monitoring of those who work on such projects, to mitigate insider threats.
Purpose Limitation and Scope Creep: GDPR’s principle of purpose limitation states that data collected for one purpose (e.g., providing healthcare) should not be used for incompatible purposes without further consent. Finland’s secondary use law attempts to resolve this by defining secondary research use as a compatible purpose under a legal mandate. However, some critics argue that taking data given in confidence for treatment and then using it to, say, help pharmaceutical companies develop drugs (even if via research) tests the boundaries of ethical use. The Yle investigation highlighted that one goal of FinRegistry was explicitly to “attract business” and foreign investment in health tech. While economic development isn’t inherently bad, using patients’ data as a commodity to entice companies is sensitive. GDPR would frown upon using personal data for commercial ends without consent – but because it’s framed as research in the public interest, it slides through legally. This blurring of lines might not sit well with everyone and could be seen as undermining the spirit of GDPR, which is rooted in respecting individual autonomy. If people feel their data is being “sold” (even if not literally sold, the perception of being used as an asset), it can lead to a backlash that laws alone can’t prevent.
In practice, Finland is navigating a fine line: leveraging GDPR’s flexibility for research while trying not to betray the trust of its people. The legal framework allows much of what Finland is doing, but the true test is whether the implementation maintains public confidence. To gauge that, it’s useful to compare with how other countries approach similar dilemmas, as we do next.
Comparative Perspective
Finland is not alone in grappling with the balance of rich health data utilization and privacy/trust. Many countries, especially in Europe, have large health data repositories or are developing them. A brief look at other contexts – particularly Sweden, Denmark, and Germany – reveals both parallels and contrasts.
Sweden: Culturally and structurally, Sweden is very similar to Finland in terms of comprehensive personal registries (thanks to personal ID numbers) and a strong welfare state interest in health data. Sweden has long-running national health registers (e.g., cancer registry since 1958, quality registers for various diseases) and high participation in research. Trust in authorities is also traditionally high in Sweden. However, Sweden has experienced pushback when it comes to expanding data use without clear consent. A notable case was the LifeGene project around 2011. LifeGene, spearheaded by Karolinska Institutet, aimed to collect health information and genetic data from half a million Swedes as a research resource for future studies. The concept was similar to FinRegistry in that it was a broad collection for unspecified research questions. Sweden’s Data Inspection Board (the privacy regulator) intervened and halted LifeGene, ruling that gathering personal health data “for future research” without a specific defined purpose and consent violated Sweden’s Personal Data Act (the law in force before GDPR). The Board essentially said you can’t just vacuum up data on the chance it might be useful later, because that infringes on individuals’ informational self-determination. Karolinska appealed, but the case was a wake-up call – it underscored the importance of purpose limitation and consent. Post-GDPR, Sweden continues to use registry data, but likely with more caution on broad-based projects. The LifeGene experience contrasts with Finland’s approach: Finland’s law explicitly permits what Sweden’s regulator disallowed then. It shows that even in a high-trust society, there are boundaries – Swedish authorities took the side of privacy when it seemed research ambitions overreached. This illustrates that concerns about large health data sets are not unique to Finland; they exist elsewhere, and different countries draw the line differently.
Denmark: Denmark is another Nordic country known for leveraging nationwide health data (it has used national health records in research for decades and, like Finland, offers researchers a data access platform via Statistics Denmark and other bodies). Danes generally trust the public health system, but Denmark has had its share of data mishaps. One example is an incident in which a massive trove of Danish citizen data (including health-related personal identifiers) was accidentally exposed: in 2020 it was revealed that a software bug in Denmark’s tax portal had leaked 1.26 million CPR numbers (personal ID numbers) to Google and Adobe Analytics scripts over several years. The CPR number encodes birth date and gender and is used across health and social systems, so its leakage is a serious privacy issue. While that was a tax-system bug, the principle carries over to health data: even well-intentioned systems can inadvertently leak information if not carefully audited. Denmark has also been very open about sharing data for research and has had to assure the public that appropriate safeguards exist. Notably, in 2015 a mistake by a Danish official caused a security breach in which a huge dataset from the national patient registry (covering the entire population’s health records) was sent to a statistical contractor’s server in another country – a breach of protocol that caused a scandal and, as local media reported, highlighted the need for strict procedures in data handling. Furthermore, neighboring Norway suffered a major health data cyberattack in 2018, discussed next – a reminder that Nordic health data can be a target.
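The Danish tax-portal incident hinged on a simple mechanism: full page URLs, query parameters included, were forwarded to third-party analytics scripts. A minimal, hypothetical sketch of the kind of redaction step that would have prevented it is shown below; the URL, parameter name, and helper function are invented for illustration, though the DDMMYY-SSSS shape of the CPR number (hyphen often omitted) is real.

```python
import re

# Danish CPR numbers follow the pattern DDMMYY-SSSS; in URLs the hyphen is
# often dropped, so we match 6 digits, an optional hyphen, then 4 digits.
CPR_PATTERN = re.compile(r"\b\d{6}-?\d{4}\b")

def redact_cpr(url: str) -> str:
    """Replace anything that looks like a CPR number with a placeholder,
    so the URL can be safely handed to an analytics script."""
    return CPR_PATTERN.sub("[REDACTED]", url)

# A hypothetical page URL that accidentally embeds a CPR number in a
# query parameter, as in the Danish tax-portal bug:
leaky = "https://portal.example.dk/status?cpr=010190-1234&page=2"
print(redact_cpr(leaky))
# → https://portal.example.dk/status?cpr=[REDACTED]&page=2
```

The broader lesson is that such scrubbing has to happen before the URL reaches any embedded third-party script, since the script otherwise sees the page address exactly as the browser does.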
Norway: In early 2018, Norway’s Health South-East RHF (which serves about half of Norway’s population) was hacked, potentially exposing the health records of 2.9 million Norwegians. This shows that even countries with advanced security can fall victim to cyber threats, reinforcing fears that large centralized health databases are at risk. The breach was attributed to a state-sponsored hacking group, underscoring the geopolitical interest in health data (for espionage or other motives). Finland’s systems likely face similar threats.
Returning to Denmark: overall, Danish authorities are now quite careful. They have implemented centralized research access through a secure environment (akin to Finland’s Kapseli concept) and require projects to be approved. The Danish model, however, did not face an uproar, largely because these systems were communicated and built up earlier, and perhaps because no single new dataset like FinRegistry was introduced suddenly – Danish registries grew gradually. Still, the potential for identification in Denmark’s data is comparable to Finland’s, and Danish officials have acknowledged that no public data can be fully anonymized. The key difference is perhaps in communication and incident track record: Denmark has had notable incidents, which may have made the public and officials warier in recent years.
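The claim that no public data can be fully anonymized can be made concrete with the notion of k-anonymity: a released dataset is k-anonymous if every combination of quasi-identifiers (attributes like birth year, sex, and municipality) appears at least k times. A toy sketch with entirely invented records illustrates how a single rare combination makes someone re-identifiable:

```python
from collections import Counter

# Invented quasi-identifier tuples: (birth year, sex, municipality).
# None of these correspond to real individuals.
records = [
    ("1950", "F", "Helsinki"),
    ("1950", "F", "Helsinki"),
    ("1950", "M", "Utsjoki"),   # unique combination -> re-identifiable
    ("1987", "F", "Tampere"),
    ("1987", "F", "Tampere"),
]

counts = Counter(records)

# k-anonymity = size of the smallest equivalence class of identical tuples.
k = min(counts.values())
unique = [r for r, n in counts.items() if n == 1]

print(f"k-anonymity: {k}")              # k = 1 means someone is fully exposed
print(f"unique combinations: {unique}")
```

Even without names or ID numbers, a 1950-born man in a small municipality like Utsjoki may be the only person matching that profile, which is why registry extracts are treated as pseudonymized rather than anonymous.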
Germany: Germany provides an interesting contrast due to a different cultural and legal stance on data privacy. Germans are historically more skeptical of government data collection, owing to historical experiences. Health data in Germany has been relatively siloed and difficult to utilize nationally – until recently there was no single ID used universally in health care, and data protection laws are stringent at the state (Land) level. Germany did implement GDPR fully and even added some stricter provisions in its national law (BDSG). Until recently, research and industry complained that Germany’s rich health data (from its many clinics, insurers, etc.) was “locked up” by privacy concerns. In 2023, however, Germany moved towards a model not unlike Finland’s (but with differences). The government passed the Health Data Use Act (Gesundheitsdatennutzungsgesetz, GDNG), set to take effect in 2024, which will enable pseudonymized health data from statutory insurers and electronic patient records to be pooled in a central Health Data Lab for research use. Notably, Germany’s model explicitly includes an opt-out for patients – data will be gathered unless a patient opts out of having their records forwarded for research. This is analogous to Finland’s approach with objections, but Germany is building the opt-out in from the start of its new electronic health record system. The German law also aims to allow private companies (pharma, medtech) to access data for R&D, under strict conditions, similar to Finland’s goals. Germany’s approach is cautious: they are centralizing data (which is a big step for them), but because trust is lower, they emphasize patient choice (opt-out), and they are very explicit about prohibiting uses like marketing or insurance discrimination. The fact that Germany waited and observed other countries’ experiences (including likely learning from Nordic models) means they are trying to thread the needle of utility and trust.
This suggests that the concerns Finland is now grappling with (privacy, re-use of data, public acceptance) are on the minds of German policymakers as well – they know that to succeed, they must not alienate the public. Surveys in Germany have shown some wariness; for example, a 2021 study found many Germans only willing to share health data if robust privacy and security measures are in place, and trust in data handling significantly affects their willingness.
In sum, other countries mirror Finland’s core challenge: how to reap the benefits of big health data without undermining individuals’ rights and trust. Sweden’s regulator chose to clamp down early on an all-encompassing project, prioritizing consent and purpose specificity. Denmark and Norway experienced tangible harms from data leaks and breaches, which underscore the risks Finland must avoid. Germany is proceeding with caution and explicit opt-out provisions, reflecting a more privacy-conscious stance from the outset. Finland’s current situation might be seen as somewhere in between – very ambitious in data use like Denmark/Sweden, but now catching up on the transparency and trust aspects perhaps more in line with German sensibilities.
One could also mention the United Kingdom: the NHS attempted a program called “care.data” in 2014 to share patient general practice records for research/commercial use, and it faced massive public backlash and had to be abandoned due to lack of trust and insufficient communication. The lesson globally is clear: if citizens feel uninformed or powerless regarding their health data, trust can collapse and projects can fail. Finland, fortunately, has not reached that low point – public trust in health authorities remains relatively high, but as these comparisons show, it should not be taken for granted. Continuous engagement, ethical oversight, and learning from peers will be key to sustaining Finland’s approach.
Conclusion
The evidence reviewed in this report suggests that the hypothesis holds weight: misuse of health data in Finland is likely more common than the official narrative has acknowledged, and the robustness of legal protections and institutional trust is being tested. Finland’s health data environment, while legally sophisticated, has revealed cracks through which personal information can slip or be mishandled. Investigative journalism and academic research have brought to light instances of underappreciated risk – from the compilation of virtually every citizen’s data into a single dataset without broad awareness, to the inadequate vetting of individuals with access to sensitive data, to the silent leaking of health details via digital services. These instances are not merely one-offs; they indicate systemic challenges in balancing data use with privacy.
Legally, Finland operates within GDPR’s allowances, but the spirit of GDPR demands more than checking the boxes – it requires honoring individuals’ rights and ensuring they remain in control to a reasonable degree. The fact that hundreds of Finns rushed to opt out once they learned about FinRegistry shows a clear gap between what the law permitted and what people were comfortable with. It is a reminder that public trust, once lost, is hard to regain. Trust in Finnish public institutions has been a comparative advantage (many countries struggle to even implement such data systems due to lack of trust), so it is vital to nurture that trust through transparency and responsiveness. This may involve policy adjustments: for example, better public notification about data uses, easier ways to exercise rights, and perhaps tighter criteria on who can access data and for what purposes. It also likely involves cultural change among data controllers – moving from a “decide and defend” approach to a “consult and include” approach with the public.
From a risk assessment standpoint, Finnish authorities and organizations need to assume that if data can be misused, eventually it will be – whether by accident, malicious insider, external hacker, or even well-intentioned research that inadvertently identifies someone. Preparing for that means doubling down on security (technical and procedural), conducting regular audits (as Rauti’s work did externally), and addressing vulnerabilities proactively. It also means being honest about the limitations of anonymization and the potential consequences of a breach. Such frankness, coupled with concrete safeguards, can actually bolster trust, as people see that risks are not ignored or glossed over.
Is the Finnish public’s trust justified? Yes and no. Yes, in that Finland genuinely has world-class systems and dedicated professionals, and there is no evidence of widespread intentional abuse by authorities. The legal framework is designed to protect data while enabling beneficial use, and there have been positive outcomes from research using Finnish health data (improving treatments, understanding diseases, etc.). Finnish institutions, compared to many countries, are quite transparent and accountable, as seen in the swift reactions once issues came to light (e.g., Findata providing info to citizens, websites fixing leaks, DPA investigating breaches). However, trust should not mean complacency. The cases we examined show that misuse – whether through negligence, oversight, or malice – does occur in Finland, even if not at a scandalous frequency. Officialdom may have been too sanguine, assuming high ethical standards would suffice. The lesson is that trust must be continuously earned and verified. In a data-rich environment, that means stringent enforcement of privacy rules, independent oversight, and an ongoing dialogue with citizens about how their data is used.
In conclusion, Finland stands at a crossroads where it must reinforce the message: “Your data is in safe hands” with tangible action. A failure to do so could lead to public pushback, stricter constraints from regulators, or loss of the social license that currently allows the extensive use of health data. The hypothesis that misuse is more common than acknowledged serves as a caution – one that Finnish policymakers and institutions appear to be heeding now, given the heightened attention to data security and privacy. By learning from recent missteps and comparative experiences abroad, Finland can improve its data practices. This will help ensure that the public’s trust is not misplaced – that it is indeed justified by a reality in which individuals’ fundamental rights to privacy and data protection go hand in hand with groundbreaking health research and innovation.
References:
Mattinen, J. (2024a, June 15). Lähes kaikista suomalaisista on kerätty arkaluontoisia tietoja aineistoon, jota markkinoidaan tutkijoille ulkomailla. Yle MOT. (Finnish investigative news article describing the FinRegistry dataset and associated risks).
Mattinen, J., & Hämäläinen, V.-P. (2024b, June 18). Lähes kaikkien suomalaisten terveystiedot yhteen koonneella tutkijalla tuomio – tilasi huumeita pimeästä verkosta. Yle MOT. (Finnish news article revealing a FinRegistry researcher’s drug conviction and lack of background checks).
Kinnunen, V. (2024, June 19). Suomalaisilta kerättiin arkaluontoisia tietoja heidän tietämättään – jo 800 on ilmoittanut vastustavansa käyttöä. Yle Uutiset. (Report on public objections following FinRegistry news, noting inability to remove one’s data but right to object to secondary use).
Rauti, S. (2025). Tietovuodot kolmansille osapuolille suomalaisissa terveydenhuollon verkkopalveluissa (Doctoral dissertation, University of Turku). [Press release]. (Study finding serious privacy leaks of health data to third parties via Finnish web services).
Findata. (2025). FinRegistry ready-made dataset description. Findata.fi. (Details of the FinRegistry data sources and contents, per the national data permit authority).
DSG Data Science Lab. (2022). Finregistry longitudinal and endpoint generation [GitHub repository]. (Technical documentation of FinRegistry project data structure).
GDPR (EU) 2016/679, General Data Protection Regulation. (Key EU law on data protection, applicable in Finland via Data Protection Act 2018).
Secondary Use of Health and Social Data Act 552/2019 (Finland). (National law enabling research use of personal health data under specific conditions).
Data Protection Ombudsman’s Office. (n.d.). Scientific research and data protection. Tietosuoja.fi. (Guidance on applying data protection in research, balancing rights and research needs).
Bloomberg Law. (2012, Jan 13). Swedish Data Board Halts LifeGene Project, Citing Privacy, Consent Issues. (Case of Sweden’s regulator stopping a large health data project for legal/privacy reasons).
Inside EU Life Sciences. (2023, July 4). Germany plans Health Data Use Act…. (Overview of Germany’s new Health Data Use Act and its provisions like patient opt-out).
CISOMAG. (2020, Feb 12). Software Bug Exposes CPR Numbers of 1.26 million Danish Citizens. (Incident of Danish personal data leak to analytics due to a bug).
Wikipedia. (2023). Vastaamo data breach. (Summary of the 2020 Finnish psychotherapy data breach and its consequences).